Posts

http://pixabay.com/en/contract-consultation-office-408216/

Toronto privacy lawyer, Gil Zvulony appeared on CHCH’s Square Off to discuss the problem of unlawful disclosure of health records and privacy breaches in hospitals.

http://pixabay.com/en/facebook-connection-social-network-76531/

Toronto Privacy lawyer, Gil Zvulony spoke to Dan Misener of CBC Radio regarding a Facebook status update that has gone viral (radio segment embedded below). The update purports to prevent Facebook from using the user’s intellectual property and private information. These types of updates have been going around for some time.  The latest looks like this:

Due to the fact that Facebook has chosen to involve software that will allow the theft of my personal information, I stated: at this date [insert date] in response to the new guidelines of Facebook, pursuant to articles L.111, 112 and 113 of the code of intellectual property, I declare that my rights are attached to all my personal data drawings, paintings, photos, texts etc…. published on my profile and my page. For commercial use of the foregoing my written consent is required at all times.
Those who read this text can do a copy/paste on their Facebook wall. This will allow them to place themselves under the protection of copyright.
By this statement, I tell Facebook that it is strictly forbidden to disclose, copy, distribute, broadcast, or take any other action against me on the basis of this profile and or its content. The actions mentioned above also apply to employees, students, agents and or other personnel under the direction of Facebook.
The content of my profile contains private information. The violation of my privacy is punished by the law (UCC 1-308 1-308 1-103 and the Rome Statute).
Facebook is now an open capital entity. All members are invited to publish a notice of this kind, or if they prefer, can copy and paste this version.
If you have not published this statement at least once, you tacitly allow the use of elements such as your photos as well as the information contained in the profile update.

Do these Status Updates have any Legal Effect?

Do these status updates help protect your information?  Do they have any legal effect? The short answer is no.  The reason is that a person cannot unilaterally change the terms of a contract.  A contract, by definition, requires the agreement of the parties.

When people first sign up to Facebook they are asked to agree to a contract or as Facebook calls it: “Terms“.  This type of contract, like most contracts people enter today, is called a “standard form contract“.  This means that the terms are standard to all who wish to sign up.  The terms are not negotiable.  It’s a “take it or leave it” option.  Facebook’s contract contains many terms regarding how Facebook uses your information and intellectual property.  It also contains terms on how the contract between the user and Facebook may be changed.

But Facebook Changes Their Contracts Unilaterally?

From time to time, Facebook changes its Terms. How can Facebook change it’s terms unilaterally, when a user cannot?  Because the User agreed to this amending formula at the time of signing up. In this sense, Facebook’s amendments are not unilateral.  The Facebook Terms state that in most cases they will give a user notice that the Terms will change and that  “Your continued use of Facebook following changes to our terms constitutes your acceptance of our amended terms.”  In other words, by using Facebook, you agree to allow them to change their Terms.

How to Protect Your Intellectual Property From Facebook?

Users who are concerned about how Facebook uses their data, should take some time to learn about Facebook’s policies.  Facebook has become more transparent in this regard.  Learning about Facebook’s policies may alleviate some concerns.

Ultimately, Facebook is a business.  And just like any business who makes you an offer, you can take it or leave it.  If you are unhappy with Facebook’s Terms, a better option than pasting legally meaningless jargon is to cancel your Facebook account.

Toronto Privacy Lawyer Gil Zvulony recently spoke to Canadian Lawyer Magazine regarding the recent decision in McIntosh v. Legal Aid Ontario.  In that case the court awarded the plaintiff $7500 in damages for the tort of intrusion upon seclusion.

Gil Zvulony believes that the result is typical in that relatively minor privacy breaches will not result in a windfall damages award.  Most minor privacy breaches will fall in the realm of small claims court jurisdiction.  At the time of writing, all monetary claims under $25,000 must be brought in the Small Claims Court.  There can be negative consequences if a plaintiff recovers an amount within the monetary jurisdiction of the Small Claims Court.  In such a case, the court may order that the plaintiff shall not recover any costs.  Such an outcome can result in a plaintiff paying more in legal fees than in what is actually recovered by way of judgment.   The lesson here is to have a hard look at the amount of damages in privacy breaches before commencing an action.

The article in Canadian Lawyer Magazine can be found here: Legal aid employee to pay $7,500 for intrusion upon seclusion

Toronto Privacy Lawyer, Gil Zvulony was a panelist at the Telematics Canada Conference 2014.   Read more

Canadian Privacy Lawyer, Gil Zvulony, recently discussed potential privacy concerns regarding the use of tracking devices used by some auto insurance companies.  The devices involved are called “Telematic” devices that can measure such things as a car’s location and speed.  Such devices, raise several questions such as:

  1. How is the consumer’s consent obtained?
  2. Is the consumer’s consent fully informed?
  3. Is consent obtained for other drivers who are not customers of the insurance company?
  4. Who owns the data collected?
  5. Can a consumer access the data?
  6. Can a consumer share the data?
  7. Can a consumer modify the data?
  8. Is the data portable?  I.e. Can the data be shared with a new insurance company?
  9. What security measures are in place to protect the data?
  10. Can the data be accessed by police?
  11. Is the data discoverable in civil proceedings?

 

By Everaldo Coelho (YellowIcon) [LGPL (http://www.gnu.org/licenses/lgpl.html)], via Wikimedia Commons

by Shaya Silber

As we move into an age where growing portions of our lives are becoming digitized, many holes are becoming apparent in these new information systems. A lot of these holes revolve around issues of personal information and privacy. Because this scenario is relatively new, many people including policy makers, academics, lawyers and so on, are grappling with the consequences. More importantly, many people are seeking avenues to remedy apparent wrongs. Legally speaking, when your privacy is violated, you have three options to consider.  These options will not apply to every situation so it is a good idea to get legal advice before taking legal action.  The first option is launching a complaint with the Federal Office of the Privacy Commissioner of Canada. The second option is launching a complaint with Ontario’s Information and Privacy Commissioner.  A complaint can be launched where someone’s personal information was collected, used or disclosed in an improper manner.  (These are not the only circumstances where a complaint may be launched.  For example, privacy legislation also speak about the ability to access and correct information). The third option is pursuing the matter via a court action. Unfortunately, courts rarely award damages in cases of privacy violations. Courts tend to award damages in more egregious circumstances. Even when courts do award damages, the amounts can be less than the cost of litigation. Depending on the case, a victim may opt to pursue different options.

1. Ontario – Information and Privacy Commissioner

The first avenue to consider is Ontario’s Information and Privacy Commissioner (IPC). Ontario’s Commissioner hears complaints that violate the Freedom of Information and Protection of Privacy Act (FIPPA), Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and in some circumstances Personal Health Information Protection Act (PHIPA). When a complaint is filed with the IPC, one of three things may happen. The complaint can be settled, dismissed or launched into an investigation. If an investigation is launched, the IPC will examine the situation and prepare a “Privacy Complaint Report.” The report is provided to the parties, and may contain recommendations such as implementing preventative measures so that a violation does not happen again. However, the Commission does not have the authority to award damages, nor is the report binding on the parties. At the moment, Ontario’s IPC only deals with violations of privacy where the alleged violation was made by a government body. (Health organizations can also be investigated by the IPC for the improper use of personal health records. Where a health organization misuses information that is not related to medical records, it would most likely not fall under the IPC’s mandate. Rather, it would more likely fall under the OPC’s mandate.) In a recent exchange with an IPC representative, I was informed that their mandate might be expanded to examine beyond the scope of government violations. However, for now it does not apply to violations of privacy between individuals or businesses.

2. Federal – Office of the Privacy Commissioner of Canada

Another avenue to consider is the Federal Office of the Privacy Commissioner of Canada (OPC). The OPC oversees the implementation of the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Privacy Act. Unlike its Ontario counterpart, the OPC’s mandate extends beyond privacy violations by government bodies. The OPC examines complaints that allege privacy violations by commercial organizations and individuals, with a few exceptions.  PIPEDA provides the right for individuals to know when and why their personal information is being collected, used, or disclosed. It also provides recourse in situations where personal information is used for any purpose other than what was consented to. When a complaint is filed with the OPC, an investigation may be launched. The Commissioner’s investigation is impartial with respect to the parties involved. Upon concluding the investigation, the Commissioner will prepare a report. The report may contain recommendations for the parties. The report may also request that the organization in question provide notice of any action taken in response to the recommendations. Finally, in some circumstances, the report may discuss recourses, if any, that may be able available at the Federal Court. In most cases, courts are unwilling to award any monetary damages pursuant to violations of PIPEDA. However, in a recent case, the Federal Court awarded $5,000.00 to an individual who was denied a loan due to misleading information provided by the credit bureau. This seems to indicate a new approach to privacy law in these circumstances. It will be interesting to see how future cases apply damages in these circumstances.

3. Intrusion Upon Seclusion – Court Action

Until recently, there were not many options available for individuals whose privacy was violated by another individual (as opposed to a business or governmental organization). That has recently changed. In Jones v. Tsige, (“Jones”) the court recognized a new tort. The cause of action has been coined “Intrusion upon Seclusion”.  The Jones case involved two co-workers at a bank, one of whom was dating the other’s ex-partner. Over the course of four years, Tsige accessed Jones’ banking information on more than 150 occasions.  The court awarded Jones $10,000 for the intrusion upon her seclusion. However, to prevent a floodgate of frivolous claims, the court set some qualifiers to future actions. For a case of intrusion upon seclusion, the following factors must be present:

  1. The defendant’s conduct must be intentional or reckless
  2. The Defendant invades the plaintiff’s private affairs “without lawful justification”
  3. A “reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish”

The court also added a “reasonableness” limitation to claims of Intrusion upon Seclusion. The court stated that:

[c]laims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

Conclusion

With the rise of privacy concerns in Canada, the law seems to be catching up. This area of law is evolving at a rapid pace.  Businesses and individuals alike are now caught by recent developments in the law.

Toronto Privacy Lawyer

416-483-3500


Ask a Toronto Privacy Lawyer

Ask a Lawyer with expertise experience knowledge

Consult a Toronto Lawyer with Expertise in Privacy Law

https://www.flickr.com/photos/111692634@N04/15327739193/

 

by Shaya Silber, Toronto Privacy Lawyer

Employers have access to unprecedented amounts of information on their employees and job candidates. Many people, especially young people, don’t realize how much information they are publishing about themselves, and what the possible implications are.  The Onion posted a video about how every presidential candidate in 2040 has already been disqualified because of internet posts that will come back to haunt them. While the Onion’s clip is obviously a spoof, there is some truth to it.

Any post or comment that is posted on Facebook, Twitter or other social media has the potential to remain online and available to the public indefinitely. What may seem like a humorous or harmless post to an 18-year-old college freshman, might be viewed differently by a job recruiter down the road. Careless posting can be serious, resulting in lost jobs and other opportunities.

However, a number of stories have surfaced recently about employers asking job candidates for their Facebook passwords in order to gain access to information that would otherwise be considered private.

In response, the Information and Privacy Commissioner of Ontario (the IPC), recently put out a report on privacy in the workplace. The report discusses how the web has become a central tool for human resource professionals in vetting potential job candidates.

Information that is available online to the public is fair game for employers. However, employers should be cautious about demanding Facebook passwords from employers. This may lead to claims, including lawsuits for violation of privacy. It is too early to determine whether the tort of Intrusion upon Seclusion applies to cases like this, as it has not yet been tested in the courts.

Furthermore, employers should be cautious regarding the amount of information they gather, as well as the impact said information has on the hiring decision.  Decisions based on information gathered online, such as a candidate’s social networking account, could potentially lead to a human rights complaint. The report states that:

human rights and privacy laws provide stronger protections for job applicants. Employers cannot ask for information that may directly or indirectly reveal a prohibited ground of discrimination.

Toronto Privacy Lawyer

416-483-3500


Ask a Toronto Privacy Lawyer

Ask a Lawyer with expertise experience knowledge

Consult a Toronto Lawyer with Expertise in Privacy Law

by Shaya Silber

People are increasingly becoming conscious about their privacy. This is further promulgated by the growth of the internet. Until recently, a person only had recourse for privacy violations against businesses, and in some cases, against government bodies.

The main piece of legislation governing privacy is the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In a nutshell, PIPEDA addresses the collection, use, and disclosure of private information for commercial purposes.  However, until recently, privacy violations by an individual (as opposed to a business) had no specific recourse available.

That has recently changed. In Jones v. Tsige, (“Jones”) the court recognized a new tort. The cause of action has been coined as “Intrusion upon Seclusion”.  The Jones case involved two co-workers at a bank, one of whom was dating the other’s ex-partner. Over the course of four years, Tsige accessed Jones’ banking information on over 150 occasions.  The court awarded Jones $10,000 for the intrusion upon her seclusion. However, to prevent a floodgate of frivolous claims, the court set some qualifiers to future actions. For a case of intrusion upon seclusion, the following factors must be present:

  1. The defendant’s conduct must be intentional or reckless
  2. The Defendant invades the plaintiff’s private affairs “without lawful justification”
  3. A “reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish”

The court also added some limitations to claims of Intrusion upon Seclusion. The court stated that:

[c]laims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

The new tort of intrusion upon seclusion clarifies and arguably expands privacy law in Ontario.  It is now clear that individuals can be held liable for  privacy violations.

If you believe that your privacy has been violated, you may wish to contact a privacy lawyer to discuss your case, and explore the law as it relates to your situation.

 

https://www.flickr.com/photos/mstable/17332612340/in/photolist-spCaMN-8qtm2e-9XVAYy-bW8FNp-3KwegV-ciNGsU-6gY6pQ-eQhHRM-ciNFBu-9AKcQt-ciNGJU-9GRXE9-d4g3uA-Q9cCD-6gTUTM-eQoYFN-6gTV2t-6gY6nh-6gTUXi-eQvgW1-eQknJF-eQkqwi-eQkvVH-6gTUZz-eQkm6t-d4g6K9-a4r2yf-d4g89L-32tRRg-9nJXmp-8YQFoQ-buUS3K-32yryu-dCgL1Q-j1yk46-5iA4GK-9nMZXE-eQczcB-bA32ne-4PP6qq-cdv1xy-aYcbri-cnb4kL-xLB87-fEAKom-cTu2rh-dCbkZr-4uEsNi-xLB89-dCbm2H

by Shaya Silber

Changes to Google’s privacy policy in March 2012 has raised many questions.  Some of the most common concerns revolve around the fact that the information that Google collects from one service is going to be shared with its other platforms as well.  Google made another major change by implementing one uniform privacy policy for most of its platforms.

A Step in the Right Direction

What most people don’t realize is that some of the changes are arguably a step in the right direction. Google brought the policies of several of its services under one umbrella policy. Previously, each of Google’s platforms had its own policy. Each privacy policy was long, technical, and tedious.  Most people did not bother to read the old policy. The few who were brave enough to wade their way through the long, technical document were often confused by its legal jargon.

In the new privacy policy, Google has made a simple, centralized, user-friendly policy.  The policy breaks down the type of information that Google is collecting, as well as the purpose of said collection. For the most part, the new policy does not contain a lot of legal jargon, and is simple to understand.  In user-friendly terms, it discusses how the information is used.  If that weren’t enough, Google outlines the steps that you can take in order to access your information and edit your information gathering settings. This includes opting out of targeted advertising. For example, a common complaint is that Google’s targeted ads hit too close to home. Some people may even describe them as “creepy”. However, under the new policy, Google makes it very easy and quick to opt out of targeted advertising.

As far as Canadian privacy law is concerned, Google’s new policy does not yet seem to be in violation of any law.  The most applicable law would be PIPEDA.  PIPEDA governs the collection, use, and disclosure of private information by private sector companies. In a nutshell, a company must obtain consent before they can collect, use, or disclose an individual’s private information.

It’s arguable that Google’s new policy is a step towards better compliance with PIPEDA. The old system used a series of complicated and tedious privacy policies for each of Google’s products. Each user agreed to those policies, but likely did not understand what they were agreeing to.  In the new policy, user consent is arguably more informed.  Furthermore, a user would have a difficult time arguing that they were not aware of Google’s policy.  This is especially true given the persistent notices that Google has been plastering across their sites.

Privacy law is a rapidly developing area of law. Each business is different, with unique information collection practices. It is difficult to know which privacy law applies to your business, and how to execute a proper privacy policy. If you are starting a new business or website, it is wise that you review your information collection practices with a privacy lawyer before opening up shop.

by Shaya Silber

Privacy law in Canada is regulated by various bodies and pieces of legislation. Most important among these pieces of legislation is PIPEDA. PIPEDA governs how organizations collect, use, and disclose personal information in the context of commercial activities. The Act applies across Canada, except where a province has enacted a similar piece of legislation. For example, British Columbia enacted PIPA, which governs how private sector organizations collect, use, and disclose personal information. Ontario does not currently have such a law to address private organizations (although there is an act which governs the collection and use of medical information and another act which addresses the collection and use of information by government bodies).

Generally speaking, organizations are prohibited from gathering personally identifiable information in the absence of consent by those whose information is being gathered. This includes information such as names, credit card information, telephone numbers and so on.

Privacy commissions have interpreted “personal information” broadly. Typically this has meant any information that applies about a specific person.

However, there seems to be a new development in the law.  A recent decision by the Alberta Court of Appeal held that license plate information was considered to be non-identifiable.  Until now, it would have seemed that a car’s license plate would be considered personally identifiable information.  This is the rationale for distorting images of license plates in Google’s Street View.

The logic behind this is that each car can be traced to the registered owner.  The court held that a license plate was attached to a specific vehicle, and not a specific person (i.e. the driver of the vehicle is not necessarily the registered owner). Furthermore, the court stated that a license plate was not private information because it is out in the open, available for all to see and record.

This means businesses now have a legal precedent to rely on if they are recording this kind of information without obtaining specific consent.  Furthermore, when it comes to this kind of information, a business need not put in safeguards that it would otherwise have to for personal information, such as storing the information in a safe place.