TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Canada Dashboard Digest | Notes from the IAPP Canada Managing Director, Feb. 3, 2023 Related reading: Meta launches default encrypted messaging



The newest term at the Ottawa University Law School started up this week and it felt good to be back in the classroom, live and in person. As much as we made the best of it over Zoom the last couple of years, I will definitely vouch for in-person learning anytime. It just gives so much more opportunity for dialogue and discussions.

To get the class started, I always ask the students to come prepared to talk about a “privacy in the news” article. On Thursday, we discussed two of them.

The first was the Home Depot case from last week. The vast majority of the students agreed with the privacy commissioner’s decision that admonished Home Depot for sharing customers’ email addresses for reasons other than what the customers had signed up for (i.e., they just wanted their email address used to send them a receipt, not to then be used to evaluate the effectiveness of Home Depot’s marketing campaigns). I know a few lawyers who don’t like the decision as much, but I find it comforting to speak to a group of two dozen students to help me gauge what the “reasonable expectations of the average customer” might be, before getting into the weeds and legalities of the case.

The other case raised by the students was another one we covered in the digest a little while back: the Tim Hortons case involving the over-collection of geolocation data through its customer loyalty application. This one, too, resulted in a pretty scathing report by the privacy commissioner but it also resulted in a class action. That lawsuit settled recently in typical Canadian fashion — the plaintiffs in the class were awarded a free pastry and beverage. The settlement actually spells it out: The plaintiffs are to be awarded a “…. a croissant, a muffin, a cookie, a bun, a biscuit …” Seems almost silly, but … yum?

We used the two cases to talk about what meaningful remedies we ought to have in privacy law. The students were overwhelmingly appalled the organizations that were deemed to have violated the law were left without any real consequences, be it monetary or other — although I suppose those coffees and pastries could add up! I asked them to imagine Bill C-27 passing, with the commissioner having the power to either impose fines directly or through a mechanism via a tribunal. Then, I asked them if they were commissioner, what would the fine be? The only student to offer an actual number said $500 million for the Tim Hortons breach. Think about that for a moment while you sip your double-double this weekend.


If you want to comment on this post, you need to login.