2014 Canadian Legislative Review: From Anti-Everything to Access Nothing

There was no shortage of developments in privacy and access to information laws in Canada in 2014. Questions remain, however, whether those developments constitute advances in creating workable and clear privacy laws to protect Canadians and access laws to promote open government. In this look-back, we’ll reflect on some of the most noteworthy legislative activities of 2014.

Anti-Everything

The biggest single development in Canada in 2014 was the coming into force of the commercial electronic message (CEM) provisions of Canada’s Anti-Spam Legislation (CASL).

Critics of CASL have questioned whether it is constitutional. However, whether CASL’s commercial electronic message (CEM) provisions constitute an unjustifiable interference with freedom of expression, which is protected under Canada’s Charter of Rights and Freedoms, will have to wait for a future test case. In the meantime, Canada now has one of the most restrictive regimes governing the use of email, text messages and other electronic forms of communication for commercial purposes. Failure to comply could lead to up to CA$10 million in administrative monetary penalties per violation.

CASL’s “ban all” approach means that, unless an exception applies, the sender of a CEM must have the consent of the recipient before sending it. If express consent is sought, it must be sought separately from other agreements and consents, and it must contain mandatory identification disclosures as well as a notice that the proposed recipient can withdraw consent at any time. Although implied consent may be relied on in the case of, for example, an existing business relationship, the categories of “existing business relationship” are narrowly defined and the length of time that implied consent can be used has been arbitrarily limited (6 months in the case of an inquiry; 2 years in the case of a purchase, among others). What constitutes a CEM is also difficult to determine. One thing is for certain, there is no “primary purpose” rule. As long as one of the purposes of the message is to encourage participation in a commercial activity, the message is a CEM.

So far, CASL has hardly been a success. Legitimate businesses have poured money into compliance programs. The Canadian Radio-television and Telecommunications Commission (CRTC), which has primary enforcement responsibilities for the CEM provisions, may have contributed to unrealistic expectations for Canadians. Ironically, the first major public enforcement action against a suspected spammer turned out to be a small business that had been unwittingly infected with a virus. While the CRTC worked with the company to remove the virus and stop the spam messages, this episode demonstrates that the true problem is not going to be combatted by labyrinthine consent provisions.

A second phase of CASL will come into force on January 15, 2015, involving the installation of computer programs. The CRTC appears to be taking a more measured approach with this phase. These provisions require a person to have the express consent of an owner or authorized user of a computer system before installing a computer program on that owner/user’s device. The CRTC has taken the position that these provisions will not apply to self-installations or pre-installed software. Although the provisions could apply to automatic updates, the CRTC appears to be taking the position that auto-updates that are controlled by device settings or other software controlled by the user will not be subject to CASL.

Tinkering with Privacy Legislation

The year also had some interesting developments with respect to private sector privacy legislation. The Alberta government had 12 months to rescue its Personal Information Protection Act (PIPA) after the Supreme Court of Canada declared the entire Act unconstitutional. In a bit of a nail-biter, the government was about to miss its deadline when it requested (and received) a six-month extension.

PIPA had been declared unconstitutional following a union challenge. The union had taken pictures of people crossing a picket line. Several individuals appearing in the photos successfully complained to the Information and Privacy Commissioner of Alberta. The union then challenged the constitutionality of PIPA, arguing that PIPA unreasonably interfered with the union’s right to freedom of expression under section 2(b) of the Charter of Rights and Freedoms. The union won. The Supreme Court of Canada concluded that PIPA restricted the union’s ability to communicate and persuade the public of its cause and that this interference was disproportionate to the government’s objective of providing individuals with control over the personal information that they expose by crossing a picket line.

Rather than re-think the balancing of personal information protection and freedom of expression, the Alberta government opted to address only the interference with union activities. The government introduced Bill 3, which has now passed third reading and awaits Royal Assent and coming into force. This bill permits a trade union to collect, use and disclose personal information about an individual without the consent of the individual for the purpose of “informing or persuading the public about a matter of significant public interest or importance relating to a labour relations dispute involving the trade union” if two conditions are met. First, the collection, use or disclosure of the personal information is reasonably necessary for that purpose. Second, it must be reasonable to collect the personal information without consent for that purpose, taking into consideration all relevant circumstances, including the nature and sensitivity of the information. In addition, the collection, use and disclosure of the information may be subject to additional restrictions made by way of regulation. Whether that amendment is sufficient to save PIPA or whether other aspects of PIPA violate the Charter of Rights and Freedoms will wait for another day.

British Columbia’s Personal Information Protection Act shared the same basic legislative structure with Alberta PIPA. To date, no amending legislation has been introduced to save the British Columbia legislation from a similar challenge. However, the BC act is under review.

The provinces have not been the only ones examining aspects of their private sector privacy legislation, when CASL came into force on July 1, the Personal Information Protection and Electronic Documents Act (PIPEDA) was amended in several important ways addressing procedural issues.

• Refusal to Investigate. The privacy commissioner may now refuse to investigate a complaint if there are other grievance or review procedures available that should be exhausted, if there are provincial laws under which the complaint could be dealt with more appropriately or if the complaint was not filed within a reasonable period of time.
• Discontinue a Complaint. The privacy commissioner now has broader discretion to discontinue a complaint. In particular, the privacy commissioner can discontinue the complaint if the organization has provided a reasonable response or the Privacy Commissioner has already investigated.
• Coordination with Other Regulators. The privacy commissioner has been given express powers to coordinate with provincial and territorial privacy commissioners and foreign regulators to develop guidelines or model instruments governing the handling of personal information by private sector organizations.
• Sharing Information with Other Regulators. The privacy commissioner has express powers to share information with provincial counterparts and with foreign regulators. Sharing with provincial counterparts may be done confidentially. The information is to be shared for the same purpose for which it was collected. The Privacy Commissioner is also empowered to share information relevant to a foreign investigation.

There was also one important substantive change to PIPEDA as part of CASL’s coming into force that relates to website scraping and the unauthorized access of personal information from a person’s computer system. Although PIPEDA permits the collection, use and disclosure of personal information without consent for certain purposes, the amendments restrict the application of these provisions. In particular, the harvesting or scraping of websites for electronic addresses or the use of telecommunications services to access a person’s computer in an illegal manner to obtain personal information will result in most of the exceptions to consent being unavailable for that personal information.

There are also pending substantive revisions to PIPEDA before Parliament. Bill S-4, known as the Digital Privacy Act, is currently before the House of Commons. This legislation would amend PIPEDA in many significant ways. The following are some of the highlights of Bill S-4, if enacted, and not a complete catalogue of all of the changes (we will revisit S-4 in detail in next month’s post as it makes its way through the House of Commons):

• Records of Breaches. Organizations would be required to keep and maintain records of any breaches of security safeguards and provide those records to the privacy commissioner on request.
• Breach Notification. An organization would be required to report a breach of security safeguards to the commissioner and notify individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”.
• Fines. It would be a criminal offense for an organization to knowingly fail to keep prescribed records for breaches or to knowingly fail to report breaches in compliance with PIPEDA. These offenses would be punishable by fines of up to CA$100,000 for organizations.
• Compliance Agreements. The privacy commissioner would have additional enforcement powers to enter into compliance agreements with organizations. These compliance agreements could include any terms that the privacy commissioner considers necessary to ensure compliance with PIPEDA. If the organization does not fulfill the terms of the compliance agreement to the satisfaction of the privacy commissioner, the privacy commissioner could enforce the compliance agreement before the federal court.
• Investigations and Fraud. The proposed amendments include new possibilities of disclosure without consent. Organizations would be able to share information in order to investigate a breach of an agreement or a contravention (or anticipated contravention) of a federal or provincial law. It must be reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the investigation. Organizations could also share information for the purposes of detecting or suppressing fraud.
• Financial Abuse. A new provision would permit disclosure of personal information without consent to a government institution or to the individual’s next of kin or authorized representative if there are reasonable grounds to believe that the individual has been the victim of “financial abuse”. It must be reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the ability to prevent or investigate the abuse.

Intimate Images (Revenge Porn)

Recently, Parliament passed Bill C-13, Protecting Canadians from Online Crime Act. This legislation addresses a number of issues, including the distribution of intimate images, as well as enhancing law enforcement powers. Bill C-13 amends the Criminal Code (Canada) to include a new offense of non-consensual distribution of intimate images. New s. 162.1 makes it an offense to knowingly publish, distribute, transmit, sell, make available or advertise an intimate image of a person knowing that the person depicted in the image did not give their consent to that conduct, or being reckless as to whether or not that person gave their consent to that conduct. The definition of what constitutes an “intimate image” is not straightforward. The definition includes not only certain content requirements (nudity or the performance of a sexual act) but also a requirement that at the time of the recording there was a reasonable expectation of privacy and the person retained a reasonable expectation of privacy at the time that the offense was committed. Violating new s. 162.1 is punishable by up to 5 years in prison. The court may also make a number of ancillary orders to prohibit the convicted person from using the Internet or requiring the convicted person to use the Internet under certain conditions. The court may also order the seizure of copies of the images from third parties.

In addition to creating the new offense, Bill C-13 has extended law enforcement powers. A few of these provisions are mentioned here.

• Preservation Demands: Bill C-13 makes it possible for law enforcement to make preservation demands requiring the recipient of the demand to preserve computer data. The demand lasts for 21 days if it is made in connection with a domestic offense and 90 days if made in connection with the investigation of an offense under a foreign law. This time period can be extended by a preservation order made by a judge. Alternatively, the peace office can obtain a preservation order from the court at the outset.
• Production Orders: The court may issue a production order if there are reasonable grounds to suspect that an offense has been or will be convicted. These production orders can be used to obtain “transmission data” (metadata or telecommunications) and “tracking data” (location data). A higher standard will apply for obtaining an order to place a tracking device on a mobile phone or wearable device that an individual would normally carry. Law enforcement will need to establish that there are reasonable grounds to believe that an offense has been or will be committed, instead of merely “reasonable grounds to suspect.”

Access Nothing

The federal government has shown no public interest in updating the Access to Information Act (ATI Act), which provides individuals and companies with the right of access to government information. The ATI Act is more than 30 years old. Information Commissioner Suzanne Legault commenced her own review, without funding, and is expected to table proposed recommendations to Parliament to modernize the ATI Act.

One of the key deficiencies in the ATI Act is that the information commissioner has no power to order the federal government to produce records. The information commissioner can only issue non-binding recommendations and attempt to cajole the government to release documents in response to a proper ATI Act request. A private-members’ bill (C-613) sponsored by the leader of the Liberal party, the Hon. Justin Trudeau, would (among other things) provide the information commissioner with order-making powers.

Bill C-613 has virtually no chance of becoming law. In any event, the biggest single challenge facing the information commissioner at present seems to be a lack of resources. Recently, the information commissioner appeared before the Standing Committee on Access to Information, Privacy and Ethics regarding her budget. Legault stated that she has faced a 30-percent increase in complaints during the last fiscal year. This means that the number of disputes between requesters and the government over the government’s response or failure to respond to an access request has increased by almost one-third. Legault stated that she may have to cut her activities if she does not receive more funding. The information commissioner did not receive a sympathetic hearing by the governing Conservative Party Members of Parliament on the Standing Committee. They suggested she look to new sources of revenue, such as an increase in the cost of making an ATI Act request. One might well ask whether the Canada is truly committed to “open government”.

One bright spot on the access to information horizon is that the Ontario Legislature is close to passing Bill 8 (as of the date of writing this article). Bill 8 includes amendments to the Freedom of Information and Protection of Privacy Act (Ontario) (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (Ontario). These amendments include a requirement that public sector and other organizations subject to that legislation ensure that reasonable measures respecting the records in the custody or under the control of the organization are developed, documented and put into place. The purpose of this new provision is to ensure the preservation of records in accordance with any record-keeping or records retention requirements, rules or policies that apply to the organization. Bill 8 would also make it a provincial offense to alter, conceal or destroy a record with the intent of defeating an access to information request. These amendments respond to calls by Ann Cavoukian, former Ontario information and privacy commissioner, following a special investigation. The investigation concerned allegations that the former chief of staff to the former minister of energy violated FIPPA by routinely deleting all of his emails and allegations of improper conduct involving record deletion during the transition from the former premier of Ontario to the new premier.

Looking Forward to 2015

Next year is likely to be an interesting year in privacy. We should expect to see a number of constitutional challenges to the new law enforcement powers granted under the Criminal Code. The British Columbia review of that province’s private sector legislation and Information Commissioner Suzanne Legault’s report to Parliament on the ATI Act may provoke debate on the future of privacy and access legislation. If the government does not lose its nerve, Canada may see mandatory data breach recording and reporting backed by the possibility of fines. Happy New Year!