Canada: Top 10 Privacy Law Developments Of 2017

Playing catch-up on 2017 developments in Canadian privacy law? Here's a list of our Top 10:

  1. Supreme Court deals blow to choice of forum provisions in consumer contracts
    In Douez v. Facebook, a divided Supreme Court refused to enforce an otherwise valid forum selection clause in Facebook's terms of use agreement which would have required the plaintiff to sue Facebook for an alleged privacy breach in California rather than in British Columbia. The majority determined that unequal bargaining power between the parties and the quasi-constitutional nature of privacy rights provided "strong cause" not to enforce the clause. The decision casts into doubt a range of consumer contracts that purported to have consumers contract out of provincial jurisdiction.

  2. CASL: private right of action suspended, reform recommended
    In June 2017, the government slammed the brakes on implementing ss. 47-51 of Canada's Anti-Spam Legislation (CASL), which would have allowed individuals to sue organizations for breaches of CASL and related sections of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act. With potential damage awards of up to $1 million per day, businesses and not-for-profits voiced concern that the private right of action could have serious unintended consequences. The government asked the Standing Committee on Industry, Science and Technology (INDU) to review the provision, as part of a more general statute-mandated review of CASL.

    In December, the Committee tabled its report following its review of CASL and the private right of action. INDU heard from 40 witnesses, many of whom were severely critical of the law. The Committee stopped short of making specific recommendations as to how CASL's provisions might be amended, but made 13 general recommendations for clarification, including with respect to key terms such as "commercial electronic message", the implied and express consent provisions, and how CASL applies to charities and non-profits. INDU also recommended that consideration of the coming into force of the private right of action should await an assessment of the impact of these recommended clarifications.

  3. Supreme Court confirms privacy of text messages
    In R. v. Marakah and R. v. Jones, a pair of decisions issued in December, the Supreme Court addressed the circumstances in which the unreasonable search and seizure protections of the Charter apply to text messages held by third parties. In Marakah, the majority determined that the defendant had a reasonable expectation of privacy in the text messages found on the iPhone of his accomplice (recovered at the accomplice's home), excluded the evidence and acquitted the defendant. Similarly, in Jones, the court found that the defendant had a reasonable expectation of privacy in the text messages, sent to his co-accused, that were stored by the accused's mobile service provider. However, as the court found that the seizure was made pursuant to a valid production order under the Criminal Code, the defendant's Charter rights were found not to have been breached.

  4. CASL survives first constitutional challenge
    In 2015, staff of the Canadian Radio-television and Telecommunications Commission (CRTC) fined CompuFinder $1.1 million for breaches of CASL. Exercising its right to make submissions to the appointed members of the CRTC, CompuFinder challenged CASL as an unconstitutional exercise of federal authority and an unjustifiable breach of Charter protections, including freedom of expression. The CRTC rejected these claims, finding that CASL was a valid exercise of Parliament's general trade and commerce powers, and that the limitations on freedom of expression were justified by the legislative goals of regulating spam and other electronic threats. It remains to be seen whether the case will be further appealed to the Federal Court of Appeal.

  5. An expanding tort of intrusion upon seclusion?
    In 2012, the Ontario Court of Appeal in Jones v. Tsige recognized the tort of intrusion upon seclusion, a privacy tort that allows recovery for the intentional and "highly offensive" invasion of privacy. In Vanderveen v Waterbridge Media Inc., the Ontario small claims court found that a promotional video produced for the defendant real estate developer, which contained a two-second clip of the plaintiff jogging on a public walking trail, was a "significant" privacy breach. The court awarded the plaintiff $4,000 for breach of privacy and $100 for appropriation of personality. Although it was a small claims decision, the judgement is noteworthy because courts in the common law provinces have previously generally rejected "misappropriation of personality" common law tort claims by non-celebrities.

  6. Privacy and competition law meet in TREB case
    In Toronto Real Estate Board v. Commissioner of Competition, TREB argued that the allegedly anti-competitive policies that restricted the distribution of certain data to brokers arose from privacy obligations under PIPEDA. The Federal Court of Appeal disagreed, finding that the listing agreements between selling homeowners and brokers contained sufficient consents under PIPEDA to permit disclosure of the personal information in the data feed. Citing the Supreme Court's 2016 decision in Royal Bank of Canada v. Trang, which found a reduced expectation of privacy in mortgage statement information, the court also noted that the privacy interests involved in the TREB case were less sensitive because home selling prices were publicly available pursuant to land registry legislation.

  7. BC Privacy Commissioner rules against "Creep Catchers"
    Surrey Creep Catchers was a vigilante organization that impersonated minors online in order to lure potential child predators to a live meeting, at which the organization confronted the alleged predators, video-recording the confrontation and subsequently posting their interactions on social media. Two targets of the organization complained to the Office of the Information & Privacy Commissioner of British Columbia (BC OIPC). The BC OIPC determined that the organization collected, used and disclosed a range of personal information without consent, and ordered the organization to stop, rejecting the contention that the organization was conducting an "investigation" or carrying out a journalistic purpose.

  8. Eyes on Europe's GDPR
    Businesses around the world are readying themselves for Europe's General Data Protection Regulation, which goes into effect in May 2018. The regulations make significant changes to the previous 1995 directive, including higher penalties (up to 4% of global turnover), stricter consent provisions and a formalized "Right to be Forgotten". The law purports to have extra-territorial effect on online businesses dealing with European residents, leaving many Canadian companies with websites, or who might otherwise do incidental business with European residents, to wonder how the law might apply to them. Moreover, while the European Commission has long considered Canada's privacy legislation to be "adequate" to allow personal data to flow between Canada and the EU without additional safeguards, it is not clear, in light of the pending GDPR, whether that status may change, or whether Canada will be required to make changes to its own privacy laws in order to maintain its adequacy status.

  9. PIPEDA Breach of Security Safeguards Regulations tabled
    In 2015, the Digital Privacy Act amended PIPEDA to establish data breach reporting requirements, including notifying affected individuals of a "real risk of significant harm" and reporting the breach to the Privacy Commissioner of Canada (OPC). While those amendments are not yet in force, in September 2017 the government inched closer to implementation by unveiling proposed regulations that provide more specifics on the obligations. The draft regulations come amid a year of several highly publicized data breaches globally and in Canada, including Equifax, Uber, and the Canadian government.

  10. Company held responsible for privacy breaches of rogue sales representative
    A sales representative of Global RESP Corporation inappropriately obtained access to personal information of maternity patients of the Rouge River Hospital, which the representative used as leads to sell Registered Education Savings Plans to the parents of newborns. The representative, who had purchased the personal information from hospital employees, claimed to be acting alone.

    Following an investigation, the OPC concluded in a decision summary published in 2017 that the RESP company was nonetheless accountable under PIPEDA for the actions of its salesperson. The OPC also found that the company had breached its obligations under the law, as it had no reliable system to document how personal information was obtained and used by sales representatives, and no policies, procedures or training in place to ensure compliance with PIPEDA. The Commissioner made recommendations to the company about compliance, which the company accepted and implemented.

    In a widely reported decision, the Ontario Information and Privacy Commissioner had already found in 2014 that the hospital had failed to comply with its obligations under the Personal Health Information Protection Act to adequately protect personal health information. The hospital employee and the sales representative also pled guilty in 2016 to criminal charges stemming from the incident, and a class action against the hospital is still pending.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
