nNovation LLP


Dustin Moores

Federal Court Rules in Favour of OPC in Google Reference

July 19, 2021 by Dustin Moores

On July 8th, the Federal Court ruled in the Office of the Privacy Commissioner’s (OPC) favour in a decision that touched on PIPEDA’s application to search engines and what has become known in privacy law as “the right to be forgotten.” The decision brings clarity on whether search engines like Google, and potentially businesses with similar business models, will be subject to PIPEDA when they handle personal information.

The Backstory

The decision results from a reference filed by the OPC with the Federal Court involving an OPC investigation of Google. The OPC’s investigation began in 2017 after an individual complained to it that news articles Google displayed in its search results contained outdated and inaccurate information and disclosed sensitive information about him. He also complained he had endured direct harm, including physical assault, lost employment opportunities, and severe social stigma, because Google links these articles to his name in search results.

But even before the complaint was launched, the OPC began consultations on whether a right to be forgotten existed in Canada. The result was the OPC’s 2018 draft Position on Online Reputation. In that paper, the OPC stated that Canadians need better tools to help them protect their online reputation, including tools like de-indexing and source takedown. De-indexing is the process by which a webpage, image or other online resource is removed from search results when an individual’s name is entered as the search term. Source takedown means the removal of this content from the internet.

In its draft position, the OPC argues that PIPEDA applies to a search engine’s indexing of web content and displaying of search results, so search engines need to comply with PIPEDA by allowing individuals to challenge the accuracy, completeness, and currency of search results attached to their name. When an individual is successful in their challenge, the OPC argues, the search engine should de-index the inaccurate, incomplete, or outdated results.

PIPEDA also gives individuals a right to withdraw consent and requires that personal information that is no longer needed be destroyed, erased, or made anonymous. The OPC argues this gives individuals the right to remove information they have posted online. If the information was posted by someone else, the individual does not have an unqualified right to remove it, but they should be able to challenge the accuracy, completeness, and currency of the information.

Returning to the complaint, Google responded to it by saying that PIPEDA did not apply to its search engine because it was not a commercial activity within the meaning of PIPEDA (due to constitutional constraints, PIPEDA only regulates the collection, use, and disclosure of personal information in the course of commercial activities). Google also argued that even if its search engine was a commercial activity, it fell under PIPEDA’s exception for organizations who collect, use, or disclose personal information only for a “journalistic” purpose. Lastly, Google submitted that an interpretation of PIPEDA requiring it to delist lawful public content was against its freedom of expression as protected in the Charter of Rights and Freedoms. Without addressing Google’s constitutional argument, the OPC referred Google’s jurisdictional arguments to the Federal Court through the reference process that allows federal offices to refer certain legal questions to the Court.

The Decision

In brief, the issues considered by the Court were:

  1. Does Google’s search engine service collect, use, or disclose personal information in the course of commercial activities when it indexes webpages and provides search results in response to a search for an individual’s name?
  2. Does Google’s search engine service involve the collection, use, or disclosure of personal information for a journalistic, and no other, purpose?

Regarding the first issue — whether Google’s search engine collects, uses, or discloses personal information — this was never really in question. Google collects personal information when its web crawlers access text on public webpages and transmit it to Google’s servers for indexing. It uses personal information to make its search engine as comprehensive and valuable as possible for users and advertisers. And Google discloses personal information through the “snippets” that appear in its search results.

Google attempted to argue, however, that because there was no evidence advertisements appeared alongside search results when searching the complainant’s name, the activity was not commercial in the usual and traditional sense. The Court disagreed. Underlining the popularity and profitability of Google’s search engine and advertising business, the Court noted that even if Google provides free services to content providers and search engine users, it has “a flagrant commercial interest in connecting these two players.” Google users provide Google with personal information when using its search service and Google uses that information for profit. The Court went further stating that “every component of [Google’s search engine] business model is a commercial activity as contemplated by PIPEDA.”

On the second issue, the Court found that Google’s purposes for handling personal information for its search engine are not journalistic, and “certainly not exclusively so.” The Court concluded this after, among other considerations, applying the test introduced in another Federal Court decision used to determine whether an activity should qualify as journalism. According to this test, an activity should qualify as journalism only where:

  • its purpose is to inform the community on issues the community values,
  • it involves an element of original production, and
  • it involves a self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation.

The Court found none of these factors applied to Google. Google makes its information universally accessible (broader than informing a community); it does not “produce,” rather it only displays search results; and Google makes no effort to determine the fairness or accuracy of its search results. Even if there was some journalistic purpose to Google’s activities, the Court found that its primary purpose — to index and present search results — was not journalistic.

What’s Next?

Thanks to this decision, we have more clarity on whether PIPEDA applies to search engines and similar services and the factors courts will look to when making that assessment. We also now have a concrete example of how courts will apply the journalistic activity test, as it was not fully considered in the original Federal Court decision in which it was introduced.

As for Google, unless it appeals the decision, the OPC will continue its investigation and issue a Report of Findings and recommendations likely aligned with its draft Position on Online Reputation. If Google does not implement those recommendations, the OPC could take Google to the Federal Court again in a “de novo” application. In any case, this decision will continue to have important implications on whether Canadians will someday enjoy a legal “right to be forgotten,” and may well be seen as the first step should it come to be.

Filed Under: PIPEDA, Privacy Commissioner of Canada, Right to be forgotten Tagged With: google

CRTC releases latest CASL enforcement highlights

May 13, 2021 by Dustin Moores

The CRTC recently released its CASL enforcement highlights for the period from October 1, 2020, to March 31, 2021.

This period saw the largest CASL penalty issued to an individual — $75,000 — issued to Scott William Brewer for sending upwards of 650,000 unsolicited emails.

The highlights note that the Supreme Court of Canada declined to hear an appeal of CompuFinder’s constitutional challenge to CASL. Recall that the Federal Court of Appeal upheld the law’s constitutionality last June.   

The CRTC’s Spam Reporting Centre has now received over 144,000 complaints – that’s an average of 5560 per week! The highlights contain an interesting breakdown of the sources of spam, the reasons for complaints, and other statistics.

Lastly, the highlights also bring attention to the CRTC’s domestic and international partnerships through which it works to promote anti-spam enforcement.  

The highlights serve as an important reminder to individuals and organizations alike that anti-spam enforcement is alive and well. And for those worried they might have been the subject of one or more of those 144,000 complaints, it’s never too late to start bringing your electronic communications into compliance with CASL!

Filed Under: CASL Tagged With: CASL, CRTC, spam

Sidewalk gridlock: A tale of two (smart) cities

February 28, 2021 by Dustin Moores

“It was the best of times, it was the worst of times” could easily capture the “simultaneous utopia and dystopia” of today’s digital landscape. Smart Cities, cities that employ modern sensor, networking, and big data technologies to “manage and control urban environments in real-time,” are quickly evolving from the theoretical musings of technologists and sci-fi writers to reality. Yet they have been greeted with a mix of public optimism and trepidation. The opportunity for digital transformation is great, but so are the privacy and other risks in the absence of robust governance structures and thoughtful policy decisions. While privacy laws have the potential to provide a helpful framework for grappling with these issues, they need to be understood in their broader social context. Smart cities are, after all, populated by (smart) people who are concerned about a range of social issues. Such is one of the valuable lessons to be gleaned from Sidewalk Labs’ 2017 entry and May 2020 departure from Toronto’s Quayside Smart City initiative. Toronto’s experience stands in contrast to that of the ongoing Smarter London Together initiative (Smart London), which launched in 2018. In this article, we examine the two initiatives through a privacy lens but with a view to broader issues privacy professionals should consider when advising on Smart City initiatives.

Full article here (login required).

Filed Under: Smart Cities

Federal Court of Appeal Weighs In On Canada Anti-Spam Legislation’s Business to Business Exemption, Conspicuous Publication Implied Consent, Unsubscribe Mechanisms

June 9, 2020 by Dustin Moores

On Friday, June 5, 2020, Canada’s Federal Court of Appeal (FCA) handed down its first decision regarding Canada’s Anti-Spam Legislation (CASL, the Act) in 3510395 Canada Inc v Canada (Attorney General). Many will likely know this case as “CompuFinder,” the operating name of 3510395 Canada Inc. The decision tackled some very big issues, namely the constitutionality of CASL itself, as discussed here by my colleague Shaun Brown, but also drilled down into humbler matters, such as the interpretation of CASL’s business to business exemption, “conspicuous publication” implied consent, and the law’s required unsubscribe mechanism for commercial electronic messages (CEMs). This post will focus on some of the practical outcomes of the FCA’s decision relating to these smaller matters. 

As any Canadian marketer will tell you, CASL’s 2014 coming into force led to a mad dash among organizations in this country to bring their email marketing practices into compliance with the law. At the time, the CRTC provided some welcome guidance; however, as with any new law, there were lingering ambiguities as to where the line was drawn between certain compliant and non-compliant practices. In the intervening years, the CRTC has provided further guidance and decisions on CASL, but the FCA’s foray into CASL interpretation brings with it added clarity for lawyers and organizations regarding some of the law’s somewhat fuzzier concepts.

Background 

CompuFinder was the subject of one of the CRTC’s first administrative monetary penalties under CASL, and it was a whopper: $1.1 million for some four violations of the Act (later reduced to $200,000). CompuFinder’s transgressions? It had sent 317 CEMs without the recipients’ consent or without a functioning unsubscribe mechanism as required by CASL (however, it should be noted that an Office of the Privacy Commissioner of Canada investigation suggested CompuFinder was a spammer of much larger proportions than this number suggests). Namely, CompuFinder, a provider of professional training courses, sent unsolicited emails to employees of businesses to whom it had previously provided courses and to certain email addresses it seemed to have gathered from telemarketing, online sources, and third parties. Eighty-seven of the CompuFinder emails cited by the CRTC contained two unsubscribe links, one functioning and one non-functioning.  

CompuFinder submitted representations to the CRTC, arguing that the emails it sent to the employees of its customers were subject to CASL’s “business to business” exemption and that it had individuals’ implied consent for other emails under CASL’s “conspicuous publication” provision. CompuFinder also argued that the functioning unsubscribe links within its emails should have negated the effect of the non-functioning links. The CRTC was unsympathetic to CompuFinder’s representations and upheld the $200,000 penalty. CompuFinder then appealed the CRTC’s decision to the FCA as permitted by Section 27 of CASL. 

What does CASL Say? 

Business-to-Business Exemption

CASL’s “business to business” exemption is found in section 3(a)(ii) of its Electronic Commerce Protection Regulations. Section 3(a)(ii) states that CASL’s general consent requirement does not apply to a CEM that is sent by an employee, representative, consultant or franchisee of an organization to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent. So in order for a CEM sent by an organization to fall into this category, three main conditions must be met:  

  1. the recipient must be an employee, representative, consultant or franchisee of another organization; 
  2. the two organizations must have a relationship; and 
  3. the message must concern the activities of the recipient organization (in other words, must be relevant to the activities of the recipient). 

Sounds easy enough, doesn’t it? But what exactly does it mean for two organizations to have a “relationship”? Is it the same thing as an “existing business relationship” as defined in CASL’s Section 10(10)? And organizations undertake many activities. For example, most organizations perform at least some accounting outside of their core activities, so would it be offside to send a message about accounting courses to an employee at a marketing company? Or conversely, a message about a marketing course to an employee at an accounting company?

Not always so clear-cut, is it?

Implied Consent by Conspicuous Publication 

Section 10(9)(b) of CASL says that a person’s consent to receive CEMs is implied if three conditions are met:  

  1. the recipient must have conspicuously published their electronic address or “caused” it to be conspicuously published; 
  2. where published, the electronic address is not accompanied by a statement that the person does not wish to receive unsolicited CEMs; and 
  3. the message must be relevant to the person’s business, role, functions or duties in a business or official capacity. 

The CRTC has provided some interpretation of this provision in its CASL FAQ. But the “relevance” of a message to a person’s business, role, functions or duties, tends to be somewhat of a subjective judgement call. As discussed below, likely the biggest implication from the FCA’s decision for marketers is its reiteration that the onus is on the sender to provide evidence that the three 10(9)(b) conditions are met.  

Functioning Unsubscribe 

I won’t delve into the specifics of CASL’s mandated unsubscribe mechanism here, but will highlight what the regulations say about the form it must take. Section 3 of the Electronic Commerce Protection Regulations (CRTC) requires the unsubscribe mechanism within a CEM “be set out clearly and prominently” and “be able to be readily performed.” So what happens when the sender includes two unsubscribe links in their CEM, one functioning and one non-functioning? Spoiler alert: the FCA deferred to the CRTC’s judgement on this one, and it wasn’t favourable to CompuFinder. 

Takeaways from the FCA Decision 

The Threshold for Establishing a Business-to-Business Relationship is Higher than that of an Existing Business Relationship 

Just because an organization sells a product or service to another doesn’t entitle it to send CEMs to the purchasing organization’s employees. CompuFinder argued that because certain organizations had purchased its courses in the past, it therefore had a relationship with the organizations’ employees for the purpose of the business-to-business exemption. The FCA deferred to the CRTC’s interpretation here, stating that there was nothing wrong with its determination that “contractual relationships comprehending a very limited number of transactions affecting very few employees do not constitute relationships for the purposes of the business-to-business exemption.” CompuFinder had provided proofs of payment from its customers for single training sessions of one or two employees as evidence of there being a relationship. Evidently, that was just not enough to form a relationship between CompuFinder and the recipient employees who had not purchased courses in the past. 

The threshold for establishing a “relationship” under the business-to-business exemption is higher than that of establishing an existing business relationship. CompuFinder argued that because an “existing business relationship” is defined within CASL, a “relationship” for the purpose of the business-to-business exemption must have a broader scope and be easier to make out. The FCA flatly disagreed, pointing out that while an existing business relationship would allow CompuFinder to send CEMs to the individuals who had paid for its courses, CompuFinder’s interpretation of the business-to-business exemption would allow it to not only send CEMs to those individuals, but to every one of their colleagues as well. In other words, it would open the floodgates to spam, an interpretation squarely at odds with CASL’s purpose. 

Lastly, CompuFinder argued that the CRTC inappropriately read into the business-to-business exemption a requirement that relationships can only be established through employees with authority to bind their organizations. The FCA did not agree. It noted that the CRTC said this might help in establishing evidence of a relationship, but it was neither determinative nor required.  

A Past Similar Purchase or Evidence of Intent to Purchase Can Satisfy Relevance Requirement of Business-to-Business Exemption 

Recall that to qualify for the business-to-business exemption, a CEM must concern the activities of the recipient organization (aka relevance). As the FCA noted, “The required connection between a good or service promoted in a CEM and the activities of the recipient organization will often be established simply by virtue of the relationship between the CEM-sending and receiving organizations, which will typically be based on the provision of that same good or service by the former to the latter.” In this regard, a past purchase or evidence of the recipient’s intention to purchase will likely meet the threshold for establishing relevance.  

If Relying on “Conspicuous Publication” Implied Consent, Be Diligent and Ready to Provide Proof 

The FCA sided with the CRTC’s finding that CompuFinder failed to show that the recipients of its emails had “conspicuously published or caused to be conspicuously published” their email addresses. The CRTC found that emails in a table of addresses provided by CompuFinder as evidence were taken from third-party directory websites that did not indicate whether their content was user-submitted. The takeaway here is that if you collect addresses from online directories, ensure there is a way to document that the corresponding individuals had either submitted the addresses themselves or caused them to be submitted. And don’t forget to make sure there is no disclaimer accompanying the addresses that the corresponding individuals do not wish to receive unsolicited emails (CompuFinder had apparently dropped the ball in that regard as well). 

Job Title Not Necessarily Enough to Establish Relevance to Person’s Business, Role, Functions or Duties for “Conspicuous Publication” Implied Consent 

As evidence of the relevance of its emails to recipients’ business, role, functions, or duties (the third requirement to meet the “Conspicuous Publication” exception), CompuFinder had included recipients’ job titles in its evidence table. The CRTC disagreed this was sufficient to establish relevance, finding that CompuFinder “merely speculated, from recipients’ job titles, what their functions might be, and then assumed that CEMs sent to them were relevant to those functions.” While the FCA did not rule out that job titles could adequately establish relevance in certain cases, it found CompuFinder’s speculative practices fell short.  

The lesson here is that organizations that wish to rely on the “conspicuous publication” exception should be ready to explicitly state the “business, role, functions or duties” of their CEM recipients and be prepared to demonstrate the relevance of the CEMs they send to such business, role, functions, or duties.

Unsubscribe Mechanisms: “Clearly and Prominently” Means Avoiding Obscurity and Confusion  

To meet the “clearly and prominently” requirements for unsubscribe mechanisms, organizations must avoid any elements within CEMs that may create obscurity or confusion around unsubscribe links. In other words, including a non-functioning unsubscribe link, even in the presence of another one that works, is a clear no-go.   

Conclusion 

CompuFinder’s saga is a lesson on the importance of having a diligent CASL compliance strategy in place. Such a strategy must include clearly documenting how consent is obtained and, if relying on the business-to-business exemption or “conspicuous publication” implied consent, evidence of how CEMs are relevant to their recipients. Oh, and don’t forget to clean up those unsubscribe links!

Filed Under: CASL Tagged With: Federal Court of Appeal

Certification Refused in Quebec Equifax Class Action

November 4, 2019 by Dustin Moores

Class action plaintiffs were dealt yet another blow in Quebec recently. In a huge victory for Equifax, the Quebec Superior Court declined to certify the class action brought against it in that province stemming from a massive 2017 data breach.

In his October 21st decision, Justice Donald Bisson stated that the representative plaintiff, Daniel Li, did not establish a right of action nor was he adequately representative of the class he sought to represent.

The Quebec Rules of Civil Procedure list four requirements for class certification:

  1. the claims of the members of the class raise identical, similar or related issues of law or fact;
  2. the facts alleged appear to justify the conclusions sought;
  3. the composition of the class makes it difficult or impracticable to apply the rules for mandates to take part in judicial proceedings on behalf of others or for consolidation of proceedings; and
  4. the class member appointed as representative plaintiff is in a position to properly represent the class members.

Justice Bisson found that Li failed on requirements (2) and (4).

Hypothetical Harm Not Enough

The Court agreed with Li that Equifax had failed to take necessary measures to protect Li’s personal information or prevent it from falling into the hands of third parties without his consent. It also found Li successfully demonstrated a violation of his right to privacy, reputation, and non-disclosure. The problem for Li, however, was proving that he had actually suffered damages. In this respect, the Court found that the facts alleged did not appear to justify the conclusions sought.

The Court grouped the compensatory damages Li sought into three categories: (i) expenses, troubles, and inconveniences arising from the data breach, including the cancellation of credit cards and arranging for credit monitoring, (ii) moral prejudice, and (iii) “other losses”.

Li had not been a victim of identity theft, had not yet paid for credit monitoring, and had not suffered inconveniences like having to cancel credit cards or arrange for credit monitoring. The Court, following its reasoning from Zuckerman v Target Corporation, concluded that the mere risk of Li suffering any of the above was insufficient to sustain his claim. The Court was equally unpersuaded by Li’s claims of “mental distress” and “other losses.”

Strike one.

Punitive Damages Under Quebec Charter Require Intent, Disregard

Li also sought punitive damages on the basis that Equifax had unlawfully interfered with his and other class members’ right to respect for private life and right to non-disclosure of confidential information protected by Quebec’s Charter of Human Rights and Freedoms. Quebec’s Charter allows plaintiffs to seek punitive damages in cases where illicit and intentional conduct leads to a breach of one’s Charter rights.

But Justice Bisson found Li’s statement of claim failed to establish sufficient allegations that Equifax’s conduct merited punitive damages. For a court to award punitive damages under Quebec’s Charter, the person who committed the unlawful interference must have had a state of mind that implies a desire or intent to cause the consequences of the wrongful conduct, or to have acted with full knowledge of the immediate or extremely probable consequences of the conduct. Justice Bisson held that Li’s statement of claim was too light on details to back up such allegations and only stated there was an “unlawful” breach.

Lastly on the subject of punitive damages, Justice Bisson found that the fact there was a settlement in an American class action brought against Equifax for the same data breach did not make a difference to the Quebec class action nor the allegations brought by Li.

Strike two.

No Interest, No Representation

To be certified as a representative plaintiff for a class under Quebec law, three factors are considered:

  • the interest pursued;
  • the representative plaintiff’s competence; and
  • the absence of conflict between the representative plaintiff and the other class members.

While the Court appeared not to take issue with the second and third factors, it found that since Li failed to show he had suffered damages, he had no interest to pursue.

Strike three.

The Takeaway

This case makes clear that claimants in any future data breach class action in Quebec will need to show they have suffered actual damages. Hypotheticals just won’t work. And if seeking punitive damages under Quebec’s Charter, claimants must bring allegations showing intent to bring about the consequences of the bad conduct or a willful disregard of the consequences.

Also of note is that the Quebec action is not necessarily closed, as another plaintiff who has suffered damages could come forward and successfully persuade the Court to certify the class. This occurred in Belley v TD Auto Finance Services Inc. Belley was the second attempt to authorize a class action against TD, following an attempt that failed on similar grounds to Equifax. Belley achieved class certification after bringing an arguable case to the Court that he was the victim of identity theft immediately following TD’s loss of his and other customers’ personal information. It now remains to be seen: is there a Belley-in-waiting for Equifax?

Filed Under: Class Actions Tagged With: Equifax data breach
