You may recall that FATCA essentially requires Canadian financial institutions to submit filings about U.S. citizens with “reportable accounts” to the U.S. Internal Revenue Service. There really isn’t a PIPEDA exception that fits the fact scenario and institutions were looking at either obtaining consent (and the problem of what to do if they did not receive it) or some other workaround. According to press and other reports (see this Credit Union Central newsletter for details), the workaround appears to be Canadian reporting requirement and an intergovernmental agreement whereby “[i]nformation will be reported to the CRA, not the American IRS. The CRA will then turn the information over to the IRS.”  Reporting to the government pursuant to a law would eliminate the need for consent since arguably s. 7(3)(i) of PIPEDA would permit disclosure without consent.

What the government does with it is governed by the Privacy Act and given the broad exceptions in that statute, an intergovernmental agreement is likely to suffice to permit disclosure to the American IRS. Another blow to privacy but, in this day and age, the concept of financial privacy from tax authorities may well be going the way of the dodo.

The letter? It came to me via the office of Elizabeth May. I am not affiliated with the Green Party (but was a classmate of Ms. May’s at Dalhousie). Her office staff may have seen the previous posts and thought I’d be interested. I was. Peter Hogg, a well-regarded constitutional law expert, acting in a personal capacity, wrote the letter to the Department of Finance in response to a call for submissions. You can find it here.

While my previous posts wrote about the PIPEDA-related privacy aspects of FATCA compliance and were written before an inter-governmental agreement (“IGA”) was a gleam in anyone’s eye, Mr. Hogg addresses the IGA in the context of the Charter of Rights and Freedoms(“Charter”). In doing so, he based his comments on the American model FATCA IGA and how the procedures may result in a violation of the Charter’s equality section (s. 15) and raises the specter of liberty and privacy violations (sections 7 and 8). His view is that discrimination based on citizenship would be a Charter violation and his preferred approach is to limit reporting to US residents, which likely would not violate s. 15. All in all, the letter is an informative read and I recommend readers to have a look at it.

It will be interesting to see if the eventual form of the IGA heeds Mr. Hogg’s advice or plunges the Canadian government into the proverbial constitutional fire.

The short answer is: I’m not sure. I cannot help but think that there was some confusion as to the difference between “controls” and “objectives”.

Usually, “controls” can be considered as “means” and “objectives” as “ends” as in “means to an end”. For example, an organization asserts that it complies with applicable privacy laws. To determine whether this assertion is true, an auditor will tell you that an objective (sometimes referred to as a “control objective”) is a specific “target” used to evaluate the effectiveness of one or more controls. Privacy controls include the administrative, technical, and physical safeguards employed within organizations to protect personal information. If the organization meets the target(s) based on the controls or criteria, one can have a reasonable assurance that the risk of an error or omission related to that assertion is low or that an error can detected by controls on a timely basis.

In contrast, a deficiency exists when the design or operation of a control prevents an organization, in the normal course of business, from meeting its assertion-related targets. Minimize your deficiencies and, if you’ll allow the use of an idiom, one runs a “pretty tight ship”. Perhaps not the most elegant of explanations but I suspect I’ve already outraged auditors with this attempt to explain audit controls as simply as possible.

What NIST has done, in Appendix J of Security and Privacy Controls for Federal Information Systems and Organizations (Rev 4)  is to attempt to “provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce privacy requirements deriving from federal legislation, policies, regulations, directives, standards, and guidance”.

While the concepts in these “privacy controls” are intended for public sector institutions there are some useful ideas that should be considered for private sector organizations. However, they are “best practices” and could be considered more as policy statements. There are eight “families” of controls and much of the list will be familiar to anyone who has had to implement a privacy program in Canada.

As you go through the NIST Appendix containing the privacy controls, one might reasonably characterize them as objectives as opposed to controls. For example, the NIST document describes one control involving contractors: The organization “includes privacy requirements in contracts and other acquisition-related documents.” The presence of a set of standard contractual provisions to be included in contracts, whether “as is” or customized, would seem more like a control than a requirement to include such language in contracts – something that strikes me as more of an objective. An “objective” might be to obtain consent for the processing of personal information. A “control” would be a consent form signed by the subject individual filed and/or logged. Interestingly, when one looks at the security controls described in Appendix H, one finds more granular, operational requirements with different verbs and more specific requirements.

I suppose this could be a difference of opinion as to terminology but one can easily find organizations that can have NIST-like “controls” but fail to adequately protect personal information because they have not been translated into operational practices. How many private sector organizations out there have a privacy policy and little else? A lot more than there should be.

I asked a privacy colleague, John Wunderlich, for his thoughts on the subject of privacy audits and he responded with what I consider a rather precise and pithy comment: “if one has built a privacy program ‘properly’ using control objectives AND with processes in place to ensure that controls are in place and operating properly, then the reports/metrics/assurances flowing from such a program would provide the material basis for an audit to verify the same.”

In terms of accountability and moving beyond the NIST document, a privacy audit should provide the assurance that measures are in place to protect personal information – recognizing at all times that it is a risk-based exercise – rather than simply indicate that a “privacy program” is in place.

I’ve blogged about Cole here when the Court of Appeal decision came out. With the SCC decision, my initial view hasn’t changed but I do think the waters have been muddied to a certain degree.

To recap Cole briefly, a high school teacher was charged with possession of child pornography. The key factual aspects involved the handling of Cole’s employer-issued laptop. During maintenance activities, a school technician found the offending photographs and copied the laptop’s temporary Internet files onto a disc. The laptop and discs were provided to the police who then forensically created a mirror image of the laptop’s hard drive.

At issue at each level of trial and appeal was police conduct and whether there was a violation of Mr. Cole’s Charter rights under s. 8. At trial, all the computer material were excluded; on appeal, most of the material was excluded; at the SCC, the court found that there was a s. 8 violation but that it was “not high on the scale of seriousness” [para. 97] and ruled that exclusion of the evidence would bring the administration of justice into disrepute.

While the end result is the admissibility of all the evidence, the SCC nonetheless found that Mr. Cole had a real but diminished expectation of privacy. This finding is what has garnered the most attention.  I still think an important consideration is that this was a Charter case about police conduct. Granted the conduct was not considered egregious in this context but it was still a Charter breach. What I did note and what appears to have gotten lost, is the SCC’s comments as to the employer’s conduct and their implications for any expectation of privacy.

Mr. Justice Fish wrote: 

“…The principal had a statutory duty to maintain a safe school environment (Education Act, R.S.O. 1990, c. E.2, s. 265), and, by necessary implication, a reasonable power to seize and search a school-board-issued laptop if the principal believed on reasonable grounds that the hard drive contained compromising photographs of a student…I likewise agree with the Court of Appeal that other school board officials had the same implied powers of search and seizure as the principal (paras. 62-63).”

It was also noted that the Court of Appeal found that the employer’s seizure of the laptop did not violate s. 8 (i.e. any expectation of privacy). Finally, as Mr. Justice Fish succinctly stated:

 ”I leave for another day the finer points of an employer’s right to monitor computers issued to employees.” [para. 60]

So as between employers and employees, one should not read expectations of privacy into Cole. Vis-á-vis computers, such expectations may well exist but not from anything said in Cole. For now, when we speak of workplace privacy interests, employers often have a greater degree of control in order to better meet its responsibility to protect other employees. One need only look at Poliquin v. Devon Canada Corporation to see this starkly stated.

Poliquin was an appeal of a dismissed summary judgment application by an employer in a wrongful dismissal case. The Alberta Court of Appeal determined that the case had no merit and stated a rather strong view on the subject of computer-related expectations of privacy in the workplace:

“Employers have the right to set the ethical, professional and operational standards for their workplaces. Doing so not only falls within an employer’s management rights, it also constitutes an integral component of corporate good governance. The workplace is not an employee’s home; and employees have no reasonable expectation of privacy in their workplace computers. It therefore follows that while employers may permit employees limited personal use of workplace computers, the employer is entitled to restrict the terms and conditions on which that use may be permitted.”

Cole did nothing to displace this view.

So why do I think the waters may be muddied? Two reasons. First, this view of Cole may well find its way into arbitral decisions on computer-related expectations of privacy  A lot of the law surrounding employee privacy comes from such sources – especially in a labour context. Second, courts may apply Cole in different contexts that buttress this mistaken conclusion. One need only look at Communications, Energy and Paperworkers Union, Local 707 v. Suncor Energy Inc. where the Alberta Court of Appeal — in the context of drug testing — recently stated:

“…Suncor also argued that the level of intrusion on workers would be minor in light of the nature of the testing process, and that workers already faced other measures and were liable to testing for similar albeit more situation-specific reasons. This argument of Suncor was also related to the concept of the “reasonable expectation” of workers as to privacy on the work site. As of the date these reasons were completed, the Supreme Court affirmed that employees do not completely lose their expectation of privacy at a work place: R v Cole…”

What should employers do on this subject of expectations of privacy in employer-owned computers? Before reading too much into Cole, I suggest waiting for Mr. Justice Fish’s “another day”.

“Telematics” refers to the merger of telecommunications technology and infomatics. You might have seen ads from insurance companies offering rate discounts in exchange for driving habit information provided using telematic devices. I raise the subject because of recent reports that the use of vehicle telematics triggered an investigation that resulted in the firing of 29 employees.

According to this Globe and Mail report, City of Hamilton management began to suspect something when they examined the GPS records of city vehicles and found asphalt repair crews in places they were not supposed to be. This led to surveillance and the eventual discovery of the offending conduct. If the union challenges the mass dismissal it will be interesting to see if a privacy argument gets raised.

Privacy and telematics has been addressed periodically by Privacy Commissioners in Canada. While these decisions acknowledge a degree of “privacy invasiveness”, at the heart of the cases is a concern about the use of telematic information for employee monitoring and evaluation. Not to suggest that employers have crossed into surveillance territory but it appears in using telematics one can certainly see the border.

Telematics in Pictures
Source: L. Collins, Zurich Services, Presentation, 28 November 2012

At the federal level, Case Summary 2006-351 was the first instance where the use of telematics was challenged under PIPEDA. In that case, several employees of a telecommunications company complained about the installation of GPS in their work vehicles, alleging improper collection of personal information (i.e. their daily movements during work hours) and a failure to obtain consent.  The company’s position was that the GPS information related to a vehicle, not a particular individual, but acknowledged that GPS enhances a manager’s ability to learn the whereabouts of employees and to monitor certain aspects of their use of company vehicles. It viewed this as no different than in an office setting and claimed it was not an invasion of privacy.

The company indicated a number of purposes for installing GPS: the need to remain competitive, workforce productivity, safety, and asset protection and management.  The Assistant Commissioner sagely noted that another purpose, though not explicitly stated, was employee management. She nonetheless accepted most of the company’s purposes for collecting and using personal information gathered by GPS and found that implied consent was present for these purposes. Of note in the Finding:

There is no question that, generally speaking, there is some loss of privacy attached to the use of GPS in a vehicle that an employee uses in the course of carrying out his or her duties.  Whereas before, the employee’s whereabouts at any given moment were not necessarily known, with GPS they are, relatively speaking.  At least what is known is the location of the vehicle the employee is using…

While using GPS to track a vehicle is not overly privacy invasive, routinely evaluating worker performance based on assumptions draw from GPS information impinges on individual privacy.

The issue arose again in Case Summary 2009-011 with the same result. Here, the complainant was a driver employed by a contractor to provide door-to-door transportation services on behalf of a municipality to mobility-impaired residents. When the city began using a GPS coupled with a Mobile Data Terminal (MDT) on vehicles operated by the contractor, the complainant alleged the improper collection of personal information for job efficiency purposes. While personal information was collected, the complaint failed on the basis that the employees had provided an implied consent and there was no evidence that the MDT/GPS system was used for employee management.

The most recent and extensive discussion of the subject of privacy and telematics can be seen in Order P12-01, Schindler Elevator Corporation, issued by the Privacy Commissioner in British Columbia in December 2012. The facts are simple (i.e. the installation of telematic equipment) and the arguments are essentially the same as made at the federal level.  Towards the end of a lengthy and detailed Order, Commissioner Denham concluded:

In any event, I am not persuaded that any offence to the dignity of employees tips the scales against Schindler. I say this given the nature of the data being collected and the rules under which information is accessed and used by Schindler. I am particularly influenced by the fact that the GPS-derived location information is not continuously monitored. If an organization were to engage in continuous, real-time monitoring of employees’ whereabouts, during or outside work hours, for employment management purposes, I would want to look very carefully at the situation. 

Having considered these factors and the circumstances of this case overall, I am persuaded that Schindler’s collection and use of employee personal information for the purposes, and in the manner, described above is reasonable and is authorized under PIPA.

So the use of telematics, within reason, is permissible and reconcilable with Canadian privacy law. However, there’s not a lot of specific guidance as to how best to use telematics. It would seem that “mixed use” (i.e. personal as well as work use permitted) is an area of where an express employee consent would be desirable and with some mechanism to disable the monitoring at the employee’s option. (Doing so during working hours clearly being a red flag for employers). It’s also likely that where there may be a legal obligation to monitor vehicles, this would likely override any issues with respect to the collection of personal information.

Claiming telematics is “about the vehicle” clearly does not go very far these days so a more sophisticated policy approach is required. Given the attention it received in Schindler, it would also seem a GPS or Telematics Policy is also a necessity to provide the necessary notice and indicate the parameters surrounding the monitoring. While this may or may not involve an acknowledgement, some evidence should exist to ensure that the employees are aware of the policy.

Enormously pleased…

Cannot tell you how pleased…

To finally be able to say that the book manuscript has been submitted to the publisher earlier this week. Talk about something consuming an incredible amount of time and energy. I’m informed by the good folks at LexisNexis that The Law of Privacy will likely see the light of day in May.

All of this means that our regularly scheduled blogging program will resume next week.

I know I’ve not posted to this blog in what seems like an age. My explanation is two-fold. First, I’m working on a book on privacy law in Canada for Lexis Nexis. Between a very busy practice and that book, the blog…well, let’s just say it moved down in priority this year. Second, there didn’t seem to be much interesting (at least to me) to write about in the spring. That’s changed a bit this fall (think R. v. Cole for example) so I’m casting about for suitable topics and eventually plan to return to this blog.

The stats show a continued interest by those looking for privacy-related topics and I finally decided to get around to letting people know it hasn’t been abandoned. Hopefully, this is an efficient mea culpa, apology and explanation all rolled into one. Thank you for visiting.

As for the facts, Antoine Jones drove around Washington, DC and Maryland in a Jeep with a small GPS tracker installed on the vehicle and monitored over a 28-day period. Interestingly, given this is a 4th Amendment case, a warrant had been issued but expired before installation of the device. The tracking results provided evidence that led to the conviction of Mr. Jones on charges of conspiracy to traffic drugs.

The initial press reports simply suggest that this decision — with a focus on police use of a GPS tracking device — was a big win for privacy.  Privacy over technology, for a change. In the interest of full disclosure, I read those news reports and thought as much – then I looked at the opinions.

When you check the scorecard there are nine justices, three basic arguments and three opinions, one majority opinion by Mr. Justices Scalia; and two separate concurring opinions by Justices Alito and Sotomayor. The treatment of the arguments are at the heart of Jones  and here the press reports may result in a misinterpretation of the decision.

The arguments? Essentially, from the Response Brief, they are:

 1. The act of installing the GPS device is a search;

2. The act of tracking is a search; and

3. If tracking is not a search then tracking for an extended period of time is a search.

The significance of a “search” is that a warrant would be required so as to not violate the suspect’s 4th Amendment rights. Now I admit we’re way down in the legal weeds here but I read the Scalia decision – with 5 justices supporting it — as requiring a combination of Arguments 1 and 2 plus a property/trespass violation. Believe it or not, it’s found in footnote 5:

“A trespass on “houses” or “effects,” or a Katz invasion of privacy, is not alone a search unless it is done to obtain information; and the obtaining of information is not alone a search unless it is achieved by such a trespass or invasion of privacy.”

Four justices supporting Mr. Justice Alito’s decision explicitly rejected the first argument (see bottom of page 2 of Alito decision):

“It is clear that the attachment of the GPS device was not itself a search; if the device had not functioned or if the officers had not used it, no information would have been obtained. And the Court does not contend that the use of the device constituted a search either.

The majority supporting Scalia’s opinion didn’t accept it either.

Privacy advocates would want a clear statement that Argument 2 governs. They certainly didn’t get it. Argument 2 was rejected at page 13 of Alito’s decision:

“The best that we can do in this case is to apply existing Fourth Amendment doctrine and to ask whether the use of GPS tracking in a particular case involved a degree of intrusion that a reasonable person would not have anticipated. Under this approach, relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable.”

 In case you missed that, tracking is ok. As for Argument 3 (lengthy tracking), they left that for another day.

Madame Justice Sotomayor was the only Justice that wanted to look at the bigger picture in Argument 2. At page 3 of her opinion (cites omitted):

In cases involving even short-term monitoring, some unique attributes of GPS surveillance relevant to the Katz analysis will require particular attention. GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations…The Government can store such records and efficiently mine them for information years into the future…And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: “limited police resources and community hostility.”

To recap, putting a GPS device on a vehicle, by itself,  is not a search and short term tracking is ok as long as there is no violation of property rights.

Jones may have won in this case but from the language found in the opinions it’s arguable that “privacy” didn’t – at least not in this round.

For those unfamiliar with the case, Ms. Jones and Ms. Tsige worked at different branches of the same bank. They did not know each other but Ms. Tsige was involved in a relationship with Ms. Jones’ former husband. Over a 4 year period, Ms. Tsige used her workplace computer to access Ms. Jones’ personal bank accounts at least 174 times. The information displayed included transactions details, as well as personal information such as date of birth, marital status and address.

Ms. Jones became suspicious that Ms. Tsige was accessing her account and complained to the bank. When confronted by her employer, Ms. Tsige admitted that she had looked at Ms. Jones’ banking information, that she had no legitimate reason to do so and that she understood it was contrary to the Bank’s Code of Business Ethics. The employer disciplined Ms. Tsige by suspending her for a week without pay and denying her a bonus.

Ms. Jones didn’t want to involve her employer by making a complaint under PIPEDA and sued Ms Tsige directly claiming an invasion of her privacy. Counsel for Ms. Tsige made an application to strike out the pleadings. The motion judge granted the motion and awarded costs – rejecting arguments by Ms. Jones that costs should be denied on the ground that the issue was novel and that Ms. Tsige’s conduct was objectionable.

This decision was an appeal of that motion judge’s decision and Mr. Justice Sharpe, writing for the Court of Appeal, used the case to address the issue of whether or not there was a tort of invasion of privacy. There are three quotes that I think sums things up best:

 ”In my view, it is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.”

“One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.”

“A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.”

With respect to damages, the court emphasized that the floodgates would not be opened by this decision:

“I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.”

Using criteria set out in Manitoba’s Privacy Act, the court provided benchmarks to assist in determining damages:

1.   the nature, incidence and occasion of the defendant’s wrongful act;

 2.   the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;

 3.   any relationship, whether domestic or otherwise, between the parties;

 4.   any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and

 5.   the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

It also noted that claims for invasion of privacy had to be balanced with other societal interests:

 “…claims for the protection of privacy may give rise to competing claims. Foremost are claims for the protection of freedom of expression and freedom of the press….Suffice it to say, no right to privacy can be absolute and many claims for the protection of privacy will have to be reconciled with, and even yield to, such competing claims.”

I anticipate this tort may soon be recognized in other jurisdictions in Canada and individuals who thought no “privacy law” applied to them now must think more carefully about what they say and do. Similarly, while this decision does little to diminish the importance and application of personal information protection statutes in Canada, we all will need some time to sort through the implications for organizations when employees may be sued for an invasion of privacy.

People often assume “law enforcement authority” means police. In Ontario, the Police Services Act (“PSA”) sets out the duties of police officer. When part of your job is to investigate crimes and enforce the law, especially the Criminal Code, you pretty well have lawful authority to “ask”. This is a gross oversimplification of “lawful authority” but it tends to work for most situations where the request comes from police. Where the question really comes up (i.e. “do they have lawful authority?”) is where other types of government personnel conduct investigations (e.g. inspectors or auditors).

Assuming lawful authority is established and absent a warrant or order, the decision remains voluntary: the organization still has to decide whether to provide the personal information in question. So how does it do that? What criteria does it use in deciding to cooperate with law enforcement? If approached, is there an internal process to follow?

While the following is far from a comprehensive list, if you don’t have a “law enforcement cooperation” policy, here are some things to ponder in creating one:

Who makes the decision to cooperate? If you don’t have a General Counsel, is that person obliged to check with external legal counsel?

Is the nature of the personal information particularly sensitive?

Could the individual concerned have a reasonable expectation of privacy about that information?

Under what circumstances will the organization cooperate with law enforcement authorities?

• Only when there is a danger to organization’s property or personnel?
• Only in exigent circumstances (e.g. a missing person or a person identified as a danger to themselves)?
• In all circumstances, unless there is a risk to the organization’s property or personnel or unless the cooperation is disruptive to business operations?

Should the organization consider the perspective of its clients? (A large car rental company may answer the question differently than a small co-op housing association.)

Should the organization, unless prohibited by law, proactively advise the individual concerned that personal information has been shared with law enforcement authorities? Or disclose only when an access request is received.

The recent case of R. v. Chehil sheds an interesting light on an internal law enforcement cooperation policy.

In Chehil, a drug enforcement team at the Halifax Airport was allowed by Westjet administrative personnel to view the electronic passenger list of an overnight flight from Vancouver.  Drug couriers often travel alone on overnight flights, purchasing a last minute, walk-up ticket in cash and checking a single bag.  The police look for these kinds of indicators and the appellant fit the profile.  His baggage was dog-sniffed upon arrival. When Mr. Chehil collected the bag, he was arrested and the bag opened — three kilograms of cocaine were inside.

At trial, the court held that the police viewing of Westjet’s electronic records violated Mr. Chehil’s Charter right to be free from an unreasonable search and seizure and excluded the results of the search. On appeal, the court reversed that finding. It held that PIPEDA does not extend the Charter’s constitutional protection of privacy to the broader category of personal information covered by that personal information protection law.

The court essentially said if Westjet violated PIPEDA Mr. Chehil had recourse to the federal Privacy Commissioner. Any PIPEDA issue that existed in Westjet providing police access to their electronic records was separate from the issue of whether Mr. Chehil’s Charter privacy rights were violated and, by the way, those rights were not violated. (Another case that suggests PIPEDA is a regulatory as opposed to a quasi-constitutional statute.)

What is of interest here is the decision by local Westjet personnel to allow the authorities to “look” at the passenger information. The court noted:

“There was evidence from Westjet’s head of corporate security that in doing so, the employees of Westjet did not act in accordance with the company’s internal release policy.”

Once again, not only should you have a policy but make sure your people understand and follow it.

At the end of the day, when law enforcement authorities ask for personal information without a warrant or order, it comes down to a corporate decision. Asking about “lawful authority” only get you so far and organizations need to know whether and how they will respond to such requests.