Privacy Update – New Laws and Cases of Interest
Canada’s privacy and data protection laws have undergone significant evolution, bringing them more in line with those of its international partners and advancing technology. Legislative reforms reflect a general trend towards stricter regulations for the use, collection and disclosure of personal information and higher penalties for non-compliance. The courts have tempered these advancements by establishing a higher bar for advancing claims under the tort of intrusion upon seclusion against database defendants in third-party cybersecurity attacks.
Law 25: The Privacy Legislation Modernization Act
Law 25 (formerly Bill 64), enacted by the Quebec government, made significant changes to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (QC ARPPIPS). Law 25 applies to all organizations that are headquartered in Quebec or hold personal information of Quebec residents. While a number of the new provisions came into force on September 22, 2022, the rest are set to come into effect in September 2023 and September 2024.
As of September 2022, organizations are required to identify a Privacy Officer and begin mandatory breach reporting to the Commission d’accès à l’information (CAI). By default, the person with the highest authority at the organization, such as the CEO, will be deemed the person in charge of the protection of personal information. However, that person can choose to delegate the role, in writing, to any other person within the organization. The Privacy Officer’s role is to oversee the protection of personal information and ensure compliance with Law 25. Mandatory breach reporting requires organizations to report to the CAI and to affected individuals any “confidentiality incident” involving personal information that presents a “risk of serious injury”. Organizations must also keep a register of confidentiality incidents and demonstrate the measures taken to prevent similar incidents from occurring in the future.
The amendments under Law 25 coming into effect in September 2023 will require organizations to develop a detailed policies and practices plan, conduct privacy impact assessments (PIAs), and prepare for new requirements regarding cross-border transfers, consent, outsourcing, retention and destruction, transparency, and increased penalties. PIAs help ensure continuous protection of personal information and will be mandatory: (1) when personal information is transferred outside Quebec; (2) when an organization outside of Quebec is entrusted with collecting, using, disclosing or retaining the personal information; (3) before communicating personal information without consent for research purposes; and (4) for any project to acquire, develop or redesign an information system or electronic service delivery system involving the collection, use, disclosure, destruction or retention of personal information. Law 25 also introduces new and more severe penalties for non-compliance. Organizations can be held liable for up to $10 million or 2% of their worldwide turnover in administrative monetary penalties (AMPs), and up to $25 million or 4% of their worldwide turnover for penal offences. Fines will double in the event of a subsequent offence. Additionally, Law 25 maintains a private right of action for citizens whose privacy was breached or infringed upon intentionally or through gross fault. Although these amendments will not come into force for some months, organizations should be mindful of these future obligations when developing their long-term privacy strategy.
Lastly, in September 2024, organizations will have to start accounting for a user’s data portability rights. This expands on users’ right to access provisions and allows users to request that their personal information be communicated to them or an authorized third party in a commonly used technological format. Businesses will need to prepare for processing and responding to such requests come September 2024.
The Digital Charter Implementation Act, 2022
The Government of Canada introduced Bill C-27, the Digital Charter Implementation Act (2022) in June 2022, which strives to strengthen Canada’s private sector privacy laws and proposes to enact the following Acts:
- The Consumer Privacy Protection Act (CPPA);
- The Personal Information and Data Protection Tribunal Act (PIDPA); and
- The Artificial Intelligence and Data Act (AIDA).
The CPPA would repeal and replace substantial portions of the Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to the collection, use and disclosure of personal information. Generally, the CPPA proposes a more stringent enforcement regime by granting the Privacy Commissioner of Canada (the “Commissioner”) broader powers, establishing significant fines for non-compliance, and creating a private right of action for individuals. The CPPA would also change the consent provisions by adding new consent exceptions and differentiating between de-identified and anonymized data. Moreover, the CPPA strives to increase transparency in how personal information is handled, provide Canadians with better portability rights, and give them the ability to request deletion of personal information when it is no longer needed.
With respect to consent, the CPPA articulates that an organization may collect or use an individual’s personal information without their knowledge or consent for specified business activities, or for a legitimate interest, in an attempt to balance privacy rights with business needs. Other exceptions to consent include the use of personal information to de-identify it, or use of personal information for research and development purposes if it has already been de-identified. Thus, while “de-identified” and “anonymized” information were used interchangeably in PIPEDA, the CPPA differentiates between the two. To de-identify is to “modify personal information so that an individual cannot directly be identified from it, though a risk of the individual being identified remains”. To anonymize is to “irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means”. While de-identified personal information would constitute “personal information” under the CPPA, anonymized information would not.
If the CPPA is passed, businesses may need to modify their practices for de-identifying or anonymizing personal information, while keeping apprised of the new enforcement measures.
The PIDPA would establish a new Personal Information and Data Protection Tribunal (the “Tribunal”). Based on the Commissioner’s recommendation, this new Tribunal would be empowered to impose AMPs on non-compliant individuals and organizations, and to hear appeals from the Commissioner’s decisions. On appeal, the Tribunal could substitute its own order, which, for the purposes of enforcement, may be made an order of the Federal Court or of any superior court and would be enforceable in the same manner.
Lastly, the new AIDA proposes to regulate artificial intelligence (AI) systems by establishing common requirements for the design, development, and use of AI systems, while prohibiting certain AI practices that may result in serious harm to individuals, in the course of international and interprovincial trade and commerce. More specifically, it applies to persons carrying out regulated activities in the course of international or interprovincial trade and commerce, where “regulated activities” is broadly defined as:
- processing or making available data related to human activities for the purpose of designing, developing or using an AI system;
- designing, developing, or making available an AI system or managing its operations.
If passed, this will be the first Canadian law to regulate AI systems. It will be interesting to see how the AIDA progresses through the second House of Commons reading, and if passed, how it will be operationalized by regulations.
The Employment Standards Act
The Employment Standards Act (ESA) was amended April 11, 2022. The amended ESA requires Ontario employers with 25 or more employees as of January 1, to have a written electronic monitoring policy in place before March 1 of that year. This amendment does not create any new privacy rights for employees, nor does it establish a right for employees not to be electronically monitored by their employer.
The employer’s electronic monitoring policy must contain:
- A statement as to whether the employer electronically monitors employees, and if so, (i) a description of how, and in what circumstances the employer may electronically monitor employees, and (ii) the purposes for which the information obtained by electronic monitoring may be used by the employer; and
- The date the policy was prepared and the date for any changes that were made to the policy.
Although not defined in the ESA, examples of “electronic monitoring” may include using GPS to track employees’ movements in delivery vehicles; using an electronic sensor to track how quickly an employee scans items at a grocery store check-out; and tracking the websites that employees visit during working hours.
Cases of Interest
Below we provide an overview of notable privacy class action cases in Canada. In particular, the Ontario Court of Appeal provided much-needed clarity on the responsibility and potential liability of database defendants under the intrusion upon seclusion tort, while a decision rendered by the Supreme Court of British Columbia signalled the importance of obtaining consent prior to using a person’s image or name in advertising.
In June 2022, the Ontario Court of Appeal (ONCA) heard three companion appeals referred to as the Equifax Trilogy, arising out of three separate class actions: Owsianik v. Equifax Canada Co., 2021 ONSC 4112 (Equifax); Obodo v Trans Union of Canada, Inc., 2021 ONSC 7297 (Obodo); and Winder v Marriott International, Inc., 2022 ONSC 390 (Winder). The relevant facts regarding intrusion upon seclusion were similar in each, and thus ONCA released its decision for all three appeals regarding that issue, in the context of the Owsianik v Equifax Canada Co., 2022 ONCA 813 decision.
Limiting Intrusion Upon Seclusion Claims in Data Breach Cases
In Equifax, the motion judge certified a class action against Equifax for a number of causes of action, including intrusion upon seclusion. Despite holding itself out as a “trusted steward of personal information”, Equifax was subject to a security breach after being warned of a security vulnerability months earlier [paras 36 and 55]. Between May and July 2017, hackers accessed Equifax users’ personal information such as their names, addresses, social security numbers and credit card information [para 41]. The Certification Judge held that it was not settled law that a Database Defendant who “recklessly enables a hacker attack to occur” could not be held liable for the tort, and that the issue should be decided on its merits [para 112]. On appeal, the Divisional Court set aside the class action certification for intrusion upon seclusion. The majority held that the tort as defined in Jones v Tsige, 2012 ONCA 32 [Jones], did not concern database defendants, and that extending liability to them would be more than an incremental change to the common law.
Obodo and Winder were heard following the Divisional Court’s decision in Equifax.
The plaintiffs in Obodo were seeking class certification for several causes of action against Trans Union of Canada Inc. (Trans Union), including intrusion upon seclusion. Like Equifax, Trans Union provided credit reporting services, and was subject to a data breach by third-party hackers who gained access to Trans Union’s users’ personal information [paras 2, 4, 12]. The ONSC did not certify the action for intrusion upon seclusion, asserting that the decision in Equifax was binding authority that the tort cannot apply to a database defendant for a hacker attack [para 22].
Winder brought a pretrial motion for determination of a question of law on whether they had a legally viable cause of action in intrusion upon seclusion against Marriott International Inc. (Marriott). Winder creatively argued that Marriott “deceptively” obtained the users’ personal information, making it a reckless intruder who exposed sensitive information [paras 8-10]. Although the argument was imaginative, the ONSC did not certify the action.
The Ontario Court of Appeal’s reasons in Owsianik v. Equifax Canada Co., 2022 ONCA 813, affirmed that a Database Defendant’s recklessness in protecting users’ private information that is then hacked by a third party does not fulfill the conduct component of intrusion upon seclusion. The ONCA asserted that extending liability to database defendants would not be an incremental change, but rather “a giant step in a very different direction”, which could lead to defendants being held liable for any intentional tort committed by anyone [paras 63-65].
The Court of Appeal’s decisions are good news for businesses, as they show that the bar to class certification for intrusion upon seclusion is not easily overcome. While organizations should be diligent in protecting their users’ personal information, it is unlikely they will be held liable for intrusion upon seclusion, or for the moral damages associated with it, when security breaches are instigated by third-party hackers. However, businesses may still be held liable for breach of contractual or statutory obligations to plaintiffs, and in those instances plaintiffs will be required to provide evidence of pecuniary loss.
Limitations on Privacy Class Actions: Consistency Between Ontario and Quebec
Notably, in Lamoureux c. OCRCVM, 2022 QCCA 685, the Court of Appeal of Quebec confirmed the lower court’s decision in a loss-of-personal-information matter, the first privacy class action in Quebec heard on its merits. The case arose after an Investment Industry Regulatory Organization of Canada (IIROC) inspector left on a train a laptop that contained investors’ personal information. The laptop was never found. The important takeaways affirmed by the Quebec Court of Appeal include:
- Normal inconveniences of life in society are not compensable. The negative feelings following a loss of personal information, the annoyance and time required to implement protective measures, and additional identity verification when dealing with credit agencies are considered normal inconveniences that anyone living in society today encounters and should accept;
- There must be a causal link between the loss of the computer and the unlawful uses alleged by the class members; and
- A claim for punitive damages is less likely to succeed if the organization adhered to best practices, diligently responded to the incident and notified affected individuals.
While the Equifax trilogy increased the bar to class action certification, Lamoureux emphasizes that damages in class action privacy breach matters are not so easily awarded.
Liability in Privacy Class Actions: Consent and the Burden of Proof
Notes
- The CAI uses the term “confidentiality incident” to refer to any unauthorized disclosure of, or access to, personal information.
- https://www.parl.ca/DocumentViewer/en/44-1/bill/C-27/first-reading; https://ised-isde.canada.ca/site/innovation-better-canada/en/canadas-digital-charter/bill-summary-digital-charter-implementation-act-2020.
- CPPA ss. 18(1) and 18(3).
- CPPA ss. 20 and 21.
- CPPA s. 2(1).
- CPPA s. 2(1).
- CPPA s. 95.
- PIDPA s. 16(2); CPPA s. 105.
- AIDA s. 5(1).
- The ONCA’s analysis and reasons regarding the intrusion upon seclusion issue for Owsianik, Obodo, and Winder were released in Owsianik v Equifax, 2022 ONCA 813; see para 7.