Canada: Individuals' Privacy Interests

Charest c. Procureur général du Québec, 2023 QCCS 1050

Read more about the case: Charest c. Procureur général du Québec, 2023 QCCS 1050

Facts

In April 2017, a newspaper company published documents relating to the plaintiff, Jean Charest, former Premier of Québec, obtained or created by Québec's anti-corruption agency, the Unité permanente anticorruption (UPAC). The documents were leaked to the press in the context of an investigation into sectoral financing by the Québec Liberal Party when it was the ruling party. This was – and still is – a high-profile case.

Decision

The Superior Court of Québec ruled in favour of the plaintiff, awarding $35,000 in compensatory damages and $350,000 in punitive damages. The Court found that UPAC had failed to protect Mr. Charest's personal information, contrary to the provisions of the Act respecting Access to documents held by public bodies and the Protection of personal information. Under the Act, disclosure of personal information to the media without the knowledge of the individual concerned is not permitted. The Attorney General argued that the plaintiff could not have had a significant expectation of privacy as a politician. The Court rejected this argument.

Bellevue West Building Management Ltd., Re, 2022 BCIPC 74

Read more about the case: Bellevue West Building Management Ltd., Re, 2022 BCIPC 74

Facts

The complainant owns an apartment in a building where all the owners incorporated Bellevue West Building Management Ltd. to coordinate the use and enjoyment of the building. Bellevue is run by a management committee that installed a video surveillance system to combat break-in attempts and minor property damage. The complainant complained to the Information and Privacy Commissioner for British Columbia that Bellevue had collected and used her personal information consisting of the images captured by the surveillance.

Decision

The Commission first considered whether the complainant had consented to the collection of her personal information and found that, while the signs that had been put up did constitute sufficient notice, the complainant's use of the public spaces under surveillance did not constitute her consent as Bellevue argued – inherent in consent is an element of choice, and the complainant had to use the laundry room and lobby to access her suite. Bellevue relied on sections 12(1)(c), 12(1)(h) and 12(1)(j)(i) to justify why it didn't require the complainant's consent, but the Commission found that none of these sections applied. Because Bellevue was not authorized to collect the personal information to begin with, the Commission also found that it was not authorized to use it under ss. 6(1) and 6(2).

Métis Addictions Council of Saskatchewan Inc., Re, 2023 CarswellSask 124

Read more about the case: Métis Addictions Council of Saskatchewan Inc., Re, 2023 CarswellSask 124

Facts

Sensitive personal information of patients of the Métis Addictions Council of Saskatchewan Inc. (MACSI) was found in a recycling bin by a member of the public, who then provided it to the media. The files contained confidential information about clients' addictions and mental health issues, and had not been properly disposed of by MACSI. A member of the media advised the Office of the Saskatchewan Information and Privacy Commissioner of the files.

Decision

An investigation by the Office of the Saskatchewan Information and Privacy Commissioner found that the files contained sensitive personal information, including details of clients' addictions and mental health issues, and had not been properly disposed of. MACSI was found to be in breach of the Health Information Protection Act; it was determined that MACSI did not take all the steps it could have to contain the breach nor did it make enough effort to provide notification to the affected individuals. MACSI was ordered to pay a fine and take steps to prevent similar breaches in the future.

James v. Amazon.com.ca, Inc., 2023 FC 166

Read more about the case: James v. Amazon.com.ca, Inc., 2023 FC 166

Facts

The applicant, Tamara James, claimed that she created an account with Amazon.com.ca, Inc., but forgot her password. She sought access to customer account information, including account receipts and audio recordings of her dealings with Amazon customer service. Amazon tried to assist James in resetting the password, but James declined to accept that assistance.

James filed a complaint to the Privacy Commissioner and corresponded with the Amazon Privacy Officer, Amazon Executive Customer Relations employees and Amazon counsel to try to resolve the issue. Amazon concluded that it could not authenticate James as the requestor because (i) James was unwilling to follow the steps provided to reset her password; and (ii) the information James provided did not correspond with the information on Amazon's server.

The Commissioner's Report found that "Amazon provided [James] with a fair and reasonable response to [her] access request when it could not verify [her] identity." James then brought the dispute before the Federal Court pursuant to section 14 of PIPEDA.

Decision

The Court dismissed the application. James did not discharge her burden of establishing any violation of PIPEDA. Amazon was under an obligation to protect the account information (PIPEDA, Principle 7); in the Court's words: "that is the very purpose of the PIPEDA." Accordingly, the Court found, Amazon "was justified in refusing to give access to personal information without being able to authenticate the identity of the requester in the circumstances of this case."

The Court dismissed several other issues raised by James, including arguments that Amazon violated Principle 6 (on the basis that allegedly inaccurate information in Amazon's possession prevented authentication of the requestor's identity) and that Amazon violated the timeliness requirement under section 8 of PIPEDA.

Barrett v. Royal Bank of Canada, 2022 FC 1534

Read more about the case: Barrett v Royal Bank of Canada, 2022 FC 1534

Facts

Maureen Barrett resigned from her job at RBC Life Insurance Company and assumed a new role as a financial adviser with Sun Life Financial. At the time of her resignation from RBC Life, the company was investigating Barrett for alleged fraudulent conduct involving her personal bank account. Sun Life also undertook its own independent investigation into Barrett's conduct as an employee of Sun Life. After Sun Life terminated Barrett's employment, Barrett alleged it was because RBC had disclosed her personal banking information to Sun Life without her consent, in contravention of PIPEDA. Barrett brought an application pursuant to s. 14 of PIPEDA. She sought a declaration that RBC's disclosure of her personal information to Sun Life contravened PIPEDA, damages and costs.

Decision

The Court dismissed Barrett's application, finding that the disclosure of personal information was made in accordance with subsection 7(3)(d.1) of PIPEDA, which permits disclosure of personal information without knowledge or consent of the individual in order to further an investigation. The Court found that RBC reasonably disclosed Barrett's personal banking information in furtherance of Sun Life's investigation of Barrett's conduct. The Court stated that the information was relevant to Sun Life's investigation and it was reasonable for RBC not to inform Ms. Barrett or seek her consent prior to the disclosure, because this could have compromised the investigation.

The Court explained that it would not have found that the disclosure was authorized by RBC's own investigation, alone, because disclosing the personal information to Sun Life would have done nothing to further RBC's investigation or to prevent any fraud, since the alleged fraudulent activity with Barrett's bank account had already happened.

Finally, the Court stated that, even if Ms. Barrett could demonstrate a violation of PIPEDA, an award of damages would not be appropriate. Any breach by RBC would not have been egregious and her employment was not terminated because of the very limited disclosure of her personal information by RBC.

Al-Husseini v. Altaif Inc., 2022 FC 1497

Read more about the case: Al-Husseini v. Altaif Inc., 2022 FC 1497

Facts

The applicant, Sadeq Al-Husseini, brought an application under section 14 of PIPEDA against Altaif Inc. for disclosing financial information that allegedly exceeded the scope of a production order related to Al-Husseini's divorce proceedings in the Ontario Superior Court of Justice (the Production Order).

Decision

The Federal Court dismissed the application, finding that Altaif had not breached Al-Husseini's privacy rights because the foreign exchange transfers that Altaif disclosed were within the scope of the Production Order. The Court also accepted Altaif's submissions that Altaif reasonably believed that the information was required to be disclosed under the Production Order.

Given that finding, there was no need to address the issue of damages. However, the Court explained that even if the Court's interpretation of the scope of the Production Order was incorrect, Al-Husseini had not established that he suffered damages as a result of the disclosure. The Court further stated that, although PIPEDA gives the Federal Court discretion to grant remedies for privacy breaches, an award for privacy law damages should only be made in the "most egregious of circumstances."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.