CyberLex Insights on cybersecurity, privacy and data protection law

Defending a Lawsuit is Not a “Commercial Activity” Under Privacy Legislation

Posted in Privacy
Krupa Kotecha

In a case dating back to 2016 but just recently published, the Office of the Privacy Commissioner of Canada has ruled that the collection and use of a plaintiff’s personal information for the purpose of defending against a civil lawsuit is not a “commercial activity” and, as such, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”), does not apply.

The complaint at issue arose as a result of a motor vehicle accident involving two parties, following which the plaintiff commenced civil litigation proceedings against the defendant. A psychiatric assessment was carried out by an independent psychiatrist, retained on behalf of the defendant’s insurance company. The plaintiff requested access to the personal information gathered by the psychiatrist. Although the psychiatrist did provide the plaintiff with some information, including a redacted copy of the psychiatric report, the plaintiff filed a complaint with the federal Privacy Commissioner on the basis that the plaintiff believed there was additional information to which he was entitled. In addition, the plaintiff was concerned about the accuracy of the personal information held by the psychiatrist.

The Privacy Commissioner determined that the psychiatrist’s collection and use of the plaintiff’s personal information did not fall within the term “commercial activity”, as defined in section 2 of PIPEDA. Despite the existence of commercial activity between the defendant and the insurance company, as a result of the defendant being insured by the insurance company, the Privacy Commissioner held that there was no commercial activity between the plaintiff and the defendant, and likewise, no commercial activity between the plaintiff and the defendant’s insurance company or its outside medical expert. The issue of access to the psychiatrist’s records was therefore beyond the scope of the Privacy Commissioner’s jurisdiction.

The decision serves to provide further guidance with respect to the types of activities which will or will not be held to fall under the Privacy Commissioner’s purview.