De-identified information is still particular

On Friday, July 13, the Supreme Court of Canada had occasion to consider whether the personal health information of residents of British Columbia should be disclosed to tobacco companies in a fight over whether those companies are responsible for reimbursing B.C. for healthcare treatments for smoking-related diseases. Anyone expecting the court to lay out policy framework for balancing privacy rights and trial fairness was disappointed. The court treated the issue as a fairly dry (but still fascinating) exercise of statutory interpretation.

What was at stake

Like many other provinces, British Columbia has been in a battle with tobacco companies to recover costs relating to diseases caused or contributed to by smoking and second-hand exposure to tobacco products.

In the case of British Columbia, the province stacked the deck in their favour in the litigation in two important ways using the Tobacco Damages and Health Care Costs Recovery Act. First, the province is permitted to sue to recover the health care costs of individuals on an aggregate basis instead of  in respect of each affected individual.  Second, the province protected itself from having to disclose individual health records.

To calculate its damages, the province had created databases containing coded health care information of affected individuals. The province was going to use this information to prove that the tobacco companies were liable and to prove the amount of the claim. Naturally, tobacco companies wanted access to the data. Philip Morris brought a motion to compel production and said that trial fairness required disclosure.

Particular vs. Identifiable

The problem with the Philip Morris’ position was that s. 2(5)(b) of the Act stated that “the health care records and documents of particular individual insured persons or the documents relating to the provision of health care benefits for particular individual insured persons are not compellable”.

Philip Morris said that once the information was de-identified, it was no longer covered by s. 2(5)(b). It was no longer about a particular individual. Philip Morris won two times but lost when it counted – in the Supreme Court of Canada.

The Supreme Court focused on the meaning of the word “particular” in different places in the Act. The court concluded that treating the word “particular” as meaning “identifiable” rendered some of the provisions of the legislation absurd or superfluous. The word particular meant “distinct” or “specific”. Even if the information was no longer about an identifiable individual, it was still about a “distinct” or “specific” individual.

The BC Privacy Commissioner commented:

“I am pleased the Supreme Court has held that the province of BC will not be compelled to provide the personal health records of millions of British Columbians to Phillip Morris.” — Privacy Commissioner Michael McEvoy

I’m not sure that there is that much to cheer about for privacy advocates. The court’s distinction here that has within it a central problem facing privacy lawyers today. We often worry about the possibility of re-identification and argue that even de-identified data may still be about an “identifiable” individual because it could be combined with other information. That position requires reading some words into the definition of “personal information” in privacy statutes that are not there. So far, the courts have acceded to this interpretation but it is possible that they could reverse course unless legislatures clarify what they mean.

Trial Fairness

As for the argument that this was unfair, the court said it was premature.

In any event, the concern of “trial fairness” is, at best, premature. Data might be produced if it were relied on by an expert witness at trial. Also, the court could order the production of a “statistically meaningful sample” of the records in the database.

So, the cheers of the Privacy Commissioner may also be premature. It is unknown how big a sample of records will constitute a “statistically meaningful sample”.

Read the Supreme Court Decision here.

Find the BC Privacy Commissioner Press Release here.

Bill C-58 – Flaws in the government’s access to information reform

Freedom of information nerds may be interested in following the debate on reforms to Canada’s Access to Information Act proposed by the Liberal government. The Government is making enemies of lawyers (through the perceived incursion on solicitor-client privilege) and judges (by subjecting their expenses to proactive disclosure).

I’ve written a summary of the debate for the International Association of Privacy Professionals that you can find here.

Does the OPC really need a massive increase in funding?

In a recent letter to the Standing Committee on Access to Information, Privacy and Ethics, Daniel Therrien, the Privacy Commissioner of Canada, suggested that a 90% increase in funding for the Office of the Privacy Commissioner (OPC) was required to have a “true impact in protecting Canadians’ privacy rights”.

OPC receives $25 million already

The OPC’s current funding is approximately $25 million per year. The Commissioner considered a $23 million increase to be “realistic”. However, the Commissioner added that it had only sought a more “modest” $8 million increase, which represented a 30% increase to permanent funding. The Commissioner cited “rapidly evolving privacy threats” for the budgetary increases and noted that a 90% increase in funding would be in-line with increases to the UK Information Commissioner’s Office.

What a 90% increase buys

The Commissioner argues that a 30% increase would allow for a “limited number of proactive promotion and compliance activities”. The backlog of existing complaints would be “reduced” but not eliminated.

However, with a 90% increase, the Commissioner says that the OPC could provide more advisory services to businesses than it does at present. The increase in funding would also be used to engage in “targeted advertising to bring individuals to our site when they are about to make a decision on whether to disclose their personal information.” Backlogs could be reduced and more proactive activities could be undertaken.

Is a 90% increase necessary?

One of the justifications for a 90% increase is the desire to provide more advisory services. However, the OPC has not demonstrated that it has explored available options to work with stakeholders when developing guidance. The Personal Information Protection and Electronic Documents Act (PIPEDA) was borne out of a voluntary industry code. Quite literally, the main substantive protections in PIPEDA are in Schedule 1 to the legislation, which was that industry code. Arguably, PIPEDA has stood the test of time precisely because the provisions of Schedule 1 were developed by industry stakeholders with an understanding of the operational impacts of the provisions they were drafting.

The OPC could take a lesson from that success. The OPC could increase the use of working groups of stakeholders to draft guidance on important topics. This shared responsibility model would have the benefit of developing industry and consumer group buy-in.  It would also shift the expense of developing that advisory guidance to stakeholders. It would be more likely to produce guidance that is relevant and attuned to operational realities.

The OPC also wants money for advertising. In particular, the OPC wants to “use contextual advertising to bring individuals to [the OPC’s] site when they are about to make a decision on whether to disclose their personal information”. There is a certain irony in the OPC wanting to engage in targeted online advertising of individuals when the OPC has been so hostile to the interest-based advertising industry.

The fact that the OPC feels the need to engage in this type of advertising is an indictment of its resistance to developing model privacy notices. The OPC missed an opportunity during the consultations on consent to modernize and standardize how disclosures are made.

The OPC could have identified types and uses of data that a reasonable person would expect when engaging in online activities. Disclosures regarding these uses could have been done in a short-form manner and only those uses falling outside of these categories would need to be highlighted.

In exchange for using the short-form disclosure, the organization could have been required to link back to educational material at the OPC website. While large, international organizations may not have adopted this approach due to potential operational complexities, this would have solved a problem for numerous small and medium-sized enterprises.

No, the OPC does not need a 90% increase in funding. It needs to work more creatively with industry.

Check out Commissioner Therrien’s letter here.

Mandatory Breach Reporting Starts November 1, 2018

The Government of Canada has set November 1, 2018 as the date on which the mandatory breach reporting and recordkeeping provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force.

The mandatory recordkeeping provisions require organizations to keep records of any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or security safeguards or as a result of a failure to implement safeguards that should have been implemented by the organization. If it would be reasonable to believe that the breach creates a real risk of significant harm to an affected individual, the breach must also be reported to the Office of the Privacy Commissioner of Canada and to the affected individual.

The Order in Council also set the coming into force of certain ancillary provisions, such as provisions to maintain the confidentiality of breach reports to the OPC and the right of an individual to make a compliant about the organization’s breach reporting.

See the Order in Council here.

Trains, Voice and Video Recorders, and PIPEDA

In a late move, the Office of the Privacy Commissioner of Canada has raised concerns with the privacy exceptions in Bill C-49 regarding the use of locomotive voice and video recorders (LVVRs). The exceptions would diminish the protections of railway engineers under the Personal Information Protection and Electronic Documents Act, according to Commissioner Therrien. The Bill has already passed third reading before the House of Commons. When asked by the Senate Committee studying the Bill whether the OPC had raised the concerns before the House of Commons, Commissioner Therrien frankly admitted that the OPC had missed the significance of the amendments until they saw the debates in Parliament.

The LVVR Initiative

In 2015, the Transportation Safety Board of Canada (TSB) conducted a study on the potential use of LVVRs. The study was conducted in the wake of several high-profile railroad accidents in Canada. The TSB ultimately included that LVVR technology would enhance rail safety if implemented.

Photo by Irina Kostenich from Pexels

The Government of Canada included the mandatory use of LVVR in the Bill C-49, which promises to modernize aspects of Canada’s legislation governing rail, air and marine transportation. Unions have raised concerns regarding the privacy implications of the LVVR technology. Apart from the general objection to the constant surveillance that employees would be under in the locomotive, unions have objected to employers having access to LVVR recordings. Unions fear the data could be used against employees if it could be routinely reviewed by railway companies. They argue that the data should only be available to the TSB during an incident investigation.

The OPC’s Concerns

For privacy advocates, there is another aspect of Bill C-49 that is of interest and was the subject of concerns raised by the Privacy Commissioner of Canada, Daniel Therrien, when he appeared before the Senate Committee on Transportation and Communications to discuss Bill C-49. The role of the OPC in overseeing the privacy practices of the railway companies in connection with the LVVRs will be diminished, given the way that the Bill C-49 has been drafted.

It appears that the intention was to protect against the OPC scrutinizing the use of LVVR data by railway companies. To accomplish this, Bill C-49 provides explicit carve-outs from the application of the Personal Information Protection and Electronic Documents Act (PIPEDA). These carve-outs disturb the Commissioner. In particular:

  • Railway companies do not have to comply with section 7 of PIPEDA, which restricts the ability to collect, use or disclose personal information without consent
  • Railway companies do not have to comply with the principles in Schedule 1 of PIPEDA regarding the collection, use, disclosure and retention of information

The Commissioner is concerned that the OPC’s jurisdiction to investigate complaints under PIPEDA may be in doubt. Naturally, if a railway company may collect, use and disclose personal information in the LVVRs without regard to the section 7 of PIPEDA and Schedule 1 of PIPEDA, they will argue that the OPC has no jurisdiction to hear complaints on these issues.

Further, the OPC is concerned that an individual may not have a right of access to the personal information in the LVVRs as would otherwise be required by PIPEDA in light of section 28 of the Canadian Transportation Accident Investigation and Safety Board Act, which restricts to whom the LVVR data could be disclosed.

Find Bill C-49 on LegisInfo here.

Read the TSB Railway Safety Issues Investigation Report R16H0002 here.

Read the transcript of Commissioner Therrien’s remarks before the Senate Committee here.

ETHI Report on PIPEDA is Coming Soon

The Standing Committee on Access to Information, Privacy and Ethics will be tabling its report sometime soon following the resumption of Parliament on Monday, February 26th. The Report title will be “Towards Privacy by Design: A Review of the Personal Information Protection and Electronic Documents Act.” The title provides a strong hint that the report will be advocating including an express obligation in PIPEDA to require organizations to adopt privacy by design and by default. If adopted, this would bring Canada’s laws one step closer to Europe’s General Data Protection Regulation (GDPR), which will come into force on May 25, 2018. Privacy by Design is a made-in-Canada concept and so it would be fitting for it to “come home”.

Read my article for the International Association of Privacy Professionals (IAPP) titled “Legislating privacy by design in Canadahere.

Learn about Privacy by Design here.

Using the Criminal Code to Require News Media to “Un-Publish” Fails

In Canada, s. 486.4(2.1) of the Criminal Code to make an order protecting a victim of a crime from having any information that could identify the victim from being “published in any document or broadcast or transmitted in any way.” The victim has to be under 18 years of age.

A recent decision of the Supreme Court considered a case in which the Crown wanted information published online prior to a publication ban to be “un-published” by the news organization.

R. v. Canadian Broadcasting Corp, dealt with an application for an interim injunction to require the CBC to “un-publish” a story about a murder. Essentially, the facts of the case were: An individual was charged with the murder of a person under the age of 18. The CBC reported on the case and published the victim’s name before the Crown obtained a publication ban regarding the name of the victim. The Crown wanted the CBC to remove the information on the CBC’s website. The CBC refused. The Crown sought an interlocutory order requiring the CBC to remove the name of the victim until the hearing to decide whether the CBC was in criminal contempt for failing to remove the name of the victim.

The Crown was obliged to establish that it had a “strong prima facie case” in order to obtain the interlocutory order requiring the CBC to remove the identifying information of the victim. This is because the order would compel the CBC to “do” something. If the order simply required the CBC to refrain from doing something, the test would be lower.

The key issue was whether the Crown had a strong prima facie case that the CBC was intentionally disobeying a court order. The Crown attempted to argue that publishing on the CBC website was a continuous activity. On this theory, the CBC was directly and intentionally violating the publication ban, even if the original publication occurred prior to the publication ban. The Supreme Court did not rule out the possibility that the Crown would be successful. However, the court concluded that the Crown did not have a strong prima facie case that the publication was a continuous activity. The result was that the CBC did not have to remove the identifying information.

We should be cautious in suggesting that the court’s decision is relevant to the current debate in Canada regarding the type of “right to be forgotten” that Office of the Privacy Commissioner of Canada (OPC) has suggested exists under Canada’s private sector privacy law. I discussed this “right to be forgotten” in a recent post on the OPC’s draft Position on Online Reputation. In that draft Position paper, the OPC suggested that individuals have the right, in certain circumstances, to have inaccurate online information about them removed and could even require search engines remove or suppress search results for an individual’s name on the basis that the information about the individual was not accurate.

There is a fairly wide gulf between the CBC case and the type of “right to be forgotten” discussed by the OPC. Nevertheless, there is one intriguing point of relevance. The court seemed quite skeptical that the mere fact that information remained available online meant that it was being “continuously” published. Provided that the “story” was not “updated” (i.e. “republished”), perhaps the court might be reticent to require the editing of historical documents. It is too soon to tell but not too soon to think about. 

Read R. v. Canadian Broadcasting Corp, 2018 SCC 5.