Aug 9, 2023
Table of contents
Charest c. Procureur général du Québec, 2023 QCCS 1050
Read more about the case: Charest c. Procureur général du Québec, 2023 QCCS 1050
In April 2017, a newspaper company published documents relating to the plaintiff, Jean Charest, former Premier of Québec, obtained or created by Québec’s anti-corruption agency, the Unité permanente anticorruption (UPAC). The documents were leaked to the press in the context of an investigation into sectoral financing by the Québec Liberal Party when it was the ruling party. This was – and still is – a high-profile case.
The Superior Court of Québec ruled in favour of the plaintiff, awarding $35,000 in compensatory damages and $350,000 in punitive damages. The Court found that UPAC had failed to protect Mr. Charest’s personal information, contrary to the provisions of the Act respecting Access to documents held by public bodies and the Protection of personal information. Under the Act, disclosure of personal information to the media without the knowledge of the individual concerned is not permitted. The Attorney General argued that the plaintiff could not have had a significant expectation of privacy as a politician. The Court rejected this argument.
Although this case centres on a public body that leaked personal information to the press, the Court’s ruling shows that the protection of personal information is taken very seriously, even in the case of public figures who are also entitled to the protection of their personal information and retain an expectation of privacy despite their public appearances.
Bellevue West Building Management Ltd., Re, 2022 BCIPC 74
Read more about the case: Bellevue West Building Management Ltd., Re, 2022 BCIPC 74
The complainant owns an apartment in a building where all the owners incorporated Bellevue West Building Management Ltd. to coordinate the use and enjoyment of the building. Bellevue is run by a management committee that installed a video surveillance system to combat break-in attempts and minor property damage. The complainant complained to the Information and Privacy Commissioner for British Columbia that Bellevue had collected and used her personal information consisting of the images captured by the surveillance.
The Commission first considered whether the complainant had consented to the collection of her personal information and found that, while the signs that had been put up did constitute sufficient notice, the complainant’s use of the public spaces under surveillance did not constitute her consent as Bellevue argued – inherent in consent is an element of choice, and the complainant had to use the laundry room and lobby to access her suite. Bellevue relied on sections 12(1)(c), 12(1)(h) and 12(1)(j)(i) to justify why it didn’t require the complainant’s consent, but the Commission found that none of these sections applied. Because Bellevue was not authorized to collect the personal information to begin with, the Commission also found that it was not authorized to use it under ss. 6(1) and 6(2).
For consent to be given for the use or collection of personal information, one must have a legitimate opportunity to decline.
Métis Addictions Council of Saskatchewan Inc., Re, 2023 CarswellSask 124
Read more about the case: Métis Addictions Council of Saskatchewan Inc., Re, 2023 CarswellSask 124
Sensitive personal information of patients of the Métis Addictions Council of Saskatchewan Inc. (MACSI) was found in a recycling bin by a member of the public, who then provided it to the media. The files contained confidential information about clients' addictions and mental health issues, and had not been properly disposed of by MACSI. A member of the media advised the Office of the Saskatchewan Information and Privacy Commissioner of the files.
An investigation by the Office of the Saskatchewan Information and Privacy Commissioner found that the files contained sensitive personal information, including details of clients' addictions and mental health issues, and had not been properly disposed of. MACSI was found to be in breach of the Health Information Protection Act; it was determined that MACSI did not take all the steps it could have to contain the breach nor did it make enough effort to provide notification to the affected individuals. MACSI was ordered to pay a fine and take steps to prevent similar breaches in the future.
The case highlights the importance of proper handling and disposal of sensitive personal information, particularly in the context of healthcare and other industries that deal with such information. It also serves as a reminder to organizations of their obligations under privacy legislation and the potential consequences for failing to comply with these obligations.
James v. Amazon.com.ca, Inc., 2023 FC 166
Read more about the case: James v. Amazon.com.ca, Inc., 2023 FC 166
The applicant, Tamara James, claimed that she created an account with Amazon.com.ca, Inc., but forgot her password. She sought access to customer account information, including account receipts and audio recordings of her dealings with Amazon customer service. Amazon tried to assist James in resetting the password, but James declined to accept that assistance.
James filed a complaint to the Privacy Commissioner and corresponded with the Amazon Privacy Officer, Amazon Executive Customer Relations employees and Amazon counsel to try to resolve the issue. Amazon concluded that it could not authenticate James as the requestor because (i) James was unwilling to follow the steps provided to reset her password; and (ii) the information James provided did not correspond with the information on Amazon’s server.
The Commissioner’s Report found that “Amazon provided [James] with a fair and reasonable response to [her] access request when it could not verify [her] identity.” James then brought the dispute before the Federal Court pursuant to section 14 of PIPEDA.
The Court dismissed the application. James did not discharge her burden of establishing any violation of PIPEDA. Amazon was under an obligation to protect the account information (PIPEDA, Principle 7); in the Court’s words: “that is the very purpose of the PIPEDA.” Accordingly, the Court found, Amazon “was justified in refusing to give access to personal information without being able to authenticate the identity of the requester in the circumstances of this case.”
The Court dismissed several other issues raised by James, including arguments that Amazon violated Principle 6 (on the basis that allegedly inaccurate information in Amazon’s possession prevented authentication of the requestor’s identity) and that Amazon violated the timeliness requirement under section 8 of PIPEDA.
Organizations can validly deny access to personal information if the requestor’s identity cannot be appropriately authenticated. Here, Amazon offered reasonable assistance seeking to authenticate James’s identity. As the Court found: “Assistance was available. The Applicant chose to not use it.”
Barrett v. Royal Bank of Canada, 2022 FC 1534
Read more about the case: Barrett v Royal Bank of Canada, 2022 FC 1534
Maureen Barrett resigned from her job at RBC Life Insurance Company and assumed a new role as a financial adviser with Sun Life Financial. At the time of her resignation from RBC Life, the company was investigating Barrett for alleged fraudulent conduct involving her personal bank account. Sun Life also undertook its own independent investigation into Barrett’s conduct as an employee of Sun Life. After Sun Life terminated Barrett’s employment, Barrett alleged it was because RBC had disclosed her personal banking information to Sun Life without her consent, in contravention of PIPEDA. Barrett brought an application pursuant to s. 14 of PIPEDA. She sought a declaration that RBC’s disclosure of her personal information to Sun Life contravened PIPEDA, damages and costs.
The Court dismissed Barrett’s application, finding that the disclosure of personal information was made in accordance with subsection 7(3)(d.1) of PIPEDA, which permits disclosure of personal information without knowledge or consent of the individual in order to further an investigation. The Court found that RBC reasonably disclosed Barrett’s personal banking information in furtherance of Sun Life’s investigation of Barrett’s conduct. The Court stated that the information was relevant to Sun Life’s investigation and it was reasonable for RBC not to inform Ms. Barrett or seek her consent prior to the disclosure, because this could have compromised the investigation.
The Court explained that it would not have found that the disclosure was authorized by RBC’s own investigation, alone, because disclosing the personal information to Sun Life would have done nothing to further RBC’s investigation or to prevent any fraud, since the alleged fraudulent activity with Barrett’s bank account had already happened.
Finally, the Court stated that, even if Ms. Barrett could demonstrate a violation of PIPEDA, an award of damages would not be appropriate. Any breach by RBC would not have been egregious and her employment was not terminated because of the very limited disclosure of her personal information by RBC.
This decision clarifies the circumstances under which paragraphs 7(3)(d.1) and (d.2) of PIPEDA permit the disclosure of personal information without an individual’s knowledge or consent in order to further an investigation and suppress or prevent fraud. In this particular case, the disclosure was reasonable in furtherance of an investigation, even if it would not have been reasonable to suppress or prevent fraud.
Al-Husseini v. Altaif Inc., 2022 FC 1497
Read more about the case: Al-Husseini v. Altaif Inc., 2022 FC 1497
The applicant, Sadeq Al-Husseini, brought an application under section 14 of PIPEDA against Altaif Inc. for disclosing financial information that allegedly exceeded the scope of a production order related to Al-Husseini’s divorce proceedings in the Ontario Superior Court of Justice (the Production Order).
The Federal Court dismissed the application, finding that Altaif had not breached Al-Husseini’s privacy rights because the foreign exchange transfers that Altaif disclosed were within the scope of the Production Order. The Court also accepted Altaif’s submissions that Altaif reasonably believed that the information was required to be disclosed under the Production Order.
Given that finding, there was no need to address the issue of damages. However, the Court explained that even if the Court’s interpretation of the scope of the Production Order was incorrect, Al-Husseini had not established that he suffered damages as a result of the disclosure. The Court further stated that, although PIPEDA gives the Federal Court discretion to grant remedies for privacy breaches, an award for privacy law damages should only be made in the “most egregious of circumstances.”
This decision highlights some of the challenges in asking one court to interpret the scope of an order issued by another court for the purposes of assessing an alleged violation of PIPEDA. The Federal Court was ultimately able to make findings about the scope and purpose of the Production Order in this case, but the reasons reflect the limits of this exercise.
Read the full edition: Privacy Jurisprudence Review
Get notified by email when the next edition of Privacy Jurisprudence Review is available.