report

Access requests Access requests

May 4, 2026 11 MIN READ
Download PDF

Home Insights Reports Osler Privacy Jurisprudence Review – Fifth Edition

Authors
Kristian Brabander

Partner, Disputes, Montréal

Robert Carson

Partner, Disputes, Toronto

Tommy Gelbman

Partner, Disputes, Calgary

Jessica Harding

Partner, Disputes, Montréal

Craig Lockwood

Partner, Disputes, Toronto

Julien Morissette

Partner, Disputes | Insolvency and Restructuring, Montréal

Authors
Kristian Brabander

Partner, Disputes, Montréal

Robert Carson

Partner, Disputes, Toronto

Tommy Gelbman

Partner, Disputes, Calgary

Jessica Harding

Partner, Disputes, Montréal

Craig Lockwood

Partner, Disputes, Toronto

Julien Morissette

Partner, Disputes | Insolvency and Restructuring, Montréal

Authors:
Kristian Brabander, Robert Carson, Tommy Gelbman, Jessica Harding, Craig Lockwood, Julien Morissette

Table of Contents

Privacy Jurisprudence Review

Read the full edition

Canada (Attorney General) v. Canadian Civil Liberties Association, 2026 FCA 6

Read the case details

Facts

In February 2022, the Canadian federal government invoked the Emergencies Act, for the first time since it was enacted in 1988, in response to the Freedom Convoy protests and related blockades in downtown Ottawa and key international border crossings. The regulations stemming from the federal government’s invocation of the Emergencies Act criminalized participation in, and financial support of, the protests. The order required banks, credit unions, insurance companies, crowdfunding platforms, and others to freeze the assets and accounts of “designated persons” engaged, directly or indirectly, in the protests. These institutions were also required to determine whether they were in possession of property owned, held, or controlled by or on behalf of a “designated person” and, if they were, to disclose to the RCMP or Canadian Security Intelligence Service (CSIS) prescribed information about the property. The accounts of about 257 “designated persons” were frozen pursuant to the order.

The Federal Court found that the reasons provided for the decision to declare a public order emergency did not satisfy the requirements of the Emergencies Act, and that certain measures adopted to deal with the protests infringed sections 8 and 2(b) of the Canadian Charter of Rights and Freedoms (Charter) (i.e., the right to be secure from unreasonable search and seizures, and the right to freedom of expression). The Federal Court found that the infringements were not justified under section 1 of the Charter.

Decision

The Federal Court of Appeal upheld the lower court’s finding that the invocation of the Emergencies Act was unreasonable and ultra vires, and that the measures infringed constitutional rights to free expression and protection against unreasonable search and seizure. The Court found that the order’s requirement for financial institutions and other entities to report information to the RCMP or CSIS and permitted the federal government to disclose information to entities infringed section 8 of the Charter because there was no warrant requirement or prior authorization by a neutral arbiter. There was also no requirement that the “designated persons” receive any advance notice that their personal financial information would be shared with the RCMP or CSIS.

The Court found that banks, crowdfunding platforms, and other financial institutions were effectively deputized by the order and were required to turn account holders’ personal financial information over to the RCMP or CSIS based on the relatively lax “reason to believe” standard. The Court held that individuals have a reasonable expectation of privacy in financial information, which forms part of the “biographical core of personal information,” and the information-sharing provisions failed to provide adequate procedural safeguards.

On March 17, 2026, the federal government applied for leave to appeal to the Supreme Court of Canada.

Key takeaways

This decision is significant because it re-affirms that section 8 of the Charter protects individuals’ privacy interests and confirms that governments cannot conscript financial institutions into warrantless surveillance of account holders without being in violation of section 8 of the Charter. It is also noteworthy insofar as the court affirmed a reasonable expectation of privacy in financial information as part of the “biographical core of personal information”.

Hospital for Sick Children v. Ontario (Information and Privacy Commissioner), 2025 ONSC 5208

Read the case details

Facts

In 2022, both SickKids and the Halton Children’s Aid Society (CAS) were targeted by ransomware attacks that temporarily encrypted their servers, rendering personal information inaccessible. Neither applicant found evidence that any personal information had been viewed, accessed, copied, or exfiltrated by the attackers. Both organizations notified the Information and Privacy Commissioner (IPC) of the attacks but took the position that the statutory requirement to notify affected individuals was not triggered. SickKids publicly disclosed the attack on its website but did not include a statement about individuals’ entitlement to complain to the IPC. CAS did not provide any public disclosure. The IPC initiated reviews and concluded that both organizations had failed to comply with notification requirements under the Personal Health Information Protection Act (PHIPA) and the Child, Youth and Family Services Act (CYSA), respectively. The IPC determined that the ransomware attacks constituted both an unauthorized “use” and a “loss” of personal information, triggering mandatory notification obligations. SickKids sought judicial review and CAS appealed and sought judicial review of the respective IPC decisions.

Decision

The Divisional Court dismissed both judicial review applications and CAS’ appeal. On the question of “use,” the Court upheld the IPC’s finding that the encryption of containers housing personal information amounted to “handling” or “dealing with” that information, even without direct access to individual files. The transformation of containers by encryption also transformed the personal information within them by making it unavailable to authorized users. The Court rejected the applicants’ argument that direct interaction with the information was required to establish “use”. On the question of “loss,” the Court agreed with the IPC that the temporary inaccessibility of personal information due to a malicious unauthorized action constituted a “loss” within the meaning of the legislation. The availability of backup systems to restore information did not negate the fact that the information was temporarily lost.

The Court rejected the applicants’ argument that the IPC engaged in “results-oriented reasoning,” finding that the IPC appropriately considered the text, context and purpose of the statutory provisions. The Court also dismissed concerns about “over-notification” and “notification fatigue”.

Key takeaways

The Court affirmed the IPC’s broad interpretation of the terms “use” and “loss” in the context of ransomware attacks. Importantly, organizations cannot avoid notification obligations simply because attackers did not directly view or access individual files of personal information. The decision emphasizes that the notification requirement is not tied to risk of harm and instead ensures individuals’ continuing interest in their personal information.

Ladouceur c. Desjardins assurances générales, 2026 QCCAI 30

Read the case details

Facts

In December 2018, major renovation work on a building adjacent to the building owned by the applicant, Steven Ladouceur (Ladouceur) resulted in the release of significant asbestos dust that infiltrated his building. Following the incident, Ladouceur submitted a claim (the Claim) to his insurer, Desjardins General Insurance (the Company), which was partially accepted.

Ladouceur submitted a request for the entirety of the Company’s file regarding the Claim, including all documents, notes and communications. Four months later, the Company refused to provide the requested documents on the grounds that disclosure could impact imminent legal proceedings. Dissatisfied, Ladouceur filed an application under section 42 of the Act respecting the protection of personal information in the private sector, C.Q.L.R., c. P-39.1 (the Québec Private Sector Act) before the Commission d’accès à l’information (the CAI).

Ladouceur later submitted a second request for the same documents, which the Company again refused on identical grounds, prompting a second application. The CAI decided to hear both applications jointly.

Ahead of the CAI hearing, the Company provided documents to Ladouceur but raised new refusal grounds: litigation privilege and third-party personal information protection. After the CAI’s intervention at the hearing, additional documents were shared with Ladouceur. However, Ladouceur set forth an argument that the Company’s search was incomplete and insufficient, citing excluded sources, missing documents, and lack of independent confirmation. Separately, Ladouceur initiated Superior Court proceedings, seeking the same documents during out-of-court examinations.

Decision

The CAI had to determine whether the Company had conducted serious and thorough searches to identify all documents covered by the access requests.

At the hearing before the CAI, the Company’s Senior Compliance Advisor, Ms. Blais, testified that she processed Ladouceur’s access requests and consulted all three systems containing relevant information: two computerized platforms used for claims management and damage assessment, and a call recording platform. She confirmed that all data pertaining to the Claim was extracted, including correspondence between the claims adjuster, Ladouceur, and third parties, photographs taken by third parties, and all relevant calls recordings identified using telephone numbers from Ladouceur’s file.

The CAI found that the Company presented compelling evidence that it had identified all relevant documents, placing the burden on Ladouceur to submit concrete and compelling evidence constituting prima facie proof of the existence of additional documents.

Ladouceur argued that the Company did not thoroughly explain its research methodology. However, Ms. Blais’ testimony clearly identified the steps taken. The CAI concluded that the lack of keyword research did not constitute prima facie evidence of insufficient efforts.

Ladouceur further argued that correspondence between the claims adjuster and Company representatives were missing. Although the CAI noted that Ms. Blais could neither access the employees’ email inboxes nor their Microsoft Teams platform, the evidence demonstrated sufficient efforts to identify all relevant email correspondence. Regarding a missing call recording from November 1, 2021, the Company demonstrated that such calls between external experts and building appraisers are never recorded. Finally, Ladouceur argued the Company failed to locate documents explaining inconsistencies in expert reports, but the CAI noted that the relevant information was contained in email correspondence and notes confidentially submitted to the CAI, still in dispute due to interlocutory objections on privilege.

The CAI concluded that the evidence submitted by Ladouceur was insufficient to establish incomplete searches by the Company. The remaining disputed documents, including the Company’s objection based on litigation privilege, will be adjudicated by the CAI on the merits.

With respect to the Company’s arguments relating to litigation privilege, the CAI agreed to suspend part of the file to allow the Superior Court to rule on the Company’s objections on privilege and requested that the parties keep it informed of all developments in the judicial proceedings, as the issue will be decided by the CAI on the merits at a later date. 

Key takeaways

This decision clarifies the standard for assessing whether a company conducted a serious and complete search to locate all documents covered by an access to information request under the Québec Private Sector Act. Once a company satisfies its burden of proof, the applicant must present concrete elements constituting a commencement of proof that not all requested documents were located.

This decision also confirms that the absence of keyword searches does not necessarily constitute an incomplete search, particularly when all relevant documents have been extracted from the company’s platforms. Finally, while the individual responsible for processing access requests should ideally be able to access all locations that may contain relevant information, the inability to do so is not fatal where prior searches have sufficiently identified the requested documents.

Premier Tech Eau et Environnement c. Investissement Québec, 2025 QCCQ 3063

Read the case details

Facts

The appellant, Premier Tech Eau et Environnement inc., a manufacturer of wastewater treatment systems, appealed a decision of the Commission d’accès à l’information (the CAI), refusing access to certain documents (the documents) held by Investissement Québec (IQ) relating to its principal competitor, Technologies Bionest inc., the only other developer of such systems in Québec.

The documents were generated following inspections by the Bureau des normes du Québec (the BNQ, currently called the Bureau de normalisation du Québec), an administrative unit of IQ responsible for certifying wastewater treatment systems, over approximately 15 years. They included effluent sampling results and communications regarding non-conformities identified during inspections.

IQ refused access relying on section 23 of the Act respecting Access to documents held by public bodies and the Protection of personal information, C.Q.L.R., c. A-2.1 (the Québec Access Act), which prohibits disclosure of a third party’s trade secret. The CAI dismissed Premier Tech’s application, finding that disclosure would reveal Bionest’s trade secret regarding the efficiency and evolution of its wastewater treatment process, and that a competitor could use the data to reproduce Bionest’s technology through reverse engineering.

Premier Tech appealed the CAI’s decision before the Court of Québec, raising three questions: whether the CAI correctly interpreted the notion of “trade secret” under section 23 of the Québec Access Act; whether the CAI committed errors of law or palpable and overriding errors of fact in applying section 23 to the documents; and whether the quantity of documents was itself information protected as a trade secret.

Decision

The Court dismissed the appeal. It held that the CAI had correctly identified and applied the four criteria established by the Supreme Court of Canada in Merck Frosst Canada Ltd. v. Canada (Health), 2012 SCC 3, used to determine whether information constitutes a trade secret:

  1. The information must be secret in an absolute or relative sense.
  2. The holder must have acted with the intention of treating the information as secret.
  3. The information must have a practical application in the industrial or commercial sector.
  4. The holder must have an interest worthy of legal protection.

The Court confirmed that the burden of proving the existence of a trade secret rests on the third party claiming protection, not the public body. The Court upheld the CAI’s findings that the documents constituted a trade secret, as they revealed the evolution and performance of Bionest’s technology over time and had been consistently treated as confidential by the BNQ. The Court also rejected Premier Tech’s argument that the CAI should have described Bionest’s trade secret in its reasons, noting that doing so would have defeated the very purpose of the protection.

A judicial review of the decision was filed on August 21, 2025, and a judgment has yet to be rendered.

Key takeaways

This decision reinforces the narrow scope of the right to appeal CAI decisions to the Court of Québec under sections 146 and 147 of the Québec Access Act. A party that disagrees with the CAI’s application of the established legal criteria to the evidence cannot recast its challenge as a question of statutory interpretation to access appellate review. The appeal process is not an opportunity for a fresh assessment of the evidence.

The decision also provides useful guidance on the trade secret exception under section 23 of the Québec Access Act, confirming that the cumulative effect of otherwise individually unremarkable data may constitute a trade secret where, taken together, it reveals the evolution and performance of a competitor’s technology and could enable reverse engineering. This has practical implications for businesses whose proprietary processes are subject to regulatory inspections, as the resulting inspection data may benefit from trade secret protection even when held by a public body.

SUBSCRIBE

Stay Informed

Subscribe to Osler Insights to stay informed on issues impacting your business

Subscribe

Osler is a leading business law firm practising internationally from offices across Canada and in New York. Our clients include industry and business leaders in all segments of the market and at various stages in the growth of their businesses. We have built our reputation on our commitment to our clients' success and the experience, expertise and collaborative approach for which we are recognized. We believe that our success is a reflection of our clients' success.