Reproduced by permission of Thomson Reuters Canada Limited from Annual Review of Civil Litigation 2020, ed. The Honourable Mr. Justice Todd L. Archibald.
Shining a Light on Privacy: Untangling the Web of Canadian Privacy Laws
BONNIE FISH AND ALEXANDER EVANGELISTA1 It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. George Orwell, 1984
I. THE GENESIS OF PRIVACY LITIGATION Although there are more Canadian privacy laws than ever before and the right to privacy has quasi-constitutional status,2 Canadian citizens have never had greater cause for concern about their privacy. Our devices make public a dizzying amount of our personal information.3 We share information about our preferences and location with retailers and data brokers when shopping for online products and when shopping in physical stores using our credit cards, payment cards or apps. Smart homes and smart cities make possible Orwellian surveillance and data capture that previously would have been illegal without a judicial warrant.4 The illusion of anonymous or secure internet activity has been shattered5 by large scale privacy breaches that have exposed the vulnerability of our personal information to hackers.6 The COVID-19 crisis raises new privacy concerns as governments and private institutions exert extraordinary powers to control the outbreak, including the use of surveillance technologies.7
1 Bonnie Fish is a Partner and the Director of Legal Research at Fogler, Rubinoff LLP, Alexander Evangelista is an associate in the litigation department of Fogler, Rubinoff LLP. The authors thank Emily Duncan, articling student, Fogler, Rubinoff LLP, for her research assistance with this paper. 2 Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773 (S.C.C.) at para. 22. 3 Cameron F. Kerry, “Why Protecting Privacy is a Losing Game Today and How to Change the Game” (2018)
As concern for privacy has grown, the web of privacy laws has become increasingly complex and tangled. The Supreme Court has declared that privacy protection is necessary to preserve a free and democratic society and so ruled that privacy breaches engage Charter rights and privacy laws have a quasi- constitutional status. The Federal and provincial legislatures have addressed privacy concerns with a raft of legislation that governs the collection, use, and disclosure of personal data. Our courts have recognized a number of torts that offer remedies for breaches of personal privacy. This paper is intended to offer guidance in navigating the expanding landscape of Canadian privacy laws. The fundamental argument advanced is that the starting point for analyzing any privacy problem is the quasi- constitutional status of privacy laws. The paper begins by exploring that quasi- constitutional status and how privacy breaches engage the Charter. With this analytical framework in place, the paper then provides an overview of the statutory privacy schemes and common law privacy torts. The final section explains how the available statutory, Charter, and common law remedies fit together.
II. WHY IS PRIVACY LITIGATION SO COMPLICATED? Privacy litigation is complicated because privacy is a broad concept with personal and public dimensions that can engage Charter, statutory and common law protection. The protection of privacy is partially addressed by privacy statutes and partially by the common law. As the Supreme Court has confirmed, privacy laws are quasi-constitutional and some breaches of privacy engage Charter rights. The statutory regimes address personal privacy as it relates to the collection, use and disclosure of personal data by governments and private sector organizations.8 However, data protection laws do not cover the entire privacy field. While there is a direct connection between data collection and personal privacy,9 protection of personal data is distinct from the right to privacy in life. Privacy extends to activities, decisions, thoughts, bodies and communications.10 One commentator explains how the concepts interact:
Coronovirus raises concerns about government power after pandemic ends” CNBC, (March 26, 2020)
While “privacy” includes various aspects of “data protection”, these are not one and the same. The ultimate purpose of [data protection laws] was to protect individuals from data-handling activities that were potentially harmful to them. This notion of “risk of harm” behind [data protection laws] . . . is actually broader than the notion of “privacy” and “privacy” is broader than data protection, although the two notions clearly overlap.11 Common law torts provide remedies for breaches of privacy outside of data protection. This divide between statutory and common law remedies is complicated by the fact that some provincial privacy statutes create a statutory cause of action for breach of privacy. The relationship between the statutory scheme and the common law is explored more fully below in the section which addresses the intersection between tort and statute. The quasi-constitutional status of privacy laws provides context to the field of privacy and how the laws should be interpreted. We begin with an analysis of the Supreme Court’s approach to privacy.
III. PERSONAL PRIVACY AS A CHARTER RIGHT Long before personal privacy was threatened by the Internet and social media, the Supreme Court recognized that protection from inappropriate intrusions by the state upon personal privacy was the underlying purpose of the right against unreasonable search and seizure in section 8 of the Charter of Rights and Freedoms.12 This purposive approach to interpreting section 8 was adopted by the Court in 1982 in Hunter et al. v. Southam Inc.: Like the Supreme Court of the United States, I would be wary of foreclosing the possibility that the right to be secure against unreasonable search and seizure might protect interests beyond the right of privacy, but for purposes of the present appeal I am satisfied that its protections go at least that far. The guarantee of security from unreasonable search and seizure only protects a reasonable expectation. This limitation on the right guaranteed by s. 8, whether it is expressed negatively as freedom from ‘‘unreasonable” search and seizure, or positively as an entitlement to a ‘‘reasonable” expectation of privacy, indicates that an assessment must be made as to whether in a particular situation the public’s interest in being left alone by government must give way to the government’s interest in intruding on the individual’s privacy in order to advance its goals, notably those of law enforcement.13 [emphasis in original]
10 Helen F. Nissenbaum, “Privacy as Contextual Integrity” (2004) 79:1 Wash. L. Rev. 119 at 123-24. 11 Charnetski, supra note 8 at 204. 12 Canadian Charter of Rights and Freedoms, Schedule B to the Canada Act 1982, 1982, c. 11 (U.K.). 13 [1984] 2 S.C.R. 145 (S.C.C.) at 160. See also the dissenting judgment of Justice La Forest in Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403 (S.C.C.) at paras. 65-66 where he wrote: Annual Review of Civil Litigation / 546
In 1993 R. v. Osolin, Justice L’Heureux-Dube´ J., dissenting but not on this point, also wrote that privacy was the fundamental value protected by section 8: The importance of privacy as a fundamental value in our society is underscored by the protection afforded to everyone under s. 8 of the Charter ‘‘to be secure against unreasonable search or seizure”. This value finds expression in such legislation as the Privacy Act, R.S.C., 1985, c. P-21, which restricts the purposes for which information may be used to those for which it was received.14 [emphasis in original] More recently in R. v. Spencer15 the Supreme Court considered whether the constitutional protection afforded to privacy applied to child pornography stored by an accused on a computer. The police identified the Internet Protocol (IP) address of a computer the accused used to access and store child pornography through an Internet file-sharing program. They then obtained from the Internet Service Provider (ISP), and without prior judicial authorization, the subscriber information associated with that IP address. The request was made pursuant to section 7(3)(c.1)(ii) of PIPEDA and ultimately led the police to the accused who was convicted by the trial judge. While the conviction was upheld on appeal, the Supreme Court stressed that a state search that interferes with a reasonable expectation of privacy is a breach of section 8 of the Charter: Under s. 8 of the Charter, ‘‘[e]veryone has the right to be secure against unreasonable search or seizure.” This Court has long emphasized the need for a purposive approach to s. 8 that emphasizes the protection of privacy as a prerequisite to individual security, self-fulfilment and autonomy as well as to the maintenance of a thriving democratic society.16 [emphasis added] In Blencoe v. British Columbia, the Supreme Court held that the liberty interest protected by section 7 is no longer restricted to mere freedom from physical restraint but rather applies whenever the state interferes with fundamental personal choices.17 This type of purposive approach to section 7, understanding the right in light of the interests it was meant to protect, paves
Privacy is also recognized in Canada as worthy of constitutional protection, at least in so far as it is encompassed by the right to be free from unreasonable searches and seizures under s. 8 of the Canadian Charter of Rights and Freedoms [citations omitted]. 14 [1993] 4 S.C.R. 595 (S.C.C.) at 614; See also the dissenting judgment of Justice La Forest in R. v. Wise, 1992 CarswellOnt 71, [1992] 1 S.C.R. 5276 (S.C.C.). 15 R. v. Spencer, 2014 SCC 43, [2014] 2 S.C.R. 212 (S.C.C.). 16 Ibid. para. 15, The Court relied on Hunter v. Southam Inc., [1984] 2 S.C.R. 145 (S.C.C.) at 156-157; R. v. Dyment, [1988] 2 S.C.R. 417 (S.C.C.) at 427-428; R. v. Plant, [1993] 3 S.C.R. 281 (S.C.C.) at 292-293; R. v. Tessling, 2004 SCC 67, [2004] 3 S.C.R. 432 (S.C.C.) at paras. 12-16; Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, [2013] 3 S.C.R. 733 (S.C.C.) at para. 22. 17 Blencoe v. British Columbia (Human Rights Commission), 2000 SCC 44, [2000] 2 S.C.R. 307 (S.C.C.) at paras. 49-51. 547 / Untangling the Web of Canadian Privacy Laws the way to argue that the right to liberty also encompasses breaches of personal privacy.18
IV. PRIVACY LEGISLATION IS QUASI-CONSTITUTIONAL In addition to recognizing that personal privacy is the underlying purpose of some Charter Rights, the Supreme Court has declared privacy laws to be quasi- constitutional. Laws with quasi-constitutional status “save . . . constitutional laws [are] more important than all others.”19 As John Helis writes in his book, Quasi-Constitutional Laws of Canada, privacy laws are therefore meant to perform a more fundamental role and to have primacy over ordinary statutes: . . . At a theoretical level, quasi-constitutionality is a statutory and common law form of fundamental law with theoretical links to the underlying principles of the Constitution. This fundamental character results in a special approach to the interpretation and application of quasi-constitutional statutes, even vis-a`-vis other laws, despite the fact that they are enacted through the regular legislative process. This approach includes two salient features that are rooted in statutory interpretation. First, the courts have adopted a broad, liberal and purposive approach to the interpretation of quasi-constitutional statutes, which expands the rights these statutes protect. Second, quasi-constitutional statutes hold primacy and supersede regular statutes in the interpretive exercise. Primacy affects the interpretation of a regular statute, which must be interpreted in a manner that avoids conflict with quasi- constitutional statutes. Quasi-constitutional statutes are therefore not subject to the doctrine of implied repeal. They are always prioritized in the interpretive exercise over regular statutes. Most significantly, when a provision in a regular statute cannot be interpreted in a manner that avoids conflict with a quasi-constitutional one, a court or tribunal, in some instances, can declare the impugned provision inoperable or devise a comparable remedy. The primacy of quasi-constitutional legislation therefore provides a form of judicial review that is distinct from constitutional supremacy.20 The Supreme Court has held that quasi-constitutional laws are fundamental laws and therefore must be given a broad, liberal and purposive interpretation. They supersede other laws when a conflict arises, and they cannot be altered or amended or repealed or subject to exceptions except by clear legislative enactment.21 Quasi-constitutional laws not only have primacy over other
18 Section 2 of the Charter protects freedom of association and could potentially be used to preclude invasions of privacy which interfere with the rights of Canadians to associate in environments which are under government or private surveillance. The breadth of the right protected by section 2 is examined in Moretto v. Canada (Citizenship and Immigration), 2018 FC 71 (F.C.) at para. 84, affirmed 2019 CarswellNat 5583 (F.C.A.), leave to appeal refused Massimo Thomas Moretto v. Minister of Citizenship and Immigration, 2020 CarswellNat 1101 (S.C.C.). 19 Lavigne v. Canada (Office of the Commissioner of Official Languages), supra note 2 at at para. 24. 20 John Helis, Quasi Constitutional Laws of Canada, (Toronto: Irwin Law, 2018) at 1-2. Annual Review of Civil Litigation / 548 legislation but also over private law instruments, such as contracts and collective agreements, which cannot be used to diminish quasi-constitutional rights.22 As explored more fully below, there are two kinds of privacy rights protected by legislation. The first protects personal information held by government institutions, such as the federal Privacy Act.23 The second protects personal information in the private sector and concerns the collection, use and disclosure of that information.24 The Supreme Court of Canada has held that both kinds of privacy laws are quasi-constitutional. “They have received this label by the courts because they are of fundamental importance, of fundamental value in our society and indeed fundamental in the Canadian legal system.”25 With respect to privacy legislation which protects personal information held by government, in Lavigne v. Canada (Office of the Commissioner of Official Languages),26 in the context of interpreting the federal Privacy Act, the Supreme Court described the protection of privacy as necessary to the preservation of a free and democratic society and recognized the quasi-constitutional status of privacy laws: The Privacy Act is a reminder of the extent to which the protection of privacy is necessary to the preservation of a free and democratic society. In Dagg v. Canada (Minister of Finance), 1997 CanLII 358 (SCC), [1997] 2 S.C.R. 403, at paras. 65-66, La Forest J. wrote (although he dissented, he spoke for the entire Court on this point): The protection of privacy is a fundamental value in modern, democratic states; see Alan F. Westin, Privacy and Freedom (1970), at pp. 349-50. An expression of an individual’s unique personality or personhood, privacy is grounded on physical and moral autonomy — the freedom to engage in one’s own thoughts, actions and decisions; see R. v. Dyment, 1988 CanLII 10 (SCC), [1988] 2 S.C.R. 417, at p. 427, per La Forest J.; see also Joel Feinberg, ‘‘Autonomy, Sovereignty, and Privacy: Moral Ideals in the Constitution?” (1982), 58 Notre Dame L. Rev. 445. Privacy is also recognized in Canada as worthy of constitutional protection, at least in so far as it is encompassed by the right to be free from unreasonable searches and seizures under s. 8 of the Canadian Charter of Rights and Freedoms; see Hunter v. Southam Inc., 1984 CanLII 33 (SCC), [1984] 2 S.C.R. 145. Certain privacy interests may also inhere in the s. 7 right to life, liberty and security of the person; see R. v. Hebert, 1990 CanLII 118 (SCC), [1990] 2 S.C.R. 151, and R. v. Broyles, 1991 CanLII 15 (SCC), [1991] 3 S.C.R. 595.27
21 Law Society of Upper Canada v. Skapinker, [1984] 1 S.C.R. 357 (S.C.C.) at para. 10. 22 Helis, supra note 20 at 93. 23 R.S.C., 1985 c. P-21. 24 Helis, supra note 20 at 6. 25 Ibid. at 1. 26 2002 SCC 53, [2002] 2 S.C.R. 773 (S.C.C.) at para. 22. 27 Lavigne v. Canada (Office of the Commissioner of Official Languages), supra note 2 at paras. 24-25; See more recently Douez v. Facebook, Inc., 2017 SCC 33, [2017] 1 S.C.R. 751 (S.C.C.) at para. 59. 549 / Untangling the Web of Canadian Privacy Laws
The Supreme Court developed the analysis further in H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General) which concerned ‘‘the delicate balance between privacy and access to information.”28 In that case, a federal agency received a request under the Federal Access to Information Act (the “Access Act”) to access records within the control of Heinz. Despite Heinz’s objection that the documents referenced confidential business and scientific information, the agency determined that the records should be disclosed with redactions. Heinz commenced a review pursuant to the Access Act relying upon the business information exemption as well as the personal information exemption in s. 19 of the Access Act. The Federal Court and Federal Court of Appeal both concluded that Heinz could rely on the personal information exemption. The Supreme Court of Canada agreed, and found that the plain language of the Access Act, together with the legislative intention that it should create a seamless code with the Privacy Act, supported the conclusion that privacy was to be given primacy.29 The Court emphasized the quasi- constitutional nature of personal privacy rights and the right to raise them on an application for judicial review: . . . Where it has come to the attention of a third party that a government institution intends to disclose information which will violate the statutorily mandated, quasi- constitutional privacy rights of an individual, the third party must have the right to raise this concern upon judicial review. A contrary ruling would force individuals to wait until the personal information has been disclosed and the (potentially irreversible) harm done before looking to the Privacy Commissioner or the courts for a remedy. . . . A narrow interpretation of s. 44 would thus weaken the protection of personal information and dilute the right to privacy.30 The Supreme Court recognized the quasi-constitutional nature of privacy legislation which protects personal information in the private sector, in Pro Swing Inc. v. Elta Golf Inc.31 In that case, one of the bases upon which the Court denied enforcement of an order from a foreign jurisdiction was that it would involve disclosure of personal information protected under the Personal Information and Protection of Electronic Documents Act (“PIPEDA”).32 The Court specifically referenced the quasi-constitutional nature of that statute:
28 2006 SCC 13, [2006] 1 S.C.R. 441 (S.C.C.) at para. 3. 29 H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13, [2006] 1 S.C.R. 441 (S.C.C.) at para. 2. 30 Ibid. at para. 63. 31 Pro Swing Inc. v. Elta Golf Inc., 2006 SCC 52, [2006] 2 S.C.R. 612 (S.C.C.). 32 S.C. 2000, c. 5 [PIPEDA]. See equivalent statutes in some provinces Personal Information Act, SBC 2003, c 63; Personal Information Protection Act, SA 2003 c P- 6.5, Act respecting the protection of personal information in the private sector RSQ c P- 39.1. Annual Review of Civil Litigation / 550
The quasi-constitutional nature of the protection of personal information has been recognized by the Court on numerous occasions: H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), [2006] 1 S.C.R. 441, 2006 SCC 13, at para. 28; Lavigne v. Canada (Office of the Commissioner of Official Languages), [2002] 2 S.C.R. 773, 2002 SCC 53, at para. 24; Dagg v. Canada (Minister of Finance), 1997 CanLII 358 (SCC), [1997] 2 S.C.R. 403, at paras. 65-66. In Burns, the Court required assurances that our constitutional protections would be extended to individuals found on Canadian soil; in the same way, courts should be mindful of the values that merit constitutional or quasi-constitutional protection. In light of the quasi-constitutional status attributed to privacy, the order enjoining Elta to provide all credit card receipts, accounts receivable, contracts, etc. could be problematic. The range of documents is wide and most of them contain personal information that might be protected. 33 Similarly, in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401,34 the Supreme Court, relying on Dagg and Heinz found that Alberta’s version of PIPEDA35 is quasi-constitutional and stated that the ‘‘protection of privacy in a vibrant democracy cannot be overstated.”36 Most recently in Douez v. Facebook, Inc.37 the Supreme Court considered the effect of a forum selection clause in Facebook’s user agreements. The Court found the clause unenforceable. In this context, the majority described the quasi- constitutional nature of privacy and the importance of breaches of privacy with the growth of the internet as follows: At issue in this case is Ms. Douez’s statutory privacy right. Privacy legislation has been accorded quasi-constitutional status (Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773, at paras. 24-25). This Court has emphasized the importance of privacy — and its role in protecting one’s physical and moral autonomy — on multiple occasions (see Lavigne, at para. 25; Dagg v. Canada (Minister of Finance), 1997 CanLII 358 (SCC), [1997] 2 S.C.R. 403, at paras. 65-66; R. v. Dyment, 1988 CanLII 10 (SCC), [1988] 2 S.C.R. 417, at p. 427). As the chambers judge noted, the growth of the Internet, virtually timeless with pervasive reach, has exacerbated the potential harm that may flow from incursions to a person’s privacy interests. In this context, it is especially important that such harms do not go without remedy. And since Ms. Douez’s matter requires an interpretation of a statutory privacy tort, only a local court’s interpretation of privacy rights under the Privacy Act will provide clarity and certainty about the scope of the rights to others in the province.38
33 Pro Swing Inc. supra note 31, para. 60. 34 2013 SCC 62, [2013] 3 S.C.R. 733 (S.C.C.) at para. 22. 35 Personal Information Protection Act, SA 2003, c P-6.5 [PIPA]. 36 Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, [2013] 3 S.C.R. 733 (S.C.C.) at para. 26; See also Mountain Province Diamonds Inc. v. De Beers Canada Inc., 2014 ONSC 2026 (S.C.J.) at para. 37. 37 2017 SCC 33, [2017] 1 S.C.R. 751 (S.C.C.) at para. 59. 551 / Untangling the Web of Canadian Privacy Laws
The primacy of privacy laws depends upon their quasi-constitutional status, not on the existence of a primacy provision in a particular statute. Some privacy statutes contain a primacy provision that states that the statute prevails over any other acts. For example, Ontario’s Municipal Freedom of Information and Protection of Privacy Act provides that ‘‘this Act prevails over a confidentiality provision in any other Act unless the other Act or this Act specifically provides otherwise.”39 Alberta’s PIPA,40 which concerns privacy in the private sector, contains a similar primacy provision. However, a primacy provision is not required to give privacy laws primacy. For example, although the Federal Privacy Act does not contain a primacy provision, the Supreme Court of Canada recognized its primacy in HJ Heinz to decide that privacy took precedence over access to information: The intimate connection between the right of access to information and privacy rights does not mean, however, that equal value should be accorded to all rights in all circumstances. The legislative scheme established by the Access Act and the Privacy Act clearly indicates that in a situation involving personal information about an individual, the right to privacy is paramount over the right of access to information, except as prescribed by the legislation. Both Acts contain statutory prohibitions against the disclosure of personal information, most significantly in s. 8 of the Privacy Act and s. 19 of the Access Act. Thus, while the right to privacy is the driving force behind the Privacy Act, it is also recognized and enforced by the Access Act.41 [emphasis added] It is the fundamental nature of privacy rights that distinguish them from other rights acquired by law and not a primacy clause. “Fundamental rights in statutory or common law form help advance the foundational constitutional principles and accordingly are recognized as quasi-constitutional.”42 A consequence of the primacy of privacy legislation is that privacy laws cannot be overridden except by clear statutory language.43
38 Douez v. Facebook, Inc., supra note 27 at para. 59. 39 Municipal Freedom of Information and Protection of Privacy Act, RSO 1990, c. M. 56, s. 53(1). 40 SA 2003, c. P-6.5, s. 4(6). 41 H.J. Heinz, supra note 29 at para. 26; see also Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403 (S.C.C.) at para. 48. Where two quasi constitutional statutes “appear to conflict, both must be interpreted broadly, liberally and purposively, and one is not to be interpreted as being subordinate to the other. To the extent possible, quasi- constitutional statutes are to be interpreted harmoniously.” John Helis, Quasi Constitutional Laws of Canada, (Toronto: Irwin Law, 2018) at 6. 42 Helis, supra note 20 at 185. 43 “Courts and tribunals accordingly will not accept that a legislature intended to override the primacy of a quasi-constitutional statute short of clear statutory language that explicitly invokes the override.” John Helis, Quasi Constitutional Laws of Canada, Annual Review of Civil Litigation / 552
V. WHEN DOES A BREACH OF PRIVACY FIT INTO THE STATUTORY REGIME?
1. The Legislative Scheme Canadian legislation is essentially an array of data protection laws which cover privacy concerns relating to the collection, use or disclosure of personal information. Collecting personal information gives rise to a risk of subjective harms like the feeling of being under surveillance; disclosing personal information gives rise to the subjective harm of humiliation or embarrassment; and using personal information gives rise to a risk of objective harms like discrimination, financial or physical harm.44 Canadian legislation covers the privacy of personal information on two fronts: the privacy of personal information held by government institutions and the privacy of personal information held by private sector organizations.45 The first type of privacy is protected by statutes like the Federal Privacy Act46 and its provincial equivalents which protect personal information about individuals held by government and provide individuals with a right of access to that information. The second type of privacy is covered by PIPEDA47 and its provincial equivalents, which protect the collection, use and disclosure of personal information by private sector organizations. Before exploring the legislative scheme, it is important to understand what “personal information” it protects. Since privacy legislation in both the public and private sectors has quasi-constitutional status,48 personal information in both contexts is given a broad interpretation. In a number of decisions, the Federal Court has applied a broad and purposive approach to interpreting privacy statues and found that “personal information” is deliberately broad.49 In Sutherland v. Canada, the Federal Court explained that personal information is protected unless it is established that an exception applies; “a party wishing to
(Toronto: Irwin Law, 2018) at 192; Ontario (Community Safety and Correctional Services) v. Ontario (Information and Privacy Commissioner), 2014 SCC 31, [2014] 1 S.C.R. 674 (S.C.C.) at para. 33. 44 Charnetski, supra note 8 at 220-25. 45 Helis, supra note 20 p.6. 46 Ibid. at 68. 47 PIPEDA, supra note 32. Personal Information Act, SBC 2003, c 63; Personal Information Protection Act, SA 2003 c P-6.5, Act respecting the protection of personal information in the private sector RSQ c P-39.1. 48 The quasi-constitutional nature of all kinds of privacy legislation is discussed more fully below. 49 Canada (Privacy Commissioner) v. Canada (Labour Relations Board), [1996] 3 F.C. 609 (Fed. T.D.) at para. 48, affirmed (2000), (sub nom. Privacy Commissioner (Canada) v. Canada Labour Relations Board) 180 F.T.R. 313 (Fed. C.A.). 553 / Untangling the Web of Canadian Privacy Laws demonstrate that information about an identifiable individual is not ’personal information’ must show that an exception applies.” 50 Generally speaking, the courts regard information as personal if the information is about an ‘‘identifiable individual”. An individual is ‘‘identifiable” if the individual can be identified by combining the disclosed information with publicly available information.51 2. Privacy Act
(a) General scheme of the Privacy Act The Canadian Privacy Act52 is quasi-constitutional legislation that regulates the collection, use and disclosure of “personal information” held by federal government institutions.53 Federal institutions include any department or ministry of the Government of Canada, any government body in the lengthy list of specific federal government institutions under the Privacy Act, and a parent Crown corporation or a wholly-owned subsidiary of a Crown corporation.54 The Act applies to personal information broadly defined as “information about an identifiable individual that is recorded in any form”.55 Government institutions may collect personal information directly related to an operating program or activity, directly from the subject individual, and must ensure that the information is accurate, up-to-date and complete.56 Collected information cannot be used by the institution for a purpose other than or inconsistent with the purpose for which it was collected without the individual’s consent.57 A government institution cannot disclose personal information except
50 Sutherland v. Canada (Minister of Indian and Northern Affairs), [1994] 3 F.C. 527 (Fed. T.D.) at para. 22. 51 Girao v. Zarek Taylor Grossman, Hanrahan LLP, 2011 FC 1070 (F.C.) at para. 32; relying upon Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2005 FC 384 (F.C.) at para. 43, reversed 2006 FCA 157 (F.C.A.), leave to appeal refused 2007 CarswellNat 800, [2006] S.C.C.A. No. 259 (S.C.C.). 52 R.S.C. 1985, c. P-21. 53 Office of the Privacy Commissioner of Canada. Summary of privacy laws in Canada. online:
para. 69; Prairie North Health Region and CUPE, Local 5111 (Employee Name Tags), Re, 2015 CarswellSask 768 (Sask. Arb.) at para. 136. 58 The Privacy Act, supra note 52, s 7(a)-(b),s 8(1)-(2). including: (a) for a purpose for which the information was obtained or compiled; (b) for purpose in accordance with any Act of Parliament or regulation; (c) for legal proceedings involving the Crown or the Government of Canada; (d) to an investigative body specified in the regulations for the purpose of enforcing a law of Canada or a province or carrying out an investigation; and (e) where a head of an institution opines that the public interest and the benefit to the subject of the information outweighs concerns with invasion of privacy. The head of a government institution must refuse to disclose any record requested that contains personal information, except where the individual consents, the information is publicly accessible, or disclosure is in accordance with section 8 of the Act. Access to Information Act, R.S.C., 1985, c. A-1, s 19(1)-(2). [Access Act] 59 Privacy Act, supra note 52, s. 69(2) provides that sections 7 and 8 do not apply to publicly available information. 60 Martin v. Canada (Minister of Health), 2016 FC 796 (F.C.) at paras. 53-57; Luka´cs v. Canadian Transportation Agency, 2015 FCA 140 (F.C.A.) at para. 69 61 Husky Oil Operations Ltd. v. Canada-Newfoundland and Labrador Offshore Petroleum Board, 2016 FC 117 (F.C.) at paras. 13-15, affirmed 2018 FCA 10 (F.C.A.). 62 R.S.C. 1985 c. A-1.[Access Act]. 63 Barbara McIsaac, Kris Klein & Shaun Brown, Privacy Law in Canada, Volume 1 (Toronto: Thomson Reuters, 2018), Law of Privacy in Canada, Section 3.1.5. 64 Access Act, supra note 62, s 6. 65 Canada Post Corp. v. Canada (Minister of Public Works),(sub nom. Societe canadienne des postes v. Canada) [1995] 2 F.C. 110 (Fed. C.A.) at paras. 28-29; also see: Canada (Privacy Commissioner) v. Canada (Labour Relations Board) (2000), (sub nom. Privacy Commissioner (Canada) v. Canada Labour Relations Board) 180 F.T.R. 313 (Fed. C.A.) at paras. 6-8. 66 Access Act, supra note 58, s.19 (1) Subject to subsection (2), the head of a government institution shall refuse to disclose any record requested under this Part that contains personal information. 555 / Untangling the Web of Canadian Privacy Laws statutes ‘‘privacy is paramount over access.”67 This view is consistent with the quasi-constitutional nature of privacy legislation and was reiterated by the Supreme Court in H.J. Heinz Co: . . . This Court has stated on numerous occasions that the Privacy Act and the Access Act must be read together as a ‘‘seamless code”: Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police), [2003] 1 S.C.R. 66, 2003 SCC 8 (‘‘RCMP”), at para. 22. The right of access to government information, while an important principle of our democratic system, cannot be read in isolation from an individual’s right to privacy. By including a mandatory privacy exemption in the Access Act itself, Parliament ensured that both statutes recognize that the protection of the privacy of individuals is paramount over the right of access, except as prescribed by law. . . .68 The Courts read the Privacy Act and the Access Act together for consistency in interpretation. For example, the Access Act defines ‘‘personal information” as having the same meaning as section 3 of the Privacy Act.69 The definition of ‘‘personal information” under the Privacy Act is broad but carves out certain exceptions for access to information requests.70 While the courts read these sections together to determine whether access should be given to the requested information, privacy is given precedence.71 (b) Enforcement of the Privacy Act The Privacy Commissioner of Canada (the “Privacy Commissioner”) receives and investigates all complaints under the Privacy Act regarding improper use or
67 Dagg v. Canada (Minister of Finance), supra note 41 at para. 48. 68 H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13, [2006] 1 S.C.R. 441 (S.C.C.) at para. 2. 69 Access Act, s. 3. 70 Privacy Act, supra, note 52, s 3. Courts have held that if no other information is revealed, a person’s name is not personal information. See for example Mackenzie v. Canada (Minister, Department of National Health & Welfare), 1994 CarswellNat 1528 (Fed. T.D.) at paras. 12-13; Noe¨l v. Great Lakes Pilotage Authority Ltd. (1987), [1988] 2 F.C. 77 (Fed. T.D.) at para. 10 71 In Gordon v. Canada (Minister of Health), 2008 FC 258 (F.C.) at paras. 43-44, 53, the Federal Court ruled that fields of information in databases maintained by the Minister of Health constituted personal information which could not be disclosed because in context the information could be used to identify an individual; but also see: Bombardier v. Canada (Public Service Commission), 1990 CarswellNat 145 (Fed. T.D.) where the Federal Court determined that an individual’s public service “basket test” results for assessing management skills did not constitute personal information and Dagg v. Canada (Minister of Finance), supra note 41 at paras. 8-12 where the Supreme Court of Canada considered an access to information request for logs from the Department of Finance which included names, identification numbers, and signatures of employees and the Court held the information disclosed. See also: Canada (Information Commissioner) v. Canada (Secretary of State for External Affairs) (T.D.) (1989), [1990] 1 F.C. 395 (Fed. T.D.) at paras. 17-18. Annual Review of Civil Litigation / 556 disclosure of information by a government institution and improper refusal to provide access.72 She also has power to initiate a complaint where there are reasonable grounds to investigate under the Privacy Act.73 The Privacy Commissioner has broad investigative powers including the power to enter a government institution’s premises, examine information under the institution’s control,74 and inspect and disclose solicitor-client privileged documents when absolutely necessary.75 Once an investigation is complete, and if the Commissioner determines that a complaint is well-founded, the Commissioner reports the results of the investigation and recommends next steps to the head of the government institution in control of the information.76 If satisfied that the government institution followed its report, the Privacy Commissioner will inform the complainant of the results of the investigation.77 An individual refused access to personal information under section 41 of the Privacy Act may apply to the Federal Court for judicial review and the Court may grant relief if the refusal to provide information was unlawful.78 If a complainant applies to the Federal Court without first filing a complaint with the Privacy Commissioner, the application will be denied as premature.79
72 Ibid., s 29(1). 73 Ibid., s 29(3). 74 Ibid., s 34-35. 75 Canada (Information Commissioner) v. Canada (Minister of Environment) (2000), 187 D.L.R. (4th) 127 (Fed. C.A.) at paras. 11, 21, leave to appeal refused 2000 CarswellNat 2725 (S.C.C.) However, see decisions where interpretation of other privacy statutes led to conclusion that there was no intention for the Commissioner’s powers to extend to solicitor-client privileged documents, including the Commissioner of Canada’s powers under PIPEDA in Blood Tribe (Department of Health) v. Canada (Privacy Commissioner), 2006 FCA 334, [2007] 2 F.C.R. 561 (F.C.A.) at para. 29, affirmed 2008 CarswellNat 2244 (S.C.C.), or the Privacy Commissioner of Alberta’s powers under the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25 in Alberta (Information and Privacy Commissioner) v. Alberta Teachers’ Association, 2011 SCC 61, (sub nom. Alberta (Information & Privacy Commissioner) v. Alberta Teachers’ Association) [2011] 3 S.C.R. 654 (S.C.C.) at para. 49. 76 If the head of the government institution intends to not follow the Federal Commissioner’s recommendations, they must explain why. Privacy Act, supra, note 52, s 35(1). 77 Ibid., s 35(3) and 35(5). 78 Privacy Act, supra, note 52, s 41;Wheaton v. Canada Post Corp. (2000), 186 F.T.R. 108 (Fed. T.D.) at paras. 16-18; Doyle v. Canada (Minister of Human Resources Development), 2011 FC 471 (F.C.) at paras. 21-24; also see: Clancy v. Canada (Minister of Health), 2002 CarswellNat 3717 (Fed. T.D.) at paras. 10-12 and for a similar decision, but applied to the Access Act. Relief will not be granted if an institution merely advised the complainant that the requested records do not exist Friesen v. Canada (Health), 2017 FC 1152 (F.C.) at paras. 10-11; Olumide v. Canada (Attorney General), 2016 FC 934 (F.C.) at para. 18; Blank v. Canada (Minister of Justice), 2016 FCA 189 (F.C.A.) at para. 36, leave to appeal refused 2017 CarswellNat 205, [2016] S.C.C.A. No. 403 (S.C.C.). 557 / Untangling the Web of Canadian Privacy Laws
If the Federal Court decides judicial review is appropriate, the Court may review the institution’s decision to refuse access or the Privacy Commissioner’s procedures and decisions. 80 The standard of review of the Commissioner’s decision before the Federal Court has recently undergone significant change. Previously, the Federal Court ruled that the standard of review for a government institution’s refusal to disclose records was correctness and the standard of review for a Privacy Commissioner’s discretionary investigative decision was reasonableness. However, in Canada (Minister of Citizenship and Immigration) v. Vavilov, the Supreme Court held that reasonableness is the presumptive standard of review for all administrative decisions.81 This presumption is rebutted where there is clear indication of legislative intent otherwise, or the rule of law requires the standard of correctness to be applied because of a constitutional question, a general question of law of central importance to the legal system, or a question related to the jurisdictional boundaries between administrative bodies. The reasonableness standard would therefore likely apply to a decision of a federal institution denying disclosure of information and to the Privacy Commissioner’s investigative decision.82 The Privacy Act is not a comprehensive regime; it leaves room for its application in tandem with provincial acts.83 However, there are no civil remedies available for violations of the Privacy Act, such as unauthorized disclosure of personal information.84 With the relatively recent recognition of
79 Blank v. Canada (Minister of Justice), supra note 78 at para. 30; Canada (Information Commissioner) v. Canada (Minister of Environment), supra note 75 at paras. 15-20; Statham v. Canadian Broadcasting Corp., 2010 FCA 315 (F.C.A.) at para. 55. 80 Federal Courts Act, R.S.C., 1985, c. F-7, s. 18(1). 81 Canada (Minister of Citizenship and Immigration) v. Vavilov, 2019 SCC 65 (S.C.C.) at para. 10. 82 In Thomas v. Canada (Public Safety and Emergency Preparedness), 2020 FC 290 (F.C.) the Federal Court referenced Vavilov in dismissing an application for judicial review of a decision of a Canada Border Services Agency officer. In challenging the officer’s decisions to charge him with breaches of the Customs Act and Export and Support of Rough Diamonds Act, the Applicant sought a confidentiality order, relying on protections from disclosure under section 45 of the Privacy Act. In dismissing the application Justice Pentney noted that, following Vavilov, reasonableness is the presumptive standard in reviewing the officer’s decision, which the Court held was reasonable. 83 See for example: Romana v. The Canadian Broadcasting Corporation et al, 2016 MBQB 33 (Q.B.) at paras. 22-24 wherein the Manitoba Court of Queen’s Bench refused to strike out portions of a statement of claim that relied upon the Manitoba Privacy Act, C.C.S.M. c. P125 and rejected arguments that the Federal Privacy Act alone constituted a comprehensive legislative regime. 84 See for example Kim v. Canada, 2017 FC 848 (F.C.) at para. 24, where the Federal Court of Canada refused to recognize an independent tort of statutory breach; or where the Federal Court ruled that it and the Privacy Commissioner lacked jurisdiction to award monetary damages in an application for judicial review. Annual Review of Civil Litigation / 558 the tort of intrusion upon seclusion, explored below,85 some commentators have queried whether a civil remedy will be fashioned for breach of the Privacy Act.86 For now the Privacy Act and Access Act, constitute the primary means of requesting personal information from and seeking recourse against federal public institutions. 3. The Personal Information Protection and Electronic Documents Act
(a) General scheme of PIPEDA PIPEDA87 is quasi-constitutional legislation that affects personal information in the hands of commercial organizations.88 While section 4(3) provides that PIPEDA takes primacy over other legislation, its quasi- constitutional status gives PIPEDA primacy over other legislation even without the existence of that section.89 PIPEDA’s stated purpose is a response to an “era in which technology increasingly facilitates the circulation and exchange of information”,90 However, PIPEDA was initially a response to international pressure.91 In 1995, the European Commission established a Directive on personal data and protection which required countries receiving data from a member state to have adequate protections.92 The Directive was superseded by European Union Regulation (EU) 2016/67993 which expressed the same objective of European Union-wide data privacy. The Privacy Commissioner
85 See for example: Jones v. Tsige, 2012 ONCA 32 (C.A.) at para. 86. 86 McIsaac, supra note 63, 3.1.10.1. 87 S.C. 2000, c. 5. See statutes in provinces with ‘‘substantially similar” legislation Personal Information Act, SBC 2003, c 63; Personal Information Protection Act, SA 2003 c P-6.5, Act respecting the protection of personal information in the private sector RSQ c P-39.1. 88 Mountain Province Diamonds Inc. v. De Beers Canada Inc., 2014 ONSC 2026 (S.C.J.) at para. 37; Blood Tribe (Department of Health) v. Canada (Privacy Commissioner), 2006 FCA 334, [2007] 2 F.C.R. 561 (F.C.A.) at para. 24, affirmed 2008 CarswellNat 2244 (S.C.C.); Eastmond v. Canadian Pacific Railway, 2004 FC 852 (F.C.) at para. 100; With respect to equivalent legislation in British Columbia see Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, [2013] 3 S.C.R. 733 (S.C.C.) at para. 19. 89 S. 4(3) ‘‘Every provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part.” 90 Ibid., s 3. 91 McIsaac, supra note 63, 4.1.1. 92 European Commission, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, s 57, Article 25.1-25.2. 93 European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2017 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 44. 559 / Untangling the Web of Canadian Privacy Laws continues to seek guidance from the European Union and international authorities to modernize PIPEDA.94 PIPEDA applies to private institutions nation-wide except in provinces that have enacted ‘‘substantially similar” privacy legislation which presently includes Quebec, Alberta and British Columbia.95 Federally regulated organizations that conduct business in Canada, and their employees’ information, are also subject to PIPEDA.96 The Act applies to the collection, use or disclosure of personal information by an organization in the course of “commercial activities”.97 In Englander v. Telus Communications Inc., the Federal Court of Appeal described PIPEDA as a “compromise both as to substance and to form”, balancing individual privacy interests with commercial needs of organizations.98 An “organization” under PIPEDA includes an association, partnership, person or trade union.99 However, identifying “commercial activity” is more difficult. PIPEDA defines commercial activity to include any particular transaction, act or regular course of conduct that is of a commercial character.100 Charitable and non-profit organizations engaged in commercial activities are not exempt from PIPEDA.101 In Ontario Regional Assessment Commissioner v. Caisse Populaire du Heart Lte´e the Supreme Court of Canada held that if the “preponderant purpose” of an organization is other than to
94 See for example: Office of the Privacy Commissioner of Canada, Policy and Research Group, “A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act” (2016), online: < https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-re- search/2016/consent_201605/>. 95 PIPEDA, s. 26(2); In Quebec, starting November 19, 2003, as per the Organizations in the Province of Quebec Exemption Order, SOR/2003-374; In Alberta, starting October 12, 2004, as per the Organizations in the Province of Alberta Exemption Order, SOR/ 2004-219; in British Columbia, starting October 12, 2004, as per the Organizations in the Province of British Columbia Exemption Order, SOR/2004-220. 96 Office of the Privacy Commissioner, Summary of privacy laws in Canada, January 2018, online:
102 Ontario Regional Assessment Commissioner v. Caisse Populaire du Hearst Lte´e, [1983] 1 S.C.R. 57 (S.C.C.); also see: 103 Rodgers v. Calvert, 2004 CarswellOnt 3602, [2004] O.J. No. 3653 (Ont. S.C.J.) at paras. 55-56. By contrast, in T. (A.) v. Globe24h.com, 2017 FC 114 (F.C.) at paras. 65-66 the Federal Court ruled that a Romanian website which charged individuals to remove information regarding their involvement in legal proceedings from its search engines was commercial activity. 104 Officer of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2009- 008: Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information protection and Electronic Documents Act, online:
109 Office of the Privacy Commissioner, PIPEDA Case Summary #2002-54: Couple alleges improper disclosure of telephone records to a third party, online:
118 Office of the Privacy Commissioner of Canada, The Application of PIPEDA to Municipalities, Universities, Schools and Hospitals, December 2015. online: < https:// www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information- protection-and-electronic-documents-act-pipeda/rop/0205d25/>. 119 PIPEDA, s 5(1), Schedule 1. 120 Ibid., s 5(3); see an example of application in: Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #2002-106: Pilot required to consent to open-ended collection and disclosure of personal information, online:
Third, organizations must obtain consent from individuals, consider their reasonable expectations, and provide an opportunity to withdraw consent any time.125 An organization cannot require an individual to consent to more than is necessary to fulfill the organization’s purposes.126 For example, Facebook is not required to seek permission to upload user contact information on its site, but must seek consent from non-users.127 Implied consent may be used only if the information is not sensitive.128 Opt-out consent may be used if the information is non-sensitive, the information-sharing and purposes are limited and well defined, and the organization has clear opt-out or withdrawal of consent procedures.129 Information may be collected without consent if collection is in the individual’s interest and consent cannot be obtained in a timely way, or if collection is for the purpose of disclosure to a government institution, or investigative party, or as required by law.130 Information may be disclosed without consent in limited circumstances, including where necessary for national security or defence.131
Report of Findings into the Complaint by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act“ online:
Fourth, organizations must limit collection, retention or disclosure to personal information that is required for purposes properly identified by an organization. This principle is closely tied to the identified purpose principle and is intended to prevent collection through deception.132 Fifth, an organization’s use, disclosure and retention of personal information should be limited to purposes for which it was collected, except with consent, as required by law or in accordance with subsections 7(2) and (3) of PIPEDA. The information should be destroyed after it has been used for its intended purpose,133 unless the information is subject to a request.134 The Federal Court has ruled that an organization is not required to retain or disclose information outside of the scope of information it reasonably collects, uses or discloses in the course of its business operations.135 Sixth, organizations are required to ensure that personal information in their possession is accurate, complete and up-to-date as required for the purposes for which it is used.136 The Federal Court has ruled that this standard should be followed despite “industry standards” to the contrary.137 Seventh, organizations must ensure information is protected by sufficient security safeguards, including protection against theft or loss, commensurate with the sensitivity of the information.138 Physical, organizational and technological measures must be taken, in addition to care with disposal or destruction of information.139 For example, the Privacy Commissioner found that an organization’s failure to institute adequate safeguards over personal account information was a violation of PIPEDA.140
131 PIPEDA, s 7(3)(c.1); Ontario Power Generation Inc. v. Society of Energy Professionals, 2004 CarswellOnt 4296 (Ont. Arb.). 132 PIPEDA, Schedule 1, 4.4.1 — 4.4.3. 133 Ibid., Schedule 1, 4.5.1, 4.5.3. 134 Ibid., s 8(8), an organization that has personal information subject to a request shall retain the information for as long as necessary to allow the requester to exhaust all available recourse. 135 Johnson v. Bell Canada, supra note 98 at paras. 49, 52. 136 PIPEDA, 52, Schedule 1, 4.6.1; also see: PIPEDA Case Summary #2006-344: Couple’s safety deposit box opened in error. online:
Eighth, organizations’ practices must promote openness, making information about its policies and practices concerning management of personal information available in a variety of ways.141 Ninth, upon request, an individual must be informed of the existence, use and disclosure of their personal information and be given individual access to it. The organization must respond to requests for access within a reasonable period of time and amend inaccurate information.142 Tenth, an individual is entitled to challenge an organization’s compliance with the Model Code. Organizations must implement, and advise complainants of, procedures to address complaints; investigate complaints; and take steps to remedy legitimate complaints.143 An organization which fails to address legitimate concerns, may be the subject of a complaint to the Federal Privacy Commissioner. In response to a complaint that Microsoft failed to change a customer’s email address on his account despite multiple attempts, the Commissioner determined that Microsoft breached PIPEDA. Microsoft adopted technical solutions to avoid future non-compliance.144 (c) Enforcement of PIPEDA Similar to the Privacy Act, the Privacy Commissioner has power under PIPEDA to receive complaints, conduct investigations, and issue reports. The Commissioner may also initiate complaints herself if there are reasonable grounds to investigate.145 Upon receiving a complaint, the Privacy Commissioner must investigate except where reasonable grievance procedures have not been exhausted,146 procedures provided for under federal or provincial laws are more appropriate for dealing with the complaint,147 or the complaint
141 PIPEDA, Schedule 1, 4.8.1 to 4.8.3. 142 PIPEDA, Schedule 1, 4.9.1 to 4.9.5, s 8. Minimal fees may be charged in connection with access. PIPEDA, , Schedule 1, 4.9.4; also see: Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #2006-341: Fees and the role of a medical practitioner considered in denial of access complaint, online:
company because the documents could have been requested in ongoing civil litigation. Office of the Privacy Commissioner, PIPEDA Case Summary #2010-001, Commissioner does not issue report to individual seeking access to her personal information being withheld for reasons of solicitor-client privilege, online: < https://www.priv.gc.ca/en/opc-actions- and-decisions/investigations/investigations-into-businesses/2010/pipeda-2010-001/>. 148 PIPEDA, s 12(1). 149 Including the right to: issue and enforce summons; compel testimony and documentary disclosure; administer oaths; receive any form of evidence of information; enter any premises occupied by an organization, other than a dwelling house, after satisfying security requirements; conduct inquiries; privately consult with any persons; or take extracts from any documents PIPEDA, s 12.1(1). However, there are limits to the Commissioner’s investigative powers. For example, in Blood Tribe (Department of Health) v Canada (Privacy Commissioner), the Supreme Court of Canada ruled that the Federal Commissioner’s powers, both expressly or impliedly, do not extend to ordering production of solicitor-client privileged documents. Blood Tribe Department of Health v. Canada (Privacy Commissioner), 2008 SCC 44, (sub nom. Canada (Privacy Commissioner) v. Blood Tribe Department of Health) [2008] 2 S.C.R. 574 (S.C.C.) at paras. 21-22, 31 nor can a commissioner require an organization to justify its assertion of privilege through affidavit. 150 Lawson v. Accusearch Inc., 2007 FC 125 (F.C.) at paras. 40-43. In Lawson v. Accusearch Inc., the Federal Court ruled that the Commissioner should have investigated a complaint against an American online business for collecting and disclosing personal information about Canadian background checks. Also see: T. (A.) v. Globe24h.com, 2017 FC 114 (F.C.). The Commissioner has made similar decisions. Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #2007-365: Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered, online: < https://www.priv.gc.ca/en/opc-actions-and-decisions/ investigations/investigations-into-businesses/2007/pipeda-2007-365/>. 151 Under section 28(1) of PIPEDA, any organization that knowingly contravenes sections 8(8) (retention of records), 10.1(reporting breaches of security safeguards), 10.3(1) (maintenance of records) or 27.1 (disclosure of information by employee to the Commissioner) or obstructs the Commissioner or their delegate in investigation of complaint or in the course of an audit is guilty of an offence. The penalties are either an offence punishable under summary conviction with a fine not exceeding $10,000 or an indictable offence and a fine not exceeding $100,000. 152 PIPEDA, s 13. 567 / Untangling the Web of Canadian Privacy Laws
Federal Court’s jurisdiction is limited to matters complained of to the Commissioner, referred to in a Commissioner’s Report, or specified in section 14.154 The Commissioner may also apply to the Court for a hearing either with the consent of the complainant, on behalf of the complainant, or with leave of the Court.155 An application to Federal Court is a de novo proceeding; the Commissioner’s report is afforded no deference and is treated as evidence.156 The Federal Court determines whether the complaint is justified and will only grant relief in respect of actual (not attempted) breaches of PIPEDA.157A complainant may also seek judicial review of the Commissioner’s report but only after exhausting an application under section 14.158 The Federal Court has broad jurisdiction under PIPEDA to grant remedies to a successful complainant. In addition to “any other remedies”, the Court may order an organization to correct its practices to comply with PIPEDA, order an organization to publish a notice of action taken or proposed to be taken or award damages.159 In Randall v. Nubodys Fitness Centres the Federal Court held that damages will only be awarded under PIPEDA in egregious situations, where the breach is of a very serious and violating nature.160 In that case, the Privacy Commissioner found that a fitness centre had improperly disclosed to the complainant’s employer how frequently the complainant used the fitness centre. The Commissioner determined that the complaint was well-founded and recommended that the fitness centre modify its procedures for using and disclosing information which the fitness centre did. Relying on Poirier v. Wal- Mart Canada Corp., decided under the BC privacy statute, the Federal Court ruled that damages were not justified because the breach was not of a ‘‘serious and violating nature such as video-taping or wire-tapping”.161
153 PIPEDA, s 14, with contravention required of either sections 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1, in subsection 5(3) or 8(6) or (7), in section 10 or in Division 1.1. 154 Nammo v. Transunion of Canada Inc., supra note 137 at paras. 24-25. 155 PIPEDA, s 15. 156 Vanderbeke v. Royal Bank, 2006 FC 651 (F.C.) at para. 12; also see: Bertucci v. Royal Bank of Canada, 2016 FC 332 (F.C.) at para. 11; Englander v. Telus Communications Inc., supra note 98 at para. 48. 157 For example, in Morgan v Alta Fights Charters Inc., where a Charter flight company unsuccessfully attempted to record its employees’ conversations, the Federal Court held there was no breach because the company did not actually manage to collect and/or use any personal information. Morgan v. Alta Flights (Charters) Inc., 2005 FC 421 (F.C.) at para. 20, affirmed 2006 FCA 121 (F.C.A.); also see: Waxer v. McCarthy, 2009 FC 169 (F.C.); Surrey Creep Catcher, Re, 2017 BCIPC 38 (Information & Privacy Commr.) at para. 54. 158 Kniss v. Canada (Privacy Commissioner), 2013 FC 31 (F.C.) at para. 36. 159 PIPEDA, s 16. 160 Randall v. Nubodys Fitness Centres, 2010 FC 681 (F.C.) at paras. 54-55; also see: Townsend v Sun Life Financial, 2012 FC 550 (F.C.). Annual Review of Civil Litigation / 568
However, in Nammo v. Transunion of Canada Inc., the Federal Court awarded damages against the respondent credit union for disclosing incorrect information about the applicant’s credit score. Although there was no precedent for an award of damages under PIPEDA at the time, the Federal Court awarded the applicant $5,000. The Court reasoned that the respondent’s disclosure was directly linked to refusal of the applicant’s loan, the respondent profited from the disclosure, and the respondent acted in bad faith by failing to take responsibility for or rectify the error in a timely manner.”162 Following Nammo, damages have been awarded in the following cases: (i) $1,500 against a law firm for unauthorized publication of the Privacy Commissioner’s report that a privacy complaint was not well-founded;163 (ii) $5,000 against a website for making the complainant’s litigation-related information easily searchable and charging a fee to remove the informa- tion;164 (iii) $10,000 against a telecommunications provider for failure to highlight its policy of authorizing a credit check that would impact the applicant’s credit score.165 The case law is unclear as to whether provincial courts have jurisdiction over breaches of PIPEDA. In Yakobi v. Canadian Imperial Bank of Commerce, the British Columbia Supreme Court rejected an application brought by a complainant regarding the bank’s alleged privacy breach. The Court held that PIPEDA does not create a statutory cause of action enforceable by superior courts but rather establishes exclusive jurisdiction in the Privacy Commissioner and the Federal Court.166 The Ontario Superior Court has followed Yakobi.167 However, provincial courts have made production orders under PIPEDA. For example in Southlake Regional Health Centre Employees’ Credit Union Ltd., the Ontario Superior Court granted an application by a health centre for an order under section 7(3)(c) of PIPEDA, requiring the respondent credit union to disclose personal information.168 Similarly, in Royal Bank of Canada v. Trang,
161 Randall, supra note 160 paras. 55-56. 162 Nammo v. Transunion of Canada Inc., supra note 137 at para. 71. 163 Girao v. Zerek Taylor Grossman Hanrahan LLP, supra note 107. 164 T. (A.) v. Globe24h.com, supra note 150. 165 Chitrakar v. Bell TV, 2013 FC 1103 (F.C.). 166 Yakobi v. Canadian Imperial Bank of Commerce, 2007 BCSC 923 (S.C.) at para. 113. 167 Lee v. Magna International Inc., 2019 ONSC 102 (S.C.J.) at para. 60, additional reasons 2019 CarswellOnt 3048 (Ont. S.C.J.); also see: Wilson v. Bourbeau, 2009 CarswellOnt 2583 (Ont. Div. Ct.) at para. 56. 168 In the Matter of an Application Under Rules 14.05(3)(d), 2012 ONSC 2530 (S.C.J.) at paras. 1, 13; also see: Mountain Province Diamonds Inc. v. De Beers Canada Inc., 2014 ONSC 2026 (S.C.J.) wherein the Ontario Superior Court refused to order disclosure of documents due to anticipated contravention of section 7(3)(c) of PIPEDA. 569 / Untangling the Web of Canadian Privacy Laws on appeal from Ontario Court of Appeal, the Supreme Court ruled that an order to produce a mortgage discharge statement constituted ‘‘an order made by the court” under section 7(3)(c) of PIPEDA and therefore justified disclosure of personal information.169 While PIPEDA does not create a statutory cause of action for breach of privacy, the Act does not preclude common law tort claims for breach of privacy. In Jones v. Tsige, explored below, the Ontario Court of Appeal ruled that the plaintiff could proceed with a damages claim based on the tort of intrusion upon seclusion without lodging a complaint with the Privacy Commissioner, even though the bank records which had been improperly accessed were subject to PIPEDA.170 (d) Intersection between PIPEDA and the Charter PIPEDA and the Charter intersect because section 7(3) of PIPEDA allows an organization to disclose information to government authorities without an individual’s consent. In R v. Ward, the police relied on section 7(3) of PIPEDA to request records from an Internet Service Provider (ISP) about a customer suspected of accessing and posting child pornography. The police used the information disclosed by the ISP to link the customer’s account to specific Internet activity. The police then obtained a search warrant for the customer’s residence and computer where they seized child pornography. The accused was charged with accessing and possession of child pornography. At trial, the accused argued that the search violated his section 8 Charter right against unreasonable search and seizure and therefore the evidence should be excluded.171 The trial judge rejected the Charter claim and admitted the evidence and the accused was convicted. On appeal, the Ontario Court of Appeal held that disclosure by organizations to government authorities under section 7(3) of PIPEDA is discretionary and should be exercised in accordance with the overarching principle enunciated in section 5(3) that disclosure is for purposes that “a reasonable person would consider are appropriate in the circumstances.”172 The Court dismissed the appeal and upheld the conviction. The Court explained that PIPEDA does not create any police search and seizure powers, rather it sets out the circumstances in which organizations may lawfully choose to disclose personal customer information, which must normally be kept
169 Royal Bank of Canada v. Trang, supra note 128 at paras. 26-27, 50. The SCC also determined that the subject of the personal information had impliedly consented to disclosure. 170 Jones v. Tsige, 2012 ONCA 32 (C.A.) at para. 50. Similar logic was followed in a defamation claim in Chandra v. Canadian Broadcasting Corp., 2015 ONSC 5303 (S.C.J.) at paras. 33-38; Romana v. The Canadian Broadcasting Corporation et al, supra note 83. 171 Under s. 24(2) of the Charter. 172 R. v. Ward, 2012 ONCA 660 (C.A.) at paras. 45, 47. Annual Review of Civil Litigation / 570 confidential, to third parties, including, in some circumstances, the police.173 Further, nothing in PIPEDA empowers the state to interfere with an individual’s rights under section 8 of the Charter.174 However, in R. v. Spencer, on similar facts, the Supreme Court of Canada held that disclosure by an ISP to police investigating child pornography was not justified by PIPEDA and breached the Charter. The Court did not accept that the police gained a new search power through PIPEDA since in the circumstances of that case the police had no power to conduct a search for subscriber information, absent exceptional circumstances or a reasonable law.175 (e) PIPEDA and the Digital Charter While PIPEDA has broad application, critics argue that it fails to adequately address the increasingly complex digital world. In response to these concerns, on June 19, 2018, the Federal Government commenced National Digital and Data Consultations to canvas, amongst other things, privacy and trust.176 These discussions gave birth to the Digital Charter on May 21, 2019, described as a “foundation of trust for Canadians in the digital sphere”.177 The Digital Charter is not a statute, but rather a list of ten draft principles intended to inform the government’s approach to security, consent, control and transparency of data: (a) universal access, promoting equal opportunity for participation in the digital world and the necessary tools to do so; (b) safety and security, so that Canadians can rely on the integrity, authenticity and security of services to feel safe online; (c) control and consent, emphasizing that Canadians will have control over the data they are sharing, who is using their data and for what purposes;
173 Ibid. at para. 46 174 Ibid. at para. 47. The Court also held that Subsection 487.014(1) of the Criminal Code is also germane given the disclosure regime established by PIPEDA: 487.014(1) For greater certainty, no production order is necessary for a peace officer . . . enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing. 175 R. v. Spencer, 2014 SCC 43, [2014] 2 S.C.R. 212 (S.C.C.) at para. 73. 176 Innovation, Science and Economic Development Canada, “Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians” (October 23, 2019) online:
(d) transparency, portability and interoperability, so that Canadians will have clear and manageable access to their personal data with freedom to share or transfer it; (e) open and modern digital government, which will be secure and simple to use; (f) a level playing field, ensuring fair competition in the online marketplace; (g) data and digital for good, emphasizing the ethical use of data to create value, promote openness and improve lives; (h) strong democracy, with the Federal Government defending freedom of expression and protecting against online threats and disinformation; (i) free from hate and violent extremism, ensuring that Canadians can expect digital platforms not to foster or disseminate these threats; and (j) strong enforcement and real accountability, with meaningful penalties.178 In conjunction with the publication of the Digital Charter, the Federal Government released commentary and proposed improvements to PIPEDA including: (a) increasing individuals’ control over their data and organizational transparency in the use of data; (b) focusing on how de-identification is captured by PIPEDA; (c) enhancing individuals’ capacities to delete their information; (d) considering management of de-identified data in PIPEDA by a digital data trust; (e) enhancing the Privacy Commissioner’s powers with respect to education, outreach, audit, advice, guidance and redress for non-compliance; (f) clarifying PIPEDA’s objectives to allow for it to be more easily accessible to individuals and small organizations.179 The Federal Government’s extensive work in considering how best to modernize PIPEDA will likely inform future amendments of the statute. 4. Statutes Protecting Health Information
(a) Generally While PIPEDA covers personal health information, Nova Scotia, Newfoundland and Labrador, New Brunswick and Ontario have adopted their own statutes which are ‘‘substantially similar” and therefore exempt from
178 Canada’s Digital Charter, supra note 177. 179 Innovation, Science and Economic Development Canada, May 21, 2019, “Strengthen- Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information Protection and Electronic Documents Act”. online:
PIPEDA on this issue.180 For example Ontario’s Personal Health Information Protection Act (“PHIPA”) establishes rules for the collection, use and disclosure of personal health information and gives individuals a right to access, correct or amend their personal health information.181 All provinces have health-related rules including health professions legislation, pertinent regulations and profession-specific Codes of Ethics to regulate the conduct and obligations of health professionals. PHIPA specifically provides that where there is a conflict between PHIPA (and its regulations) and other acts or regulations, PHIPA (and its regulations) prevail.182 This section is consistent with the quasi-constitutional nature of privacy legislation which, as noted above, takes primacy over other legislation regardless of the existence of a primacy clause.183 Under PHIPA,“personal health information” generally means identifying information about an individual in oral or recorded form.184 The legislation defines ‘‘identifying information” to mean information that identifies an
180 PIPEDA, s. 26(2).Personal Health Information Act, SNS 2010, c. 41, of Nova Scotia deemed substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act as of March 24, 2016; Newfoundland and Labrador’s Personal Health Information Act deemed substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act as of October 10, 2012; Personal Health Information Act, 2008; New Brunswick’s Personal Health Information Privacy and Access Act deemed substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act as of November 17, 2011; Personal Health Information Privacy and Access Act, 2010 Ontario’s Personal Health Information Protection Act deemed substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act as of November 28, 2005. 181 Personal Health Information Protection Act, 2004, SO 2004, c 3, Sched A, s 1 [PHIPA]; E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c 38; Health Information Act, RSA 2000, c H-5; Health Information Protection Act, SS 1999, ch H-0.021; Personal Health Information Protection Act, CCSM c P33.5; Personal Health Information Act, SNS 2010, c 41;Personal Health Information Act, SNL 2008, c P-7.01; Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05; Health Information Act, RSPEI 1988, c H-1.41; Health Information Privacy and Management Act, SY 2013, c 16; Health Information Act, SNWT 2014, c 2.; Information and Privacy Commissioner of Ontario, December 2004, “A guide to the Personal Health Information Protection Act”, online:
185 Ibid., s. 4 (2). 186 Ibid., s. 4 (1)(e). 187 Ibid., s. 4 (3). 188 PHIPA, supra, s 65. 189 Ibid., ss 2 and 3; ‘‘health information custodians” includes regulated health care professionals, hospitals, long-term care homes, retirement homes, pharmacies, laboratories, ambulance services, ministries, etc. A health information custodian does not include an aboriginal healer, an aboriginal midwife or a person who treats another person solely by prayer or spiritual means in accordance with the tenets of the religion of the person giving the treatment. As of November 28, 2005, any health information custodian subject to PHIPA became exempt from the application of Part 1 of PIPEDA in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario. Health Information Custodians in the Province of Ontario Exemption Order SOR/2005-399 (November 28, 2005). 190 Ibid., s.15(2). A health information custodian that is a natural person, meanwhile, can opt not to designate a contact person if the custodian is willing to perform the functions that would otherwise need to be assigned to such an agent s. 15(1). 191 Ibid., s.17(4). 192 Ibid., s.15(3). Annual Review of Civil Litigation / 574 under PHIPA.193 They must ensure that records of personal health information are retained, transferred and disposed of in a secure manner that accords with the requirements of the regulations.194 Similar to the federal statutes, a custodian must retain personal health information that is subject to a request for access as long as necessary to allow the individual to exhaust their remedies under PHIPA.195 Provinces differ on how long information must be kept after an individual dies. For example, Saskatchewan’s Health Information Protection Act, ceases to apply to personal health information concerning an individual 30 years after their death or to records that are more than 120 years old. Ontario, Newfoundland and Labrador, and Nova Scotia’s statutes cease to apply to an individual’s health information 50 years after their death.196 PHIPA reflects the principles under the Model Code.197 Health information custodians must take reasonable steps to ensure that health information is as accurate, complete and current as required for the purpose for which the information was collected while maintained or disclosed.198 If there are known limitations affecting the accuracy, completeness or currency of personal health information slated for disclosure, the custodian must advise the recipient.199 In the interests of accuracy, custodians are permitted to collect personal health information indirectly if the information is necessary to provide health care to the individual and reliable information cannot be collected directly.200 Where a custodian requires consent to collect, use or disclose personal health information, the consent must be obtained from the individual based on knowledge and cannot be obtained through deception or coercion.201 Health information custodians may treat consent received from an individual, or a document received from a source purporting to be consent of the individual, as valid unless it is unreasonable to do so.202
193 Ibid., s. 10. These are custodian policies for actions in relation to personal health information, including: (a) when, how and the purposes of which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and (b) administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information. 194 Ibid., s. 13 (1). 195 Ibid., s. 13 (2). 196 PHIPA, supra note 181 ss.9(1); Personal Health Information Act, SNL 2008, c P-7.01, ss.10(1); Personal Health Information Act, SNS 2010, c 41, para. 5(2)(b). 197 McIsaac, supra note 63, section 6.2.7.6. 198 PHIPA, s. 11. 199 Ibid. 200 Ibid. 201 Ibid., s. 18 (1). 202 Ibid., s. 20 (1). 575 / Untangling the Web of Canadian Privacy Laws
(b) Requests for information and enforcement of PHIPA Under PHIPA, an individual has a right to access their personal health information in the custody or control of a health information custodian. A health information custodian may deny access if: the record is subject to legal privilege; an Act of Canada or court order prohibits disclosure; granting access could result in a risk of serious harm to treatment or recovery; or granting access would lead to identification of a person who provided information to the custodian in confidence.203 An individual who has been refused access to or correction of their personal health information, or has not received a response from the custodian, may request that the Ontario Commissioner investigate the refusal.204 The Ontario Commissioner’s broad powers, include authorizing a mediator to review the complaint and to trying to effect a settlement.205 If no settlement mechanism is invoked or if no settlement is effected, the Commissioner may review the matter206 and make an order or comments and recommendations to all relevant parties.207 If the order is final, it may be filed with the Ontario Superior Court of Justice208 and becomes enforceable as a judgment or order of the Court.209 A party affected by the Commissioner’s Order may appeal the order to the Divisional Court on a question of law.210 The Ontario Commissioner has the power to refer investigations of complaints to the Attorney General for prosecution. In 2017, the Ontario Commissioner investigated a complaint that a masters of social work student had accessed the personal health records of 139 people without authorization during an educational placement,211 including the records of family, friends, local politicians and clinic staff.212 Following an investigation, the Ontario Commissioner referred the matter to the Attorney General of Ontario for prosecution.213 The student pled guilty to willfully accessing the personal health information of five individuals. In her reasons for sentence, the Justice of the Peace stated that, due to the accused’s actions the victims no longer trusted and
203 PHIPA, supra note 181, s. 52(1). 204 Ibid., s. 56(3). 205 Ibid., s. 57(1). 206 Ibid., s. 57(3). 207 Ibid., s. 61(3). 208 Ibid., s. 63. 209 Ibid., The Ontario Commissioner may also rescind or vary the order or may make a further order if new facts relating to the subject-matter of the review come to the Commissioner’s attention or if there is a material change in the circumstances relating to the subject matter of the review even if the order has been filed with the Superior Court of Justice under section 63 of PHIPA. (s. 64). 210 Ibid., ss. 62(1) and 64(4). 211 Ibid. 212 Ibid. 213 Ibid. Annual Review of Civil Litigation / 576 were reluctant to share information with health care providers.214 The student was ordered to pay a $20,000 fine and a $5,000 victim surcharge for accessing personal health information without consent.215 At the time, it was the highest fine ever awarded for a health-related privacy breach in Canada.216 As discussed more fully below, PHIPA does not preclude common law torts for invasion of privacy. In Hopkins v. Kay the representative plaintiff in a class action alleged that her patient records at the Peterborough Regional Health Centre were improperly accessed.217 She based her claim on the common law tort of intrusion upon seclusion.218 On appeal from the defendant’s motion to dismiss the claim, the Ontario Court of Appeal held that PHIPA is not an exhaustive code and therefore does not oust the jurisdiction of the Superior Court to entertain common law claims for invasion of privacy relating to patient records.219 By contrast, in Broutzas v. Rouge Valley Health System, a class action claim for intrusion upon seclusion was brought against three employees of a public hospital who accessed hospital records to obtain the personal contact information for parents of newborns.220 One of the employees used the contact information to sell RESPs to the newborns’ parents and the other employees sold the contact information to RESP investment dealers. Although the Ontario Superior Court found violations of section 65 of PHIPA and violations of the employees’ employment contracts, the Court rejected the claim for intrusion upon seclusion.221 5. Still More Privacy Statutes In addition to the Privacy Act, PIPEDA and PHIPA, every province and territory has its own laws that apply to provincial government agencies and their handling of personal information. For example Ontario has two pieces of legislation that regulate government institutions’ dealing with personal information: The Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”).222 These acts have many identical provisions,
214 Ibid. 215 Information and Privacy Commissioner of Ontario, ‘‘Health Record Snooping Case Prosecuted in Goderich”, (March 16, 2017) online:
222 Freedom of Information and Protection of Privacy Act, RSO 1990, c F 31 [FIPPA]; Municipal Freedom of Information and Protection of Privacy Act, RSO 1990, c M 56 [MFIPPA]. Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165; Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25; Freedom of Information and Protection of Privacy Act S.S. 1990-91, c. F-22.01; Local Authority Freedom of Information and Protection of Privacy Act S.S. 1990-91, c. L-27.1; Freedom of Information and Protection of Privacy Act CCSM c F175; Right to Information and Protection of Privacy Act, S.N.B. 2009, c. R-10.6; Freedom of Information and Protection of Privacy Act SNS 1993, c. 5; Access to Information and Protection of Privacy Act, S.N.L. 2002, c. A-1.1; Access to Information and Protection of Privacy Act SNWT 1994, c 20; Access to Information and Protection of Privacy Act S.Y. 1995, c. 1; Freedom of Information and Protection of Privacy Act, RSPEI 1988, c F-15.01. 223 Barbara McIsaac, Kris Klein & Shaun Brown, Privacy Law in Canada, Volume 1 (Toronto: Thomson Reuters, 2018) Section 3.7.2.2 — What is an Institution? See Children’s Lawyer for Ontario v. Ontario (Information and Privacy Commissioner), 2017 ONSC 642 (Div. Ct.), reversed 2018 CarswellOnt 9575 (Ont. C.A.), leave to appeal refused Information and Privacy Commissioner of Ontario v. Children’s Lawyer for Ontario, et al., 2019 CarswellOnt 4698 (S.C.C.); David v. Ontario (Adjudicator, Information & Privacy Commissioner), 2006 CarswellOnt 6755 (Ont. Div. Ct.). 224 FIPPA, supra note 222, s. 1; MFIPPA, supra note 222, s. 1. 225 Ibid. 226 For British Columbia, Personal Information Protection Act, S.B.C 2002, c. 63 and Freedom of Information and Protection of Privacy Act, RSBC 1996, c. 165; for Alberta, Personal Information Protection Act, SA 2003, c. P-6.5 and Freedom of Information and Protection of Privacy Act, RSA 2000, c. F-25. 227 S.C. 1991, c. 46. 228 Credit Unions and Caisses Populaires Act, 1994 S.O. 1994, c. 11; Savings and Credit Unions Act, C-4, 1988 c. 64, s. 592; Financial Institutions Act, RSBC 1996, c. 141; Credit Union Act, RSA 2000, c. C-32; The Credit Union Act, 1998, SS 1998 c. C-45.2; The Credit Unions and Caisses Populaires Act, CCSM c. C301; Credit Union Act, SNS 1994, c-4.; Annual Review of Civil Litigation / 578 reporting which impose an obligation on credit reporting agencies to, amongst other things, ensure the accuracy of the information, limit the disclosure of information and give consumers access to information.229 There are also provincial laws that contain confidentiality provisions concerning personal information collected by professionals.230 The sheer volume of laws makes it difficult to navigate the privacy landscape.
VI. WHEN IS A BREACH OF PRIVACY A TORT? In the seminal article by William L. Prosser, ‘‘Privacy”,231 adopted by the American Law Society in the Restatement (Second) of Torts (2010), Prosser identified four privacy torts: 1. Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs. 2. Public disclosure of embarrassing private facts about the plaintiff. 3. Publicity which places the plaintiff in a false light in the public eye. 4. Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness. Each of these torts has now been adopted by Canadian courts. We address each in turn and discuss in the next section how they fit together with the statutory rights described in the previous sections. 1. Intrusion upon Seclusion In Jones v. Tsige,232 the Ontario Court of Appeal recognized the tort of intrusion upon seclusion based on the elements of the cause of action from the American Restatement (Second) of Torts (2010): one who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.233 In
Credit Unions Act, SNB 1992, c. C-32.2; Credit Union Act, 2009, SNL 2009 c. C-37.2; Credit Unions Act RSPEI 1988, c. C-29.1; Credit Union Act RSNWT (Nu) 1988, c. C-23. 229 Consumer Reporting Act, R.S.O. 1990, c. C.33; Consumer Protection Act, CQLR c. P- 40.1; Business Practices and Consumer Protection At, SBC 2004, c. 2; Consumer Protection Act, RSA 2000, c. C-26.3; Consumer Protection Act, CCSM, c. C200; Consumer Protection Act, RSNS 1989, c 92; Consumer Protection Act, CQLR c. P-40.1; Consumer Protection and Business Practices Act, SNL 2009, c. C-31.1; Consumer Protection Act, RSPEI 1988, c. C-19; Consumer Protection Act, RSNWT (Nu) 1988, C. C-17. 230 See for example Regulated Health Professions Act, 1991, S.O. 1991, c. 18.. 231 (1960), 48 Cal. L. Rev. 383 232 2012 ONCA 32 (C.A.). 233 Ibid. at para. 19. 579 / Untangling the Web of Canadian Privacy Laws recognizing the new tort, the Court carefully reviewed Charter jurisprudence and found that the Supreme Court of Canada had identified privacy as “worthy of constitutional protection and integral to an individual’s relationship with the rest of society and the state.” Further the Supreme Court had consistently interpreted section 8 of the Charter, protection against unreasonable search and seizure, as protecting the underlying right to privacy. The Court of Appeal quoted and referenced R. v. Dyment where Justice La Forest wrote in 1988, before the Internet was ubiquitous, about the importance of privacy in modern society and the reasonable expectations of the individual that ‘‘information shall remain confidential to the persons to whom, and restricted to the purposes for which it is divulged.“234 The Court of Appeal also noted that Charter jurisprudence had recognized three distinct privacy interests, personal privacy, territorial privacy, and informational privacy.235 Informational privacy was at stake in Jones v. Tsige, and the Court adopted the following definition: Beyond our bodies and the places where we live and work, however, lies the thorny question of how much information about ourselves and activities we are entitled to shield from the curious eyes of the state (R. v. S.A.B., [2003] 2 S.C.R. 678, 2003 SCC 60). . . . Informational privacy has been defined as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”: A. F. Westin, Privacy and Freedom (1970), at p. 7. Its protection is predicated on the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain . . . as he sees fit. 236 The facts of Jones are important from the perspective of understanding the parameters of the tort. In that case, the plaintiff and defendant did not know one another but worked for different branches of the same bank. The defendant formed a common law relationship with the plaintiff’s ex-husband. Over a period of four years, the defendant used her workplace computer to access the plaintiff’s bank accounts multiple times. Although the defendant did not publish, distribute or record the information, the plaintiff brought an action for invasion of privacy which was dismissed on a summary judgment motion but upheld on appeal by the Ontario Court of Appeal. The key features of the cause of action for intrusion upon seclusion are that the defendant’s conduct is intentional, including recklessness; the defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns;237 and a reasonable
234 Ibid. at para. 40. 235 Dyment, supra note 16 at 428-29 S.C.R.; R. v. Tessling, 2004 SCC 67, [2004] 3 S.C.R. 432, [2004] S.C.J. No. 63 (S.C.C.) at paras. 19-23. 236 (Report of a Task Force established jointly by Department of Communications/ Department of Justice, Privacy and Computers (1972), at p. 13), Jones v. Tsige, supra note 170 at para. 41. Annual Review of Civil Litigation / 580 person would regard the invasion as highly offensive, causing distress, humiliation or anguish.238 The Court of Appeal was concerned to keep the floodgates of privacy litigation closed while still recognizing that privacy rights are worthy of common law protection. They restricted the tort to “deliberate and significant invasions of personal privacy”239 and excluded claims by individuals who are sensitive or unusually concerned about their privacy. Private information which the Court indicated would be protected includes financial or health records, sexual practises and orientation, employment, diary or private correspondence.240 Jones was the first case where intrusion upon inclusion was recognized as a tort in Canada. However, before Jones, British Columbia had a well-developed common law privacy regime based upon the statutory right to privacy provided for in the BC Privacy Act.241 Since Jones, many of the Canadian provinces have adopted a tort of intrusion upon seclusion. In Trout Point Lodge Ltd. v. Handshoe242 the Nova Scotia Supreme Court confirmed that, in an appropriate case, Nova Scotia would make an award for an invasion of privacy.243 However, since that case was also pleaded as a defamation case, the Court did not consider whether intrusion upon seclusion applied.244 The tort has also been adopted by the Federal Court of Appeal.245 Some provinces, like New Brunswick, have yet to recognize the tort.246
237 The tort does not apply to matters of public record. See for example Baldwin v. Morningstar, 2019 ONSC 1276 (S.C.J.) at para. 41. 238 Jones, supra note 170 at para. 71; See Filbey v. Ashe, 2018 ONSC 4615 (S.C.J.) at para. 90; Larizza v. Royal Bank of Canada, 2018 ONCA 632 (C.A.) at paras. 10-11. 239 Jones, supra note 236 at para. 72. 240 Ibid. at para. 72. 241 Malcolm v Fleming, 2000 CarswellBC 1316, [2000] B.C.J. No. 2400 (B.C. S.C.). See also Watts v. Klaemt, 2007 BCSC 662, 71 B.C.L.R. (4th) 362, [2007] B.C.J. No. 980 (S.C.); Lee v. Jacobson (1994), 99 B.C.L.R. (2d) 144, 120 D.L.R. (4th) 155, 53 B.C.A.C. 75, [1994] B.C.J. No. 2459 (B.C. C.A.), reversing (1992), 87 D.L.R. (4th) 401, [1992] B.C.J. No. 132 (B.C. S.C.); Weber v. Jacobson (1992), 87 D.L.R. (4th) 401, [1992] B.C.J. No. 132 (B.C. S.C.), reversed Lee v. Jacobson (1994), 120 D.L.R. (4th) 155, [1994] B.C.J. No. 2459 (B.C. C.A.); Hollinsworth v. BCTV, a division of Westcom TV Group Ltd. (1996), 34 C.C.L.T. (2d) 95, [1996] B.C.J. No. 2638 (B.C. S.C.), affirmed (1998), 113 B.C.A.C. 304, [1998] B.C.J. No. 2451 (B.C. C.A.); Heckert v. 5470 Investments Ltd., 2008 BCSC 1298, 299 D.L.R. (4th) 689, [2008] B.C.J. No. 1854 (S.C.). 242 2012 NSSC 245 (S.C.). 243 Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245 (S.C.) at paras. 57-58. 244 See also VonMaltzahn v. Koppernaes, 2018 NSSC 192 (S.C.) at para. 48. 245 Condon v. Canada, 2014 FC 250 (F.C.) at paras. 52-64, reversed Condon v. R., 2015 FCA 159 (F.C.A.). While the Federal Court’s jurisdiction is limited to administering the law of Canada, the Federal Court may also apply provincial law incidentally necessary to resolve the issues presented by the parties where the case is in pith and substance within the court’s statutory jurisdiction.“ ITO-Int’l Terminal Operators v. Miida Electronics, 581 / Untangling the Web of Canadian Privacy Laws
The fact that a plaintiff’s damages are nominal does not preclude an action or a class action for intrusion upon seclusion. For example, in Stewart v. Demme247 the defendant nurse engaged in a series of daily thefts of opioids by accessing, without authorization, patient information for over 11,000 patients. The defendant accessed the patient’s name, identification number, hospital unit visited, applicable allergy information, and in some cases the medicine they were prescribed while in hospital. She viewed the information for a matter of seconds and did not share it with anyone else. The defendant used the name of the patients, in particular, those who had been pre-prescribed Percocet for their surgery, in order to dispense pills for herself and not for any other purpose.248 There was no evidence of adverse medical treatment as a result of the defendant’s accessing these records.249Nine years later the Hospital discovered the breach and advised the affected patients in writing, apologized, and adopted internal remedial measures after a review by the Ministry of Health. The nurse defendant was criminally punished and professionally sanctioned for her wrongdoing. Although the patients had not suffered any specific damages, they brought a class proceeding seeking damages for intrusion upon seclusion. On a motion to certify the class action, the Ontario Superior Court considered whether a class action was a preferable procedure for litigating the claim. The Court noted that “when privacy is alleged to be invaded by means of an institutional data breach, the situation is particularly amenable to analysis on a class basis.”250 Acknowledging the quasi-constitutional status accorded to privacy by the Supreme Court,251 the Court concluded that the law must protect privacy from all manner of breaches,252 and that a class proceeding was appropriate. The Court found that physical injury or monetary loss was not a necessary ingredient
(sub nom. ITO — International Terminal Operators Ltd. v. Miida Electronics Inc.) [1986] 1 S.C.R. 752 (S.C.C.) at 78. 246 Rancourt-Cairns v. The Saint Croix Printing and Publishing Company Ltd., 2018 NBQB 130 (Q.B.). 247 2020 ONSC 83 (S.C.J.), additional reasons 2020 CarswellOnt 3480 (Ont. S.C.J.). See also Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 (S.C.J.), additional reasons 2019 CarswellOnt 762 (Ont. S.C.J.), appeal quashed 2019 CarswellOnt 15049 (Ont. C.A.), a case similarly dealing with improper access to health records in a hospital setting where Perell J. found that information such as a patient’s name and contact information is public record and is not confidential and dismissed the certification motion. 248 Stewart v. Demme, 2020 ONSC 83 (S.C.J.) at para. 17, additional reasons 2020 CarswellOnt 3480 (Ont. S.C.J.). 249 Ibid. at para. 18. 250 Ibid. at para. 40; Tocco v. Bell Mobility Inc., 2019 ONSC 2916 (S.C.J.) at para. 26, additional reasons 2019 CarswellOnt 10550 (Ont. S.C.J.). 251 Lavigne v. Canada (Office of the Commissioner of Official Languages), note 27 at paras. 24-25, and Douez v. Facebook, Inc., note 2 at para. 59. Annual Review of Civil Litigation / 582 for liability for intrusion upon seclusion. The “offensiveness” of the privacy infringement is based on the nature of the privacy interest infringed, not the magnitude of the infringement.253 A class action for intrusion upon seclusion was also certified in Grossman v. Nissan Canada254 where an unknown Nissan employee accessed a company data base that contained the personal information of thousands of customers who had financed the lease or purchase of their vehicle. The employee emailed a ‘‘sample” of the stolen data to company executives and demanded the payment of a ransom. Although the customers did not suffer any financial loss, the Court certified the class action because symbolic or moral damages may be awarded for intrusion upon seclusion and Nissan was potentially vicariously liable for the intrusion by its employee.255 2. Public Disclosure of Private Facts Since Jones, our courts have recognized a second form of invasion of privacy: public disclosure of private facts. The elements of the cause of action are: a. the defendant publicized an aspect of the plaintiff’s private life; b. the plaintiff did not consent to the publication; c. the matter publicized or its publication would be highly offensive to a reasonable person; and d. the publication was not of legitimate concern to the public.256 Jane Doe 464533 v. N.D.257 and Jane Doe 72511 v. N.M.258 are the two principal cases dealing with this tort. Both cases involved publication of pornographic videos on the Internet and in both cases the Court granted default judgment for the plaintiff. The default judgment in the first Jane Doe was ultimately set aside. In the second Jane Doe case, the plaintiff’s boyfriend posted a sexually explicit video of the plaintiff on a pornographic website, without her knowledge or consent. It was a case of ‘‘revenge porn” as the video was allegedly
252 Stewart v. Demme, 2020 ONSC 83 (S.C.J.) at para. 48, additional reasons 2020 CarswellOnt 3480 (Ont. S.C.J.). 253 Ibid. at paras. 78-79. 254 Grossman v. Nissan Canada, 2019 ONSC 6180 (S.C.J.) at para. 30, additional reasons 2019 CarswellOnt 20826 (Ont. S.C.J.). 255 Ibid. at para. 12; See also Agnew-Americano v. Equifax Canada Co., 2019 ONSC 7110 (S.C.J.); Kaplan v. Casino Rama, 2019 ONSC 2025 (S.C.J.), additional reasons 2019 CarswellOnt 9260 (Ont. S.C.J.); Tucci v. Peoples Trust Company, 2017 BCSC 1525 (S.C.); Stewart v. Demme, 2020 ONSC 83 (S.C.J.) at para. 52, additional reasons 2020 CarswellOnt 3480 (Ont. S.C.J.); Tocco v. Bell Mobility Inc., 2019 ONSC 2916 (S.C.J.), additional reasons 2019 CarswellOnt 10550 (Ont. S.C.J.). 256 Jane Doe 72511 v. N.M, 2018 ONSC 6607, [2018] O.J. No. 5741 (S.C.J.) at para. 99. 257 Doe 464533 v. N.D., 2016 ONSC 541 (S.C.J.). 258 Jane Doe 72511 v. N.M, supra note 256. 583 / Untangling the Web of Canadian Privacy Laws posted in retaliation for the defendant’s arrest and conviction for physical violence against the plaintiff, much of which took place in his parent’s house. In addition to claiming the tort of public disclosure of private facts, the plaintiff claimed general, aggravated and punitive damages for assault and battery, and claimed against the defendant’s parents in negligence because, as occupiers of the house, they failed to take reasonable steps to protect her from their son’s behaviour. Justice Gomery found that Ontario had not recognized a civil right of action for posting intimate images without consent, and that in Jones v. Tsige, the Ontario Court of Appeal declined to decide whether Canadian law should recognize other privacy torts.259 She also reviewed Justice Stinson’s decision in the first Jane Doe case, and considered Bill C-13, the Protecting Canadians from Online Crime Act, making it a criminal offence to publish an intimate image without consent.260 She decided that where misconduct attracts criminal sanction, it makes sense that the same misconduct should provide a civil remedy, Parliament’s criminalization of the publication of an intimate image without consent recognizes that this behaviour is highly offensive and should give rise to a civil remedy for a person who suffers damages as a result of it. The only question is how this is best accomplished . . . It is difficult to conceive of a privacy interest more fundamental than the interest that every person has in choosing whether to share intimate or sexually explicit images and recordings of themselves. Every person should have the ability to control who sees images of their body. This is an important part of each individual’s personal freedom to decide how they share the most intimate aspects of themselves, their sexuality and their bodies. A cause of action which protects this privacy interest is rooted in our deepest values as a society. Failing to develop the legal tools to guard against the intentional, unauthorized distribution of intimate images and recordings on the internet would have a profound negative significance for public order as well as the personal wellbeing and freedom of individuals.261 Justice Gomery adopted the elements of the tort set out above,262 and found the ex-boyfriend liable. Based on the seriousness of the tort, Justice Gomery awarded general damages of $50,000, aggravated damages of $25,000, and $25,000 in punitive damages. She noted that ‘‘the breach of the plaintiff’s privacy rights in a case like this are much more serious than in an action for
259 Ibid. at para. 60. 260 At para. 92 Justice Gomery also acknowledged that Manitoba was then the only Canadian jurisdiction that had enacted legislation to address this issue: Intimate Image Protection Act C.C.S.M. c. 187. This law came into force on January 15, 2015. Since then other provinces have passed similar legislation Intimate Images and Cyber-protection Act, SNS 2017, c 7; Protecting Victims of Non-consensual Distribution of Intimate Images Act, RSA 2017, c P-26.9; Intimate Images Protection Act, RSNL 2018, c I-22; Privacy Act, RSS 1979, c P-24, Part 2, s. 7.1-7.8. 261 Jane Doe 72511 v. N.M, supra note 256 at paras. 85, 88. 262 Ibid. at paras. 99-100. Annual Review of Civil Litigation / 584 intrusion on seclusion” and therefore the $20,000 limit on damages set in Jones v. Tsige did not apply.263 In assessing damages she explained that the tort could have devastating consequences especially where sexually explicit images of very young people have been shared without their consent causing feelings of intense shame and social isolation.264 Despite the overall success of the plaintiff in this matter, the decision was a default judgment and therefore has limited precedential value; however, in our view, Justice Gomery’s analysis is persuasive and pragmatic. As of the time of writing, there has been one other case in Canada in which the tort of public disclosure has been considered which is discussed below.265 3. Publicity Placing Person in False Light The tort of ‘‘publicity placing a person in a false light” was recently recognized in Yenovkian v. Gulian,266 a case involving prolonged and vicious Internet posts by an ex-husband about his wife and her family. The Court found that the tort applies where publicity is given to a matter concerning a person that places that person before the public in a false light if (a) the false light in which the person was placed would be highly offensive to a reasonable person, and (b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.267 Mr. Yenovkian made serious allegations online about his wife including that she was a kidnapper, abused and drugged their children, forged documents, and defrauded governments.268 The Court found that the posts would be highly offensive to a reasonable person and also constituted the tort of public disclosure of private facts. The Court awarded $100,000 in damages.269 Defamation is not a required element of the cause of action for ‘‘false light” even though the publicity associated with this cause of action is often defamatory. ‘‘It is enough for the plaintiff to show that a reasonable person would find it highly offensive to be publicly misrepresented as they have been. The wrong is in publicly representing someone, not as worse than they are, but
263 Ibid. at paras. 130 -132. 264 Ibid. at para. 123. 265 Yenovkian v. Gulian, 2019 ONSC 7279 (S.C.J.). 266 Ibid. at para. 171. 267 Ibid. at para. 170. 268 Ibid. at para. 175. 269 The Court relied on the extent of damage caused by Internet postings recognized in cases like Rutman v. Rabinowitz, 2018 ONCA 80 (C.A.) at para. 11, additional reasons 2018 CarswellOnt 4195 (Ont. C.A.), leave to appeal refused Saul Rabinowitz, et al. v. Ronald Rutman, 2018 CarswellOnt 13174, [2018] S.C.C.A. No. 130 (S.C.C.). 585 / Untangling the Web of Canadian Privacy Laws as other than they are. The value at stake is respect for a person’s privacy right to control the way they present themselves to the world.”270 This cause of action shares common elements with the tort of public disclosure of private facts as both require publicity which is highly offensive to a reasonable person. The main distinguishing factor is that public disclosure of private facts involves true statements, while ‘‘false light” publicity involves false or misleading claims. Further, ‘‘false light” invasion of privacy requires that the defendant know or be reckless as to the falsity of the information, while public disclosure of private facts requires that there be no legitimate public concern justifying the disclosure.271 4. Appropriation of Name or Likeness The tort of appropriation of name or likeness has been around for some time in Canadian common law. In Athans v. Canadian Adventure Camps Ltd.,272 the defendant operated a summer camp for children. The camp published a brochure and an advertisement containing a picture of a water-skier, which was based on photographs of the plaintiff, and was used for commercial purposes without his consent. The plaintiff was a professional athlete recognized for his prowess in water-skiing, both in Canada and internationally. He promoted his image, expertise, and personality commercially. The Court found that the plaintiff had used the photograph as an essential component in marketing his personality. The commercial use of his representational image by the defendants without his consent constituted an invasion and impairment of his exclusive right to market his personality and therefore was an appropriation of personality. The tort was separate and distinct from any action based on infringement of trademark or copyright.273 The Court awarded the plaintiff $500 in damages in 1977. By contrast in Joseph v. Daniels,274 the British Columbia Supreme Court held that the tort of misappropriation of personality did not apply to a photograph taken with the subject’s permission but later distributed broadly without his consent. The plaintiff was a body builder whose photograph was taken and paid for by a commercial photographer for the purpose of an advertisement. Only the plaintiff’s torso was shown in the photograph. The photographer used the photograph as part of a newspaper advertisement but subsequently also used it
270 Yenovkian v. Gulian, supra note 265 at para. 171. 271 Ibid. at para. 172. 272 (1977), 17 O.R. (2d) 425, [1977] O.J. No. 2417 (Ont. H.C.). 273 Athans v. Canadian Adventure Camps Ltd. et al., 1977 CarswellOnt 453 (Ont. H.C.); but see Gould Estate v. Stoddart Publishing Co., 1996 CarswellOnt 3537 (Ont. Gen. Div.), affirmed (1998), (sub nom. Succession Gould c. Stoddart Publishing Co.) 39 O.R. (3d) 555 (Fr.) (Ont. C.A.), leave to appeal refused 1999 CarswellOnt 5722, [1998] S.C.C.A. No. 373 (S.C.C.). 274 1986 CarswellBC 172 (B.C. S.C.). Annual Review of Civil Litigation / 586 in posters without the plaintiff’s consent. The Court held that the plaintiff had not made out a case for misappropriation of personality. By using the model’s torso, the defendant photographer deliberately designed his composition to avoid referencing the plaintiff. Therefore, the photograph did not represent any proprietary interest associated by the public with the plaintiff’s individuality.275 There have been very few cases of misappropriation of personality in Canada.276 5. The Intersection between Tort and Statute One of the most confusing issues about privacy litigation is how privacy torts fit together with statutory provisions. This differs from province to province. In British Columbia and Alberta, the courts have held that their privacy statutes occupy the field and preclude a common law proceeding in the courts. In those jurisdictions however, the statutory regime specifically establishes a statutory cause of action for breach of privacy. For example, in Mohl v. University of British Columbia277 the British Columbia Court of Appeal stated that “there is no common law claim for breach of privacy” in British Columbia.278 Section 1 of the BC Privacy Act includes the following statutory causes of action for breach of privacy: (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another. (2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.279
275 Joseph v. Daniels, 1986 CarswellBC 172 (B.C. S.C.) at para. 15. 276 See also Heath v. Weist-Barron School of Television Canada Ltd., 1981 CarswellOnt 582 (Ont. H.C.); Horton v. Tim Donut Ltd., 1997 CarswellOnt 521 (Ont. Gen. Div.), affirmed (1997), 104 O.A.C. 234, [1997] O.J. No. 4154 (Ont. C.A.); Gould Estate v. Stoddart Publishing Co. (1996), 30 O.R. (3d) 520, 74 C.P.R. (3d) 206 (Ont. Gen. Div.), affirmed 1998 CarswellOnt 1901 (Ont. C.A.), leave to appeal refused 1999 CarswellOnt 5722 (S.C.C.). 277 2009 BCCA 249 (C.A.), leave to appeal refused 2009 CarswellBC 3122, [2009] S.C.C.A. No. 340 (S.C.C.). 278 Mohl v. University of British Columbia, 2009 BCCA 249 (C.A.), leave to appeal refused 2009 CarswellBC 3122, [2009] S.C.C.A. No. 340 (S.C.C.) at para. 13; See also Facilities Subsector Bargaining Association v. British Columbia Nurses’ Union, 2009 BCSC 1562 (S.C.) at para. 59. Hung v. Gardiner, 2002 BCSC 1234 (S.C.), additional reasons 2003 CarswellBC 509 (B.C. S.C.), affirmed 2003 BCCA 257 (C.A.) at para. 110; Bracken v. Vancouver Police Board, 2006 BCSC 189 (S.C.) at para. 28; Demcak v. Vo, 2013 BCSC 899 (S.C.) at para. 8; Ari v. Insurance Corporation of British Columbia, 2013 BCSC 1308 (S.C.) at para. 63, affirmed 2015 CarswellBC 3319 (B.C. C.A.) [Ari BCSC]; Ari v. Insurance Corporation of British Columbia, 2015 BCCA 468 (C.A.) at para. 9 [Ari BCCA]; Cook v The Insurance Corporation of British Columbia, 2014 BCSC 1289 (S.C.) at paras. 48, 72. 279 RSBC 1996, Chapter 373, s. 1. 587 / Untangling the Web of Canadian Privacy Laws
Similarly, in Alberta, where PIPA280 establishes a statutory cause of action for breach of privacy, the courts have held that there is no common law claim for breach of privacy and plaintiffs are precluded from pursuing a common law remedy.281 There is no similar statutory cause of action for breach of privacy in Ontario. In Hopkins v. Kay,282 the Ontario Court of Appeal concluded that Ontario privacy legislation did not preclude a common law action. Specifically, the Court considered whether PHIPA precluded an action for intrusion upon seclusion. In that case, the named plaintiff in a proposed class proceeding against a hospital alleged that her health records were improperly accessed and claimed intrusion upon seclusion. The Hospital defended the action on the basis that PHIPA is an exhaustive code that ousts the jurisdiction of the Superior Court to entertain any common law claim for invasion of privacy in relation to patient health records.283 The Court of Appeal held that PHIPA does not constitute a complete code and therefore the class action could proceed.284 Justice Sharpe applied a three-prong test to determine exclusivity: first, whether the process for dispute resolution established by the legislation is consistent with exclusive jurisdiction; second, whether the essential character of the dispute is regulated by the legislative scheme and the extent to which the court’s jurisdiction would be inconsistent with that scheme; and third, the capacity of the scheme to afford effective redress.285 Applying the first prong of the test, Justice Sharpe determined that PHIPA does not give the Ontario Commissioner a comprehensive role in dealing with individual complaints. PHIPA’s informal and highly discretionary review process was not tailored to deal with individual claims and expressly contemplates the possibility of other proceedings.286 Section 57(4)(b) of PHIPA provides that one of the factors to be considered by the Commissioner in deciding whether to investigate a complaint is whether “the complaint has been or could be more appropriately dealt with, initially or completely, by means of a procedure, other than a complaint under this Act”.
280 S.A. 2003, c.P-6.5. 281 Bank of Montreal v. Cochrane, 2010 ABQB 541, [2010] A.J. No. 1210 (Q.B.) at paras. 6, 7, and 8, additional reasons 2010 CarswellAlta 2473 (Alta. Q.B.); Martin v. General Teamsters, Local Union No. 362, 2011 ABQB 412 (Q.B.) at para. 45. 282 2015 ONCA 112 (C.A.), leave to appeal refused Peterborough Regional Health Centre v. Hesse, 2015 CarswellOnt 16503 (S.C.C.). 283 Ibid. 284 Ibid. para. 30 quoting Pleau v. Canada (A.G.), 1999 NSCA 159, (sub nom. Pleau (Litigation Guardian of) v. Canada (Attorney General)) 182 D.L.R. (4th) 373 (C.A.), leave to appeal refused 2000 CarswellNS 318, [2000] S.C.C.A. No. 83 (S.C.C.) at para. 48. 285 Hopkins, supra note 283, paras. 31-33. 286 Ibid. paras. 44-45. Annual Review of Civil Litigation / 588
On the second prong of the test, Justice Sharpe found that the essential character of a common law claim based on intrusion upon seclusion was not covered by PHIPA. He reasoned that the elements of intrusion upon seclusion are more difficult to prove than a breach of PHIPA and the tort is subject to a two-year rather than the one-year limitation period under the Act; court proceedings would not therefore undermine the PHIPA scheme. On the third prong of the test, Justice Sharpe found that PHIPA confers a broad discretion on the Ontario Commissioner to investigate complaints, which reflects a statutory focus on systemic issues rather than on individual complaints. The Commissioner could review a complaint and then decline to conduct a review or to make an order that could form that basis for a claim in damages. “Even if the Commissioner investigates a complaint, his primary objective in achieving an appropriate resolution will not be to provide an individual remedy to the complainant, but rather to address systemic issues.”287 For these reasons, the Court of Appeal concluded that the legislature did not intend for PHIPA to be a complete code for the resolution of disputes over misuse of personal health information. More recently in Chandra v. CBC,288 the Ontario Superior Court considered whether PIPEDA was a complete legislative scheme which ousts common law breach of privacy claims. The plaintiff, a world-renowned expert in nutrition and immunology and a professor at Memorial University, was the subject of a CBC documentary which asserted that his scientific studies and reports were based upon fabricated research results. The plaintiff sued the CBC and included a claim for damages for intrusion upon seclusion on the basis that the CBC engaged in a campaign of harassing conduct including disclosure of embarrassing private facts about the plaintiff, monitoring his emails without his knowledge or consent, and describing intimate details about his personal life. At the time of the documentary, the CBC was subject to PIPEDA.289 While PIPEDA provides a process for an individual to file a complaint with the Privacy Commissioner, it also contemplates civil proceedings. Section 14 of PIPEDA allows a complainant whose complaint has been investigated and reported on by the Commissioner to apply to Federal Court for a hearing respecting any matter covered by the complaint or referred to in the Commissioner’s report. PIPEDA also provides that it is open to the court to award monetary damages, including damages for humiliation suffered by the complainant.290 The Court quoted and relied upon the observations of the
287 Ibid. paras. 54-56. 288 2015 ONSC 5303 (S.C.J.). 289 PIPEDA applies to all institutions subject to federal jurisdiction except those described in s. 4(2) of the Act. Since September 2007, the CBC ceased to be subject to PIPEDA and is governed by the Privacy Act, R.S.C. 1985 c. P-21. 290 PIPEDA, s. 16(c). 589 / Untangling the Web of Canadian Privacy Laws
Court of Appeal in Jones that PIPEDA did not preclude the tort of intrusion upon seclusion as it is not a complete code.291 The Manitoba Court of Queen’s Bench came to the same conclusion that PIPEDA is not an exclusive code and does not preclude a tort action for intrusion upon seclusion in Romana v. The Canadian Broadcasting Corporation et al.292
VII. CRIMINAL CODE PRIVACY PROVISIONS As noted above, Canadian courts have relied on rights contained in the Charter to protect citizens against unreasonable invasions of privacy. Privacy laws are quasi-constitutional and therefore take primacy over other laws. However, the Criminal Code293 includes a number of criminal offences that specifically protect privacy including publishing an intimate image without consent294and the offence of voyeurism.295 Section 162 of the Criminal Code provides: 162 (1) Everyone commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if (a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity; (b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or (c) the observation or recording is done for a sexual purpose. The offence of voyeurism was considered recently by the Supreme Court of Canada in R. v. Jarvis. A teacher was charged with voyeurism for secretly videotaping images of the upper bodies, faces and breasts of female students in the hallways and classrooms of a high school with a video pen. He was acquitted at trial because the trial judge found there was insufficient evidence to prove the recordings were made for a sexual purpose, as required by s. 162(1)(c). The
291 Chandra v. CBC, 2015 ONSC 5303 (S.C.J.) at para. 33; Jones v. Tsige, supra note 236 at para. 49. The Court in Chandra therefore permitted the tort of intrusion to be put to the jury. However, the plaintiff was ultimately unsuccessful and a large cost award was made against the plaintiff, 2015 ONSC 6519 (S.C.J.). 292 Romana v. The Canadian Broadcasting Corporation et al, 2016 MBQB 33 (Q.B.) at para. 24. 293 RSC 1985, c. C.46. [Criminal Code]. 294 Criminal Code, s. 162.1. 295 Ibid., s. 162(1). Annual Review of Civil Litigation / 590
Ontario Court of Appeal upheld the trial decision.296 While the Court of Appeal was of the unanimous opinion that Mr. Jarvis had made the videos for a sexual purpose, the majority held that the recordings were not made in circumstances that give rise to a reasonable expectation of privacy. Not surprisingly, the Supreme Court overturned the acquittal and convicted the teacher. The Court held that the circumstances that give rise to a reasonable expectation of privacy for the purposes of section 162 are ‘‘circumstances in which a person would reasonably expect not to be the subject of the type of observation or recording that in fact occurred”.297 To determine whether a person had a reasonable expectation of privacy in this sense, a court must consider the entire context in which the observation or recording took place which includes: ‘‘the location where the observation or recording occurred; the nature of the impugned conduct; the awareness or consent of the person who was observed or recorded; the manner in which the observation or recording was done; the subject matter or content of the observation or recording; any rules, regulations or policies that governed the observation or recording; the relationship between the parties; the purpose for which the observation or recording was done; and the personal attributes of the person who was observed or recorded.”298 Based upon a review of this list of considerations, the Court concluded that the students were in circumstances that gave rise to a reasonable expectation of privacy for the purposes of section 162.299 The Chief Justice expounded a broad definition of privacy to include ‘‘the concept of freedom from unwanted scrutiny, intrusion or attention.”300 The Chief Justice also explained that a reasonable expectation of privacy depends upon the context and that public places do not necessarily eliminate expectations of privacy: These examples illustrate that ‘‘privacy,” as ordinarily understood, is not an all-or- nothing concept. Furthermore, being in a public or semi-public space does not automatically negate all expectations of privacy with respect to observation or recording. Rather, these examples indicate that whether observation or recording would generally be regarded as an invasion of privacy depends on a variety of factors, which may include a person’s location; the form of the alleged invasion of privacy, that is, whether it involves observation or recording; the nature of the observation or recording; the activity in which a person is engaged when observed or recorded; and the part of a person’s body that is the focus of the recording.The fact that a variety of factors may influence whether a person would expect not to be observed or recorded is also consistent with Parliament’s choice to express the element of the offence in s.
296 2017 ONCA 778, 139 O.R. (3d) 754 (C.A.), reversed 2019 CarswellOnt 1921 (S.C.C.). 297 R. v. Jarvis, 2019 SCC 10, [2019] 1 S.C.R. 488 (S.C.C.) at para. 5. 298 Ibid. at para. 5, 29. 299 Ibid. at para. 6. 300 Ibid. at para. 36. 591 / Untangling the Web of Canadian Privacy Laws
162(1) with which we are concerned by reference to the ‘‘circumstances” that give rise to a reasonable expectation of privacy. The word ‘‘circumstances”, in the sense in which it is used in s. 162(1), connotes a range of factors or considerations — which are not limited to a person’s location or physical surroundings.301 The Jarvis decision is important not only for its interpretation of section162(1) of the Criminal Code but also because it informs our understanding of privacy generally. As the Court stated, being in a public or semi-public space ‘‘does not automatically negate all expectations of privacy with respect to observation or recording.” This broad understanding of privacy is likely to expand the scope of privacy torts like intrusion upon seclusion and to expand our understanding of privacy rights outside of privacy legislation and protected by the Charter.
VIII. PUTTING IT ALL TOGETHER The process of defining the legal right of privacy is still underway. In large part, this is because the scope of the threats to privacy are not yet fully known or understood. The widespread use of the Internet, smart phones, and other devices has challenged our understanding of what is private. Canadian courts and legislatures have recognized the gravity of the threat to privacy and the resulting need for robust remedies for breaches of privacy. Although the process of defining those remedies and their scope of application is far from complete, the courts have articulated fundamental premises that can and should be utilized in analyzing privacy claims and developing the law of privacy. There are two fundamental premises, both recognized by the Supreme Court, on which the law of privacy rests, and which together provide a starting point for analyzing privacy claims. The first is that the right to personal privacy is itself a Charter right and underlies the right to be free from unreasonable search and seizure that is set out in section 8 of the Charter. The second is that statutory privacy laws have a quasi-constitutional status whether or not the enabling statute includes a primacy clause. This means that statutory privacy laws have primacy over other legislation and determine how these statutes will be applied by the courts. Federal privacy laws cover two aspects of privacy: the privacy of information provided to the federal government under the Privacy Act and information held by private organizations under PIPEDA. Some provinces have independent PIPEDA type legislation and others have independent legislation dealing with health records, such as PHIPA in Ontario. Other provincial statutes deal with information held by provincial and municipal governments. Several federal and provincial sector-specific laws include provisions dealing with the protection of
301 Ibid. at paras. 41-42. Annual Review of Civil Litigation / 592 personal information. Although all of these statutes deal with informational privacy, except in provinces where there is a statutory cause of action for breach of privacy, the privacy statutes do not preclude the tort of intrusion upon seclusion or other privacy torts which have been recognized by Canadian courts. Privacy law therefore combines constitutional, quasi-constitutional, statutory (federal and provincial) and common law. This is indeed a tangled web urgently in need of reform to better meet the demands of the ever-changing digital environment and in need of simplification so that it can be more readily understood and applied.