Cloud computing update: Alberta Health Privacy Breach Provisions

On August 31st, new provisions in Alberta’s Health Information Act will come into force that have important implications for users and providers of cloud computing services.

These provisions impose new breach reporting obligations on healthcare service providers and other individuals and entities subject to the Health Information Act.

However, it is important for cloud computing service providers to know that they also have a statutory duty to report certain types of breaches to their custodians – irrespective of what the cloud computing contract says and irrespective of whether the breach is a result of an error or omission by the cloud computing service provider.

What happens on August 31st?

Beginning on August 31st, custodians in Alberta that are covered by the Health Information Act will be required to report certain privacy breaches to the Office of the Information and Privacy Commissioner of Alberta (OIPC), the Minister of Health, and affected individuals. In addition, an affiliate of a custodian (such as an information manager) will have a duty to report certain privacy breaches to the custodian. In each case, the report must be made as soon as practicable.

What are the penalties for noncompliance?

Failure to comply with the new breach reporting provisions is a provincial offence. Fines for noncompliance range between $200,000 and $500,000 for organizations and between $2,000 and $10,000 for individuals. Alberta has a track record of prosecuting Health Information Act offences.

Who are custodians?

Custodians include a wide-range of healthcare service providers and stakeholders in the Alberta healthcare sector. Custodians include regulated health professionals (like doctors, pharmacists, and dentists), healthcare service delivery organizations (like hospitals, nursing homes, and ambulance operators) as well as other governmental bodies involved in the healthcare sector (like provincial health boards, regional health authorities and community health councils).

What do cloud service providers have to do?

A cloud service provider may be an “affiliate” under the Alberta Health Information Act. Cloud service providers should obtain legal advice as to whether they fall under the definition of “affiliate” in the Health Information Act and, if they operate outside of Alberta, whether they are subject to Alberta’s jurisdiction when they provide services to Alberta entities.

Beginning August 31, affiliates have direct obligations under the Health Information Act to notify the custodian of any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian. Reports must contain prescribed information and be made as soon as is practicable.

An “affiliate” includes (among others) “information service managers” and other individuals and entities that perform a service for a custodian under a contractual relationship. An “information service manager” is an individual or organization that does any of the following:

  • processes, stores, retrieves or disposes of health information,
  • strips, encodes or otherwise transforms individually identifying health information to create non‑identifying health information, or
  • provides information management or information technology services.

What do custodians have to do?

Custodians should ensure that they have implemented policies, procedrues and training to meet their new statutory obligation to give notice of any loss of individually identifying health information or unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian if there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure. The notice must be given as soon as practicable and contained certain prescribed information.

Custodians should ensure that their cloud service providers are aware of their broad obligation to report privacy breaches in accordance with these new provisions. Custodians should review their contracts to make sure that the terms relating to breach notification are broad enough to cover the scope of what is reportable under the Health Information Act. This is particularly important if there is an argument that the cloud service provider is beyond Alberta’s jurisdictional reach.

In addition, custodians should ensure that all individually identifying health information is encrypted at rest and in transit. Effective encryption is a factor that may avoid having a reportable breach. The Regulations provide that if a custodian is able to demonstrate that the information was encrypted and could not be accessed or would be unintelligible, the custodian is not required to give notice of the loss or unauthorized access or disclosure to the OIPC, the Ministry or the individual.

Do these provisions only cover unauthorized access by to or disclosure of health information to third parties?

No, the provisions are not limited to access by or disclosure to third parties. Unauthorized internal access and unauthorized disclosure between custodians are subject to the breach reporting provisions.

Do cloud service providers only have to report breaches where there is a risk of harm?

No, the risk of harm analysis test does not apply to cloud service providers. Whether there is a risk of harm is for the custodian to decide.

What factors can the custodian consider when evaluating a risk of harm?

The Regulations set out a non-exhaustive list of factors to be considered by the custodian when considering whether there is a risk of harm to an individual. These factors include (but are not limited to) whether:

  • the information has been or may be accessed and/or disclosed
  • the information has been misused or will be misused;
  • the information could be used for the purpose of identity theft or to commit fraud;
  • the information could cause embarrassment or physical, mental or financial harm to or damage to the reputation of the affected individual;
  • the breach has adversely affected or will adversely affect the provision of a health service to the individual;
  • the information was encrypted or otherwise secured in a manner that would prevent the information from unauthorized access or render the information unintelligible by a person who is not authorized to access the information;
  • the information was lost in circumstances in which the information was destroyed or rendered inaccessible or unintelligible;
  • the information was not accessed before it was recovered if it was recovered; and
  • any access or disclosure was only to a custodian or an affiliate and (i) that person is subject to confidentiality policies and procedures that meet the requirements of the Act, (ii) the person accessed the information in a manner that is in accordance with the person’s duties as a custodian or affiliate and not for an improper purpose, and (iii) the individual did not use or disclose the information except in determining that the information was accessed by or disclosed to the person in error and in taking any steps reasonably necessary to address the unauthorized access or disclosure.

Read more!

Find the amendments to the Health Information Act here.

The amendments to the Regulations can be found here.

Free trials and deceptive trade practices

Earlier this week, I wrote about an interesting development in Quebec regarding the interpretation of section 230(c) of the Quebec Consumer Protection Act. A Quebec court concluded that this provision did not require a merchant to obtain the fresh agreement of a consumer at the end of a free trial or introductory rate period before rolling the consumer over into a regular rate plan if the consumer expressly agreed to the regular rate plan when signing-up for the free trial or introductory rate period. You can read my blog post here.

As mentioned in that post, the court’s interpretation of section 230(c) remains open to debate given that the plaintiff filed an appeal. Although the court’s judgment appears to be consistent with explanatory material from the Quebec Office of Consumer Protection (at least at the time of writing), the Court of Appeal is not bound to give deference to that material. It is still possible that the Quebec Court of Appeal might conclude that the policy behind the law is simply to outlaw these types of inducements unless the merchant obtains the positive agreement of the consumer to continue the subscription during or after the free trial or introductory rate period.

So what are the policy considerations that might support a bright line approach prohibiting automatic rollover into full rate plans without the consumer’s fresh consent?

The most compelling reason for a bright line rule is the frequency with which free trial and introductory rate offers are used as deceptive marketing practices. A bright-line approach makes enforcement easier. The U.S. Federal Trade Commission enforcement shows a robust history of enforcement action against marketers using free trials as part of a deceptive marketing plan. A particularly egregious example is detailed in an FTC complaint against a teeth whitening product marketer. Consumers who enrolled in a supposed low introductory offer actually agreed to an on-going full rate monthly charge. The agreement was buried in the fine print. You can read the FTC complaint here. Arendt Fox has a quick summary that you can find here.

Another reason has to do with the psychology of the consumer. Free trials and introductory rate offers emphasize the “no risk” or “free” or “low price” aspect of the offer. Marketers do not give equal prominence to the true cost of the goods or services. The consumer is induced to enroll on the basis that they can change their mind. The consumer may be less apt to comparative shop or reflect on whether the value of the product or service is reflected in the true “after deal” price.

Finally, the effectiveness of free trial and introductory rate offers depends, in part, on consumer inaction. This is the heart of the “negative option billing” issue. While it may be paternalistic for governments to effectively “save” the consumer from doing something as theoretically simple as sending a cancellation notice, all consumer protection law is intended to relieve the consumer of what would otherwise be the outcome of freedom to contract.

Notwithstanding the arguments in favour of a bright-line approach, a prohibition against free trials and reduced rate offers that automatically roll over into full rate plans seems heavy-handed for online contracts.

While there are policy options to support this approach, governments have other policy options available to them. Most Canadian consumer protection laws require the merchant to deliver a copy of the consumer agreement formed online to the consumer in a form that can be retained and containing specific details. Theoretically, the government could simply require merchants to provide an easy and effective online method to opt-out that is promimently displayed at the beginning of that agreement, followed by a notice to the consumer prior to the full-rate plan kicking in. 


Free trials, introductory offers and negative option billing

An interesting decision of the Quebec Superior Court of Justice came out this year throwing cold water on a class action by consumers in Quebec against well-known telecommunication companies and online media service providers. The case is interesting because it clarifies that the use of free-trials as consumer incentives is not prohibited by the negative option billing prohibitions in section 230(c) of the Quebec Consumer Protection Act. The decision has been appealed though. So, it is possible it will be overturned.

What is negative option billing?

Negative option billing involves requiring a consumer to specifically reject goods and services or be forced to pay for them. The supplier of the goods or services relies on the fact that the consumer accepts receipt of the goods or services as forming an agreement by the consumer to pay for those goods or services.

Periodically, examples of negative option billing have made headlines and led to consumer backlash. For example, in 1995, there was a backlash against Rogers Cablesystems and other cable television providers when they altered their cable packages to add new specialty channels. Consumers received these channels for a short period of time for free. If they did not change their packages to remove these channels, Rogers and other telecommunications providers would begin charging extra for them. There was broad outrage, and Rogers and other industry players relented.

Negative option billing laws in Canada

There are many laws that prohibit negative option billing in Canada. I won’t address all of them here. A few examples will be enough. Section 13 of the Ontario Consumer Protection Act, 2002 and section 12 of the British Columbia Business Practices and Consumer Protection Act state that a consumer has no legal obligation with respect to unsolicited goods or services (with limited exceptions). Unsolicited goods or services includes goods and services provided to a consumer who did not request them. A change to a good or service may result in the goods being unsolicited if the change is material.

The Alberta Consumer Protection Act is stricter than Ontario and British Columbia’s laws. Section 20 of the Alberta Consumer Protection Act deems an unsolicited enhancement of a service to be a negative option if the consumer is required to send a notice that it does not wish to pay for the goods or services. Alberta expressly prohibits suppliers from supplying goods or services to a consumer using a negative option practice.

Federally, the government enacted the Negative Option Billing Regulations in 2012, which apply to federally regulated financial institutions.

How is Quebec different?

The negative option billing provisions in Section 230 of the Quebec Consumer Protection Act appear to cover a broader set of practices than those in other provinces. Section 230(a) contains the usual prohibition against unsolicited goods. Section 230(c) goes further and says that a merchant cannot provide free trials or discounted services to a consumer for a fixed period and then automatically roll the consumer over to the higher price if the consumer does not send a notice stating that the consumer does not want the service.

230. No merchant, manufacturer or advertiser may, by any means whatever,

(a)   charge any sum whatever for any goods or services that he has sent or rendered to a consumer without the consumer having ordered them;

(b)   give any reason as a pretext for soliciting the sale of goods or the provision of services;

(c)   require that a consumer to whom he has provided services or goods free of charge or at a reduced price for a fixed period send a notice at the end of that period indicating that the consumer does not wish to obtain the services or goods at the regular price.

In Benabu c. Vidéotron, the class action plaintiff sued several telecommunication companies and online media service providers for violations of section 230(c). The plaintiff’s theory was that section 230(c) prohibited all forms of free trials or introductory rate offers if the supplier was not required to obtain consent from the consumer at the end of the free trial or introductory rate period. The court disagreed.

The defendants offered a free trial or introductory rates for a limited period when a consumer signed up for month-to-month services for an indefinite term. The court said that the monthly rate was clearly set out in the contract. The court also said that the consumer clearly knew at the time of entering into the contract that this rate would be charged after the initial free trial or introductory rate period. The consumer could cancel the contract at anytime – either before or after the initial free trial or introductory rate period. In these circumstances, the court thought it was absurd that the consumer would have to reaffirm the contract at the end of the free trial or introductory rate period.

Is the Benabu decision sound?

The Benabu decision is under appeal. There are arguments that the decision might not survive the appeal.

Section 230(a) of the Quebec Consumer Protection Act is like provisions in the Ontario, British Columbia and Alberta legislation. If the consumer did not request the services, the consumer would not be required to pay. Like the provisions of other provinces, section 230(a) would not prohibit the use of free trials or introductory rates as an incentive when the consumer signed up. Arguably, section 230(a), like the provisions in other provinces, would apply to “add-ons” such as the specialty channel add-ons that caused problems for Rogers in 1995.

So, if section 230(c) doesn’t require a consumer to expressly agree – at the end of a free trial or introductory rate period – to the continuation of the contract, what is its purpose? The court took some guidance from the Quebec Office of Consumer Protection. In each case, the Office of Consumer Protection seemed to indicate that the consumer could agree in advance to the ongoing purchase of the product following the free trial.

The court noted that the text of section 230(c) uses the past tense “to whom he has provided services or goods free of charge or at a reduced price for a fixed period”. Although the court did not say so, this would support the idea that the provision is intended to prohibit a deceptive sales practice of having the consumer sign up for a free trial period without telling the consumer that he or she must provide a notice to cancel before the free trial period has ended or the consumer will be forced into an ongoing agreement.

Caution: The Benabu decision is one of the few cases dealing with section 230 of the Quebec Consumer Protection Act. Other judges or the Court of Appeal could disagree. The status of free trials in Quebec is far from completely settled.

Read Benabu c. Vidéotron here.

Bringing competing values in consumer protection into focus

The Competition Bureau recently brought into focus ongoing regulatory barriers to online sales of prescription eyewear. The Competition Bureau’s advocacy comes in the middle of a dispute between Ontario self-regulatory bodies and a major player in the online sale of prescription eyewear. An appeal from a decision finding online sales violated Ontario’s Regulated Health Professions Act is pending before the Ontario Court of Appeal. At stake is whether non-Ontario companies operating online need to comply with Ontario regulations governing the provision of healthcare in Ontario.

Competition Bureau calls for change

In a recent article in the Competition Bureau’s Advocate, the Competition Bureau took aim at regulations that limit the ability of consumers to purchase prescription eyewear online. The Competition Bureau asserted that online purchasing led to less-expensive and more convenient options than in-store sales. The Competition Bureau questioned whether Ontario regulations that require licensed physicians, optometrists and opticians to prepare, adapt and deliver prescription eyewear were too restrictive.

The Competition Bureau agreed that regulated health professionals had an important role to play but questioned whether the regulations were narrowly directed to preventing harm to consumers.

However, decision-makers should consider whether it is strictly necessary for licenced professionals to be involved in all aspects of the eyewear dispensing process (i.e. preparation, adaptation and delivery), and to what degree.

The Essilor Case

The timing of the Competition Bureau’s advocacy suggests that it may be intending to influence an issue that is before the Ontario Court of Appeal.

In College of Optometrists of Ontario et al v. Essilor Group Canada Inc., the self-regulatory bodies for Optometrists and Opticians successfully challenged whether online sales by the Essilor Group are permitted under Ontario’s regulations.

The Ontario Superior Court of Justice held that online sales by Essilor were subject to Ontario regulations that restricted who could dispense eyewear. The court held that the activities of Essilor in making eyeglasses, filling prescriptions and delivering eyeglasses involved “dispensing” of eyeglasses within the meaning of the Regulated Health Professions Act. The court then needed to decide whether the Ontario legislation applied to Essilor given that Essilor was based in British Columbia and sold the eyeglasses over the Internet. Although the court accepted that most of the activities at issue occurred outside of Ontario, the court nevertheless held that the Ontario law applied because there was a sufficient connection between the activities of Essilor and Ontario.

In this case prescription eyewear is ordered by people in Ontario. It is delivered to them in Ontario. Presumably it is to be used by them while resident in Ontario. This represents a sufficient connection to Ontario. To find otherwise would mean the eyeglasses are provided without obligation to adhere to Ontario regulation. Ordering eyeglasses is the catalyst for, and delivery is part of, dispensing the eyewear; indicating that it is at least part of a “controlled act” as defined in s. 27(2) of the Regulated Health Professions Act.

Appeal Pending

Essilor has appealed the Ontario Superior Court of Justice’s ruling. The Ontario Court of Appeal granted a stay of the Superior Court decision pending the hearing of the appeal in May 2018. The case remains under reserve by the Ontario Court of Appeal.

Interested? Read more!

College of Optometrists of Ontario et al v. Essilor Group Canada Inc.

Competition Bureau encourages online competition in the eyewear industry

College of Optometrists response to Competition Bureau

Linear points programs – Legal and marketing challenges

Given the cost and effort associated with customer acquisition, loyalty programs are an important customer-retention tool. However, linear reward programs in which customers simply accumulate points that can be used towards the purchase of goods and services may not always be the best choice – for both marketing and legal reasons.

The stockpiling problem

A linear points program has the advantage of simplicity. Buy a certain value of goods or services and get a certain number of points. Accumulate a certain number of points and redeem them for a certain value of goods. These concepts are simple to explain to consumers and the conversion factor into points and out of points is relatively easy to manage.

However, research has shown that consumers tend to “stockpile” points. The reasons why consumers stockpile points is not entirely clear. However, some research suggests that consumers have a notional “cash account” and “points account” in their mind. Spending cash or redeeming points involves the “loss” of something in exchange for gaining something else. The relative value of the cash over the points may depend on several motivating factors. One factor is that there may be an intrinsic value in the stockpile of the points. In other words, looking at my points balance provides me with satisfaction and allows me to dream about attaining a future goal, which has value on its own.

Does this matter? Yes. From the company’s perspective, the value of the points is a liability. The consumer can call on the points at any time and the company must be able to make good on the conversion into goods and services either out of its own inventory or by procuring those goods or services for the consumer. Points providers carry this liability on their books. Customers may stop purchasing goods and services but may hold onto their stockpile of points. So, the liability remains. Moreover, in some jurisdictions (although likely not in Canada) there have been concerns that these points could be considered unclaimed property, which could require organizations to make special efforts to locate the individual and ultimately remit the value of the property to the government.

No-expiry laws

To address the problem of the ever-increasing liability on their books and to overcome the intrinsic value of stockpiling and motivate consumers to use the points, some companies took to the practice of creating expiry dates for points. This triggered a consumer backlash – no doubt because these points had acquired a psychological value in and of themselves. Perhaps inevitably, the result was Canadian consumer protection legislation prohibiting the expiry of loyalty program points.

Ontario led the charge in 2017 to create a special consumer protection regime for consumers who participate in points programs. The provisions addressing loyalty point programs in the Consumer Protection Act, 2002 (Ontario) and the accompanying regulations prevent loyalty program providers form setting an expiry-date for reward points. Quebec is also in the process of amending the Regulation respecting the application of the Consumer Protection Act (Quebec) for the same purpose.

There are exceptions in both provinces to the no-expiry rule. For example, in both provinces points can expire if they can only be used to purchase goods and services of less than $50 in value. Similarly, points can expire if the account is dormant for a specified time-period. In Quebec, that time-period cannot be less than a year and the consumer must be given notice no less than 30 days and no more than 60 days before the points expire. There are also other exceptions and points program providers should seek legal advice on the most advantageous and legally compliant program structure.

Moving beyond linear points

These laws probably come a bit late in the development loyalty programs and, if anything, they will probably accelerate a shift away from simple linear points programs to benefits-based programs. Of course, there is still an important place for linear points programs and the law will not affect programs with low-value rewards. However, some research suggests that consumers want “benefits” or “status”. Yes, points are nice, but they want to get to the front of the line; they want experiences or service not available to others; they want value added services; and they want access to special promotions. These types of earned benefits do not fall within the points provisions of the consumer protection laws discussed above. Certainly, there are still consumer protections laws that apply (and marketers would do well to seek legal advice). However, these types of benefits programs are not subject to the points laws in Ontario and Quebec.

Interested? Read more!

Should marketers be worried by the latest OPC decision?

Canadians would likely find it difficult to argue with the outcome of a recent Report of Findings issued by the Office of the Privacy Commissioner of Canada (OPC) involving the repurposing of public profile information of Facebook users by a New Zealand company. However, one aspect of the case may have implications that will concern companies that use publicly available social media profile information for sales, marketing and advertising.

Company obtains social media profile information

The OPC alleged that a New Zealand based company had taken public information from the profiles of Facebook users to populate the company’s own social network platform. The OPC alleged that the company’s purpose for collecting the Facebook public profile information may have originally been to develop advanced search capability for Facebook users. However, at some point, this purpose changed. The company began developing its own social network using the information that it took from public profiles of Facebook users without the knowledge of those individuals.

Use for a parallel social media account was not appropriate

The OPC found that the company’s activities failed the “appropriate purpose” test under the Personal Information Protection and Electronic Documents Act (PIPEDA). The “appropriate purpose” test is found in section 5(3) of PIPEDA. It states that:

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

The OPC concluded that the development of a parallel social network profile without the involvement of the individual about whom that information related failed the test of appropriateness.

[…] we are of the view that the creation and display of this static replicate of an individual’s Facebook page for the purpose of developing and populating the respondent’s website, which persists outside the individual’s control, and which is not changed or updated or deleted as the individual intends it to be, is not a purpose that a reasonable person would consider to be appropriate in the circumstances, within the meaning of subsection 5(3) of PIPEDA.

OPC finds public information was not really publicly available information

Although the OPC’s finding that the collection and use of the personal information failed the “appropriate purposes” test was dispositive, the OPC went further. The OPC decided that an individual’s publicly available profile information on Facebook was not actually “publicly available information” within the meaning of PIPEDA.

It is unclear why the OPC thought it needed to address this issue. However, the OPC’s discussion and conclusions are consistent with its ongoing policy objectives of strengthening the consent requirement under PIPEDA (further limiting the use of information for sales, marketing and advertising) and attempting to develop a “right to be forgotten” (if consent is required, the individual can also withdraw consent).

One of the exceptions to the requirement for consent to the collection and use of information is that the information is “publicly available information” as specified in the Regulations to PIPEDA. Section 1(e) of the Regulations Specifying Publicly Available Information states that publicly available information includes:

personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

The OPC interpreted “publication” narrowly. The OPC asserted that a social media profile is not published within the meaning of paragraph 1(e) of the Regulations. The OPC did so without relying on any judicial authority for such a narrow interpretation of the word “publication”.

The OPC’s argument rested on the following propositions.

  • Paragraph 1(e) of the Regulations requires the inference of consent by the individual to making it public. However, the information was created at a time when profiles were indexed by search engines by default. Individuals may not have realized the consequences of leaving the information public.
  • The intention of the individuals could not be inferred. Individuals may have posted the information for the purposes of being contacted by friends and not to disseminate the information to the public at large.
  • The profiles are dynamic and the information might no longer be public.

These arguments are not convincing. A publication does not lose its character of being a publication merely because it can change. Paragraph 1(e) of the Regulations requires that the person “provide” the information. It says nothing about the individual’s ongoing intentions. Finally, the Regulations do not require that the individual consent to the types of future uses that could be made of the information. The test is simply voluntariness in the sense that the individual volunteered the information that is in the publication.

The OPC’s conclusions in this case have very significant implications for sales, marketing and advertising. These implications must have been known to the OPC. The OPC should clarify through additional guidance how organizations should apply the principles in this decision to sales, marketing and advertising activities that rely on public social media profile information.

Read PIPEDA Report of Findings #2018-002 here.

De-identified information is still particular

On Friday, July 13, the Supreme Court of Canada had occasion to consider whether the personal health information of residents of British Columbia should be disclosed to tobacco companies in a fight over whether those companies are responsible for reimbursing B.C. for healthcare treatments for smoking-related diseases. Anyone expecting the court to lay out policy framework for balancing privacy rights and trial fairness was disappointed. The court treated the issue as a fairly dry (but still fascinating) exercise of statutory interpretation.

What was at stake

Like many other provinces, British Columbia has been in a battle with tobacco companies to recover costs relating to diseases caused or contributed to by smoking and second-hand exposure to tobacco products.

In the case of British Columbia, the province stacked the deck in their favour in the litigation in two important ways using the Tobacco Damages and Health Care Costs Recovery Act. First, the province is permitted to sue to recover the health care costs of individuals on an aggregate basis instead of  in respect of each affected individual.  Second, the province protected itself from having to disclose individual health records.

To calculate its damages, the province had created databases containing coded health care information of affected individuals. The province was going to use this information to prove that the tobacco companies were liable and to prove the amount of the claim. Naturally, tobacco companies wanted access to the data. Philip Morris brought a motion to compel production and said that trial fairness required disclosure.

Particular vs. Identifiable

The problem with the Philip Morris’ position was that s. 2(5)(b) of the Act stated that “the health care records and documents of particular individual insured persons or the documents relating to the provision of health care benefits for particular individual insured persons are not compellable”.

Philip Morris said that once the information was de-identified, it was no longer covered by s. 2(5)(b). It was no longer about a particular individual. Philip Morris won two times but lost when it counted – in the Supreme Court of Canada.

The Supreme Court focused on the meaning of the word “particular” in different places in the Act. The court concluded that treating the word “particular” as meaning “identifiable” rendered some of the provisions of the legislation absurd or superfluous. The word particular meant “distinct” or “specific”. Even if the information was no longer about an identifiable individual, it was still about a “distinct” or “specific” individual.

The BC Privacy Commissioner commented:

“I am pleased the Supreme Court has held that the province of BC will not be compelled to provide the personal health records of millions of British Columbians to Phillip Morris.” — Privacy Commissioner Michael McEvoy

I’m not sure that there is that much to cheer about for privacy advocates. The court’s distinction here that has within it a central problem facing privacy lawyers today. We often worry about the possibility of re-identification and argue that even de-identified data may still be about an “identifiable” individual because it could be combined with other information. That position requires reading some words into the definition of “personal information” in privacy statutes that are not there. So far, the courts have acceded to this interpretation but it is possible that they could reverse course unless legislatures clarify what they mean.

Trial Fairness

As for the argument that this was unfair, the court said it was premature.

In any event, the concern of “trial fairness” is, at best, premature. Data might be produced if it were relied on by an expert witness at trial. Also, the court could order the production of a “statistically meaningful sample” of the records in the database.

So, the cheers of the Privacy Commissioner may also be premature. It is unknown how big a sample of records will constitute a “statistically meaningful sample”.

Read the Supreme Court Decision here.

Find the BC Privacy Commissioner Press Release here.