Timothy M. Banks

Quebec privacy reform: the business-friendly provisions

June 23, 2020 by Timothy M. Banks Leave a Comment

Quebec’s proposed modernization of its private sector privacy legislation (Quebec Privacy Act) certainly contains a number of additional operationally burdensome demands on enterprises. However, the proposed amendments in Bill 64 contain several pragmatic, or even business-friendly, provisions. These provisions are not as headline grabbing as big administrative monetary penalties or the right to de-indexing / right to erasure. In this post, I review several of the pragmatic and business-friendly provisions that might otherwise be overlooked.

Business contact information is excluded

Section 93(3) of Bill 64 clarifies that the Quebec Privacy Act does not apply to personal information concerning the performance of duties within an enterprise by the individual, including the individual’s name, title, and duties, work address, work email address and work telephone number.

The exclusion of “org chart” and business contact information is entirely sensible and consistent with reasonable expectations. Moreover, Quebec has avoided overthinking this exception. The Quebec approach stands in contrast to the federal Personal Information Protection and Electronic Documents Act (PIPEDA)and Alberta’s Personal Information Protection Act. Under PIPEDA and Alberta PIPA, business contact information is only exempted to the extent it is being used for business contact purposes. That narrow exception is out of touch with reality and overly restrictive given the relative sensitivity of that information.

Data analytics are okay

The Quebec government appears to understand that modern businesses have a legitimate interest in conducting data analytics. Helpfully, section 102 of Bill 64 provides that consent is not required to de-identify data and use that data for research and the preparation of statistics. Moreover, the Quebec government has set a low and reasonable threshold for de-identification for these internal data analytics uses. Information is de-identified if it no longer allows the person concerned to be directly identified.

In section 111 of Bill 64, Quebec also proposes that an organization can retain data indefinitely if it is anonymized. The amendments clarify that information is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly. Information must be anonymized according to generally accepted best practices.

This statutory distinction between de-identification and anonymization is helpful. Moreover, the lower standard of de-identification for internal data analytics comports with business needs and balances the interests of individuals with those of the organizations they do business with.

Outsourcing is okay

The federal Privacy Commissioner has had a hard time coming to grips with how to handle outsourcing under PIPEDA. Unsatisfied with the accountability principle, Commissioner Therrien attempted a short-lived interpretation of PIPEDA that would have required consent to transfer personal information for processing. A hue and cry followed. This episode seems to have been a cautionary tale for those drafting the proposed amendments to the Quebec Privacy Act.

Section 107 of Bill 64 recognizes the reality of outsourcing and supply chains. No consent is required to transfer information to an agent or service provider, provided it is necessary to the performance of that agency or the outsourced services.

Moreover, Quebec has also helpfully clarified that a data processing agreement is required and provided guidance on its minimum content. This is an improvement over PIPEDA. Clause 4.1.3 of Schedule 1 to PIPEDA requires an organization to use contractual or other means to protect personal information when it is transferred to a third party. However, the vagueness of the wording has left privacy-minded organizations in uphill battles with some large SaaS service providers to get data processing agreements in place. The Quebec government is giving these customers a leg-up by requiring that transfers to agents and service providers must be documented in a writing and must specify the measures the agent or service provider must take to protect the confidentiality of the information, to protect the information from unauthorized use, and to ensure the information is deleted after the expiry of the agency or service contract.

Moreover, Quebec is imposing direct obligations on the processor (the direct application of PIPEDA to processors is another contested area under PIPEDA). The agent or service provider must notify the client “without delay” of any violation or attempted violation of the obligation of confidentiality and allow for verification relating to confidentiality requirements.

These provisions should help take the wind out of arguments about whether a service provider needs to permit some kind of audit right. These provisions also clarify that service providers must notify their clients of security breaches – something altogether missed in PIPEDA. Unfortunately, the extension of notification requirements to “attempted violation” of confidentiality obligations is too broad. It will be interesting to see if this wording gets modified, since on any particular day, a SaaS provider fends off many, many “attempts”.

Commercial transactions

Quebec is taking steps to catch up with the rest of Canada regarding transfers of personal information as part of a commercial transaction. In section 107 of Bill 64, the Quebec government proposes amendments that permit the transfer personal information as part of a commercial transaction without consent. The party transferring the personal information and the recipient to have an agreement in place that requires the recipient to use the information only for concluding the commercial transaction, to not further disclose the information, to protect the information, and to destroy the information if the transaction is not completed. If the transaction is completed, the recipient must notify the individual if the recipient wants to continue to be able to use the personal information.

Unfortunately, the definition of commercial transaction is limited to transfers of ownership of all or part of a business. However, this provision is likely to have mergers and acquisitions rejoicing that there is now at least a process for transferring personal information.

Most importantly, the Quebec government is not placing unnecessary restrictions on the use of this commercial transaction provision as is the case under PIPEDA. Under PIPEDA the exception to consent does not apply to a transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information. Quebec clearly understands that the most valuable asset a business might have is its customer list.

Conclusion Bill 64 has a ways to go before becoming law. Any of these provisions could change in substantive and material ways. However, these more business-friendly provisions demonstrate that balancing privacy protections for individuals can be blended with pragmatic provisions that do not require over-reliance on consent in order to provide a framework for responsible business practices.

Court agrees class actions necessary to enforce PIPEDA

October 28, 2019 by Timothy M. Banks Leave a Comment

The Ontario Superior Court of Justice recently approved a class action settlement involving a case that arose out of an insurer’s practice of conducting credit checks on claimants for accident benefits. The procedural history of the case is interesting and suggests a possible roadmap for other class proceedings. What is also interesting is the court’s statement that the limited powers of the Office of the Privacy Commissioner of Canada (OPC) are a reason why class actions are important tool for behavioural modification to encourage compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). Justice Glustein stated:

[88] Behavioural modification is a key objective of the Settlement Agreement. If systemic PIPEDA privacy breaches are not rectified by a class procedure, it is not clear what incentive large insurers and others will have to avoid overcollection of information. While the Privacy Commissioner may encourage or require changes to future practices, it has very limited powers to enforce compliance through strong regulatory penalties (see s. 28 of PIPEDA).
Haikola v. The Personal Insurance Company, 2019 ONSC 5982 at para. 88

Procedural History

After a car accident, the plaintiff, Kalevi Haikola, made a claim for accident benefits from his insurer, the Personal Insurance Company. An adjuster from the Personal Insurance Company contacted Haikola and asked for his consent to conduct a credit check. Haikola agreed, allegedly fearing that refusing to permit the credit check might affect his claim. According to the court’s findings, Haikola repeatedly sought answers about why a credit check was necessary but did not obtain a satisfactory answer. So, Haikola complained to the OPC, who found that the Personal Insurance Company was using these credit checks as part of a fraud detection model. In PIPEDA Report of Findings #2017-003, the OPC determined that Haikola’s complaint was well-founded. The OPC concluded that the Personal Insurance Company was unable to justify the use of the credit score and had failed to obtain meaningful consent.

Although the Personal Insurance Company undertook to cease the practice of conducting credit checks, Haikola was not satisfied. Section 14 of the PIPEDA permits individuals to bring an application to Federal Court for a remedy once the OPC renders a decision with respect to an investigation. However, instead of bringing an individual claim, Haikola sought to use section 14 to bring a class action against the Personal Insurance Company. The Personal Insurance Company argued that section 14 could not be used in this way and took the position that the Federal Court could not certify a class action.

Settlement

Haikola and the Personal Insurance Company entered into settlement discussions and, after a mediation, agreed to a settlement in which the Personal Insurance Company would pay an amount of $2,250,000. After taking into account proposed class action counsel fees, the court estimated that the value of the settlement for each affected individual would range between $150 – $180 depending on the take-up by class members.

As part of the settlement Haikola agreed to discontinue the proceeding in Federal Court and commence a class proceeding before the Ontario Superior Court of Justice. This avoided the necessity of determining the jurisdictional question regarding whether the Federal Court could certify a class proceeding. Because the Ontario Superior Court of Justice does not have jurisdiction to hear an application under section 14 of PIPEDA, the answer was to plead the breach of an implied contractual term that the Personal Insurance Company would comply with PIPEDA. Having allegedly failed to do so, Haikola and the class would be entitled to at least a nominal damages award. But a nominal damages award can certainly add up when there are 8,525 affected individuals.

Takeaways

The Ontario court was very receptive to the use of class proceedings to enforce PIPEDA. It was debatable whether or not the claim of an implied term would have been successful had there been a trial. However, Justice Glustein noted that there were reasons why a class proceeding might be preferable than individual complaints to the OPC followed by individual Federal Court actions for a remedy.

Glustein J. found that the likely small damages award hardly justified class members jumping through the hurdles created by PIPEDA. As Haikola’s case itself showed, an individual had to launch a complaint, wait for the OPC to investigate, obtain a report of findings from the OPC and then go to the Federal Court. Indeed, it took the OPC a few months shy of 3 years to issue a final Report of Findings. (Yes, you read that correctly – nearly 3 years! – even though s. 13(1) PIPEDA says that the Commissioner must issue a Report of Findings in 1 year.)

Even with a successful report of findings, the individual would then have to start all over again in Federal Court. As Glustein J. noted, the Federal Court would then conduct a hearing de novo, meaning that the complainant would have to convince the court that the OPC was correct and there was a violation of PIPEDA – all for a small damage award.

The whole set up of PIPEDA was not, in the court’s judgment, designed to achieve individual remedies for systemic breaches.

Look for more cases in which plaintiffs claim breaches of an implied term to comply with PIPEDA in order to avoid the OPC complaints and section 14 process under PIPEDA.

OPC wins again in Google right to de-indexing case

August 19, 2019 by Timothy M. Banks Leave a Comment

The Office of the Privacy Commissioner’s Reference before the Federal Court to determine whether Google is subject to the Personal Information Protection and Electronic Documents Act has passed another procedural milestone. Once again, the OPC can claim victory.

Google and media try to expand Reference

The OPC brought the reference in 2018 to ask the Federal Court to determine whether PIPEDA applies to Google when Google indexes webpages and presents search results in response to searches of an individual’s name. In essence, the question is whether Google is engaged in a form of commercial activity (otherwise PIPEDA does not apply). Google says it is not. The Reference also asks whether Google is exempt from PIPEDA because it involves the collection, use or disclosure of personal information for journalistic, artistic or literary purposes (and no other purposes). Google says it is.

Google countered the OPC’s move by attempting to expand the scope of the Reference to consider the application of the Canadian Charter of Rights and Freedoms. In particular, Google wanted the court to consider whether the application of PIPEDA to Google search would infringe section 2(b) of the Charter – freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication. Google claims that the mere application of PIPEDA to Google search would breach its right to free speech. In essence, Google claims a special zone of operation for Google search – free from the constraints of privacy laws. Google was joined by media parties who wanted to intervene to make this argument.

Federal Court twice shuts down Google and media request

On July 22, 2019, Associate Chief Justice Jocelyne Gagné released her reasons dismissing appeals that Google and certain news media had launched from orders of Prothonotary Mireille Tabib. Prothonotary Tabib had rejected the news media’s request to intervene and had dismissed Google’s attempt to broaden the reference.

In confirming Prothonotary Tabib’s orders, Justice Gagné concluded that the premise of Google’s argument regarding freedom of expression rested on the assumption that PIPEDA applied to Google search. However, that was the very question to be determined by the court. Moreover, even if PIPEDA did apply, the question of how it would apply would depend on particular facts. Justice Gagné called Google’s bluff. If Google really thought that the very hint of application of PIPEDA to Google search rendered PIPEDA unconstitutional, why, she asked, hadn’t Google just brought an application seeking a declaration of invalidity of PIPEDA?

With the expanded scope of the Reference off the table, the news media remain shut out of the Reference.

Federal Update: Can the Government Push Through Legislative Reform?

May 14, 2019 by Timothy M. Banks Leave a Comment

Prime Minister Justin Trudeau took the opportunity while he was attending a technology conference in Paris to announce that his government intends to unveil a “digital charter” soon. The digital charter will apparently hold social media companies to account and include potential monetary penalties. The 2019 Budget in March also mentioned cybersecurity legislation.

However, with four weeks left before the House of Commons starts its summer recess followed by a fall election, Prime Minister Trudeau is racing the clock to get anything new accomplished. There are a number of important Bills that remain before Parliament and that are at risk of dying on the order paper if the Trudeau government cannot get them passed before Parliament dissolves. Some of these Bills relate to 2015 election promises. Can the government get those Bills passed before getting distracted by the 2019 campaign?

Modernizing the Access to Information Act

During the 2015 election campaign, Prime Minister Trudeau promised to modernize Canada’s Access to Information Act. The government introduced Bill C-58 in June 2017. This legislation would be the first phase in overhauling the federal access to information regime. The Bill includes new powers for the Information Commissioner. If passed, the Commissioner would be able to make orders requiring government institutions to produce records sought by a requester or requiring the government institution to reconsider its decision. In the course of conducting an investigation of a complaint, the Commissioner would also be able to review records over which the government institution claimed privilege. The Commissioner could also begin publishing her orders.

Bill C-58 has passed the Senate, but the Senate made a number of significant amendments to the Bill. As a result, the Bill will be back before the House of Commons. Most of the amendments should not be controversial to the government. Indeed, some of the amendments, such as changes to the level of detail required in an access request were recommended by the government itself. The one exception are the amendments to the provisions relating to judges. The amendments weaken the Bill because now only anonymized expenses for judges need to be disclosed; however, it would be surprising if this became a sticking point of the government.

Meaningful reform of the Access to Information Act is close. The Trudeau government will need to stay focused and not chase new policy initiatives in the waning days before the summer recess in order to get the job done.

National Security

Bill C-59, the National Security Act was supposed to be the Liberal government’s attempt to make good on a campaign promise to overhaul Bill C-51, the Anti-terrorism Act, 2015, which had been passed by the former Conservative government. Concerns regarding security intelligence oversight and information sharing were heightened following a 2016 court decision that revealed unauthorized retention and use of metadata by the Canadian Security Intelligence Service that was collected and retained as a by-product of its investigations and subsequently mined for intelligence services. Bill C-59 would legitimize this type of data collection and use but would subject this data collection, retention and mining to greater oversight.

Even though Bill C-59 was introduced in June 2017, it has not yet been passed. On May 15, 2019, the Senate Standing Committee on National Security and defence issued its Report and recommended four amendments to the Bill.

The first amendment has to do with the powers of the Intelligence Commissioner. The Intelligence Commissioner Act, which is part of Bill C-59, creates the role of the Intelligence Commissioner. Under section 13 of the Act, the Intelligence Commissioner has an obligation to review, among other things, the basis on which a foreign intelligence authorization is issued by the Minister of National Defence. A foreign intelligence authorization could permit the Canadian Security Establishment to hack and disrupt global information infrastructure. If the Commissioner found the basis for the authorization to be reasonable, the Commissioner could approve it. The Senate Committee proposes an amendment to permit the Commissioner to require the Minister to reconsider the authorization if the Commissioner concludes that the basis for the authorization was unreasonable.

Bill C-59 would also amend the Criminal Code with respect to certain terrorist related offences. The Senate Committee recommended changes to broaden what would be covered by the offence of “counselling commission of a terrorist related offence” to clarify that the offence did not require that the offence actually be committed or that the person counselling the offence even knows the person being encouraged to engage in terrorism.

The Senate Committee also wants to shorten the timeframe for when the government would be required to review the new legislation enacted under Bill C-59. The government was to review the legislation in 6 years. The Senate wants that reduced to 4 years. Finally, the Senate Committee wants Ministerial Directions with respect to avoiding complicity in mistreatment by foreign entities to be scheduled to the Act.

The Senate must still accept and vote on the amendments proposed by the Committee. If approved, Bill C-59 will have to make its way back to the House of Commons and find its way back onto a busy legislative agenda.

National Cybersecurity Standards

In a surprise announcement on December 14, 2018, Public Safety and Emergency Preparedness Minister Ralph Goodale told an audience at the Empire Club that federal regulation on cybersecurity would be imminent. The Minister is reported to have suggested that the government would be introducing new legislation to lay out corporate and business responsibilities to prevent cyber attacks.

On March 19, 2019 the Federal Budget revealed that the Government intends to propose new legislation and make necessary amendments to existing federal legislation in order to introduce a new critical cyber systems framework. The mammoth omnibus Bill C-97 that would implement many of the budget measures did not contain any specific cyber security provisions.

Will the cybersecurity strategy be folded into the “digital charter” that Prime Minister Trudeau hinted at? If legislation is coming, there doesn’t seem to be much time to get anything done before the summer break.

New Digital Charter – Spin or Substance?

The federal Privacy Commissioner, Daniel Therrien, has been a vocal critic of the government for failing to provide his office with more powers. Indeed, recently the Commissioner highlighted deficiencies in his powers when he released a Report of Findings with respect to Facebook and the “thisisyourdigitallife” app that was part of the Cambridge Analytica scandal. We’ll have to wait to see what the “digital charter” involves. But, for the moment, it looks like this might well just be spin. This close to the end of the government’s first term, it is hard to believe that we would see any significant new legislation enacted. More consultation, anyone?

Smart City Challenge Winners and Governance Innovation

May 1, 2019 by Timothy M. Banks Leave a Comment

On May 14, 2019, Infrastructure Canada announced four winners of the Canadian Smart Cities Challenge. Each of the winners recognized that new models of governance might be required to address issues of privacy and civic engagement and control. Although short on details at this stage, the winners each believe that their projects will need to develop new governance models to address the challenges of data in smart cities.

Do public-private partnerships require giving up control?

The Town of Bridgewater wants to tackle “energy poverty” in its community with its $5 million ward. Energy poverty is the inability to meet basic energy and transportation needs. Although Bridgewater received the smallest award, it also asked a critical question: “How can the Town remain the decision maker about data usage in public-private partnerships or in data-driven projects that impact the common good?” Too often, the debate begins with a belief in the “inevitability” of the municipal authority having to give up control. Bridgewater doesn’t have the answer yet, but at least it is asking the question.

Is open data always the right approach?

The impact of open data on vulnerable populations was front-and-centre for the Nunavut Association of Municipalities who won $10 million. Nunavut noted that the Inuit are the most studied Indigenous peoples on earth; frequently without free and informed consent.

Nunavut’s proposal considers “Inuit data sovereignty” to be a critical part of privacy and data governance. The proposal involves the establishment of a new non-profit entity that would serve 25 participating hamlets to increase “the amount and accessibility of life promoting activities, resources and support systems like peer networks, educational initiatives and creative outlets”. A core feature of the proposal is the creation of a digital platform.

The proposal states that at a minimum, each community participating in the program would have control and oversight about how the data from the community is used. Part of the project will include a detailed framework “that outlines clear protocols with respect to indigenous intellectual property rights, which identify the consents required to access and use high-value cultural information.”

Is a “data utility” the answer for smart city governance?

The City of Guelph & Wellington County won a $10 million award. Guelph/Wellington proposes to become Canada’s first technology-enabled “circular foot economy”. One of Guelph/Wellington’s initiatives is establishing a “data utility”. The “data utility” would be operated as a public trust. The data utility would be underpinned by a data collaboration platform to provide access to the data. Guelph/Wellington is leaving all options on the table for whether a new institution is required to govern the data utility or whether it can be housed within existing trusted institutions.

Is digital governance of urban data a proper extension of municipal governance?

The grand prize of $50 million went to the City of Montreal. Montreal’s bid focused on mobility and access to fresh local food for vulnerable populations. Interestingly, Montreal expressly stated that it considers digital governance as an extension of municipal governance. However, Montreal recognizes new regulations might be required to embed principles of good data governance in operational models that service the public interest. The City will work with the Montreal Urban Innovation Laboratory, which will engage experts and the public to research new governance methods.

More than just technology

The Smart Cities Challenge may provide to be important not only for the technologies that are developed but also for regulatory experimentation that will accompany these initiatives. Each of the winners believe that new governance structures are required. All seem to believe that the choice of governance structure will need to be determined through a process of public engagement and iteration.