CyberLex

Insights on cybersecurity, privacy and data protection law

Goldilocks and the Interactive Bear: The Privacy Nightmare

Posted in Cybersecurity, Internet of Things, Privacy
Anaïs Galpin, Camille Marceau

A Wake-up Call: The Rise and Demise of Hello Barbie

Once upon a time, which happened to be around March 2015, Mattel introduced Hello Barbie, the world’s first “interactive doll”. With the press of a single button, the voice of its user was to be recorded and processed, and the Hello Barbie would respond to the question or statement recorded. The interactive doll appeared to be a dream come true for children and parents alike: for the former, an ever-present friend with whom to babble and play, and, for the latter, someone to provide answers and explanations to the incessant curiosity of their child, granting them a little respite. How could this not be a miracle?

However, soon after the release of Hello Barbie, cybersecurity commentators warned against the potential privacy risks of the interactive doll, and “connected toys” generally. As reported in a previous blog post, in November 2015, VTech, a Hong Kong supplier of children’s connected learning toys, was hacked, compromising the personal data of over 6.5 million child profiles. VTech fixed the breach and amended its terms of use to warn against the risk of data piracy, and that was that.

Following the publicity around the incident, and VTech’s quick fix of the situation, interactive dolls and their engineers and makers largely vanished from the headlines. Presumably, toy manufacturers, and parents, had learned their lesson on the privacy risks that come along with connected toys.

The Comeback of Interactive Toys and Dolls: A Messy Affair

History tends to repeat itself, however, and this story is no exception. CloudPets, essentially an app that allows parents and friends to record and send messages to a connected CloudPet stuffed animal from anywhere in the world, suffered a similar incident. In what was reported to be the result of a lapse of security, private conversations between family members could be overheard via a listening device installed in the kids’ teddy bear.

In addition, the personal data of over 821,000 users and owners of CloudPets was reportedly discovered to be easily accessible online. How easy was it really, you ask? Too easy, apparently, since it was reported that an unidentified number of individuals managed to hack the database and personal accounts and recover sensitive data by using brute force. The database storing the personal data was, according to reports, protected by neither a firewall nor a password, and the personal accounts of the users and owners used overly simplistic passwords and usernames such as “123456”, “qwerty”, and “password”.

Another interactive toy also made the news in early 2017. The My Friend Cayla doll was declared to be an “illegal espionage apparatus” by Germany’s Federal Network in February 2017 as it was deemed to be a surveillance device disguised as another object, which cannot be legally manufactured, sold or possessed in Germany. The access to the doll was unsecured, and any hacker within 15 meters of the doll could access the doll via the Bluetooth connection and interfere with messages received and sent by the doll. The doll cannot be sold in Germany anymore, and owners of the doll were ordered to disable its “smart” feature at the very least.

Moving Forward: How to Compromise between Companionship and Cybersecurity

Two lessons can be learned from these three attempts to provide children with the companionship of a virtual friend.

First, there seems to be a higher expectation of privacy for children, which has been expressed by a call to boycott Hello Barbie following the 2015 incident, as well as the strict implementation of espionage rules by Germany. The interactive dolls described above are not significantly different in their purpose and functioning from the Siris (Apple) and Alexas (Amazon) of this world: both record, process and store voices and personal data in order to provide companionship and on-the-spot information to their owners and users. However, they differ greatly in their targeted audience: one is aimed at adults, while the other is for children, generally regarded as vulnerable.

In this regard, the Office of the Privacy Commissioner of Canada (“OPC”) made this distinction clear in its guide to collecting personal data from children, published in December 2015, stating: “the [OPC] has consistently viewed personal information relating to youth and children as being of particular sensitivity, especially the younger they are, and that any collection, use or disclosure of such information must be done with this in mind (if at all)”. Keeping this warning in mind, the OPC’s first tip is to limit, or avoid altogether, the collection of personal information. Other tips touch on the retention of data and ways to obtain proper consent.

Second, while some first attempts to provide children with interactive toys have resulted in significant missteps, interactive toys are here to stay, as evidenced by their comeback following the Hello Barbie incident. Toy-makers must therefore find a way to manufacture a toy that satisfies Papa Bear, Mama Bear and Baby Bear’s wants and needs.

For more information, please see McCarthy Tétrault’s guide on cybersecurity risk management, which is available here.

Camille Marceau is an articling student in McCarthy Tétrault’s Montreal Office.

U.S. Consumer Protection Regulator Consults on Use of Alternative Credit Data

Posted in Big Data, Financial, FinTech
Ana Badour, D.J. Lynde, Taha Qureshi, Kirsten Thompson

On February 16, 2017, the U.S. Consumer Financial Protection Bureau (the “CFPB”) issued a Request for Information (“RFI”) seeking feedback from the public on the use or potential use of alternative data and methodologies to assess consumer credit risk, thereby expanding access to credit for credit invisible segments of the population. Presently, most lenders make credit decisions using modeling techniques that rely on “traditional data” such as loan history, credit limits, debt repayment history, and information relating to tax liens and bankruptcy. Lenders use this information to assess creditworthiness of consumers to determine the likelihood of whether a consumer will default or become delinquent on a loan within a given period of time.

However, in the U.S. approximately 45 million Americans do not have access to credit as a result of not having a credit file with any credit bureau, or credit files that are too limited or stale to generate a reliable score (“credit invisible consumers”). The CFPB is seeking feedback on whether “alternative data”, such as payment information on phone bills, rent, insurance, utilities, as well as checking account transaction information and social media activities, could provide an innovative solution to this problem. Enhanced data points could potentially address the information asymmetry that currently prevents lenders from serving “credit invisible consumers”.

In Canada, privacy legislation and other laws place restrictions on the types of personal information and other information that can be used in making credit decisions; the role of consent is critical. In contrast, the U.S. lacks a comprehensive privacy regime and has not examined credit risk assessment from that perspective.

Through its RFI, the CFPB is seeking information from interested parties on the development and adoption of innovations relating to the application of alternative data, and current and potential consumer benefits and risks associated with such application. The following is a summary of some of the risks and benefits identified by the CFPB:

Benefits

  • Greater Access to Credit: Consumers without a traditional loan repayment history could substitute such data points with regular bill payments for cell phones, utilities or rent. This information could in some cases prove sufficient for a lender to assess the creditworthiness of consumers and perhaps deem them to be viable credit risks.
  • Improved Credit Prediction: Access to more practical and nuanced information about a consumer’s financial behaviour, pattern and context could allow lenders to identify trends in the consumer’s profile. Social media job status changes could perhaps help identify those individuals with low credit scores who have surmounted previous financial obstacles, and have a much better future credit outlook than the credit score snapshot would suggest.
  • Profitability, Cost Savings and Convenience: Currently, many lenders forego providing credit to consumers with poor credit scores or non-existent credit history. With better data, lenders can market their products and services to more consumers, thereby increasing revenues and profits.

Risks

  • Privacy: As is the case with big data generally, the CFPB has identified privacy issues as one of the primary risks associated with the use of such alternative data. Most forms of alternative data include information that can reveal fairly intimate details about an individual, such as social media activity, behaviour and location patterns. Lender access to such data would likely need to be regulated and protected explicitly at the legislative level.
  • Data Quality: Some types of alternative data may be prone to greater rates of error due to the potential that the quality standards required to be met for their original purpose are less rigorous relative to those applied to traditional data destined to be used in the credit approval process. Incomplete, inconsistent or inaccurate data could have a detrimental impact on lenders’ ability to correctly and fairly assess a consumer’s credit viability.
  • Discrimination: Greater access to information also introduces the potential for discrimination. Machine learning algorithms may predict a consumer’s likelihood of default, but could correlate such probabilities with race, sex, ethnicity, religion, national origin, marital status, age or some other basis protected by law. Using alternative data as a proxy for identification of certain sub-groups of the population could be a violation of anti-discrimination laws.
  • Unintended Consequences and Control: The CFPB has expressed concern that use of alternative data could have unintended negative consequences for some consumers. For example, frequent moves and address changes by members of the military could create a false impression of overall instability. Alternative data could also include information about consumers that is beyond their control. Such data would make it difficult for consumers to improve their credit profile and thereby harden barriers to economic and social mobility.

Canadian Perspective

The Canadian regulatory landscape already addresses many of the risks identified in the CFPB RFI. Provincial credit reporting legislation governs the use of traditional credit data and includes a number of safeguards intended to protect consumers. For example, an entity which for profit furnishes credit information or personal information, or both, pertaining to a consumer to a third party for the purposes of that third party’s credit assessment is required to be licensed and regulated as a credit reporting agency in Ontario.

In addition, under such legislation, consumers have certain rights, including the right to be notified when a credit application they have made has been refused based on their credit score (otherwise known as the requirement to provide “adverse action letters” to credit applicants), and the ability to access, review and correct their credit report (for example if the credit report includes incorrect information as a result of identity theft or error).

However, the potential use by lenders of non-traditional credit data which consumers may not be aware of, or able to access and correct, could lead to similar data quality concerns in Canada as identified above in the U.S. It is worth noting that, to the extent the non-traditional data points are “personal information”, Canadian consumers would have a right under privacy legislation to access and/or correct any such information.

The privacy and discrimination concerns as outlined above in the U.S. have, in large part, been addressed in Canada through human rights legislation and privacy laws, although the advent of Big Data and analytics techniques (including the use of aggregate and anonymous personal information) is making once-clear regulatory boundaries significantly murkier. The Office of the Privacy Commissioner of Canada (“OPC”) recognized this in its recent Discussion Paper Exploring Potential Enhancements to Consent under the Personal Information Protection and Electronic Documents Act, where it noted the challenges of obtaining meaningful, valid consent in a Big Data world. The OPC thought that some of the Big Data concerns could potentially be addressed by sectoral “codes of practice” (and observed that in Australia, credit reporting bureaus can develop codes of practice which are then registered by the commissioner there).

The OPC has also explored the idea of legislating “no-go zones” of data – in short, prohibiting the collection, use or disclosure of personal information in certain circumstances. They could be based on a variety of criteria, such as the sensitivity of the data, the nature of the proposed use or disclosure or vulnerabilities associated with the group whose data is being processed. Alternative means of assessing credit risk, and attendant concerns about the sensitivity of this information and the potential for discriminatory impacts, suggest that this type of use of this information may attract future regulatory scrutiny.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.

In New CASL Case, CRTC Sends $15,000 Message

Posted in CASL
Jade Buchanan

The biggest changes to CASL since CASL are on the horizon but the Canadian Radio-Television and Telecommunications Commission (“CRTC”) just showed us that it still cares about the little things. All it took was complaints about 58 emails – fewer emails than many people receive in a day – for the CRTC to impose an administrative monetary penalty (“AMP”) of $15,000.

Background

The CRTC just released a Compliance and Enforcement Decision (the “Decision”) regarding the ill-fated email campaigns of one Mr. William Rapanos. In a rare act of true irony, Mr Rapanos sent a series of unsolicited emails advertising his business of designing, printing and distributing paper flyer advertisements.

After receiving complaints between July 8, 2014 and October 16, 2014, the CRTC investigated and, on April 22, 2016, sent Mr Rapanos a Notice of Violation (“NoV”). The NoV cited 10 violations related to Mr Rapanos’ commercial electronic messages (“CEMs”), which violated CASL in almost every way an email can, including being sent without the recipients’ consent and not including an unsubscribe mechanism. Mr Rapanos ran three separate campaigns, committing a total of ten violations. The NoV also assessed an AMP of $15,000.

Mr Rapanos exercised his right to respond to the NoV, arguing that because his wi-fi connection was unsecured, an unknown person had sent the offending emails, that he had been “potentially the victim of a personal vendetta or of identity theft” and that the CRTC had not proven “beyond a reasonable doubt” that he sent the CEMs.

The Decision

Mr Rapanos was not successful. The CRTC was satisfied – on the balance of probabilities (the actual legal test that applied, and not “reasonable doubt”) – that Mr Rapanos had committed all of the violations listed in the NoV and maintained the $15,000 penalty.

Unfortunately, Mr Rapanos’ case does not lend itself to clarifying CASL’s more pressing ambiguities (such as the “6(6)” issue and the handling of consents obtained prior to CASL coming into force). The emails were unambiguous violations.

The Decision does contain some useful guidance on how to manage investigations and how to minimize AMPs. The Decision is particularly notable for maintaining the AMP imposed by the NoV. This differs from the recent Blackstone decision, which decreased the AMP from $640,000 to $50,000. Here are some of the lessons from the Decision:

  1. Documenting compliance efforts can help reduce an AMP. As in Blackstone, the CRTC considered indicators of self-correction (a factor not explicitly listed in CASL). Mr Rapanos showed an unwillingness to self-correct, including by running a fourth CASL-violating email campaign after learning the CRTC was taking action. The CRTC used this to further justify the quantum of the AMP. It is probable that Mr Rapanos could have helped lower the AMP by demonstrating self-correction, or at least a willingness to correct. In fact, evidence of self-correction – before and after the investigation began – did justify a lower AMP in Blackstone.
  2. The CRTC found a fine of $1,500 per violation to be reasonable. This is a helpful benchmark for future AMPs against individuals. For comparison, the per-violation penalty for a small business in Blackstone was roughly $5,500. However, due to the high volume of emails in Blackstone (385,668), Mr Rapanos is paying dramatically more on a per-email basis: $259 per email compared to Blackstone’s 13 cents per email.
  3. The Decision further clarifies the calculation of violations. The number of emails did not factor into the number of violations (even though it may have affected the AMP). Just as in Blackstone, the CRTC considered the number of email campaigns. However, unlike Blackstone, Mr Rapanos committed multiple violations in each email campaign by violating three to four different provisions of CASL.
  4. Violators must produce evidence if they want the CRTC to consider their ability to pay. Mr Rapanos claimed “he never had a career due to health issues and that he and his wife subsist solely on social assistance.” The CRTC, faced with a sympathetic offender, noted they had “taken into account” Mr. Rapanos’ submissions on the AMP, but ultimately disregarded this claim because Mr Rapanos did not provide supporting evidence.
  5. The CRTC will use its power to compel evidence liberally. Notices for production were issued to Mr Rapanos (twice), his wife, the owner of the house where he resided, the host of his website domain and both of the companies that provided him with cell phone services (and those are just the notices that were mentioned in the Decision).

U.S. Federal Insurance Office Issues Report Addressing InsurTech and Traditional Insurance

Posted in Big Data, Cybersecurity, Discrimination, FinTech
Dan Doliner, Zachary Masoud, Shauvik Shah, Kirsten Thompson

The Federal Insurance Office, U.S. Department of the Treasury (“FIO”) released its first annual Report on Protection of Consumers and Access to Insurance (the “Report”). The Report reviews developments and concerns relating to five insurance issues: technology; environmental hazards; fairness in insurance practices; fairness in state insurance standards; and retirement and related issues. The Report identifies options available to consumers, industry, and state and federal policymakers to address certain noteworthy gaps in protection for insurance consumers.

Of note are the Report’s observations on technology (Section II of the Report), and the manner in which technology issues (such as big data and cybersecurity) affect both traditional insurance companies and innovative InsurTech companies.

Big Data

The Report notes that the use of big data holds promise for both insurers and consumers, as it facilitates innovation and modernization in insurance product design, distribution, and delivery. However, the Report identifies some of the concerns regarding the use of big data by insurers in the U.S., specifically in respect of the risks for consumers. “Big data” is defined in the Report as the “ability to gather large volumes of data, often from multiple sources, [which] produce[s] new kinds of observations, measurements and predictions.” Big data can accumulate consolidated information which is gleaned from different sources, such as information collected from GPS devices, mobile phones, internet searches, social media, public record, surveys, and more.

Big data supports insurers’ analysis and development of premium pricing based on “risk classification” for insurance products, by increasing the number of variables that could be assessed. At the same time, big data also enables insurers to practice “price optimization” in which data about an individual, such as shopping habits or pricing tolerance, is used to set premiums for an individual consumer. This practice may lead to individuals paying different premiums for similar policies. Certain states have restricted price optimization.

Insurance companies in the U.S. are increasingly using data brokers, which purchase, sell, collect and analyse big data, and develop related products (for example, by integrating data from social media). Data brokers do not have a direct relationship with the individuals from whom the data originates, which can raise privacy and transparency concerns (see publication in this regard by the U.S. Federal Trade Commission (“FTC”), here, and by the Privacy Commissioner of Canada, here).

The FIO called on state insurance regulators to specifically enforce state and federal legal requirements that are applicable to use of big data by insurers. The Report further highlights significant legislative and regulatory gaps in the U.S.

Cyber Risk

Insurance companies maintain vast databases of personal information regarding past, present and potential consumers. The use of big data, as well as increased use of outsourcing by insurers, can lead to significantly larger cybersecurity risk.

U.S. state insurance regulators have been cooperating on several regulatory initiatives, in order to set a mandatory cybersecurity standard for insurance companies. These initiatives include the Cyber Security Task Force and the Insurance Data Security Model Law (IDSML), which is not yet finalized. Of special note are the Cybersecurity Requirements for Financial Services Companies, issued by the New York State Department of Financial Services (“DFS”), which came into effect on March 1, 2017.

The FIO encourages insurers to adopt cybersecurity strategies based on best practices guidelines, such as the Framework for Improving Critical Infrastructure Cybersecurity, published by the National Institute for Standards and Technology. At the same time, the FIO is pressing state regulators to promote increased cybersecurity and data protection awareness among insurance companies, through new legislation and regulations, cybersecurity training and hiring, and frequent cybersecurity examinations.

Conclusion

Protection of insurance consumers is critical to the functioning of a stable and fair insurance marketplace. Technology and big data, in particular, have enabled growth and development of traditional insurance products. In fact, big data is often at the core of InsurTech products. Regulators are catching up with such advancements, and have identified what they see as regulatory gaps. Insurers that sell insurance, through traditional and technology-enabled channels, should consider anticipated regulatory requirements, when developing new products, and be prepared to address new regulatory standards.

Insurers in Canada operate in a different legal and regulatory landscape. The use of big data in Canada is subject to human rights legislation, privacy legislation, and personal health information. However, Canadian insurers that operate in the U.S., and Canadian companies which provide services to U.S. insurance companies, may wish to consider the trend in the U.S. of increased enforcement and regulation with respect to big data and cybersecurity.

For more information about our firm’s Fintech expertise, please see our Fintech group page. Information about McCarthy Tétrault’s Cybersecurity, Privacy and Data Management Group is available here. Please visit our firm’s 2017 edition of the Cybersecurity Risk Management Guide.

Genetic Discrimination Bill One Step Closer to Becoming Law

Posted in Legislation, Privacy
Krupa Kotecha

On March 8, 2017 Liberal backbench MPs united with opposition parties to pass Bill S-201, an act to prohibit and prevent genetic discrimination. As noted in this prior Cyberlex post, Bill S-201 follows the enactment of legislation in the United States and United Kingdom and protects individuals from the involuntary disclosure of genetic results.

Specifically, the legislation prohibits requiring an individual to undergo genetic testing or disclose genetic test results as a condition of: (a) providing goods and services; (b) entering into or continuing a contract or agreement with that individual; or (c) offering or continuing specific terms or conditions in a contract or agreement with that individual. The legislation amends the Canada Labour Code to prevent employees from being required to take a genetic test or disclose the results of such testing to employers. It further introduces “genetic characteristics” as a prohibited ground of discrimination under the Canadian Human Rights Act. Contravention of the legislation gives rise to criminal sanctions, which include both monetary penalties (up to $1,000,000) and imprisonment (up to a term of five years).

The bill has now successfully passed through the House of Commons and the Senate. It is anticipated to receive Royal Assent, and thus become effective law, within the next few days.

Cyberbullying & Revenge Porn: An Update on Canadian Law

Posted in Privacy
Kirsten Thompson

The current nature of social media and, more broadly, the Digital Age, continues to create challenges for legislators and law enforcement officials alike. One such challenge arises in the cyberbullying context, where intimate (or otherwise private) images are uploaded to the Internet. These files can be copied, forwarded and shared instantaneously, making them seemingly impossible to delete retrospectively. There have been developments in both common law and statute.

Manitoba

In order to address this issue and provide recourse for victims of such digital distribution, Manitoba introduced The Intimate Image Protection Act, CCSM c I87, specifically to deal with the non-consensual sharing of intimate images. The Act, which came into force in January 2016, creates a private right of action with respect to intimate images, which are defined as those over which an individual would have a reasonable expectation of privacy, both at the time the image was recorded and at the time of distribution.

Possible defences to a claim are extremely limited. Section 12 of the Act makes clear that, in an action for the non-consensual distribution of an intimate image, the person depicted in the image does not lose his or her expectation of privacy in respect of the image if he or she consented to the recording or provided the image to another person in circumstances where that perpetrator knew or reasonably ought to have known that the image was not to be distributed to any other person. The result is that the only statutory defence available is where the distribution of the intimate image is in the public interest (and does not go beyond what is in the public interest).

Section 14 of the Act empowers the Court to award damages to the plaintiff, to issue an injunction on publication of the image, to prohibit publication of the name of the person depicted in the image, or to make any other order that is just and reasonable in the circumstances.

In addition to creating a private right of action, the Act also provides for the possibility that certain agencies or organizations may be designated to assist people who have had intimate images distributed without their consent.

The effectiveness and longevity of the Act remains an open question, given that cyber-bullying laws enacted in other provinces have been struck down on the basis of being unconstitutional.

Nova Scotia

Nova Scotia enacted the Cyber-safety Act, S.N.S. 2013, c. 2 in 2013 in response to alleged acts of sexual humiliation and cyberbullying against a teenager, Rehtaeh Parsons, who committed suicide in April of 2013.

However, in the recent decision of Crouch v. Snell, 2015 NSSC 340, the Nova Scotia Supreme Court struck down the Cyber-safety Act on the basis that the Act violated sections 2 (the right to freedom of thought, belief, opinion and expression) and 7 (right to life, liberty and security of the person) of the Canadian Charter of Rights and Freedoms, and that such violations could not be demonstrably justified.

The court described the overreaching definition of “cyberbullying” in the Cyber-safety Act as a “colossal failure” and found that, as a consequence, the Act did not minimally impair the right to free expression.

Ontario

On January 21, 2016, the Superior Court of Justice released its decision in Doe 464533 v N.D., 2016 ONSC 54. Building on the “intrusion upon seclusion” tort recognized in Jones v. Tsige, 2012 ONCA 32, the Court recognized for the first time the new privacy tort of “public disclosure of private facts.”

This case arose from a situation in which the defendant posted a sexually explicit video of the plaintiff to a pornographic website. The video had been supplied in confidence, and with the defendant’s assurances that it would not be shared. When the plaintiff became aware of it being posted online, she confronted the defendant, who admitted to uploading it and removed it from the website. The Court noted that although the video was only online for about three weeks, there was no way of knowing how many off-line copies had been made and were still in existence.

In addition to the new tort, the Court also found the defendant had committed the torts of breach of confidence and intentional infliction of mental distress.

In the end, the defendant was noted in default (not having bothered to appear to defend himself) and the plaintiff proceeded by a motion for default judgment. The Court ultimately held that the defendant was liable for the torts of breach of confidence, intentional infliction of mental distress, and invasion of privacy, and granted judgment against the defendant for general damages in the amount of $50,000, aggravated damages in the amount of $25,000, punitive damages in the amount of $25,000 and costs on a full indemnity basis. The court also issued a mandatory injunction that the defendant destroy any and all intimate images or recordings of the plaintiff in his possession, power or control.

However, the defendant brought a motion to set aside the default judgment. In reasons dated September 26, 2016 (Doe v N.D., 2016 ONSC 4920), Dow J. set aside the findings of liability and the assessment of damages, upon payment by the defendant of costs of $10,000. This setting aside of the default judgment was not published at the time, however, because on September 20, 2016, Dow J. issued an addendum to the decision dealing with the release and publication of the decision because the plaintiff intended to seek leave to appeal.

On January 9, 2017, the plaintiff brought a motion pursuant to Rule 62.02(4)(b) for leave to appeal from that decision setting aside the default judgement. The motion was dismissed (Jane Doe 464533 v N.D., 2017 ONSC 127).

As a result, the current common law (at least in Ontario) is in a state of flux, as jurists wait to see if this case will now proceed to a full trial on the merits. Currently, the original default judgement has been overturned and its value as a precedent is uncertain.

Saskatchewan Court Upholds Electronic Waiver as Enforceable

Posted in E-Commerce
Krupa Kotecha

The Saskatchewan Court of Queen’s Bench recently upheld an electronic waiver as enforceable in Quilichini v Wilson’s Greenhouse, 2017 SKQB 10.

The plaintiff in the case was injured while go-karting at a racing facility operated by Velocity, a business owned by the defendant Wilson’s Greenhouses. The plaintiff contended that the defendants either: (a) breached their contractual obligations to maintain the go-kart in sufficient working condition, or (b) engaged in a negligent breach of the same obligation.

The defendants contended that the plaintiff’s injuries were incurred as a result of his own conduct, including driving at excessive speed. Moreover, the defendants brought an action for summary judgement dismissing the plaintiff’s action, given that the plaintiff executed an electronic form of waiver and release that the defendants argued was binding on him.

The Form of Waiver

Velocity’s go-kart customers are required to proceed through a kiosk system where they must provide personal information, complete a membership application, pay for such membership, be photographed, and go through a series of electronic pages on a computer screen and click “next” to move from one page to the next. As a final step, customers must agree to terms of a waiver and release. As the plaintiff had proceeded through the kiosk system and successfully completed all of the steps required to race at the facility, the defendants asserted that the plaintiff had no claim enforceable at law. The plaintiff countered by arguing that whether he had signed the waiver or not was equivocal and that, even if signed, the waiver did not absolve the defendants from liability.

Analysis

Saskatchewan, like all the other provinces and territories in Canada, has electronic commerce legislation. This type of legislation is intended, generally, to mandate the equivalency of electronic documents with traditional paper documents. As with most legislation, there are exceptions to this statutory equivalency. The statutes also generally specify the conditions under which electronic documents and electronic signatures will be valid and enforceable.

In considering the parties’ assertions, Scherman J properly focused the scope of the inquiry on the section of the Electronic Information and Documents Act (2000, SS 2000, c E‑7.22) that pertains to the formation and operation of contracts (i.e. section 18), as opposed to the section of the Act that focuses on signatures (i.e. section 14). Considering the legislation in the context of the case at bar, Scherman J held that:

The legislation is clear. Agreement to contractual terms can be expressed by touching or clicking on an appropriately designated icon or place on a computer screen. The fact that the contract could have alternatively been executed by printing a hard copy and having a participant sign a hard copy form does not detract from the foregoing. The fact that there are optional ways to execute the contract does not lead to the conclusion that using only one of those options does not constitute agreement.

Further, the Court held that the waiver was indeed enforceable, given that the plaintiff had the full opportunity to read the waiver and there was nothing obscure in the presentation of the waiver and release or the choice of whether to accept or not:

In my opinion, there can be no question but that when the plaintiff clicked “I agree”, he was intending to accept and assume responsibility for any possible risk involved and knew he was agreeing to discharge or release the defendants from all claims or liabilities arising, in any way, from his participation. The words “all claims, liabilities, demands and/or actions for damages (including legal costs) arising in any way from my participation in go‑kart racing” mean what they say and include claims arising from negligence.

Scherman J supported this conclusion by pointing to various concurring common law decisions addressing the enforceability of waiver and release agreements. The Court consequently provided for summary judgement in favour of the defendants (with costs).

Lessons for Business

The decision in Quilichini v Wilson provides affirmation to business owners (especially those in the recreational industry) that a well-drafted electronic waiver and release that is properly presented in an understandable format will likely be held to be enforceable. The result thus helps provide for commercial certainty in the electronic era, as it properly places the emphasis on substance (i.e. the clear understanding and intent of the parties to waive liability) rather than form (i.e. the use of electronic waiver as opposed to traditional paper signatures).

Bill S-201 and the Protection Against Genetic Discrimination

Posted in Discrimination, Employment, Legislation, Privacy
Carole Piovesan

You have done testing to determine whether you have a genetic predisposition to certain medical conditions. The results come back: You do. This is important information for you and your doctor to make more informed decisions about your health care.  But now that you know, are there circumstances in which you should be required to disclose the results to others?

The heart of the debate about one’s privacy in genetic testing concerns whether an individual may suffer discrimination where it is or may be determined that he or she is genetically predisposed to a particular disease. This is the heart of Bill S-201, an act to prohibit and prevent genetic discrimination.

Those in favour of robust protections caution that required disclosure of genetic results may have a chilling effect on undergoing testing. The argument goes that, for many, the risk of discrimination (namely in the employment and insurance contexts) could outweigh the benefits of information that could lead to more personalized and efficient health care. That is, some people would opt out of genetic testing despite its profound potential benefits.

Those in favour of select disclosure, including the insurance industry, underscore the relevance of genetic information in certain contexts, particularly for the purposes of risk assessment and risk pooling, upon which insurance products are built. For instance, where an applicant for life insurance has information regarding her increased risk to a potentially life-threatening condition, this information is critical to the risk assessment in determining her insurance premiums. The Canadian Institute of Actuaries (CIA), in a research paper proposing amendments to the bill, concluded that if insurers are not able to access the results of genetic tests, “the impact on insurance companies will be substantial”, concluding that insurance premiums for term life insurance “could go up by 30 percent for males and 50 percent for females”. This would occur, says the CIA, in order to counter the fact that those with a genetic predisposition to develop a serious health issue would have an incentive to buy more insurance because they would know that since they need not report this predisposition to a prospective insurer, their insurance premiums would be below cost and thus a very good deal.

The Canadian Life and Health Insurance Association (CLHIA), which opposes the bill, has taken the position that regulation is unnecessary and recently announced that the Canadian life and health insurers would, on a voluntary basis, not request or use genetic testing information for new life insurance applications up to $250,000, effective January 1, 2018. This commitment is included in the CLHIA voluntary Industry Code on genetic testing and is to be implemented by all CLHIA members. Among other things, the Industry Code also requires that companies have a dispute resolution system to deal with complaints relating to underwriting decisions involving genetic testing information.

Bill S-201: A Response to Genetic Discrimination

The United States and United Kingdom have already established legislation to protect individuals from required disclosure of genetic results. Canada is now following suit with the introduction of Bill S-201, an act to prohibit and prevent genetic discrimination. Senator James Cowan is championing the bill, which recently passed the Senate and is now in the House of Commons.

Bill S-201 prohibits requiring an individual to undergo genetic testing or to disclose genetic test results as a condition of: (a) providing goods and services; (b) entering into or continuing a contract or agreement with that individual; or (c) offering or continuing specific terms or conditions in a contract or agreement with that individual.

Parenthetically, the bill is silent on whether an individual may be required to disclose the mere fact of having undergone genetic testing, which in itself is valuable information.

The bill amends the Canada Labour Code to prevent employees from being required to take a genetic test or disclose results of a test to employers. It further amends the Canadian Human Rights Act to prohibit discrimination based on “genetic characteristics”.

The bill makes it a criminal offence to contravene the operative sections of the proposed legislation. A conviction on indictment would attract a maximum penalty of $1,000,000 and/or imprisonment for a term not exceeding five years.  A summary conviction would attract a maximum fine of $300,000 and/or imprisonment for a term not exceeding twelve months.

Constitutionality of the Bill

An important issue facing this bill is whether it is properly conceived as federal legislation. While the criminal law aspect of the bill – the penalties for contravention – is unlikely to face constitutional scrutiny, it can be argued that Bill S-201 seeks to regulate matters falling under the provinces’ jurisdiction, namely employment and insurance contracts. While Bill S-201 does not make any reference to a specific industry or type of contract, it is conceivable that, if passed, it could face a constitutional challenge on this basis.

Conclusion

The increasing popularization of genetic testing is challenging privacy legislation in new ways. While there are those who argue that the provinces already have the legislative armour to protect privacy interests in genetic testing, it remains to be seen whether Canada will formalize protection in a manner similar to the U.S. and U.K.

The New U.S. Executive Order: Effects on Canadian Privacy Laws and Cross Border Data Transfers

Posted in Privacy
Keith Rose, Emily MacKinnon

President Donald J. Trump’s executive order issued January 25, 2017, contained one little paragraph with big words about Canadians’—and other non-U.S. citizens’—privacy:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This paragraph has triggered alarm in some corners of the Internet. However, on closer inspection, it doesn’t appear to change much, at least legally speaking and from a Canadian private-sector perspective.

This section of President Trump’s order concerns only one statute: the Privacy Act. The order, like the Act itself, is directed only at executive departments and agencies. And it concerns only their policies.  Thus, the executive order does not appear to change any person’s substantive legal rights or obligations.

The context of section 14 suggests its intention. The executive order, as a whole, deals primarily with measures to promote “interior enforcement” of U.S. immigration laws—including against “removable aliens”.  Hence, section 14 is plausibly aimed at ensuring U.S. federal departments and agencies comply with requests for information about non-citizens.

That said, the executive order has no direct impact on the treatment of personal information by the private sector.  In particular, the order does not appear to change the circumstances in which US law enforcement or security agencies can compel private actors to disclose information about Canadians (or other non-U.S. citizens).

On the Canadian side of the border, the public and private sectors have long paid attention to the information they send to the U.S., pursuant to both policy and legislative requirements.

In the private sector, s. 13.1 of Alberta’s Personal Information Protection Act requires organizations to provide notice of certain transfers of personal information outside of Canada. The federal Personal Information Protection and Electronic Documents Act requires organizations to provide similar notice and to ensure that personal information in the hands of a third party—whether inside Canada or elsewhere—receives a “comparable level of protection” to that provided by the organization itself.

The effect of the executive order on Canadian regulators’ views of cross border information transfers in the private sector is uncertain at this point in time. Canadian regulators generally require Canadian organizations to disclose the consequences of information sharing across national borders, and it is currently unclear what effect, if any, the executive order will have on those disclosures.

In the public sector, s. 30.1 of BC’s Freedom of Information and Protection of Privacy Act requires all personal information to be stored and accessed in Canada, subject to an extensive list of exceptions. Nova Scotia’s Personal Information International Disclosure Protection Act imposes similar requirements, again subject to certain exceptions. And s. 50(1) of Ontario’s Personal Health Information Protection Act, 2004 prohibits the disclosure of personal information outside of Ontario unless the affected individual consents or certain other conditions are met.  None of these restrictions is conditioned on the legal treatment of the information by U.S. agencies, and their application does not appear to be affected by the executive order.

On the international stage, the order may be of a similarly limited legal effect. The order does not appear to alter obligations under the Judicial Redress Act to extend portions of the Privacy Act to citizens of “covered countries”—a measure that was specifically implemented to satisfy European requirements for transfers of personal information. This order should have little impact, if any, on the legal foundations of the EU-U.S. Privacy Shield—which, in any event, does not apply to U.S. federal agencies.

It is apparent, however, that the U.S. executive is moving quickly to implement its policy agenda.  President Trump’s next steps are far from clear.

And while President Trump’s executive order may not have altered substantive legal protections for personal information, it has clearly attracted public attention to the issue. Moving forward, it appears likely that the public will pay increased attention to cross-border information-sharing with the U.S.—a development of which organizations should remain cognizant.

PIPEDA’s global extra-territorial jurisdiction: A.T. v. Globe24h.com

Posted in Privacy
Barry Sookman

The Federal Court of Canada released a landmark decision finding that the court has the jurisdiction to make an extra-territorial order with world-wide effects against a foreign resident requiring the foreign person to remove documents containing personal information about a Canadian citizen that violates the person’s rights under Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). In A.T. v. Globe24h.com, 2017 FC 114, the Honourable Mr Justice Mosley ordered the individual operator of the website Globe24h.com to remove all Canadian tribunal and court decisions posted on the site that contain personal information and to take all necessary steps to remove the decisions from search engine caches.

The decision arose from an application made under section 14 of PIPEDA, which enables a complainant to the Office of the Privacy Commissioner, after receiving the Commissioner’s report, to apply to the court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report. The legal process was used by an individual who complained that Globe24h.com, a site hosted and operated from Romania, was re-publishing decisions of Canadian courts and tribunals containing personal information, including personal information about him, for the purpose of demanding fees from aggrieved persons to take the content down.

While the decisions published were generally available on other sites such as CanLII, those sites did not make the information available for indexing by search engines. Thus, while the public could find the decisions online, this would not happen merely by virtue of searching on someone’s name using a search engine like Google.

The site operator claimed that PIPEDA did not have extra-territorial application over him because the activities were conducted from the foreign website. The argument was rejected by the court relying on prior decisions that clearly confirmed the potential extra-territorial application of PIPEDA where a real and substantial connection is established.

[50]           Section 4 of PIPEDA, the application provision for Part I, is silent with respect to the statute’s territorial reach. However, there is no language expressly limiting its application to Canada. In the absence of clear guidance from the statute, the Court can interpret it to apply in all circumstances in which there exists a “real and substantial link” to Canada, following the Supreme Court’s guidance in Society of Composers, Authors and Music Publishers of Canada v Canadian Assn. of Internet Providers, 2004 SCC 427, [2004] 2 SCR 427 at paras 54-63 [SOCAN] and the other authorities cited therein…

[52]           As Mr. Radulescu and Globe24h.com are foreign-based, the Court must consider whether there is a real and substantial connection between them and Canada to find that PIPEDA applies to their activities. The operative question underlying the test is “whether there is sufficient connection between this country and the [activity] in question for Canada to apply its law consistent with the ‘principles of order and fairness’” and international comity: SOCAN, above, at paras 57 and 60.

[53]           This Court has applied PIPEDA to a foreign-based organization where there was evidence of a sufficient connection between the organization’s activities and Canada: Lawson v Accusearch Inc (cob Abika.com), 2007 FC 125 (CanLII), [2007] FCJ No 164 at paras 38-43 [Lawson]. The relevant connecting factors include (1) the location of the target audience of the website, (2) the source of the content on the website, (3) the location of the website operator, and (4) the location of the host server: SOCAN, above, at paras 59 and 61; see also Lawson, above, at para 41; Davydiuk v Internet Archive Canada, 2014 FC 944 (CanLII), [2014] FCJ No 1066 at paras 31-32 [Davydiuk]; Desjean v Intermix Media, Inc, 2006 FC 1395 (CanLII), [2006] FC 1395, [2007] 4 FCR 151 at para 42 [Desjean], aff’d 2007 FCA 365 (CanLII); Equustek Solutions Inc v Google Inc, 2015 BCCA 265 (CanLII), leave to appeal to the SCC granted [2015] SCCA No 355 [Equustek].

[54]           In this case, the location of the website operator and host server is Romania. However, when an organization’s activities take place exclusively through a website, the physical location of the website operator or host server is not determinative because telecommunications occur “both here and there”: Libman v The Queen, 1985 CanLII 51 (SCC), [1985] 2 SCR 178 at p 208 [Libman].

[55]           In its submissions, the OPCC highlights three key connecting factors between the foreign-based website and Canada. First, the content that is at issue is Canadian court and tribunal decisions containing personal information which was copied by the respondent from Canadian legal websites. Second, the website directly targets Canadians by specifically advertising that it provides access to “Canadian Caselaw”/”Jurisprudence de Canada”. The evidence is that the majority of visitors to Globe24h.com are from Canada. Third, the impact of the website is felt by members of the Canadian public. This is evidenced by the complaints received both by the OPCC and media reports of individuals suffering distress, embarrassment and reputational harm because of Globe24h.com republishing their personal information and making it accessible via search engines. The respondent is aware of these complaints.

[56]           There is evidence that the Romanian authorities have acted to curtail the respondent’s activities and that they have cooperated with the OPCC investigation.  Is that sufficient reason not to exercise the PIPEDA jurisdiction in this context? I think not.  I accept the submission of the OPCC that the principle of comity is not offended where an activity takes place abroad but has unlawful consequences here: Libman, above, at p 209….

[57]           In Chevron Corp v Yaiguaje, 2015 SCC 42 (CanLII), [2015] 3 SCR 69 [Chevron], the Supreme Court was asked to determine whether the Ontario Courts have jurisdiction over a Canadian subsidiary of Chevron, an American corporation and a stranger to the foreign judgment for which recognition and enforcement was being sought in Canada. In that case, the Ontario Court of Appeal had affirmed an Ecuadorian judgment against Chevron.

[58]           In upholding the Ontario Court of Appeal’s decision, Justice Gascon noted that “Canadian courts, like many others, have adopted a generous and liberal approach to the recognition and enforcement of foreign judgments”: Chevron, above, at para 23. The only prerequisite for recognizing and enforcing such a judgment is that the foreign court had a real and substantial connection with the litigants or with the subject matter of the dispute, or that the traditional bases of jurisdiction were satisfied: Chevron, above, at para 27.

[59]           On the principle of comity, Justice Gascon observes that “the need to acknowledge and show respect for the legal action of other states has consistently remained one of the principle’s core components”: Chevron, above, at para 53. In this regard, comity militates in favour of recognition and enforcement. The principle of comity further provides that legitimate judicial acts should be respected and enforcement not sidetracked or ignored: Chevron, above, at para 53.

[60]           In the case at bar, since Romanian authorities have cooperated with the OPC investigation and taken action to curtail the respondent’s activities, the legitimate judicial acts of this Court will not be seen as offending the principle of comity. The respondent was fined for contravening Romanian data protection laws by, among other things, charging a fee for the removal of personal information from Globe24h.com. The respondent has appealed this fine to a Romanian court. Given the involvement of the Romanian counterpart to the OPCC, this Court’s findings would complement rather than offend any action that may be taken in a Romanian court.

Justice Mosley also used the occasion to clarify a passage from the Van Breda decision of the Supreme Court which has sometimes mistakenly been read as suggesting that Canadian courts do not have personal jurisdiction (or territorial competence) over persons whose only connections to the Canadian forum are electronic.

[61]           During the OPCC’s investigation, the respondent relied on the Supreme Court’s decision in Club Resorts Ltd v Van Breda, 2012 SCC 17 (CanLII), [2012] 1 SCR 572 [Van Breda] to argue that the PIPEDA did not apply to his activities in Romania. Van Breda concerned two individuals that were injured while on vacation outside of Canada. Actions were brought in Ontario against a number of parties, including Club Resorts Ltd., a company incorporated in the Cayman Islands.

[62]           Club Resorts Ltd., the appellant in Van Breda, argued that the Ontario courts lacked jurisdiction. To determine the issue of jurisdiction, the Supreme Court applied the “real and substantial connection” test. The Court had to consider whether carrying on business in the jurisdiction may also be considered an appropriate connecting factor. Ultimately, the Court found that the notion of carrying on business requires some form of actual, not only virtual, presence in the jurisdiction, such as maintaining an office there or regularly visiting the territory of the particular jurisdiction: Van Breda, above, at para 87.

[63]           However, I note that the Supreme Court was careful to distinguish between traditional categories of business and “e-trade”. Justice LeBel noted that the Court was not asked to decide whether e-trade in the jurisdiction would amount to a presence in the jurisdiction. Had there been a discussion about jurisdiction in the context of e-trade, I would have considered the connecting factors discussed in Van Breda as helpful to the analysis in the case at bar.

[64]           Van Breda was limited to the specific context of tort claims. The Supreme Court was clear that it was not, in that case, providing an “inventory of connecting factors covering the conditions for the assumption of jurisdiction over all claims known to the law”: Van Breda, above, at para 85. The Court was concerned about creating what would amount to forms of universal jurisdiction in respect of tort claims arising out of certain categories of business or commercial activity. As such, Justice LeBel confined the application of Van Breda to limited areas of private international law and international tort: Van Breda, above, at para 87; see also Chevron, above, at paras 38-39; Davydiuk, above, at paras 28-29.

The site operator claimed he was protected by the journalism and publicly available exceptions in PIPEDA. Both the Commissioner and the court easily dismissed those defenses. The court also had no trouble concluding that the collection, use and disclosure of personal information in the decisions on the website was not for an appropriate purpose under subsection 5(3) of PIPEDA.

Having found personal jurisdiction over the respondent website operator, the court then examined whether it had the jurisdiction to make an order with extra-territorial effects. Following recent decisions including the decision of the British Columbia Court of Appeal in Equustek Solutions Inc v Google Inc, 2015 BCCA 265 (CanLII), leave to appeal to the SCC granted [2015] SCCA No 355, the court concluded that the jurisdiction existed and could be exercised on the facts of the case without raising any concerns related to comity.

[80]           The OPCC supports the applicant’s request for an order requiring the respondent to correct his practices in order to comply with PIPEDA under paragraph 16(a). The respondent not being a resident of Canada does not bar the making of an extra-territorial order where the underlying dispute is within the jurisdiction of the court: Impulsora Turistica de Occidente, SA de CV v Transat Tours Canada Inc, 2007 SCC 20 (CanLII), [2007] 1 SCR 867 [ImpulsoraTuristica] at para 6; Barrick Gold Corporation v Lopehandia et al, 2004 CanLII 12938 (ON CA), [2004] OJ No 2329 (ONCA) [Barrick Gold] at paras 73-77; Equustek, above, at paras 81-99…

[82]           The jurisprudence is clear that courts must exercise restraint in granting remedies that have international ramifications. That said, in some circumstances, courts do issue extraterritorial orders where there is a “real and substantial connection” between the organization’s activities and Canada: Equustek, above, at paras 51-56.

[83]           The OPCC has presented considerable evidence as to the nature of the respondent’s enterprise based in Romania, and the degree to which it can be said to do business in Canada. As mentioned above, the content of Globe24h.com that is at issue is Canadian court and tribunal decisions. The OPCC’s evidence demonstrates that these decisions containing personal information were deliberately downloaded by the respondent from Canadian legal websites, such as CanLII, and republished on Globe24h.com. Moreover, the respondent has made a profit from Canadians by requiring them to pay a fee to have their personal information removed from the website.

[84]           As noted by the British Columbia Court of Appeal in Equustek, above, at paragraph 85, “[o]nce it is accepted that a court has in personam jurisdiction over a person, the fact that its order may affect activities in other jurisdictions is not a bar to it making an order.” Further, in the context of Internet abuses, courts of many other jurisdictions have found orders that have international effects to be necessary: Equustek, above, at para 95, citing APC v Auchan Telecom, 11/60013, Judgment (28 November 2013) (Tribunal de Grande Instance de Paris); McKeogh v Doe (Irish High Court, case no. 20121254P); Mosley v Google, 11/07970, Judgment (6 November 2013) (Tribunal de Grande Instance de Paris); and ECJ Google Spain SL, Google Inc v Agencia Espanola de Protección de Datos, Mario Costeja González, C-131/12 [2014], CURIA.

[85]           I was concerned about the enforceability of any order against the respondent as he and his server are not physically present in Canada. However, having considered the matter I am satisfied that the issuance of a corrective order in Canada may assist the applicant in pursuing his remedies in Romania. Moreover, as argued by the Commissioner, it may assist in persuading the operators of search engines to de-index the pages carried by the respondent web site.

[86]           Paragraph 16(a) of PIPEDA does authorize this Court to grant a corrective order requiring the respondent to correct his practices to comply with sections 5 to 10 of that legislation. Having reviewed the relevant authorities and having found that the underlying dispute is within the jurisdiction of this Court, I do not find that there is either a jurisdictional or a practical bar to granting a corrective order with extraterritorial effects.

The court was also asked to grant declaratory relief that the respondent had contravened PIPEDA, combined with a corrective order, that would allow the applicant and other complainants to submit a request to Google or other search engines to remove links to decisions on Globe24h.com from their search results. The OPCC contended that this may be the most practical and effective way of mitigating the harm caused to individuals since the respondent is located in Romania with no known assets. The court agreed and made an order that transcended the complaint before it to cover all decisions containing personal information published by Canadian courts and tribunals on the website. After referring to other cases decided under PIPEDA and the Charter the court stated:

[95]           These cases demonstrate that remedies may transcend the particular circumstances of an applicant where it has been established that an organization’s practices are deficient. In such cases, broadly crafted remedies were required in order to ensure that the organization’s practices going forward did not result in further violations of constitutional and quasi-constitutional rights.

[96]           The request for a systemic remedy in the present matter is supportable because the evidence demonstrates that the effects of the respondent’s actions are not confined to the single applicant named in this application. The OPCC has received a total of 49 complaints relating to Globe24h.com. Moreover, affidavit evidence filed by the OPCC demonstrates that over 150 complaints have been received by CanLII regarding personal information found on Globe24h.com. As a result, I agree that the circumstances of this case justify a broadly crafted corrective order pursuant to paragraph 16(a) of PIPEDA.

The Judgment of the court, reproduced below, ordered, among other things, the Romanian operator of the foreign website to remove all Canadian court and tribunal decisions containing personal information from the globe24h.com website and to take steps to remove them from caches of search engines as well.

THIS COURT’S JUDGMENT is that:

  1. It is declared that the Respondent, Sebastian Radulescu, contravened the Personal Information Protection and Electronics Documents Act, SC 2000, c 5 by collecting, using and disclosing on his website, www.Globe24h.com (“Globe24h.com”), personal information contained in Canadian court and tribunal decisions for inappropriate purposes and without the consent of the individuals concerned;
  2. The Respondent, Sebastian Radulescu, shall remove all Canadian court and tribunal decisions containing personal information from Globe24h.com and take the necessary steps to remove these decisions from search engines caches;
  3. The Respondent, Sebastian Radulescu, shall refrain from further copying and republishing Canadian court and tribunal decisions containing personal information in a manner that contravenes the Personal Information and Electronic Documents Act, SC 2000, c 5

As can be seen, the order was not limited to removing access to the personal information for Canadians or for searches from IP addresses in Canada. Nor was the order to remove the decisions from search engines limited to any country domain (e.g., google.ca) or to search engines that make the decisions available only to Canadians. In this regard, the decision is consistent with the interpretation of France’s data protection authority, the CNIL, which fined Google €100,000 for not removing personal information from all of its search engines after being ordered to remove information about a Spanish citizen in Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González, C-131/12 [2014]. It is also consistent with the EU Article 29 Working Party Guideline, which considered, amongst other things, the appropriate territorial scope of de-indexing orders against search engines.

The decision is also consonant with rulings by other courts that have ordered online service providers to remove or disable access to personal information made available over the Internet. For example, courts in France and Germany ordered Google to de-index websites that published personal information violating Max Mosley’s privacy rights. The Court of Justice of the European Union, in the Google Spain case referred to above, also ordered Google to de-index information about an individual in the “right to be forgotten” case. The desirability of search engines de-indexing websites to help enforce privacy injunctions was recently also endorsed by the UK Supreme Court in the PJS case.

Most recently, the Irish Court of Appeal in CG v Facebook Ireland Limited [2016] NICA 42 (21 December, 2016) affirmed an injunction ordering Facebook to remove a site posted on Facebook that was used to harass an individual and which involved the misuse of private information. For good summaries of that case, see Lorna Woods, “When is Facebook liable for illegal content under the E-commerce Directive? CG v. Facebook in the Northern Ireland courts”; Aidan Wills, “The Facebook Ireland cases: Intermediary Liability and defences under the E-Commerce Regulations (Part 1, the Judgments)”; “The Facebook Ireland cases: Intermediary Liability and Defences under the E-Commerce Regulations (Part 2)”.

The decision demonstrates that Canadian courts consider privacy to be an important right and are willing to fashion remedies to ensure these statutory rights can be vindicated online. It also confirms the court’s jurisdiction to make global takedown orders against foreign operators of foreign websites to protect privacy. The court’s ruling that Canada’s privacy law, PIPEDA, can be violated by publishing materials that are lawfully published in a more limited way on another website is also consistent with the Google Spain “right to be forgotten” case. It suggests that such a remedy may be available in Canada as well in certain circumstances, such as where personal information is made available online for a purpose that a reasonable person would not consider to be appropriate.

This article was originally published on http://www.barrysookman.com and is republished here with permission.