The Canadian Privacy Cases of 2014
As we move more into 2015, I thought I’d put together my own list of the more interesting Canadian privacy cases of 2014. These are judicial decisions so there’s no Commissioner findings or orders here. Some of these I’ve blogged about; others I’ve simply noted for future reference. I’ve not seen a similar list so feel free to debate my choices and the order I’ve placed them.
10. R. v. Colbourne is a case where the defendant, a hospital employee, violated Newfoundland’s Personal Health Information Act in accessing patient files (1,043 of them!). This is the first conviction under that statute. With a guilty plea and fine, there’s no decision but there is a press report here. This is one of the few instances in Canada of a criminal conviction concerning unauthorized access to personal health information. Fear of losing money should serve as good motivation to stop “snooping” on patients.
9. Bernard v Canada concerns the intersection of union rights with the privacy interests of “Rand formula” employees. In a story with a long and tortured history, the Public Service Labour Relations Board had determined that the government had to provide home contact information of bargaining unit members to the union. Ms Bernard didn’t want that to happen. This 2-1 decision concluded that the Board’s finding was reasonable in finding that the provision of a home address was “a necessary incident” of the union’s representational obligations. In that context, there can be no reasonable expectation of privacy in that information.
8. Consent means consent in Royal Bank of Canada v. Trang. This decision highlights the balancing of interests required under PIPEDA between individual wants and organizational needs. All the more interesting is the Bank should have made a motion for the production of information (here a mortgage discharge statement) under Ontario’s civil procedure rules as opposed to simply seeking production with no legal basis to do so.
7. R v. Godbout is a BC case concerning privacy rights in the contents of delivered packages. The court found no Charter violation because the sender had contractually authorized the inspection of the package both by the courier company and government authorities. As a result, the addressee was found to have no reasonable expectation of privacy. The case suggests the contractual waiver is sufficient to lose privacy interests but can one really sign away Charter rights? Especially if you didn’t sign the shipping contract in the first place. Or is this more a case of everyone runs the risk of inspection so one can’t expect privacy in delivered packages?
6. Hopkins v. Kay concerns a motion to dismiss a class action involving the disclosure of personal health information at a hospital in Peterborough. The argument was simply that Ontario had a regime in place in PHIPA to deal with privacy violations. Can the common law tort of intrusion upon seclusion be used if there’s a statutory regime already in place? The motions judge shrewdly decided that there was a legitimate issue here – one significant enough that it should be dealt with not by a motions judge but rather the Court of Appeal.
5. The “right to be forgotten” and the role of search engines is a hot topic these days. In that context, is it right to require search engines to enforce court decisions? While it didn’t attract much attention, that concept has already been applied in Canada in the BC decision of Equiteck v. Jack. The defendants were prohibited from carrying on business through any website. Google – a non-party — voluntarily complied with the plaintiffs’ request to remove specific uniform resource locations (“URLs”) from its Google.ca search results but was unwilling to block the URLs from its search results worldwide. Following an extensive analysis, the court issued an interim injunction to require Google to do just that.
4. Do those who download copyrighted material from the Internet have a right to privacy? Can their ISP provide their contact information to the copyright owner? This question came up in Voltage Pictures LLC v. John Doe. The ISP in this instance, Teksavvy, was a non-party from which the plaintiff sought the production of names, addresses and IP addresses. In a “privacy vs. IP” case, IP won.
3. Can wiretaps authorized as part of a criminal investigation be disclosed in the discovery process of a civil case? Imperial Oil v. Jacques addressed this question. In a class action involving the fixing of gas prices in Québec, the respondents sought the disclosure of wiretap recordings that had already been disclosed to the accused appellants but not introduced and accepted in court in parallel criminal proceedings. The Superior Court agreed, subject to specific conditions to protect the privacy of third parties. Québec’s Court of Appeal saw no reason to disagree nor did the Supreme Court of Canada. Madame Justice Abella, in dissent, argued that “such communications can only be disclosed in a civil case where they have already been made public in a criminal trial, or where the targets of the interception have either consented to the disclosure or otherwise waived their privacy interests.”
2. Mobile phones and privacy were highlighted in the decision of R. v. Fearon. Can the police search such phones under the common law power to “search incident to a lawful arrest”. The Supreme Court of Canada said yes, with some constraints being added. It is important to consider that the majority decision also noted that such phones are gateways to our personal world and such searches have the potential to be significant invasions of privacy.
1. In my view, the most significant case of the year is R. v. Spencer. Here the police obtained ISP subscriber information associated with an IP address without prior judicial authorization. Upon appeal, the Supreme Court of Canada decided that (i) Canadians have a reasonable expectation of privacy in their use of the Internet; (ii) a police investigation does not, in and of itself, constitute “lawful authority” to obtain personal information without a warrant; and (iii) a police request to an ISP to voluntarily disclose customer information is a “search” under the Charter.