<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael Power</title>
	<atom:link href="http://michaelpower.ca/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaelpower.ca</link>
	<description>Barrister &#38; Solicitor</description>
	<lastBuildDate>Wed, 01 Feb 2012 17:54:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>&#8220;GPS Jones&#8221; Decision: Not What It Seems</title>
		<link>http://michaelpower.ca/2012/02/gps-jones-decision-not-what-it-seems/</link>
		<comments>http://michaelpower.ca/2012/02/gps-jones-decision-not-what-it-seems/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 17:54:34 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1823</guid>
		<description><![CDATA[If you follow privacy law, you’ve probably heard about the case of U.S. v. Jones.  This American decision, issued last week, is the US Supreme Court’s latest take on technology and privacy. A 9-0 decision, the justices got to the same place by different routes. Unfortunately, for a GPS-related decision, it turns out not to [...]]]></description>
			<content:encoded><![CDATA[<p>If you follow privacy law, you’ve probably heard about the case of <a href="http://www.supremecourt.gov/opinions/11pdf/10-1259.pdf">U.S. v. Jones</a>.  This American decision, issued last week, is the US Supreme Court’s latest take on technology and privacy. A 9-0 decision, the justices got to the same place by different routes. Unfortunately, for a GPS-related decision, it turns out not to be a final destination but a waypoint.<span id="more-1823"></span></p>
<p>As for the facts, Antoine Jones drove around Washington, DC and Maryland in a Jeep with a small GPS tracker installed on the vehicle and monitored over a 28-day period. Interestingly, given this is a 4th Amendment case, a warrant had been issued but expired before installation of the device. The tracking results provided evidence that led to the conviction of Mr. Jones on charges of conspiracy to traffic drugs.</p>
<p>The initial press reports simply suggest that this decision &#8212; with a focus on police use of a GPS tracking device &#8212; was a big win for privacy.  Privacy over technology, for a change. In the interest of full disclosure, I read those news reports and thought as much – then I looked at the opinions.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2012/01/us-supreme-court3.jpg"><img class="alignright size-medium wp-image-1829" title="Supreme Court of the United States" src="http://michaelpower.ca/wp-content/uploads/2012/01/us-supreme-court3-300x223.jpg" alt="" width="300" height="223" /></a>When you check the scorecard there are nine justices, three basic arguments and three opinions: one majority opinion by Mr. Justice Scalia and two separate concurring opinions by Justices Alito and Sotomayor. The treatment of the arguments is at the heart of <em>Jones</em>, and here the press reports may result in a misinterpretation of the decision.</p>
<p>The arguments? Essentially, from the <a href="http://www.americanbar.org/content/dam/aba/publishing/previewbriefs/Other_Brief_Updates/10-1259_respondent_jones.authcheckdam.pdf ">Response Brief</a>, they are:</p>
<p style="padding-left: 30px;"> 1. The act of installing the GPS device is a search;</p>
<p style="padding-left: 30px;">2. The act of tracking is a search; and</p>
<p style="padding-left: 30px;">3. If tracking is not a search then tracking for an extended period of time is a search.</p>
<p>The significance of a &#8220;search&#8221; is that a warrant would be required so as to not violate the suspect&#8217;s 4th Amendment rights. Now I admit we’re <em>way</em> down in the legal weeds here but I read the Scalia decision – with 5 justices supporting it &#8212; as requiring a combination of Arguments 1 and 2 plus a property/trespass violation. Believe it or not, it&#8217;s found in footnote 5:</p>
<p style="padding-left: 30px;"><em>“A trespass on “houses” or “effects,” or a Katz invasion of privacy, is not alone a search unless it is done to obtain information; and the obtaining of information is not alone a search unless it is achieved by such a trespass or invasion of privacy.”</em></p>
<p>Four justices supporting Mr. Justice Alito’s decision explicitly rejected the first argument (see bottom of page 2 of Alito decision):</p>
<p style="padding-left: 30px;"><em>“It is clear that the attachment of the GPS device was not itself a search; if the device had not functioned or if the officers had not used it, no information would have been obtained. And the Court does not contend that the use of the device constituted a search either.”</em></p>
<p>The majority supporting Scalia&#8217;s opinion didn’t accept it either.</p>
<p>Privacy advocates would want a clear statement that Argument 2 governs. They certainly didn’t get it. Argument 2 was rejected at page 13 of Alito’s decision:</p>
<p style="padding-left: 30px;"><em>“The best that we can do in this case is to apply existing Fourth Amendment doctrine and to ask whether the use of GPS tracking in a particular case involved a degree of intrusion that a reasonable person would not have anticipated. Under this approach, relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable.”</em></p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2012/01/US-Supreme-Ct-Seal.png"><img class="alignleft  wp-image-1831" src="http://michaelpower.ca/wp-content/uploads/2012/01/US-Supreme-Ct-Seal-300x300.png" alt="" width="216" height="216" /></a> In case you missed that, tracking <em>is</em> ok. As for Argument 3 (lengthy tracking), they left that for another day.</p>
<p>Madame Justice Sotomayor was the only Justice who wanted to look at the bigger picture in Argument 2. At page 3 of her opinion (cites omitted):</p>
<p style="padding-left: 30px;"><em>In cases involving even short-term monitoring, some unique attributes of GPS surveillance relevant to the Katz analysis will require particular attention. GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations…The Government can store such records and efficiently mine them for information years into the future…And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: “limited police resources and community hostility.”</em></p>
<p>To recap, putting a GPS device on a vehicle, by itself, is not a search and short-term tracking is ok as long as there is no violation of property rights.</p>
<p>Jones may have won in this case but from the language found in the opinions it’s arguable that “privacy” didn’t – at least not in this round.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2012/02/gps-jones-decision-not-what-it-seems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Privacy Day 2012</title>
		<link>http://michaelpower.ca/2012/01/data-privacy-day-2012/</link>
		<comments>http://michaelpower.ca/2012/01/data-privacy-day-2012/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 02:28:26 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Dalhousie University]]></category>
		<category><![CDATA[eHealth]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1811</guid>
		<description><![CDATA[ I had the pleasure of serving as the keynote speaker at Dalhousie University&#8217;s 2012 Data Privacy Day last Wednesday in Halifax. My topic was eHealth and Privacy: Issues &#38; Implications For Society. I&#8217;m informed a webcast will be posted at some point so if you&#8217;re interested, I&#8217;ll post the URL when I receive it. The [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaelpower.ca/wp-content/uploads/2012/01/Data-Privacy-Day-2012-0292.jpg"><img class="alignright" title="Data Privacy Day 2012" src="http://michaelpower.ca/wp-content/uploads/2012/01/Data-Privacy-Day-2012-0292-300x248.jpg" alt="" width="270" height="223" /></a> I had the pleasure of serving as the keynote speaker at Dalhousie University&#8217;s 2012 Data Privacy Day last Wednesday in Halifax. My topic was <em>eHealth and Privacy: Issues &amp; Implications For Society</em>. I&#8217;m informed a webcast will be posted at some point so if you&#8217;re interested, I&#8217;ll post the URL when I receive it. The organizers, led by John Bullock, are to be commended for creating an interesting and informative event (with a number of good speakers) for a full house of 200+ people.</p>
<div class="mceTemp">
<dl id="attachment_1818" class="wp-caption alignright" style="width: 280px;">
<dt class="wp-caption-dt"></dt>
<dd class="wp-caption-dd">Photographer: Sandi Little</dd>
</dl>
</div>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2012/01/data-privacy-day-2012/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Ontario Recognizes Tort of Invasion of Privacy</title>
		<link>http://michaelpower.ca/2012/01/ontario-recognizes-tort-of-invasion-of-privacy/</link>
		<comments>http://michaelpower.ca/2012/01/ontario-recognizes-tort-of-invasion-of-privacy/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 22:02:42 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Court of Appeal]]></category>
		<category><![CDATA[Invasion]]></category>
		<category><![CDATA[Jones]]></category>
		<category><![CDATA[Ontario]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[Tort]]></category>
		<category><![CDATA[Tsige]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1791</guid>
		<description><![CDATA[Ontario’s Court of Appeal has issued its decision in Jones v Tsige and the result recognizes a common law tort of invasion of privacy. More technically, the court recognized a “right of action for intrusion upon seclusion” – one of several aspects of privacy. For those unfamiliar with the case, Ms. Jones and Ms. Tsige worked [...]]]></description>
			<content:encoded><![CDATA[<p>Ontario’s Court of Appeal has issued its decision in <a href="http://www.ontariocourts.on.ca/decisions/2012/2012ONCA0032.htm">Jones v Tsige </a>and the result recognizes a common law tort of invasion of privacy. More technically, the court recognized a “right of action for intrusion upon seclusion” – one of several aspects of privacy.<span id="more-1791"></span></p>
<p>For those unfamiliar with the case, Ms. Jones and Ms. Tsige worked at different branches of the same bank. They did not know each other but Ms. Tsige was involved in a relationship with Ms. Jones’ former husband. Over a 4-year period, Ms. Tsige used her workplace computer to access Ms. Jones’ personal bank accounts at least 174 times. The information displayed included transaction details, as well as personal information such as date of birth, marital status and address.</p>
<p>Ms. Jones became suspicious that Ms. Tsige was accessing her account and complained to the bank. When confronted by her employer, Ms. Tsige admitted that she had looked at Ms. Jones’ banking information, that she had no legitimate reason to do so and that she understood it was contrary to the Bank’s Code of Business Ethics. The employer disciplined Ms. Tsige by suspending her for a week without pay and denying her a bonus.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2012/01/truscott.png"><img class="alignright" title="Ontario Ct of Appeal" src="http://michaelpower.ca/wp-content/uploads/2012/01/truscott.png" alt="" width="280" height="280" /></a>Ms. Jones didn&#8217;t want to involve her employer by making a complaint under <a href="http://laws-lois.justice.gc.ca/eng/acts/P-8.6/">PIPEDA</a> and sued Ms. Tsige directly, claiming an invasion of her privacy. Counsel for Ms. Tsige made an application to strike out the pleadings. The motion judge granted the motion and awarded costs – rejecting arguments by Ms. Jones that costs should be denied on the ground that the issue was novel and that Ms. Tsige’s conduct was objectionable.</p>
<p>This decision was an appeal of that motion judge’s decision and Mr. Justice Sharpe, writing for the Court of Appeal, used the case to address the issue of whether or not there was a tort of invasion of privacy. There are three quotes that I think sum things up best:</p>
<p style="padding-left: 30px;"><em>&#8220;In my view, it is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.&#8221;</em></p>
<p style="padding-left: 30px;"><em>“One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.”</em></p>
<p style="padding-left: 30px;"><em>“A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.”</em></p>
<p>With respect to damages, the court emphasized that the floodgates would not be opened by this decision:</p>
<p style="padding-left: 30px;"><em>“I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.”</em></p>
<p>Using criteria set out in Manitoba’s <a href="http://web2.gov.mb.ca/laws/statutes/ccsm/p125e.php">Privacy Act</a>, the court provided benchmarks to assist in determining damages:</p>
<p style="padding-left: 30px;"><em>1.   the nature, incidence and occasion of the defendant’s wrongful act;</em></p>
<p style="padding-left: 30px;"><em>2.   the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;</em></p>
<p style="padding-left: 30px;"><em>3.   any relationship, whether domestic or otherwise, between the parties;</em></p>
<p style="padding-left: 30px;"><em>4.   any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and</em></p>
<p style="padding-left: 30px;"><em>5.   the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.</em></p>
<p>It also noted that claims for invasion of privacy had to be balanced with other societal interests:</p>
<p style="padding-left: 30px;"> <em>“…claims for the protection of privacy may give rise to competing claims. Foremost are claims for the protection of freedom of expression and freedom of the press….Suffice it to say, no right to privacy can be absolute and many claims for the protection of privacy will have to be reconciled with, and even yield to, such competing claims.&#8221;</em></p>
<p>I anticipate this tort may soon be recognized in other jurisdictions in Canada and individuals who thought no &#8220;privacy law&#8221; applied to them now must think more carefully about what they say and do. Similarly, while this decision does little to diminish the importance and application of personal information protection statutes in Canada, we all will need some time to sort through the implications for organizations when employees may be sued for an invasion of privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2012/01/ontario-recognizes-tort-of-invasion-of-privacy/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Privacy &amp; Law Enforcement</title>
		<link>http://michaelpower.ca/2011/11/privacy-law-enforcement/</link>
		<comments>http://michaelpower.ca/2011/11/privacy-law-enforcement/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 14:31:53 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Charter]]></category>
		<category><![CDATA[Law enforcement]]></category>
		<category><![CDATA[lawful authority]]></category>
		<category><![CDATA[Nova Scotia]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[reasonable expectation]]></category>
		<category><![CDATA[Westjet]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1745</guid>
		<description><![CDATA[Under PIPEDA, “lawful authority” arises as a preliminary matter when an organization is approached for a request for personal information by a “government institution or part thereof”. While a &#8220;clarification&#8221; of &#8220;lawful authority&#8221; is one of the proposed amendments to PIPEDA, the issue is really about whether organizations should disclose to law enforcement authorities. While [...]]]></description>
			<content:encoded><![CDATA[<p>Under PIPEDA, “lawful authority” arises as a preliminary matter when an organization is approached for a request for personal information by a “government institution or part thereof”. While a &#8220;clarification&#8221; of &#8220;lawful authority&#8221; is one of the <a href="http://parl.gc.ca/HousePublications/Publication.aspx?Language=E&amp;Mode=1&amp;DocId=5144601">proposed amendments</a> to PIPEDA, the issue is really about whether organizations should disclose to law enforcement authorities. While consent to disclose personal information may not be necessary, disclosure by the organization is still voluntary. When and how should organizations cooperate with law enforcement authorities?<span id="more-1745"></span></p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/11/sscollide1.jpg"><img class="alignright" title="A Different &quot;Criminal Code&quot; " src="http://michaelpower.ca/wp-content/uploads/2011/11/sscollide1.jpg" alt="" width="217" height="282" /></a>People often assume “law enforcement authority” means police. In Ontario, the <a href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90p15_e.htm#BK65"><strong>Police Services Act</strong> </a>(“PSA”) sets out the duties of a police officer. When part of your job is to investigate crimes and enforce the law, especially the <strong><a href="http://laws-lois.justice.gc.ca/eng/acts/C-46/">Criminal Code</a></strong>, you pretty well have lawful authority to &#8220;ask&#8221;. This is a gross oversimplification of &#8220;lawful authority&#8221; but it tends to work for most situations where the request comes from police. Where the question really comes up (i.e. “do they have lawful authority?”) is where other types of government personnel conduct investigations (e.g. inspectors or auditors).</p>
<p>Assuming lawful authority is established and absent a warrant or order, the decision remains voluntary: the organization still <em>has to decide</em> whether to provide the personal information in question. So how does it do that? What criteria does it use in deciding to cooperate with law enforcement? If approached, is there an internal process to follow?</p>
<p>While the following is far from a comprehensive list, if you don’t have a &#8220;law enforcement cooperation&#8221; policy, here are some things to ponder in creating one:</p>
<p style="padding-left: 30px;">Who makes the decision to cooperate? If you don’t have a General Counsel, is that person obliged to check with external legal counsel?</p>
<p style="padding-left: 30px;">Is the nature of the personal information particularly sensitive?</p>
<p style="padding-left: 30px;">Could the individual concerned have a reasonable expectation of privacy about that information?</p>
<p style="padding-left: 30px;">Under what circumstances will the organization cooperate with law enforcement authorities?</p>
<ul>
<ul>
<li>Only when there is a danger to the organization’s property or personnel?</li>
<li>Only in exigent circumstances (e.g. a missing person or a person identified as a danger to themselves)?</li>
<li>In all circumstances, unless there is a risk to the organization’s property or personnel or unless the cooperation is disruptive to business operations?</li>
</ul>
</ul>
<p style="padding-left: 30px;">Should the organization consider the perspective of its clients? (A large car rental company may answer the question differently than a small co-op housing association.)</p>
<p style="padding-left: 30px;">Should the organization, unless prohibited by law, proactively advise the individual concerned that personal information has been shared with law enforcement authorities? Or disclose only when an access request is received?</p>
<p>The recent case of <strong><a href="http://www.canlii.org/en/ns/nsca/doc/2009/2009nsca111/2009nsca111.html ">R. v. Chehil</a></strong> sheds an interesting light on an internal law enforcement cooperation policy.</p>
<p>In <em>Chehil</em>, a drug enforcement team at the Halifax Airport was allowed by Westjet administrative personnel to view the electronic passenger list of an overnight flight from Vancouver.  Drug couriers often travel alone on overnight flights, purchasing a last minute, walk-up ticket in cash and checking a single bag.  The police look for these kinds of indicators and the appellant fit the profile.  His baggage was dog-sniffed upon arrival. When Mr. Chehil collected the bag, he was arrested and the bag opened &#8212; three kilograms of cocaine were inside.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/11/Halifax-Airport.gif"><img class="alignleft size-medium wp-image-1762" title="Halifax Airport" src="http://michaelpower.ca/wp-content/uploads/2011/11/Halifax-Airport-300x205.gif" alt="" width="300" height="205" /></a>At trial, the court held that the police viewing of Westjet’s electronic records violated Mr. Chehil’s Charter right to be free from an unreasonable search and seizure and excluded the results of the search. On appeal, the court reversed that finding. It held that PIPEDA does not extend the Charter&#8217;s constitutional protection of privacy to the broader category of personal information covered by that personal information protection law.</p>
<p>The court essentially said if Westjet violated PIPEDA Mr. Chehil had recourse to the federal Privacy Commissioner. Any PIPEDA issue that existed in Westjet providing police access to their electronic records was separate from the issue of whether Mr. Chehil&#8217;s Charter privacy rights were violated and, by the way, those rights were not violated. (Another case that suggests PIPEDA is a regulatory as opposed to a quasi-constitutional statute.)</p>
<p>What is of interest here is the decision by local Westjet personnel to allow the authorities to “look” at the passenger information. The court noted:</p>
<blockquote><p><em>&#8220;There was evidence from Westjet’s head of corporate security that in doing so, the employees of Westjet did not act in accordance with the company’s internal release policy.&#8221;</em></p></blockquote>
<p>Once again, not only should you have a policy but make sure your people understand and follow it.</p>
<p>At the end of the day, when law enforcement authorities ask for personal information without a warrant or order, it comes down to a corporate decision. Asking about “lawful authority” only gets you so far and organizations need to know whether and how they will respond to such requests.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2011/11/privacy-law-enforcement/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>PIPEDA: The Other &#8220;Lawful Access&#8221; Proposals</title>
		<link>http://michaelpower.ca/2011/11/pipeda-the-other-lawful-access-proposals/</link>
		<comments>http://michaelpower.ca/2011/11/pipeda-the-other-lawful-access-proposals/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 14:54:10 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[amendments]]></category>
		<category><![CDATA[lawful access]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[police]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1708</guid>
		<description><![CDATA[There were a number of letters, news items and posts this past week about the new lawful access proposals before Canada’s Parliament. While the focus has been on telcos and the data they hold, it is important to note that there are also other “access” proposals – ones that significantly change the Personal Information Protection [...]]]></description>
			<content:encoded><![CDATA[<p>There were a number of letters, news items and posts this past week about the new lawful access proposals before Canada’s Parliament. While the focus has been on telcos and the data they hold, it is important to note that there are also other “access” proposals – ones that significantly change the <strong><a href="http://www.parl.gc.ca/content/hoc/Bills/411/Government/C-12/C-12_1/C-12_1.PDF ">Personal Information Protection and Electronic Documents Act</a></strong> (“PIPEDA”) when it comes to the disclosure of information.<span id="more-1708"></span></p>
<p>These <strong><a href="http://laws-lois.justice.gc.ca/PDF/P-8.6.pdf ">amendments</a> </strong>to PIPEDA were reintroduced in the House of Commons on 29 September 2011 in Bill C-12 (with the ironic and, one might suggest, “Orwellian” short title of <em>Safeguarding Canadians&#8217; Personal Information Act)</em>. A lot of the focus was on the bill&#8217;s &#8220;breach notification&#8221; provisions but of particular interest, in light of this latest discussion about “access”, are the other amendments that dispense with PIPEDA’s consent requirements in a number of instances.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/11/Parliament-of-Canada.jpg"><img class="alignleft size-medium wp-image-1716" title="Where Canada's Privacy Laws are Made" src="http://michaelpower.ca/wp-content/uploads/2011/11/Parliament-of-Canada-300x199.jpg" alt="" width="300" height="199" /></a>For example, Bill C-12 will change PIPEDA to permit the disclosure of personal information without the knowledge or consent of the individual for the purposes of performing police services, preventing, detecting or suppressing fraud, or protecting victims of financial abuse. “Financial abuse” isn’t defined. “Preventing, detecting and suppressing” covers the waterfront. Under the proposed language, even if you haven’t committed fraud, an organization can disclose information about you to &#8220;prevent&#8221; fraud.</p>
<p>&#8220;Performing police services” is also broad language. Especially when the actual text says that performing police services is something other than  “for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law”  &#8212; language already in PIPEDA. Since just about anything a police officer says or does can be captured by the phrase “performing police services”, this means an organization can simply release personal information without consent to the police.</p>
<p>One could say that it will be easy to discern when something is <em>not</em> financial abuse or fraud. But in the real world it’s easy to never see all the dots connected in a complete picture. Unless something’s wonky on the face of the request, you may never know if it really is about financial abuse or fraud.  And we may never know if anyone is abusing these “reasons” until a complaint sees the full light of day. And even then it may be argued that it&#8217;s an &#8220;isolated incident&#8221;.</p>
<p>But it&#8217;s not just the police who can get information without consent. C-12 will also permit disclosure by one organization to another without consent if the disclosure is “necessary” to investigate a breach of an agreement, that has been, is being or is about to be committed, or to prevent, detect or suppress fraud when it is reasonable to expect that the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Again, if  you are suspected of being &#8212; in any way, shape or form &#8212; associated with fraud, the organization can release information about you. That’s a pretty broad “permission slip” for the exchange of information between organizations. Forget about disclosure to investigative bodies. Nobody really needs them anymore.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/11/parliament_hill._light_show.jpg"><img class="alignright size-medium wp-image-1721" title="They do a great light show there though" src="http://michaelpower.ca/wp-content/uploads/2011/11/parliament_hill._light_show-300x225.jpg" alt="" width="300" height="225" /></a>Currently organizations have to go through a notification process <em>if they receive an access request</em> in connection with the disclosure of personal information without consent to a government institution for purposes enumerated in s. 9(2.1) of PIPEDA. That will be extended under a new provision so that the organization <em>cannot voluntarily inform</em> the individual concerned that a disclosure took place. Read the proposed new s. 7(5) of PIPEDA and then ask yourself if you should really concern yourself about the Americans and their PATRIOT ACT?</p>
<p>Finally, you have to admit that the insurance industry has a good lobby. With C-12, personal information can be collected, used and disclosed when the information is contained in a witness statement and the collection, use or disclosure is necessary to assess, process or settle an insurance claim.  One might ask why just insurance claims? Is this the thin edge of the wedge?</p>
<p>The lives of privacy officers just became more complicated. Law enforcement and security requests got easier to make; personal information exchanges are likely to increase. At one level, all of these changes to PIPEDA come across as straightforward “clarifications”; at another level they are ripe for abuse. Remember, it isn’t the rules you have to watch; it’s the exceptions  &#8211; and how the exceptions will be used in practice.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2011/11/pipeda-the-other-lawful-access-proposals/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Canada &amp; The PATRIOT Act: Get Over It</title>
		<link>http://michaelpower.ca/2011/10/canada-the-patriot-act-get-over-it/</link>
		<comments>http://michaelpower.ca/2011/10/canada-the-patriot-act-get-over-it/#comments</comments>
		<pubDate>Mon, 31 Oct 2011 12:04:05 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[CSIS]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[National Defence]]></category>
		<category><![CDATA[PATRIOT Act]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[United States]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1641</guid>
		<description><![CDATA[It is somewhat fitting that Halloween and the anniversary of the enactment of the PATRIOT Act are close together. In Canada, the latter, which turned 10 last week, has come to embody fear about government access to personal information.  The troubling part is that this fear may needlessly complicate life for everyone in this country. For those not [...]]]></description>
			<content:encoded><![CDATA[<p>It is somewhat fitting that Halloween and the anniversary of the enactment of the <strong><a href="http://epic.org/privacy/terrorism/hr3162.html">PATRIOT Act</a> </strong>are close together. In Canada, the latter, which turned 10 last week, has come to embody fear about government access to personal information.  The troubling part is that this fear may needlessly complicate life for everyone in this country.<span id="more-1641"></span></p>
<p>For those not familiar with the PATRIOT Act, the <strong><a href="http://uscode.house.gov/download/pls/50C36.txt">Foreign Intelligence Surveillance Act</a></strong> (“FISA”) provides American authorities with the power to gather intelligence on foreign agents in the United States and abroad, pursuant to orders issued by the <strong><a href="http://epic.org/privacy/terrorism/fisa/fisc.html">Foreign Intelligence Surveillance Court</a></strong>.</p>
<p>To better protect the United States against international terrorism and against foreign intelligence activities, the PATRIOT Act amended FISA to allow US authorities to obtain records and other “tangible things” (section 215) and to provide that intelligence gathering need only be “a significant purpose”, rather than the sole purpose, of FISA searches or surveillance in the US (section 218).</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/10/patrioactsign.jpg"><img class="alignleft size-medium wp-image-1657" title="One PATRIOT ACT Lesson: Don't Mess with Librarians" src="http://michaelpower.ca/wp-content/uploads/2011/10/patrioactsign-300x300.jpg" alt="" width="270" height="270" /></a>Section 505 of the Patriot Act lowered the threshold for the issuance of “national security letters” which require financial institutions, telephone companies and ISPs to disclose information about their customers. The threshold went from requiring specific facts to simply being relevant to an authorized investigation. The scope of coverage was later expanded to include travel agencies, real estate agents, the US Postal Service, jewellery stores, casinos and car dealerships.</p>
<p>In Canada, the popular view appears to be that American authorities use these powers to obtain access to personal information located in Canada about Canadians because such information is in the custody or control of an American company.</p>
<p>It doesn&#8217;t help that US courts have no difficulty ordering disclosure of records held outside the US, as long as a person or organization &#8212; subject to the US court’s jurisdiction &#8212; has a legal or practical ability to access those records. Some American courts have found that control of records exists whenever there is a US parent-Canadian subsidiary corporate relationship.</p>
<p>While failure to comply with a FISA order may result in contempt charges, section 215 relieves a person of liability in the US for complying with a FISA order. As a result, American corporations have an incentive to comply with such orders &#8212; even if it may breach contractual or legal obligations in other countries, including Canada.</p>
<p>By the way, if you thought the PATRIOT Act was all about fighting terrorism, read this <strong><a href="http://www.wired.com/threatlevel/2011/10/patriot-act-turns-ten/">story </a></strong>and think again.</p>
<p>Is this &#8220;easier&#8221; access to your “state-side” records the real issue though? If people in Canada are concerned about law enforcement access through the PATRIOT Act, why aren’t they saying anything about similar Canadian laws?</p>
<p>What laws? See Part II of the <strong><a href="http://laws.justice.gc.ca/eng/acts/C-23/">Canadian Security Intelligence Service Act</a></strong>, which allows designated judges from the Federal Court to secretly issue warrants authorizing (1) the interception of communication, and (2) obtaining any information, record, document or thing by (a) entering any place, (b) searching, removing and examining any thing, or (c) installing, maintaining or removing any thing.</p>
<p>Then read s. <strong><a href="http://laws.justice.gc.ca/eng/acts/N-5/page-119.html ">273.65 </a></strong>of the <em>National Defence Act</em> with respect to the abilities of the Communications Security Establishment to intercept communications pursuant to a Ministerial authorization.</p>
<p>Even in <strong><a href="http://laws-lois.justice.gc.ca/eng/acts/P-8.6/">PIPEDA</a></strong>, some access requests need to be run by law enforcement authorities and denied if an institution is:</p>
<p style="padding-left: 30px;"><em>“of the opinion that compliance with the request could reasonably be expected to be injurious to (a) national security, the defence of Canada or the conduct of international affairs; (a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or (b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.”</em></p>
<p>Just as our federal Privacy Commissioner cooperates with the U.S. Federal Trade Commission (see <strong><a href="http://www.priv.gc.ca/cf-dc/2009/2009_009_0731_e.cfm">Accusearch Inc.</a></strong>), law enforcement authorities in our two countries cooperate as well. The process of getting information under mutual legal assistance treaties can be slow but the mechanisms do exist and, in an emergency, you can imagine things move very quickly on an informal basis.</p>
<p>You may (or may not) question the interpretation, effectiveness or ongoing utility of these intelligence gathering tools but the legal frameworks to allow their use exist both in Canada and the United States. Why then do people single out the PATRIOT Act? Perhaps not surprisingly, people cite the PATRIOT Act and “privacy concerns&#8221; when they really have another agenda.</p>
<p>It seems that people are starting to recognize this grandstanding for what it is. We&#8217;re seeing a more critical eye being cast on PATRIOT Act arguments. See this 2009 Lakehead University <a href="http://www.canlii.org/eliisa/highlight.do?text=google&amp;language=en&amp;searchTitle=Ontario+-+Ontario+Labour+Arbitration&amp;path=/en/on/onla/doc/2009/2009canlii24632/2009canlii24632.html"><strong>arbitral</strong> <strong>decision</strong></a> and, reported in this <strong><a href="http://allaboutinformation.ca/2010/11/09/case-report-alberta-arbitrator-doesnt-like-patriot-act-argument/">blog post</a>,</strong> this 2010 Alberta arbitral decision.</p>
<p>In the emerging world of cloud computing, Canadians will have to recognize that more of our personal information will go &#8220;offshore&#8221;. If it does, should law enforcement access be the primary concern? I think we need to worry less about &#8220;where&#8221; and more about &#8220;how secure&#8221; and &#8220;how accessible&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2011/10/canada-the-patriot-act-get-over-it/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Securities, Security &amp; Transparency</title>
		<link>http://michaelpower.ca/2011/10/securities-security-transparency/</link>
		<comments>http://michaelpower.ca/2011/10/securities-security-transparency/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 12:54:40 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[breach management]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[Guidance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Securities]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1571</guid>
		<description><![CDATA[A “tipping point” is the culmination of small events that cause a significant change. Malcolm Gladwell tells us it comes from the world of epidemiology: that point in time in an epidemic where a virus reaches critical mass. Have we now seen the tipping point where business takes cybersecurity far more seriously than ever before? I’m [...]]]></description>
			<content:encoded><![CDATA[<p>A “tipping point” is the culmination of small events that cause a significant change. <a href="http://www.gladwell.com/tippingpoint/index.html">Malcolm Gladwell</a> tells us it comes from the world of epidemiology: that point in time in an epidemic where a virus reaches critical mass. Have we now seen the tipping point where business takes cybersecurity far more seriously than ever before?<span id="more-1571"></span></p>
<p>I’m referring to the issuance of <a href="http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm ">guidance</a> on reporting corporate cyber risk management. Why might this be a “tipping point”? Because it didn’t come from the Federal Trade Commission, a Canadian Privacy Commissioner or a European Data Protection Authority – it came from the Securities and <a href="http://michaelpower.ca/wp-content/uploads/2011/10/Tipping-Point.gif"><img class="size-full wp-image-1579 alignleft" title="Tipping Point?" src="http://michaelpower.ca/wp-content/uploads/2011/10/Tipping-Point.gif" alt="" width="200" height="200" /></a>Exchange Commission (“SEC”). Cybersecurity now seems to be drawing the attention of securities regulators. It would seem that concerns about cyber risks &#8212; with the potential to negatively impact a company&#8217;s financial performance &#8212; have reached a point where cyber risk management warrants public disclosure.</p>
<p>Granted it’s not a rule, regulation or statement – think recommendation &#8212; but the fact that it comes from the SEC will no doubt make people serious about money sit up and take notice.  And many a recommendation has eventually become a rule. If you&#8217;re Canadian and think of this as only an American development, please note that a good number of public Canadian companies are interlisted on American stock exchanges.</p>
<p>Securities laws in the United States and Canada require public companies to disclose information to allow potential investors to know about risks and events that may influence a decision to invest in that company. &#8220;Timely&#8221;, &#8220;comprehensive&#8221; and &#8220;accurate&#8221; are the adjectives most often used to describe the kind of information disclosure required. And, without compromising security, the SEC wants the details:</p>
<p><em>“Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:</em></p>
<ul>
<li><em> </em><em>Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;<em><a href="http://michaelpower.ca/wp-content/uploads/2011/10/38812781.png"><img class="alignright" title="Securities &amp; Exchange Commission " src="http://michaelpower.ca/wp-content/uploads/2011/10/38812781-300x300.png" alt="" width="194" height="194" /></a></em></em></li>
<li><em>To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;</em></li>
<li><em>Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;</em></li>
<li><em>Risks related to cyber incidents that may remain undetected for an extended period; and</em></li>
<li><em>Description of relevant insurance coverage.”</em></li>
</ul>
<p>&nbsp;</p>
<p>What I think is significant is that this new SEC guidance extends beyond breach notification for personal information to disclosures about corporate data including the “misappropriation of assets or sensitive information, corruption of data or operational disruption.” (Ironically, the SEC had to <a href="http://www.businessinsider.com/sec-discloses-breach-of-employees-trading-data-2011-10">issue</a> its own breach notification the week before it issued these cybersecurity guidelines.) While not about personal information <em>per se,</em> measures to mitigate such risks will likely result in the protection of personal information as well. As sailors know, rising tides lift all boats.</p>
<p>Also significant is that the SEC suggests that cyber incidents be taken up in the “Management’s Discussion and Analysis of Financial Condition and Results of Operations” (&#8220;MD&amp;A&#8221;) section of filings.</p>
<p style="padding-left: 30px;"><em>&#8220;For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material. Alternatively, if the attack did not result in the loss of intellectual property, but it prompted the registrant to materially increase its cybersecurity protection expenditures, the registrant should note those increased expenditures.&#8221;</em></p>
<p>If I were a CISO for a public company I’d try to ensure my senior management didn’t have to sign off on an MD&amp;A statement that included cyber incidents. Why? Because I wouldn’t want the CEO to ask why I didn’t reduce the risk of such incidents in the first place or, heaven forbid, start thinking maybe it’s time to replace me.</p>
<p>I&#8217;m not suggesting that this is an across-the-board problem  - this recent <a href="http://fuelfix.com/blog/2011/10/13/cybercrime-becomes-bigger-threat-to-energy-industry-than-terrorists/">story</a> points out that the energy industry considers &#8220;cybercrime&#8221; to be a larger problem than terrorists. However, the proliferation of data breaches, the increase in cyber incidents, the reports of cyber espionage &#8212; all point to the fact that cyber security is no longer a risk to be euphemistically “managed”. For public companies, to do so would soon reveal to the world just what kind of job their executives really do concerning cybersecurity &#8212; and maybe not in a good way.</p>
<p>No one should expect perfection or absolute cyber-security – the world moves too fast these days – but now transparency mechanisms for shareholders are to be used to highlight the issue. This &#8220;spotlight&#8221;, however narrow it might be, may result in better security postures and ultimately better data protection.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2011/10/securities-security-transparency/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Privacy &amp; Tort Law Developments</title>
		<link>http://michaelpower.ca/2011/10/privacy-tort-law-developments/</link>
		<comments>http://michaelpower.ca/2011/10/privacy-tort-law-developments/#comments</comments>
		<pubDate>Mon, 17 Oct 2011 14:14:19 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Alberta]]></category>
		<category><![CDATA[British Columbia]]></category>
		<category><![CDATA[Jones]]></category>
		<category><![CDATA[Martin]]></category>
		<category><![CDATA[Mohl]]></category>
		<category><![CDATA[Ontario Court of Appeal]]></category>
		<category><![CDATA[PIPA]]></category>
		<category><![CDATA[Torts]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1529</guid>
		<description><![CDATA[Tort law in Canada may take a new privacy-related turn if a recent press report is to be believed. Data protection statutes in Canada generally apply to organizations engaged in business activities. These statutes do not address the actions of individuals who misuse the personal information of others and, given the growth and popularity of [...]]]></description>
			<content:encoded><![CDATA[<p>Tort law in Canada may take a new privacy-related turn if a recent <a href="http://business.financialpost.com/2011/10/05/ontario-to-get-invasion-of-privacy-tort/">press report</a> is to be believed.<span id="more-1529"></span></p>
<p>Data protection statutes in Canada generally apply to organizations engaged in business activities. These statutes do not address the actions of individuals who misuse the personal information of others and, given the growth and popularity of social media, the potential for such misuse is high. It’s not easy to undo a “slip of the tongue” on Twitter or Facebook and because of this potential for individual &#8220;abuse&#8221;, interest in the case of <a href="http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html ">Jones v. Tsige</a> is high. In <em>Jones</em>, the Plaintiff and the Defendant worked at different branches of the same bank. The Defendant accessed the Plaintiff’s banking records on 174 occasions over four years with no legitimate reason to do so.</p>
<p>The Plaintiff sued and the Defendant, taking the position that there was no tort of invasion of privacy, asked for a summary<a href="http://michaelpower.ca/wp-content/uploads/2011/10/TripleChocolateTorte.jpg"><img class="alignright" title="TripleChocolate: A Different Kind of &quot;Tort&quot;" src="http://michaelpower.ca/wp-content/uploads/2011/10/TripleChocolateTorte.jpg" alt="" width="219" height="219" /></a> judgment dismissing the claim. The judge hearing the application agreed. The appeal of that decision was heard on 29 September 2011. Based on two reports I received – from people in the court room that day &#8212; the line of questioning from the bench would suggest that the Ontario Court of Appeal may well follow the UK <a href="http://www.publications.parliament.uk/pa/ld200304/ldjudgmt/jd040506/campbe-1.htm ">House of Lords</a> in recognizing that the tort of invasion of privacy does exist in the common law.</p>
<p>While we await the <em>Jones</em> decision, Alberta’s Court of Queen’s Bench rendered another privacy-related tort decision in June 2011 &#8212; <a href="http://www.canlii.org/en/ab/abqb/doc/2011/2011abqb412/2011abqb412.html ">Martin v. General Teamsters, Local Union No. 362</a>. Martin is a challenging case to understand.</p>
<p>In <em>Martin</em>, the Plaintiff alleged that the business agent of the Defendant violated her privacy by releasing private medical information without consent. In rendering its decision, the court discussed the tort of invasion of privacy, citing <a href="http://www.canlii.org/en/ab/abqb/doc/2011/2011abqb259/2011abqb259.html ">Bank of Montreal v. Cochrane</a>, which in turn cited <a href="http://www.canlii.org/en/bc/bcca/doc/2009/2009bcca249/2009bcca249.html">Mohl v. University of British Columbia</a>. The court in <em>Martin</em> quoted a key portion of the <em>Cochrane</em> decision:</p>
<p style="padding-left: 30px;"><em>“If the pleading claims a common law claim for breach of privacy, BMO argues that there is no such claim: Mohl v. University of British Columbia, [2009] B.C.J. No. 1096 (B.C.C.A.). BMO also argues that the litigation process is intended to be a public process so that anything contained in pleadings cannot be a breach of privacy.</em></p>
<p style="padding-left: 30px;"><em>I agree with BMO.”</em></p>
<p>It is doubtful any reasonable person would argue with BMO’s second point. Privacy legislation tends to recognize that documents in court files are not covered under these statutes and it would seem incongruent to think that privacy (whether in tort law or otherwise) could be used to frustrate the litigation process. The first argument though raises questions and the context of <em>Mohl</em> is important. The key quote from <em>Mohl</em> reads:</p>
<p style="padding-left: 30px;"><em>“As to the judge’s consideration of the breach of privacy claim, in my view he made no reviewable error.  There is no common-law claim for breach of privacy.  <strong>The claim must rest on the provisions of the Act</strong>.” </em>[Emphasis added]</p>
<p>The “Act” in question is the <a href="http://www.canlii.org/en/bc/laws/stat/rsbc-1996-c-373/latest/rsbc-1996-c-373.html ">Privacy Act</a> – a statute that creates a statutory tort of invasion of privacy in British Columbia. It’s hard to say a common law tort of invasion of privacy exists when your legislature has expressly enacted legislation to create such a tort.  <em> </em></p>
<p>So <em>Martin</em> cites <em>Cochrane</em>, which cites <em>Mohl. </em>But <em>Mohl</em> is from a province that has a statutory tort of invasion of privacy – something Alberta doesn’t have and a distinction that the court in Cochrane does not appear to have considered.</p>
<p>Where things get more interesting in <em>Martin</em> is that the Court then says:</p>
<p style="padding-left: 30px;"><em>“If a claimant wishes to make a claim for damages arising from a breach of privacy, the Personal Information Protection Act, </em><em>S.A. 2003, c.P-6.5</em><em> requires a claimant to proceed with his or her claim before the Commissioner appointed under that Act. If the Commissioner makes an Order under the Act against an organization, an individual affected by the Order then has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach of the Act by the organization. (Para. 60 of the Act)”</em></p>
<p>But what if an alleged invasion of privacy is outside the scope of Alberta&#8217;s <a href="http://www.canlii.org/en/ab/laws/stat/sa-2003-c-p-6.5/latest/sa-2003-c-p-6.5.html">PIPA</a>? What legal remedy exists in Alberta for individuals if no organization is involved? If PIPA does not apply, how can the section dealing with a claim for damages under the Act apply? Is <em>Mohl</em> distinguishable by reason of the fact that there is a statutory tort of invasion of privacy in BC? All in all, <em>Martin</em> raises more questions than it answers.</p>
<p>Tort law and privacy seem to make strange bedfellows. Hopefully, we’ll get clarity soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2011/10/privacy-tort-law-developments/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Wild Rose Privacy</title>
		<link>http://michaelpower.ca/2011/10/wild-rose-privacy/</link>
		<comments>http://michaelpower.ca/2011/10/wild-rose-privacy/#comments</comments>
		<pubDate>Sat, 08 Oct 2011 16:14:41 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Alberta]]></category>
		<category><![CDATA[Charter]]></category>
		<category><![CDATA[PIPA]]></category>
		<category><![CDATA[reasonable expectation]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1495</guid>
		<description><![CDATA[Canadian courts are increasingly taking up the subject of privacy and two judicial decisions issued this year in Alberta, Canada&#8217;s Wild Rose Country, do make you wonder how privacy law will evolve in this country. The first case involves, of all things, license plates. When a person  &#8211; other than the purchaser – arrived at the loading [...]]]></description>
			<content:encoded><![CDATA[<p>Canadian courts are increasingly taking up the subject of privacy and two judicial decisions issued this year in Alberta, Canada&#8217;s Wild Rose Country, do make you wonder how privacy law will evolve in this country.</p>
<p><span id="more-1495"></span>The first case involves, of all things, license plates. When a person  &#8211; other than the purchaser – arrived at the loading dock to collect a purchase at Leon&#8217;s Furniture, the company&#8217;s practice  was to collect driver’s license and vehicle plate numbers.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/10/WRC.jpg"><img class="alignright" title="Wild Rose Country" src="http://michaelpower.ca/wp-content/uploads/2011/10/WRC.jpg" alt="" width="320" height="240" /></a>In addressing a complaint about this practice under Alberta’s <a href="http://www.canlii.org/en/ab/laws/stat/sa-2003-c-p-6.5/latest/sa-2003-c-p-6.5.html " target="_blank">Personal Information Protection Act</a> (“PIPA”), the OIPC adjudicator determined that recording the driver’s licence and licence plate numbers went beyond what was necessary for preventing fraudulent pickup. The adjudicator found that it was reasonable only to record the name and address of the person picking up the furniture, and to examine the identification produced to verify the identity of the person, but that it was not reasonable to record the number of the identification being used. Leon’s subsequent application for judicial review was dismissed.</p>
<p>Things got interesting when the case got to the Alberta Court of Appeal.</p>
<p>In writing for the majority in <a href="http://www.canlii.org/en/ab/abca/doc/2011/2011abca94/2011abca94.html" target="_blank">Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner)</a>, Justice Slatter held that license plate numbers are not personal information and the OIPC erred in finding that Leon’s failed to comply with the standard for collecting personal information under Alberta&#8217;s PIPA.</p>
<p>The essential rationale for the first finding is that there is no reasonable expectation of privacy in a license plate number because it is displayed openly in public. This importation of a “reasonable expectation of privacy” test into what constitutes personal information – usually a defined term in statutes with no reference to expectations &#8211; is a new and intriguing development.</p>
<p>The second &#8212; and perhaps the most important &#8212; aspect is the conclusion that the OIPC was wrong to find that Leon’s business process was not “reasonable”:</p>
<p style="padding-left: 30px;">“…The respondent [OIPC] is not empowered to direct an organization to change the way it does business, just because the respondent thinks he has identified a better way. So long as the business is being conducted reasonably, it does not matter that there might also be other reasonable ways of conducting the business.&#8221;</p>
<p>It seems that it’s one thing for Privacy Commissioners to suggest best practice; quite another to find that a practice is wrong if it is not patently unreasonable.</p>
<p>The second case, <a href="http://www.canlii.org/en/ab/abqb/doc/2011/2011abqb415/2011abqb415.html " target="_blank">United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner)</a>, involves videotaping at a picket line by a union and the applicability of PIPA to that activity.  In short, can employers and unions videotape picket line activity without one party or the other invoking privacy claims? Since no consent was going to be forthcoming, the focus shifted to two exceptions to the &#8220;no collection without consent&#8221; rule: journalistic purpose and publicly available information. Neither fit well in this fact situation.</p>
<p>A plain reading of the <a href="http://www.canlii.org/en/ab/laws/regu/alta-reg-366-2003/latest/alta-reg-366-2003.html " target="_blank">PIPA Regulation</a> would suggest information from a public protest or picket line does not fit within the very narrow definition of &#8220;publicly available&#8221; and no one in their right mind would (or did) suggest that the information collection was for journalistic purposes. The Court essentially said as much.</p>
<p>PIPA, unlike its BC counterpart, has no exception for personal information collected at a public event, including a public, political event. It appears this was too much for the Court to bear and it found that PIPA violates freedom of expression under Section 2(b) of the <a href="http://www.canlii.org/en/ca/const/const1982.html " target="_blank">Charter of Rights and Freedoms</a> in a manner not justified by Section 1 of the Charter.</p>
<p>Of particular interest is the Court’s finding that PIPA is regulatory and not human rights legislation. As noted by the Court, “[h]uman rights legislation is given a liberal and purposive interpretation in Canada. Protected rights receive a broad interpretation, while exceptions and defences are narrowly construed.” Apparently privacy legislation is not to have the same treatment. This perspective varies from the approach taken by the federal Privacy Commissioner and it will be interesting to see if this decision colours future judicial interpretation of personal information protection statutes in Canada.</p>
<p>If anything, Alberta’s courts have given those interested in Canadian privacy law further things to ponder.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2011/10/wild-rose-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Meters: Too &#8220;Smart&#8221; For Their Own Good?</title>
		<link>http://michaelpower.ca/2011/09/meters-too-smart-for-their-own-good/</link>
		<comments>http://michaelpower.ca/2011/09/meters-too-smart-for-their-own-good/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 17:33:38 +0000</pubDate>
		<dc:creator>emp</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[electricity]]></category>
		<category><![CDATA[MFIPPA]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[Smart Grid]]></category>

		<guid isPermaLink="false">http://michaelpower.ca/?p=1445</guid>
		<description><![CDATA[The phrase “you are what you eat” popped into my head as I began this blog post. It might be better to say “you are what you consume” and truer words were never spoken when one considers technology, analytics, and the measurement of electricity consumption. New metering technology &#8212; labeled “smart grid” &#8212; and the privacy implications [...]]]></description>
			<content:encoded><![CDATA[<p>The phrase <em>“you are what you eat” </em>popped into my head as I began this blog post. It might be better to say “you are what you consume” and truer words were never spoken when one considers technology, analytics, and the measurement of electricity consumption. New metering technology &#8212; labeled “smart grid” &#8212; and the privacy implications associated with it have already generated (no pun intended) a lot of text, presentations and concerns.<span id="more-1445"></span></p>
<p>Meters can already collect a unique meter identifier, timestamp, usage data, and time synchronization every 15 to 60 minutes. With &#8220;smart meters&#8221;, outage, voltage, phase, frequency data, and detailed status and diagnostic information from networked sensors and appliances can also be collected.  What does this mean? “Load signatures” can provide a lot of detail about life in your own home: whether you’re using the microwave or stove to cook; whether and when you’re watching television; what medical equipment, if any, is being used; how many times you get up in the middle of the night. All because you’ve turned on something that uses electricity. While the curtains may be drawn, the smart meter can blithely reveal.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/08/smartgrid101_onpage.jpg"><img class="size-full wp-image-1459 alignleft" title="Smart Meter" src="http://michaelpower.ca/wp-content/uploads/2011/08/smartgrid101_onpage.jpg" alt="" width="360" height="240" /></a>Sophisticated analytics of voltage, current and consumption can say a lot about the existence and detailed use of anything that uses electricity in one’s home. And rest assured, there will be a lot of interest in that information.</p>
<p>Electricity distribution companies (“EDCs”) want to use usage data for a variety of purposes such as remote meter reading, outage management, load forecasting and peak load billing. Appliance manufacturers could conduct market research to find out how their products are used or how they operate in the field. Insurers may want to use the data to determine how and when a loss occurred. Law enforcement authorities would naturally look to these records for evidence of criminal activity. We’ve already seen the Supreme Court of Canada sanction the admissibility of evidence gathered through the use of digital recording ammeters in <a href="http://www.canlii.org/en/ca/scc/doc/2010/2010scc55/2010scc55.pdf">R. v. Gomboc</a>.</p>
<p>On privacy, the <a href="http://www.ontarioenergyboard.ca/OEB/_Documents/EB-2011-0004/SGWG_Meeting_March%2015%202011-final.pdf ">policy objective</a> of Ontario’s energy regulator seems to be:</p>
<blockquote><p>&#8220;Respect and protect the privacy of customers. Integrate privacy requirements into smart grid planning and design from an early stage, including the completion of privacy impact assessments&#8221;</p></blockquote>
<p>That’s a nice position but it doesn’t say a lot. Privacy assessments, in and of themselves, don’t solve problems.</p>
<p>Ontario’s Information and Privacy Commissioner and The Future of Privacy Forum have a comprehensive <a href="http://www.ipc.on.ca/images/resources/pbd-smartpriv-smartgrid.pdf">paper</a> on the subject of smart grids and privacy. There is also a “<a href="http://www.ipc.on.ca/images/Resources/pbd-ont-smartgrid-casestudy.pdf">case study</a>” involving Ontario’s Hydro One that clearly has good intentions and some interesting tidbits of information, but it offers few details and leaves one wanting more. For example, it appears to suggest that energy consumption, power statistics and the meter identifier are the only data elements collected from smart meters. Just how detailed are the consumption information and power statistics collected? You do get the sense that Hydro One wants to make sure privacy isn’t used as an impediment to smart meter use.</p>
<p>Ontario’s Privacy Commissioner has jurisdiction over only those EDCs owned by municipalities through <a href="http://www.canlii.org/en/on/laws/stat/rso-1990-c-m56/latest/rso-1990-c-m56.html ">MFIPPA</a>. However, not all of Ontario’s 80 local electricity distribution companies are publicly owned and therefore subject to that legislation. And under MFIPPA, the Commissioner may only order an institution to cease a collection practice or destroy collections of personal information that contravene this Act – very draconian measures that really don’t make much sense in the context of provisioning electricity.</p>
<p>Similarly, a search of the federal privacy Commissioner’s site for documentation reveals a reference that shows it to be a research priority for 2011-12. It may be that the federal Privacy Commissioner is only tackling the issue now with respect to non-publicly owned EDCs.</p>
<p><a href="http://michaelpower.ca/wp-content/uploads/2011/08/cpuc.jpg"><img class="size-full wp-image-1465 alignright" title="California Public Utilities Commission" src="http://michaelpower.ca/wp-content/uploads/2011/08/cpuc.jpg" alt="" width="248" height="241" /></a>One jurisdiction has proactively implemented some of the good thinking out there on smart grid privacy. California’s Public Utilities Commission last month adopted a privacy and security rule for “smart grid” electricity consumption, and there are some concepts that are worth repeating in other jurisdictions. The decision is available <a href="http://docs.cpuc.ca.gov/PUBLISHED/AGENDA_DECISION/140188.htm">here</a> and the rule, in Attachment D, is available <a href="http://docs.cpuc.ca.gov/published/Graphics/140192.PDF">here</a>.</p>
<p>Some of the interesting concepts found in the rule are:</p>
<blockquote><p><em>Real-time access requests are to be treated as wiretaps requiring approval under the federal or state wiretap law.</em></p>
<p><em>Prior notification, in writing, of subpoenas for disclosure, unless otherwise prohibited from doing so by a court order, law, or order of the Commission.</em></p>
<p><em>An independent privacy and security audit &#8212; to be reported to Commission as part of the utility’s general rate case filing.</em></p>
<p><em>“Reasonably necessary” requirements for data collection, retention and disclosure.</em></p></blockquote>
<p>The rule applies not only to “electrical corporations” subject to the jurisdiction of the Commission but also any service provider and any third party who accesses, collects, stores, uses or discloses “covered information” whether by order of the Commission itself or with the consent of the customer concerned.</p>
<p>California’s efforts with respect to the personal information that can be gleaned from electricity use data are laudable as an attempt to assuage the unease about what metering technology may or may not be able to say about us. Perhaps the Ontario Energy Board should think about doing the same.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelpower.ca/2011/09/meters-too-smart-for-their-own-good/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

