Click here to see full sized version.
Please contact us at email@example.com.
Please include your name, your law firm or company name and address.
Privacy statutes passed by federal and provincial governments over the past 20 years are notorious for employing vague and general language. Because they are usually considered at first instance by privacy regulators — whose role as “privacy advocates” is well-known — these laws have tended to be interpreted in a “pro-privacy” manner. However, several recent cases illustrate that courts are now willing to take a more balanced view of the meaning of privacy laws.
Federal and provincial privacy regulators have many opportunities to state their preferred interpretations of the laws. In addition to decisions made on specific cases, they regularly publish bulletins and papers expressing their views of the scope and meaning of the legislation.
In addition, early decisions by the Federal Court under the Personal Information Protection and Electronic Documents Act (for example, the 2004 Court of Appeal decision in Englander v. Telus Communications Inc.) gave significant deference to the interpretations made by the federal privacy commissioner.
For some time, it appeared that the liberal interpretations of the laws preferred by regulators would be dominant. But the landscape is changing. One example is the applicability of PIPEDA to investigations carried on by or on behalf of individual litigants.
In 2004, the Ontario Superior Court in Ferenczy v. MCI Medical Clinics, held that the collection of personal information by an investigator acting for a defendant in a personal injury action was not restricted by PIPEDA, since such investigations were not “commercial” even if carried on by businesses. For some time, privacy regulators took the position that the Ferenczy decision was “strictly obiter” and was “not viewed as precedent.”
In 2010, the Federal Court (in State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada) rejected the position of the commissioner and determined that PIPEDA does not apply where insurance companies and their investigators collect personal information when defending individuals. This decision has significantly limited the application of privacy laws to information-gathering by or on behalf of individuals.
A threshold question in all Canadian privacy legislation is whether the data in question is “personal information,” which is generally defined as “information about an identifiable individual.” Canadian regulators have consistently held that data that on its face is not “about an individual” may nevertheless be “personal information” if it possibly can be linked back to an individual.
In 2009, the Alberta privacy commissioner interpreted the phrase “personal information” to include licence plate numbers collected by the store whenever a furniture order was picked up. In 2011, the Alberta Court of Appeal in Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner) found that the commissioner’s interpretation was unreasonable, and that the licence plate number was about a vehicle, not an individual. As Justice Frans Slatter stated: “Information that relates to an object or property does not become information ‘about’ an individual, just because some individual may own or use that property. Since virtually every object or property is connected in some way with an individual, that approach would make all identifiers ‘personal’ identifiers.” Leave to appeal the Alberta Court of Appeal’s decision was refused by the Supreme Court of Canada.
In addition to the interpretation issues, courts are now looking at whether privacy restrictions on the collection and disclosure of personal information are breaches of the freedom of expression guaranteed by the Charter.
United Food and Commercial Workers, Local 401 v Alberta (Attorney General) involved a union’s videotaping of replacement workers during a strike. The commissioner held that the union had breached Alberta’s Personal Information Protection Act (despite the union’s novel argument that it was engaged in exempted “journalistic” activities) because the union had collected personal information without consent.
In April, the Alberta Court of Appeal decided that the commissioner’s decision was unreasonable and a breach of the union’s freedom of information right under the Charter (which guarantees the ability to collect as well as disseminate information).
The Court of Appeal also pointed out that other provisions of the Alberta act may be overbroad (and therefore subject to constitutional challenge) since too much information is covered, the definition of “publicly available information” is overly restrictive, there is no general exemption for information collected and used for free expression and “[t]here is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.” The Alberta privacy commissioner is seeking leave to appeal to the Supreme Court of Canada.
As these cases illustrate, courts are increasingly undertaking critical examinations of the scope and meaning of Canadian privacy statutes. While federal and provincial privacy regulators will likely still play a dominant role in interpreting and applying these laws, it is reassuring to those businesses which are the targets of privacy regulators that those regulators will not always have the last word on these issues.
Mark Hayes is managing director of Heydary Hayes PC, a boutique IP, technology and privacy law firm in Toronto. He is past president of the Ontario Bar Association privacy section and the author of “Privacy Law in Canada,” a chapter of the U.S. publication Proskauer on Privacy.
Click here to see this article in our digital edition (available to subscribers).