August 29, 2022

Privacy Round-Up (Volume 17)

In this Edition of the Round-Up:

Government Developments

Regulatory Authority Developments

Case Law Developments

New AccessPrivacy Offerings for Subscribers: Summer 2022

Government Developments

  • A draft regulation regarding the confidentiality incident reporting obligations and record-keeping obligations in Bill 64 has been introduced by the Government of Quebec. The regulation specifies:

    • the content of the notices affected organizations must give to both the Commission d’accès à l’information (CAI) and to individuals whose information has been affected by the confidentiality incident; 

    • when such notices are to be made public;

    • the content of the records an organization must keep regarding the security incident; and

    • the length of time the organization must keep such records.

  • Alongside the confidentiality incident obligations in Bill 64, the regulation comes into force on September 22, 2022. Further information can be found on the AccessPrivacy Breach Notification Topic Hub

 

  • Guidance on new obligations surrounding electronic monitoring of employees has been released by the Ontario Ministry of Labour. As reported in Volume 13 and Volume 14 of the Round-Up, amendments to the provincial Employment Standards Act require Ontario-based organizations with more than 25 employees as of January 2022 to implement an electronic employee monitoring policy by October 2022;

 

  • Foreign nationals outside of Canada now have a statutory right to access their personal information held by Canadian federal government institutions. According to the Office of the Privacy Commissioner of Canada (OPC), this change – as a result of the federal government’s Privacy Act Extension Order No. 3 – brings Canada’s public sector privacy legislation closer in line with global counterparts such as the United Kingdom and the European Union;

 

Regulatory Authority Developments 

  • An analysis of nearly 2,000 privacy breaches reported under the provincial Personal Information Protection Act between 2010 and 2021 has been published by the Information and Privacy Commissioner of Alberta (OIPC Alberta). The report includes guidance for organizations determining whether a particular breach of security safeguards presents a “real risk of significant harm” (RROSH), including key factors in the circumstances where the OIPC determines that there was no RROSH;

 

  • A company administering mandatory COVID-19 tests to travellers passing through the Montreal-Trudeau airport has ceased collecting email addresses to send unsolicited marketing material. The move follows an investigation conducted by OPC, with collaboration from Quebec's Commission d’accès à l’information. The OPC emphasized in its announcement that Quebec's Bill 64 (and the federal Bill C-27, if passed) will allow for the imposition of financial penalties following similar contraventions of privacy legislation;

 

  • Guidance on "credential-stuffing attacks", which exploit the re-use of usernames, email addresses and passwords, has been jointly released by several international data protection and privacy regulators, including the OPC. The guidance document includes measures that can be taken by individuals as well as specific guidance for organizations looking to identify and mitigate this type of attack;

 

 

 

  • The final Guideline B-13 – Technology and Cyber Risk Management has been issued by the federal Office of the Superintendent of Financial Institutions (OSFI). The guideline is intended to assist federally regulated financial institutions “in developing greater resilience to technology and cyber risks”. The final version of the guideline follows a consultation process that took place in early 2022 and was discussed in Volume 7 of the Round-Up;

 

  • The OPC has made submissions as part of a consultation launched by the Canada Border Services Agency. The consultation relates to the CBSA’s proposed regulations under Bill S-7, An Act to Amend the Customs and Preclearance Act, 2016, which addresses circumstances in which Canadian border service officers can examine information stored on personal digital devices. Previous developments relating to this Bill were discussed in Volume 16 of the Round-Up;

 

  • The Office of the Privacy Commissioner for British Columbia (OIPC BC) has released its 2021-2022 Annual Report. Key highlights include progress relating to provincial privacy law reform in both the public and private sectors, the OIPC BC's work in relation to oversight and regulation of artificial intelligence in public-sector decision-making, and collaborative efforts among the OIPC BC, Elections BC and BC’s major political parties towards a voluntary Political Campaign Activity Code of Practice;

 

  • The Office of the Saskatchewan Information and Privacy Commissioner has also released its 2021-2022 Annual Report. Key highlights include the Commissioner’s encouragement for the introduction of a “Saskatchewan Digital ID”, a discussion of privacy interests and virtual healthcare platforms, a discussion of ongoing privacy issues stemming from misdirected faxes, and a summary of recommended legislative changes. Reports released this year by other privacy watchdogs in Canada were highlighted in volume 16 of the Round-Up; 

 

Case Law Developments

  • The British Columbia Supreme Court once again declined to recognize the existence of the common law tort of intrusion upon seclusion in the province. The Court also followed Ontario jurisprudence in holding that the situation of a data breach (where the defendant is "alleged to have 'intruded' by failing to prevent an independent third party from hacking into a database") is not actionable under the common law tort. The Court nevertheless certified the class action based on common issues in contract, negligence, breach of statutory torts, and breach of consumer protection legislation. For a detailed discussion on the development of cross-jurisdictional privacy tort case law, view the AccessPrivacy May 2022 Webinar on-demand here;

 

  • The constitutionality of Canada’s expanded “rape-shield laws”, updated in 2018, has been confirmed by the Supreme Court of Canada. Sections 278.92 to 278.94 of the Criminal Code protect a complainants’ interest in their own private records when an accused seeks to introduce such records as evidence in sexual assault cases;

 

  • The Newfoundland Supreme Court has held that s. 41(1) of the Canada Post Corporation Act, which authorizes Canada Post to search all non-letter mail, violates individuals’ right under s. 8 of the Canadian Charter of Rights and Freedoms to be secure against unreasonable search and seizure. The court’s declaration of invalidity has been suspended for a period of one year;

 

  • Provisions authorizing strip searches in correctional institutions under Ontario’s Ministry of Correctional Services Act are being challenged in Ontario courts. The Canadian Civil Liberties Association has filed a statement of claim arguing that the broad authority granted to administrative officials violates s. 8, as well as the right to life, liberty and security of the person (s. 7) under the Charter

 

  • The Court of Appeal for Ontario allowed an appeal involving evidence collected from an Airbnb rental unit. The owner of the property was acquitted on voyeurism charges after the trial judge found that the police had violated his s. 8 Charter rights by searching for and seizing a hidden camera that was reported by an individual who had rented the property. The Court of Appeal disagreed with the lower court’s decision and ordered a new trial;

 

  • In a recent decision, the Court of Appeal for Ontario confirmed that a school principal had violated the s. 8 Charter rights of two employees by searching for, screen capturing, and sharing with the school board the employees’ private communications. The communications in question had been stored in the cloud, but were displayed to the principal during a search of a classroom computer;

 

New AccessPrivacy Offerings for Subscribers: Summer 2022

  • An interactive clause-by-clause annotation of the Federal Government’s proposed Consumer Privacy Protection Act (CPPA), as set out in the Digital Charter Implementation Act, 2022, is available to Knowledge Portal subscribers. The annotation, which includes comparisons to corresponding PIPEDA sections and analytical commentary on the new framework, will be updated regularly over the coming weeks; 

 

  • Our Legislative Reform Portal provides a suite of resources to help you navigate and stay informed about Canadian federal and provincial legislative reform developments, including new Quebec obligations in force September 22, 2022; 

 

  • The Winter 2022 edition of Privacy in the Courts: A Quarterly Review is now available with 22 informative case summaries and commentary by Dr. Teresa Scassa and expert Osler lawyers. View the full table of contents here. Knowledge Portal subscribers can access the publication, in PDF and web-based versions, here.

 

  • Interested in becoming a Knowledge Portal subscriber? Click here for more information or contact us directly.

***

Sign up for AccessPrivacy's complimentary e-news updates to receive each edition of the Round-Up by email. The archive of past editions of the Privacy Round-Up is available to AccessPrivacy Knowledge Portal subscribers. 

Please note: some of the embedded links direct to resources available only to AccessPrivacy Knowledge Portal subscribers. However, if you are having issues opening links to publicly available materials, please try clearing your browser cache (including cookies and files) before clicking the link again.