Privacy Law: An Overview

by Shaya Silber

As we move into an age where growing portions of our lives are becoming digitized, many holes are becoming apparent in these new information systems. A lot of these holes revolve around issues of personal information and privacy. Because this scenario is relatively new, many people including policy makers, academics, lawyers and so on, are grappling with the consequences. More importantly, many people are seeking avenues to remedy apparent wrongs. Legally speaking, when your privacy is violated, you have three options to consider.  These options will not apply to every situation so it is a good idea to get legal advice before taking legal action.  The first option is launching a complaint with the Federal Office of the Privacy Commissioner of Canada. The second option is launching a complaint with Ontario’s Information and Privacy Commissioner.  A complaint can be launched where someone’s personal information was collected, used or disclosed in an improper manner.  (These are not the only circumstances where a complaint may be launched.  For example, privacy legislation also speak about the ability to access and correct information). The third option is pursuing the matter via a court action. Unfortunately, courts rarely award damages in cases of privacy violations. Courts tend to award damages in more egregious circumstances. Even when courts do award damages, the amounts can be less than the cost of litigation. Depending on the case, a victim may opt to pursue different options.

1. Ontario – Information and Privacy Commissioner

The first avenue to consider is Ontario’s Information and Privacy Commissioner (IPC). Ontario’s Commissioner hears complaints that violate the Freedom of Information and Protection of Privacy Act (FIPPA), Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and in some circumstances Personal Health Information Protection Act (PHIPA). When a complaint is filed with the IPC, one of three things may happen. The complaint can be settled, dismissed or launched into an investigation. If an investigation is launched, the IPC will examine the situation and prepare a “Privacy Complaint Report.” The report is provided to the parties, and may contain recommendations such as implementing preventative measures so that a violation does not happen again. However, the Commission does not have the authority to award damages, nor is the report binding on the parties. At the moment, Ontario’s IPC only deals with violations of privacy where the alleged violation was made by a government body. (Health organizations can also be investigated by the IPC for the improper use of personal health records. Where a health organization misuses information that is not related to medical records, it would most likely not fall under the IPC’s mandate. Rather, it would more likely fall under the OPC’s mandate.) In a recent exchange with an IPC representative, I was informed that their mandate might be expanded to examine beyond the scope of government violations. However, for now it does not apply to violations of privacy between individuals or businesses.

2. Federal – Office of the Privacy Commissioner of Canada

Another avenue to consider is the Federal Office of the Privacy Commissioner of Canada (OPC). The OPC oversees the implementation of the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Privacy Act. Unlike its Ontario counterpart, the OPC’s mandate extends beyond privacy violations by government bodies. The OPC examines complaints that allege privacy violations by commercial organizations and individuals, with a few exceptions.  PIPEDA provides the right for individuals to know when and why their personal information is being collected, used, or disclosed. It also provides recourse in situations where personal information is used for any purpose other than what was consented to. When a complaint is filed with the OPC, an investigation may be launched. The Commissioner’s investigation is impartial with respect to the parties involved. Upon concluding the investigation, the Commissioner will prepare a report. The report may contain recommendations for the parties. The report may also request that the organization in question provide notice of any action taken in response to the recommendations. Finally, in some circumstances, the report may discuss recourses, if any, that may be able available at the Federal Court. In most cases, courts are unwilling to award any monetary damages pursuant to violations of PIPEDA. However, in a recent case, the Federal Court awarded $5,000.00 to an individual who was denied a loan due to misleading information provided by the credit bureau. This seems to indicate a new approach to privacy law in these circumstances. It will be interesting to see how future cases apply damages in these circumstances.

3. Intrusion Upon Seclusion – Court Action

Until recently, there were not many options available for individuals whose privacy was violated by another individual (as opposed to a business or governmental organization). That has recently changed. In Jones v. Tsige, (“Jones”) the court recognized a new tort. The cause of action has been coined “Intrusion upon Seclusion”.  The Jones case involved two co-workers at a bank, one of whom was dating the other’s ex-partner. Over the course of four years, Tsige accessed Jones’ banking information on more than 150 occasions.  The court awarded Jones $10,000 for the intrusion upon her seclusion. However, to prevent a floodgate of frivolous claims, the court set some qualifiers to future actions. For a case of intrusion upon seclusion, the following factors must be present:

1. The defendant’s conduct must be intentional or reckless
2. The Defendant invades the plaintiff’s private affairs “without lawful justification”
3. A “reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish”

The court also added a “reasonableness” limitation to claims of Intrusion upon Seclusion. The court stated that:

[c]laims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

Conclusion

With the rise of privacy concerns in Canada, the law seems to be catching up. This area of law is evolving at a rapid pace.  Businesses and individuals alike are now caught by recent developments in the law.