Canada’s federal privacy law, PIPEDA, was enacted to be one of our framework laws that would underpin our digital economy. It’s goal was to recognize the privacy rights of individuals and at the same time to recognize the legitimate needs of organizations to collect, use, and disclose personal information. That balance between privacy and uses of personal information for appropriate purposes was underscored by the Supreme Court in a decision released yesterday in Royal Bank of Canada v. Trang 2016 SCC 50. .
Posts Tagged ‘Privacy’
The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad reading holding that the laws of a Member State apply to data controllers in another Member State who operate a website that processes data of residents of the first Member State. The Court, however, construed the enforcement jurisdiction of supervisory authorities narrowly ruling they do not have the ability to impose penalties on controllers not established in the Member State. The judgment of the Court in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C‑230/14, October 1, 2015 has significant repercussions for EU and non-EU businesses that operate websites that target residents of a Member State and potentially for the territorial reach of the “right to be forgotten”.
Schrems, what the CJEU decided and why it is a problem for Canadian and other non-EU businesses (updated)October 12th, 2015
On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected judgment, invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU despite a decision by the EU Commission that such protection is provided. It also invalided Commission Decision 2000/520 which had found that transfers of personal data to the US from the EU provided adequate protection where the recipient complied with the EU-US Safe Harbour Principles.
EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.
A divided Supreme Court ruled that individuals cannot be secure that their most personal information will be protected from warrantless searches when arrested. In a 4 to 3 ruling, in R v Fearon, the Court held that if a person is lawfully arrested, a search is conducted that is incidental to the arrest, the search is tailored to its purpose, and the police take detailed notes, police may search the person’s cell phone.
The Digital Privacy Act (Bill S-4) will make significant changes to Canadian privacy law when it is enacted. The amendments to PIPEDA have been in the making since 2007 following the statutory review of PIPEDA by the Standing Committee on Access to Information, Privacy and Ethics. The Bill has passed the Senate and was referred to the Standing Committee on Industry, Science and Technology. The INDU Committee will begin considering the Bill on November 25, 2014.
Earlier today, the Supreme Court released a landmark decision dealing with privacy on the Internet. The main issue in R v Spencer 2014 SCC 43 was whether a user of the Internet has a reasonable expectation of privacy in his or her basic subscriber information held by the user’s ISP that prevents the police from obtaining this information from the ISP without a warrant or court order. Prior to the decision some courts had ruled that ISPs could turn over subscriber contact details associated with the person’s IP address to police without a warrant or court order. The Court rejected this line of cases ruling that a person has a reasonable expectation of privacy associated with Internet activities and that the “lawful authority” exemption in PIPEDA does not create a basis to turn such information to the police.
In a bombshell opinion released earlier today, the CJEU ruled that Google Inc. is subject to EU data protection laws even where its servers are located outside of the EU. The Court ruled that when Google spiders the web and indexes the globe’s data, it is a processor with respect to personal information and a controller of such information. In the case before the Court, this meant that Google was required to de-index links to personal information, even though the information was accurate and without any showing that making the information available was prejudical to the data subject. The case is bound to lead to many further questions about the scope of the duties of search engines like Google under EU laws. I raised this issue in an interview with CTV News.
The Supreme Court released a landmark decision today in the Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62 case. In short, the Court found that while Alberta’s privacy legislation PIPA plays a vital role in protecting privacy, it violated the Charter right to freedom of expression by precluding the use of personal information in the labour context. The ruling is an appeal from a decision the Alberta Court of Appeal, which is summarized here.
The headnote of the case reads as follows:
Last week I had the pleasure of listening to a great talk titled “Privacy: Getting Accountability Right” at the 2013 Compliance and Consumer Complaints Annual Conference organized by the Canadian Life and Health Insurance Asscoiation Inc. Taking place in sunny Vancouver (see below), the speakers were Barbara Bucknell of the Office of the Privacy Commissioner of Canada, Jill Clayton, Information and Privacy Commissioner, Alberta, and Elizabeth Denham, Information and Privacy Commissioner, British Columba.
Here is a summary of their remarks.
The first question addressed to each panelist was the trends they were seeing in relation to privacy in the insurance industry.