THE EXPONENTIAL GROWTH OF PRIVACY LAW

IF THERE'S ANY doubt that the complexities of privacy law make it the many-headed Hydra facing Canadian business these days, consider this fact: privacy law considerations have become so ubiquitous that they have even caught the attention of oenophiles desirous of keeping their drinking habits to themselves.

It turns out that the Liquor Control Board of Ontario (LCBO) has a policy that requires wine clubs to submit a purchase list for their order along with the names, addresses and telephone numbers of club members, together with the details of individual orders. When the Toronto-based Vin de Garde Wine Club refused to include the personal information, the LCBO refused to fulfill its order. The club launched a privacy complaint to the Information and Privacy Commissioner (IPC) of Ontario, who provides independent reviews of government decisions regarding privacy under the Freedom of Information and Protection of Privacy Act.

“The Commissioner ruled that the LCBO's collection process was in breach of the legislation's privacy provisions, ordered the Board to cease collecting the information and to destroy all existing records,” says Alexandra Mayeski of Mayeski Law Personal Corporation, whose advocacy and litigation practice from offices in Picton and Toronto includes a focus on privacy and wine industry law.

The LCBO filed for judicial review. Ian Blue of Toronto's Gardiner Roberts LLP, who is co-counsel for the Wine Club with Arnold Schwisberg of Markham, advises that, as of press time, a hearing on the matter was set for September 12, 2013. The oenophiles of the world will be watching.

So will the Canadian business community, a group that probably doesn't have the same benign feelings as wine lovers might about the growth of privacy law in this country. Indeed, privacy law has become so ubiquitous – some would say intrusive – that chief privacy officers (CPO) have become a mainstay of corporate management teams in many sectors. Canadian Tire, for example, has CPOs in several business units.

“As a national retailer and an online bank, the last thing you want is a breach of privacy claim,” says John Chimienti, Associate General Counsel and Chief Counsel, Retail at Canadian Tire. “So the privacy of customer information, which is of paramount concern to us, has given rise to quite a bit of new infrastructure.”

When Éloïse Gratton, now in McMillan LLP's Montreal office, joined the firm in 1999, some 10 to 20 per cent of her practice engaged privacy law. “Now I practise exclusively in the area, and in my view, it has become so specialized that lawyers who don't practise privacy law full-time probably don't know enough about it to advise clients properly, especially because the breadth and complexity of the issues just keep growing,” she says.

For its part, Heenan Blaikie LLP has six lawyers in Toronto and Calgary focused full-time on privacy work, making it one of the largest, if not the largest, dedicated privacy practices in the country. “With the growing sophistication of CPOs at a rapidly growing number of companies, there's no more room for dabbling,” says the firm's Adam Kardash.

But a mere decade ago, the significance of privacy law was not so apparent. “When the federal government passed PIPEDA [the Personal Information Protection and Electronic Documents Act] in 2001, both lawyers and clients thought it was a flash in the pan, no more significant than Y2K eventually turned out to be,” says Tamara Hunter in Davis LLP's Vancouver office.

Indeed, clients rarely went beyond minimum legislative requirements. “There was a time when it was difficult to convince clients that it was something they should think about — privacy beyond putting a policy in place,” says LuAnne Morrow in Borden Ladner Gervais LLP's Calgary office. “But now they're being hit with a lot more pressing issues.”

Even so, a study undertaken by the Privacy Commissioner of Canada in the summer of 2012 suggests that there are still too many businesses that are not taking privacy issues seriously enough: some 25 per cent of websites sampled were leaking personal information to third parties without the knowledge of the individuals affected.

“While the Privacy Commissioner's reaction was relatively gentle in this instance, it is expected that many more websites are in violation, and more extreme measures could follow should Canadian companies not take heed,” says Barbara McIsaac in BLG's Ottawa office.

It's not just the fear of regulatory sanction, however, that's driving the privacy law boom. “We're only starting to discover how extraordinarily important and strategic the privacy law field is becoming,” says François Ramsay, General Counsel at Yellow Pages Group Co.

To start with, there's the new tort of “intrusion upon seclusion,” which found its way to Ontario in the Court of Appeal's 2012 judgment in Jones v. Tsige. As the Court pointed out, intrusion upon seclusion is narrower than the tort of invasion of privacy. To succeed, the plaintiff had to prove that the defendant acted intentionally or recklessly, and negligence alone would not suffice; that the defendant invaded the plaintiff's private affairs or concerns without lawful justification; and that a reasonable person would regard the invasion as highly offensive and causing distress, humiliation or anguish.

Here, Sandra Jones had done so by demonstrating that Winnie Tsige, a BMO employee, accessed the personal banking records of Jones, also a BMO employee, on 174 occasions over four years. Tsige had been involved in a relationship with Jones's former husband and became entangled in a financial dispute with him. She acknowledged having accessed Jones's records to ascertain whether the husband had been paying child support to Jones.

The upshot of Jones, then, is that claims can arise only for deliberate, significant intrusions for highly offensive matters such as financial or health records, sexual preferences, employment, or private correspondence. As well, the court noted that the right to privacy is not absolute and must be balanced with the rights to freedom of expression and the press.

Still, Christopher Du Vernet of Mississauga's Du Vernet, Stewart, who with colleague Carlin McGoogan represented Jones, says the case will have broad implications. Some observers say that privacy class actions may be the fastest-growing arena in class action litigation. With Apple and the federal government's Canadian Student Loans program among several high-profile defendants, the potential of these lawsuits, arguably, has barely been realized.

“Jones will have an impact on the law relating to celebrity privacy, media law, employment law, family law and property law,” Du Vernet says. “If I was a private investigator, I'd want to know the case backward and forward.”

Du Vernet also points out that the new tort does not require proof of actual economic loss. As well, he's not concerned about the limit of $20,000 that the court suggested for “symbolic” or “moral” damages in all but the most exceptional cases. “Jurisprudence, like that relating to punitive damages, has proven that caps can quickly become history,” he says.

Jones could also affect the law relating to proprietary commercial information. “There's going to be an overlap with trade secrets law and the like,” Du Vernet says. “And where there is economic loss, damages will affect the value of information.”

Finally, Jones has already prompted class actions in telemarketing and other arenas where organizations collect or use information in a manner that amounts to an invasion of privacy. “That's an area where there's definitely intentional, widespread intrusion into people's seclusion,” Du Vernet says.

One caveat here is that, although the Nova Scotia Supreme Court subsequently adopted Jones in Trout Point Lodge Ltd. v. Handshoe, its acceptance elsewhere in Canada is hardly assured. Indeed, acceptance may well depend on the existence and form of provincial privacy legislation.

“That certainly has some logic to it,” Du Vernet says. In May 2013, for example, the British Columbia Supreme Court held in Demcak v. Vo that there was no cause of action for breach of privacy in that jurisdiction. Demcak arose when municipal officials and a property management company inspected the property of a residential tenant following a complaint about the use of the property. The plaintiffs alleged that the defendants gained forced entry into and inspected a number of recreational vehicles that were the subject of the complaint.

But Justice Kenneth Ball held that BC jurisprudence did not support the existence of a common law tort of invasion of privacy. If the plaintiff had any remedy, it was under the statutory tort for invasion of privacy under BC's Privacy Act. Here, however, the statutory remedy was not available because the defendants had a lawful right to enter the property.

Still, from a practical perspective, the common law and statutory remedies may well converge. “Jones seems very fact-specific and the scope of the tort as recognized by the Court of Appeal seems quite narrow, so the substantive differences between the statutory torts and the common law tort may not be all that different,” says Roland Hung in McCarthy's Calgary office.

Whatever the potential of the common law tort might be, however, it is the regulatory aspect of privacy law that has so far given rise to the most concern and imposed the heaviest burdens on business. Although all provinces have some form of specialized privacy statute that applies to discrete arenas, such as government and health records, the federal government, Quebec, Alberta, BC, Saskatchewan, Manitoba and Newfoundland all have generalized privacy legislation in place.

“Privacy legislation is a fact of life for Canadian business,” Chimienti says. “If anything it will get worse by becoming stricter and more rigorous as consumers continue to demand that companies take information seriously.”

Making things even more difficult, the emergence of cloud computing has added a great deal of complexity to the issues around compliance with privacy laws. Dominating the discussion these days are the issues that arise from the multijurisdictional nature of the entities participating in cloud computing and outsourcing.

“It's not unusual to have a transnational cast of characters behind a cloud provider,” says Patrick Flaherty in Torys LLP's Toronto office. “A provider operating in the United States can be dealing with personal information of users in Canada and Australia while utilizing data processors in India who access the data on servers located in Uruguay — all of which is backed up on servers in Ireland.”

Providers want to access jurisdictions that offer low cost labour, but many of these jurisdictions do not have robust privacy laws, making it difficult for companies to meet their accountability obligations. Other concerns relate to the fact that data access may be compromised when stored in developing countries that have histories of totalitarian regimes, as well as the continuing uncertainty about the applicability of the laws relating to jurisdiction.

Privacy laws hit especially hard in the marketing arena. A particularly touchy issue is online behavioural advertising (OBA), especially in the pharmaceutical sector. “Because pharma companies are prohibited from marketing directly to patients, they've had to become more innovative,” Flaherty says.

In December 2011, the Privacy Commissioner of Canada released new OBA guidelines intended to ensure that advertisers' practices are transparent and comply with federal private-sector privacy legislation.

While the guidelines confirm that OBA is a “reasonable purpose” for collecting personal information under PIPEDA, subject to certain restrictions, advertisers must comply with knowledge and consent requirements. The legislation's knowledge requirements envisage that advertisers have an OBA policy that is “accessible, easy-to-read, and accurate.”

On the consent side, PIPEDA allows advertisers to use “opt-out” processes so long as they are easy to use and make consumers aware that information is being collected for OBA before it is actually collected. Businesses must also destroy user information once it has been utilized.

“There's no doubt that controversy around the Big Brother effect of OBA could negatively impact reputation and damage consumer trust,” McIsaac says. “Businesses will want to tread lightly if engaging.”

And there are more complications en route. Among the most daunting is the impending proclamation of Canada's new anti-spam and anti-malware law (CASL). It has extra-territorial effect, applying whenever a computer located in Canada sends commercial electronic messages anywhere, regardless of the destination. More formally known as the Electronic Commerce Protection Act, the legislation – considered the most stringent such legislation in the world – is expected to come into effect in late 2013 or early 2014.

“As currently written, the law will have a significant impact on customer and prospect communications across a wide spectrum of Canadian business,” says David Young in McMillan LLP's Toronto office. “So much so that it represents the most active focus of our firm's privacy-related advice to clients in the past few months.”

By way of comparison, CASL is much more burdensome, for example, than CAN-SPAM, the corresponding US legislation. Canada's statute applies not only to email but to other forms of electronic communications, including instant and text messaging, and all social media. As well, CASL applies not only to business-to-consumer messages, but also business-to-business messages.

Unlike any legislation elsewhere, CASL is not limited to messages that may be harmful in the sense that they contain some element of fraud or deceit; rather, CASL prohibits the sending of any “commercial electronic message” (defined as any telecommunication including text, sound, voice or image) to an electronic address without the recipient's prior consent, where the purpose of the message is to encourage participation in a commercial activity.

“CASL will cover all sorts of marketing and advertising campaigns that depend on electronic messages,” notes Paul Broad in Hicks Morley Hamilton Stewart Storie LLP's London, Ontario, office.

But the key difference between the two countries' laws is that CAN-SPAM is opt-out legislation, whereas CASL is premised on an opt-in principle requiring express consent, with certain exceptions for implied consent for existing business relationships, personal and family relationships, business-to-business emails and third-party referrals.

The difficulty is that CASL's consent provisions are quite rigid. The statute is very clear that consent is required before a commercial electronic message can be sent, which means that businesses can't even send an email asking for consent without first obtaining consent. By contrast, CAN-SPAM allows an initial mailing, as long as it contains the required information and has a simple unsubscribe function. “I'm not sure anyone has the answers to the questions that arise from the fact that an electronic message seeking consent is itself an electronic message that CASL prohibits because consent was not first obtained,” Broad observes.

As well, the legislation has sharp teeth. Offenders are liable to administrative monetary penalties of up to $1 million for individuals and up to $10 million for corporations. Officers, directors and agents are liable if they direct, authorize or participate in the violation. A due diligence defence is available in the legislation.

CASL also provides a private right of action for individuals affected by offenders. These individuals may apply for a compensation order for actual loss, as well as a maximum of $200 daily for each contravention of the breached provisions, with a limit of $1 million for each day on which a contravention occurred. Officers, directors and agents of a corporation are subject to the private right of action if they directed, authorized or participated in the contravention.

“There is a huge exposure to class action liability under this legislation,” says Barry Sookman in McCarthy's Toronto office.

It's all a far cry from some 15 years ago, when Kris Klein was working at a large law firm with an eye on developing an information and privacy law practice. “A partner approached me and told me I was wasting my time because I would never bill a penny from that type of practice,” Klein says.

But the young lawyer persisted, and after a spell with the Justice Department, he's now a sole practitioner in Ottawa with a successful practice that specializes in information and privacy law. “As information became such an important commodity, people were desperate for lawyers who were familiar with privacy and access-to-information laws,” Klein says.

Klein's services comprise advising on privacy compliance (including training), data protection and access to information. He defends privacy complaints, appears in Federal Court and negotiates with regulators when necessary. His clients include individuals, companies subject to privacy legislation and those facing common law privacy issues, and a host of Crown corporations that are subject to privacy and access-to-information laws.

Major firms and boutiques have also found it advisable, if not mandatory, to have a healthy contingent of privacy specialists on hand. Indeed, many of the larger firms boast upwards of two dozen lawyers who list privacy law as an area of practice. “Privacy law is so pervasive that there's even one tax lawyer who lists it as a specialty,” Young says.

In conjunction with its growth, privacy law has moved from the background to the foreground. “Two things happened that turned privacy law from a one-off sideshow to the front lines of all areas of practice in which business law firms engage,” Flaherty says. “The first was a statutory evolution, with the introduction of PIPEDA in 2001 and its provincial equivalents in Alberta and BC afterwards; the second was a market force reflected by the digitization of information collection and storage, and the rise of things like online commerce and social media, all of which led to exponential growth in the amount of personal information being collected, stored and used for business purposes.”

Nor is the emergence of privacy law a localized or regionalized phenomenon. “I'm constantly seeing more and more privacy issues arise in just about every practice area in our firm,” says Lorene Novakowski, who practises in Fasken Martineau DuMoulin LLP's Vancouver office.

The same is true in Quebec, which boasts Canada's first privacy legislation, enacted in 1994. “You can't turn around without bumping into a privacy law issue here,” says Christine Carron in the Montreal office of Norton Rose Fulbright Canada LLP.

Among the industry sectors most affected in Canada are financial institutions, which are bound by PIPEDA and function in an environment that is extremely data-rich. But virtually any business that has employees is likely to be affected.

“Privacy law has a growing number of fronts in labour and employment practice, not only in the technical context but also with respect to security issues such as surveillance, computer monitoring and BYOD [bring your own device] policies and even occupational health and safety issues, like drug testing,” says David Elder in Stikeman Elliott LLP's Toronto office.

Privacy concerns are even intruding on the picket line, as evidenced by United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner), currently under reserve in the Supreme Court of Canada. The case arose when the union posted videos of individuals who had crossed a picket line at an Alberta casino. Other casino employees and members of the public complained that their privacy rights had been violated. The Alberta Court of Appeal ruled that the Union's constitutional right to freedom of expression outweighed the complainant's privacy rights.

“Just how the SCC will balance the right to privacy and the right to freedom of expression is an extremely important issue for business generally, quite apart from labour law,” says Geoff Hall in McCarthy Tétrault's Toronto office. “For example, it could impact on stores that use video surveillance to catch shoplifters by providing some guidance on how they must balance their interest in protecting themselves from theft against individuals' interest in controlling their own image.”

In the Toronto office of human resource boutique Hicks Morley, privacy and information law files take up almost three-quarters of Dan Michaluk's time. “I deal with compliance issues, privacy-complaints defences, access-to-information matters, and advice and advocacy related to the production of information,” he says. “The four most important client-based sectors for me, in order, are the employment, public, health-care and commercial sectors.”

The commercial sector is the newest market, and although it's still relatively small, it's quite broad-based. “For example, there's a growing need for legal advice about privacy-related policies and procedure in the gaming industry,” Michaluk says.

Privacy-complaint defence mandates come in various forms. “You have privacy-related grievances under collective agreements, regulatory complaints like those under PIPEDA, provincial privacy law complaints, and court-based litigation, where privacy issues framed in tort or contract are appearing more and more often,” Michaluk says.

In Alberta, Glenn Solomon of Jensen Shawa Solomon Duguid Hawkes LLP, a litigation boutique in Calgary, began doing personal-information-protection work shortly after Alberta's Personal Information Protection Act (PIPA) came into force in 2004. Since 2005, he has acted for the Information and Privacy Commissioner of Alberta on judicial reviews and appeals, including two appearances on privacy cases in the Supreme Court of Canada (SCC), including the aforementioned picketing case. “Initially, privacy work in Alberta was a corollary to other practices, but it is evolving as a major practice area in the province,” he says.

For her part, Barbara McIsaac has been involved in privacy issues since she joined the Justice Department in the early '80s, when the Information to Access Act and the Privacy Act first came on the scene. When McIsaac moved to McCarthy's Ottawa office in 1994, she focused on a range of regulatory issues. But after PIPEDA came into full force in 2004, she developed a growing emphasis on privacy law, which she is currently practising at BLG.

“The privacy side of my practice involves helping clients get privacy policies and procedures organized internally, assisting clients with formal complaints, and guiding them through general compliance issues,” McIsaac says. “Many of these issues arise in the employment or health privacy context.”

Apart from the standalone aspects, McIsaac's practice also has a transactional side, as do the practices of many other privacy lawyers. “There are an increasing number of transactions where privacy issues arise,” she says. “Certainly that's almost always the case where there's a transfer of customer or other databases containing private information.”

As Kardash sees it, privacy law's wide swath is largely attributable to the extent to which it transcends the law. “In 2001, clients thought privacy was strictly a legal issue, but it is now understood in a far more nuanced manner as an issue of trust involving consumers, employees, patients and others,” he says.

“The legal aspect is just one small part, but if you take that in combination with a series of very powerful factors – including rapid developments in information technology, the data explosion, an active privacy enforcement arena, and the fact that a privacy incident makes good press – what you get is a very thick soup in which to stir the privacy pot.”

Julius Melnitzer is a freelance legal-affairs writer in Toronto.