1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

European Court of Justice declares Data Retention Directive invalid

The Data Retention Directive requires public electronic communications providers to retain certain communications data (essentially traffic data) to help in the fight against serious crime.  It applies to telcos and ISPs and came into force in 2006 after a number of terrorist attacks in mainland Europe added impetus to efforts to harmonise EU member state laws.  However, in  a ruling published yesterday, the ECJ has concluded that the Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and declared it invalid.

How has this come about?

This is not the first time that the Directive has come under scrutiny.  The European Commission looked at the Directive in 2011 and had a number of criticisms (particularly as to the balance between the privacy of individuals and security).

In this latest development, the ECJ was asked to consider whether the Directive complied with the EU Charter of Fundamental Rights which sets out individuals’ rights to a private life and the protection of personal data.  The request came from the Irish and Austrian national courts which have before them a number of actions disputing the validity of corresponding national measures (as the Directive was implemented in EU member states through national laws).

What were the Court’s concerns?

The ECJ is of the view that, whilst the content of communications is not retained, the data that is retained could reveal potentially precise information about individuals’ private lives, and that the use of their data (when they have not been informed of that use) is “likely to generate in the persons concerned a feeling that their private lives are subject to constant surveillance“.

Therefore, the ECJ concluded that, although, data retention is appropriate in the fight against serious crime, the Directive is disproportionate.  The ECJ was particularly concerned at:

  1. The generality of the Directive – it covers all individuals and electronic communications without exception
  2. The lack of objective criteria for, and procedures regulating, access to and use of the data,
  3. The minimum data retention period of 6 months not taking into account the type of data or its usefulness
  4. Data retention being permitted for up to 2 years when there are no objective criteria to determine what data retention period is necessary in the circumstances
  5. The insufficient safeguards against possible abuse,  and unlawful access or use, of data
  6. The absence of a requirement to keep the data in the EU so that compliance with the rules can be ensured.

So what does this mean?

Well, in view of the continuing Snowden revelations and increased focus on protecting personal information, we can be sure that this will add fuel to the fire of the on-going surveillance v privacy debate.  It would also seem to suggest that surveillance for security purposes will have to move in the direction of more targeted action and stringent controls to be acceptable. So we expect big changes in the practical steps telcos and ISPs are required to take to retain communications data and make it available to law enforcement agencies.

However, in the short term, the ruling is likely to have little practical effect.  The ECJ has suspended the effect of the ruling until measures to remedy the invalidity are adopted, which, as the new Data Protection Regulation shows, could take some time!  So, things are likely to continue as they are for now.  In the meantime, the British Government and European Commission have both already said that they are assessing the impact of the ruling. Telcos and ISPs hang fire for now.

European Court of Justice declares Data Retention Directive invalid

Allowing Ontario’s Privacy Tort to Develop in the Health Information Sphere — for Now

In the 1980’s the Supreme Court of Canada pre-emptively ended the development of a common law tort of discrimination. The case, Seneca College v. Bhadauria, stands out as one of the lost opportunities in the development of the common law in Canada. The battle lines have re-emerged in the context of the development of Ontario’s new privacy tort – intrusion upon seclusion. How it will play out is yet to be seen.

Bhadauria

Although the cases involving the tort of intrusion upon seclusion do not mention Bhadauria — that case casts a long shadow and is essential reading to understand what is currently at stake for those who seek to advance a common law privacy tort.

In Bhadauria, the plaintiff complained that she had been repeatedly discriminated by the defendant college on the basis of her ethnic origin. She had applied for 10 positions on the teaching staff of the college and had never been granted an interview. Bertha Wilson J.A., writing for a unanimous bench of the Court of Appeal, recognized a new common law tort of discrimination and concluded that the Human Rights Code did not impede or exclude the development of the common law in this area in Ontario.

The college appealed the decision in Bhadauria to the Supreme Court of Canada with leave of that court. Chief Justice Laskin, writing for the court, concluded that the Human Rights Code was comprehensive legislation providing for a complaint procedure, a board of inquiry and judicial scrutiny. Laskin C.J. concluded that the Human Rights Code had – for better or worse – overtaken the development of the common law and foreclosed any development of the tort based on the anti-discrimination policy underlying the Human Rights Code. There ended the development of the tort of discrimination. Although the Supreme Court was asked to reverse its decision in 2008 in Honda Canada Inc. v. Keays, it did not do so.

Intrusion Upon Seclusion

Fast forward to 2012 and Ontario’s Court of Appeal recognized the tort of intrusion upon seclusion in Jones v. Tsige. In that case the defendant, an employee of the bank, had repeatedly accessed the banking information of the plaintiff who was in a relationship with the defendant’s former husband. The court recognized a new privacy tort and awarded damages for the intrusive behaviour of the defendant.

An open question was whether and how this new tort would fare in the context of Canada’s federal and provincial privacy legislation. The Ontario Court of Appeal made no mention of Bhadauria and the fateful attempt to establish a new tort in that case, although the issue appears to have been on Sharpe J.A.’s mind in his reasons. The defendant argued that privacy was already subject to provincial and federal legislation. However, the court concluded with brief reasons that “it would take a strained interpretation to infer from these statutes a legislative intent to supplant or halt the development of the common law in this area” (para. 49).

The court distinguished the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that it applied to “organizations” and not an individual tortfeasor. The plaintiff’s recourse would have been to make a complaint against her own employer rather than the culpable person. Moreover, PIPEDA did not speak to the existence of a civil cause of action in Ontario. The Ontario Freedom of Information and Protection of Privacy Act addressed the practices of governments and public institutions and was not applicable.

Personal Health Information – Another Frontier

However, whether the tort could apply in other contexts was not entirely put to rest. There remained an open question whether the tort could apply in respect of conduct or events that might be the subject of a complaint under Ontario’s Personal Health Information Protection Act (“PHIPA”). This issue arose last month in the case of Hopkins v. Kay. The case involved the alleged the improper access of personal health records of 280 patients of a hospital without consent of the patients.

The hospital brought a motion to strike the claim based on the new tort on the basis that PHIPA covered the field. The hospital might have had the better argument based on Bhadauria. Complaints could be made to the Information and Privacy Commissioner of Ontario who has broad administrative and enforcement powers under PHIPA. Once the Commissioner made an order that had become final, a person affected by the order could commence a proceeding in the Superior Court of Justice for damages for actual harm that the person suffered as a result of a contravention of PHIPA. Damages are limited to $10,000 for mental anguish and there is an immunity provision to protect health information custodians and their agents from any action that seeks damages for acts or omission that have been made in good faith and that are reasonable in the circumstances.

Nevertheless, the motions judge refused to strike out the pleading finding that it was not so plaint and obvious that the claim was doomed to fail on the basis that PHIPA covered the field. The motions judge held “[i]f the position of the Hospital is to be sustained, it will require a decision of the Court of Appeal, which […] determines that there is no claim for breach of privacy and that the claim must rest on the provisions of PHIPA.”

The battle is clearly not over.

, ,

Allowing Ontario’s Privacy Tort to Develop in the Health Information Sphere — for Now

Supreme Court of Canada to Police: Get a Warrant to Search Computers and Mobile Phones

Yesterday, the Supreme Court of Canada issued a unanimous decision in R. v. Vu recognizing important privacy interests in information stored in a computer or mobile phone. The court held that specific, prior judicial authorization is required to search the contents of those devices when executing a search warrant for a premises. Building on prior jurisprudence, the court held that “[it] is difficult to imagine a more intrusive invasion of privacy than the search of a personal or home computer.” The court extended that proposition to smart phones. Writing for the court, Justice Cromwell held:

“I do not distinguish, for the purposes of prior authorization, the computers from the cellular telephone in issue here. Although historically cellular phones were far more restricted than computers in terms of the amount and kind of information that they could store, present day phones have capacities that are, for our purposes, equivalent to those of computers.”

Result – Get a Warrant

The law of search and seizure is complex and the assistance of a qualified lawyer should be sought regarding any particular set of circumstances. As a general rule, it appears that going forward, a computer and mobile phone will not be treated as a filing cabinet or other receptacles that could be searched incident to the search and seizure of a premises. This means that if police intend to search computers or mobile phones, they must satisfy the authorizing justice that there are reasonable grounds to believe that any computers or mobile phones at the premises to be searched will contain information that is relevant information. If they do not have prior authorization, the police may seize the computer or mobile phone but must seek authorization before searching them.

The court did not, however, modify the law regarding the search of a computer or mobile phone incident to arrest or in exigent circumstances. The decision was specifically limited to warrants to search a place.

What happened?

The issue arose in the context of an investigation of an investigation into electricity that was observed being diverted from one premises to another. The police filed an information to obtain a search warrant indicating the police intended to seize any evidence supporting a charge of theft of electricity contrary to s. 326(1)(a) of the Criminal Code. This included records and documentation relating to occupancy and control over the property and electrical services. A Justice of the Peace issued a search warrant.

When the police executed the search, they found marijuana growing in the basement. They found two computers and a mobile phone. The police appear to have proceeded on the basis of the general principle that authorization to search a place includes authorization to search places and receptacles within that place. Apparently, neither of the computers was password protected at the time of the search. One of the computers was connected to a security system. By reviewing the images, the police were able to identify a car that was then determined to be registered to the appellant. The second computer was running an online chat. The user was still logged in. The appellant was also logged into a social networking account. The police officer reviewed the accounts and also searched for photographs and files. He also obtained the serial number of a modem and used that to obtain subscriber information from the Internet service provider. The computers, a portable computer storage device, and a mobile phone were sized and made subject to a 90-day detention order.

A Computer is Not just another Receptacle

The court held that specific, prior judicial authorization was required. A computer (or mobile phone) compromises the ability of the user to control information about his or herself. The following features make computers fundamentally different from physical receptacles found at a premises.

  • Computers store vast amounts of information, which can be expected to touch the “biographical core of personal information”.
  • Computers contain information that is automatically generated, often unbeknownst to the user.
  • A computer file and other data will remain on a computer even after the user may believe the file has been deleted.
  • A computer may permit the search of items that are not “physically present” at the premises if the computer is connected to the Internet, thereby permitting a search that is of an ambit far greater than the traditional search of a premises.

Although the court did not find that a search warrant must contain a protocol for the search (identifying the manner of search or specific files that could be searched), the court held that the issuing justice would have the discretion to impose conditions including a two-stage approach, authorizing the seizure and then requiring the police to return to seek authorization for the search.

It should be that, in the result, the evidence was not excluded in this case, notwithstanding that the search violated the appellant’s right to be free from unreasonable search and seizure. The infringing conduct was not egregious and the law was unsettled.

, , ,

Supreme Court of Canada to Police: Get a Warrant to Search Computers and Mobile Phones

Social Media & Employees: When Every Little Thing Is Searchable

The scope of an employer’s right to discipline and terminate an employee for indiscreet or inappropriate remarks in social media is far from settled. Given that an employee’s social media activities have the potential to “go viral” (or at least be seen by hundreds, if not thousands of people), organizations must assess whether the activities of employees outside of work have the potential to negatively affect, even transiently, the reputation and goodwill of the organization.

Currently, the legal battle over an employer’s legitimate interest in an employee’s use of social media is being played out among employees who are relatively junior within organizations and may, justifiably or unjustifiably, believe that their actions are not under the gaze of their employers.

This post compares two recent cases from the United States and the United Kingdom with an earlier case from Canada.

Don’t Make Fun of the Customers

In a recent U.S. National Labour Relations Board (NLRB) decision, Karl Knauz Motors, Inc. (Re), the NLRB considered whether a car dealership could terminate a salesperson for comments on Facebook about an accident that involved a customer of the dealership. The customer had driven into a pond and the salesperson posted photos on Facebook with sarcastic comments. The employer argued that the comments violated employee handbook rules that required employees to be “courteous, polite, and friendly to our customers, vendors and suppliers, as well as to their fellow employees” and which prohibited conduct that was “disrespectful” or involved the “use of profanity or other language which injures the image or reputation” of the employer. In addition, not long before the post about the customer, the same salesperson had posted photos and comments criticizing food that had been served at a sales event at the dealership. The tenor of the earlier post was that the dealership should have served better food given the profile of the sales event.

The salesperson claimed that he was terminated in violation of the protections afforded by section 7 of the National Labor Relations Act (NLRA), which, among other things, provides rights to participate in concerted activity for the purpose of collective bargaining or other mutual aid or protection. The NRLB has previously issued decisions and guidance documents this year warning that social media policies must not stifle workers from communicating about workplace conditions as this would offend section 7 of the NLRA.

An administrative law judge concluded that the postings about the car accident did not fall within section 7 of the NLRA because it was posted by the employee on his Facebook page and not discussion took place on Facebook about the post. By contrast, the comments about the food at the sales event were made in the context of an exchange among employees on Facebook. The administrative law judge concluded that the comments were related to the dealership’s image at the event and this could affect the working conditions of the employees by affecting sales.

In a split decision, the NLRB upheld the decision of the administrative law judge. The employee’s termination for the comments about the customer was not protected by the NLRA. However, the NLRB ordered that the employee handbook rules were overbroad and not enforceable.

The dissenting NLRB member concluded that the requirement to be courteous did not violate section 7 of the NLRA and held that:

“[r]easonable employees know that a work setting differs from a barroom, room and they recognize that employers have a genuine and legitimate interest in encouraging civil discourse and non-injurious and respectful speech.”

Say What You Will About Gay Marriage

In the Smith v. Trafford Housing Trust, a housing manager of the Trust read a news article online regarding gay marriage and posted the link to his Facebook account with the comment “an equality too far”. The manager’s Facebook privacy settings had been set so that his posting could be viewed by his “Friends” and also “Friends of Friends”. This prompted an exchange with one of the employee’s colleagues at work, which was quite tempered but suggested that those gays and lesbians “have no faith and don’t believe in Christ”. The employee was suspended and subjected to a disciplinary proceeding that resulted in a finding of gross misconduct. The employee was offered a demotion to a non-managerial position in view of the length of his service.

According to the decision of the English High Court of Justice (Chancery Division), the Trust had over 300 employees. The court found that at the material time, the employee listed that he was a manager at the Trust. His profile stated “What can I say – it’s a job and it pays the bills”. He described his religious views as “full on charismatic Christian.” His profile and wall pages also listed that he was a manager at the Trust. In putting the post into context, the court held that it was one of a number of posts about “sport, food, motorcycles and cars.”

The court concluded that a reasonable reader of the manager’s wall would not have understood him to be a spokesperson for the Trust. The court rejected that any loss of reputation by the Trust would arise in the mind of a reasonable reader. The manager’s Facebook wall “was primarily a virtual meeting place at which those who knew of him, whether his work colleagues or not, could at their choice attend to find out what he had to say about a diverse range of non-work related subjects.” The court minimized the broader access to his wall by “friends of friends” by stating that “actual access would still depend upon the persons in that wider circle taking the trouble to access it.” The court found that the manager did not thrust his views onto colleagues at the office. The medium and context was not “inherently” work related. In the result, the court concluded that the manager had been constructively dismissed.

Don’t Diss and Threaten Other Employees or Your Employer

The problems for the employees in Lougheed Imports Ltd. (West Coast Mazda) v. United Food and Commercial Workers International Union, Local 1518 started when one of the employees posted on Facebook a post that could be interpreted as threatening: “Sometimes ya have good smooth days when nobody’s [expletive] with your ability to earn a living … and sometimes accidents DO happen, its [sic] unfortunate but thats [sic] why there [sic] called accidents right?” Another employee also was posting derogatory comments about managers.

The employees had close to 100 and 377 “friends” respectively. Significantly, the posts were escalating in tone and extreme enough that one person “de-friended” and even the girlfriend of one of the employees commented that ”[s]omethings just shouldn’t be broadcasted on facebook, especially when you still work there.”

The employer terminated the employment of the two employees. The union grieved but lost. In an interesting counterpoint to the Trafford Housing Trust case, the British Columbia Labour Relations Board concluded that there the comments on Facebook had sufficient proximity to the employer’s business. The comments had been used as a “verbal weapon”. They went beyond shop floor comments to insubordination in front of employees who were friends of the employees by degrading a manager and referring to discipline. The comments also counselled Facebook friends not to shop at the employer. In the result, the termination was upheld.

Substance, Purpose and Context

One should be careful to draw conclusions from a handful of cases in multiple jurisdictions with different approaches to employment and privacy laws. However, one theme that emerges in all three cases is that, in addition to the substance of the social media posts, the purpose and context for those postings are important considerations in concluding whether the employer has a legitimate interest in the activity of the employee’s social media activities.

 

Social Media & Employees: When Every Little Thing Is Searchable

Sex, E-mail & Privacy – You Have Privacy Rights For As Long As No One Is Interested

On November 15, 2012, the Sexual Orientation and Gender Identity Conference (SOGIC) of the Ontario Bar Association (OBA) held a seminar on “Sexual Orientation & Gender Identity: Managing Personal Privacy and Reputational Risks in an Online Era“. I was invited to participate as a speaker. 

One of my (tongue-in-cheek) messages at the event was that you only have privacy rights for as long as no one is interested in what you are doing. It might be 45 years since the late Rt. Hon. Pierre Trudeau said that the State has no business in the bedrooms of the nation, but the continual parade of sex scandals demonstrates the State and the public still considers to what happens between consenting adults to be very interesting and worthy of opinion. Just open any North American daily newspaper this past week.

Certainly, there are numerous criminal and civil protections for privacy in Canada that Canadians and members of the LGBTQ community can rely on for privacy protections depending on the nature of the breach.  These include public and private sector privacy legislation, Criminal Code provisions (interception of private communications, harassing phone calls, spreading false messages and hate speech), the new tort of intrusion upon seclusion, statutory invasion of privacy torts (in some provinces), appropriation of personality, libel and defamation, nuisance and breach of confidence.

However, these remedies all have significant limitations. Private sector privacy legislation has no teeth when dealing with a non-commercial blogger. All of the court-based remedies require seeking vindication in a public forum. For defamation, the facts and photos might be embarrassing but if the defendant can prove they are true or part of responsible journalism or a qualified privilege defence applies, the subject of the facts and photos has no remedy. Even when privacy rights are vindicated, any monetary remedy is relatively small and the publicity and the digitized record of the event giving rise to the intrusion of privacy is likely, at least at the present time, to continue on with a life of its own unless publication of the intrusion was relatively contained and the operators of the site are willing to take the material down.

My colleagues on the panel were very thought-provoking. Here are some of my “take-aways” for further thinking and discussion:

  • There is a gap in privacy protection for employees and job candidates (other than in British Columbia, Alberta and Quebec, public sector employees, and employees of federal undertakings). We are principally relying on Human Rights legislation for moral suasion.
  • There is a gap in privacy protection with respect to electoral information gathered by political parties and information collected by elected officials. Can this be justified on the basis of promoting our democratic system of government? Or, do elected officials lose credibility when dealing with private sector privacy mistakes when they have exempted themselves from an obligation to protect the privacy of their constituents?
  • We need to have a serious conversation about the “right to be forgotten”. A right of minors might be a useful starting point. Should an indiscreet photo or a story posted by a minor’s friend when the minor is 16 have an unlimited shelf-life on the Internet, or does this impinge too far on freedom of expression?
  • The time may soon be ripe to recognize a tort of publication of embarrassing private facts based on the U.S. and New Zealand tort. What will it look like? How do we protect robust freedom of expression and at the same time provide individuals with protection from becoming the subject of targeted shaming by groups who do not share the same values as the target?
  • Will the limit of $20,000 for general damages for the tort of intrusion upon seclusion be exceeded in the short-term? Or, will plaintiffs be able to demonstrate successfully to the court that the breach of privacy caused specific economic harm?
  • Is the term “privacy” confusing the issue (except to privacy advocates)? Is the main issue systematic and unwelcome private-sector and public-sector surveillance? In other words, a question of control? Is a necessary ingredient of a free society, in the digital age, one in which individuals have protection from the unauthorized use of information that is public in a nominal sense?

Thank you SOGIC for putting on this timely seminar.

Sex, E-mail & Privacy – You Have Privacy Rights For As Long As No One Is Interested