Volume 12 • Number 10
September 2015

In This Issue:

Federal Court Certifies Action for Publicity Given to Private Life
Gillian Scott and W. David Rankin

Health Privacy Revisited—Upcoming Changes to Ontario’s Health Privacy Laws
Ratika Gandhi

Privacy Commissioners Issue Joint Guidance on Bring Your Own Device Programs
Martin P. J. Kratz et al.

Protecting Athlete Privacy: Alleged Concerns in Quebec
Macdonald Allen

You and Your Robot Are Welcome Here: Canada’s Friendly Drone Laws
Emily MacKinnon

Canadian Privacy Law Review

The Canadian Privacy Law Review is published monthly by LexisNexis Canada Inc., 123 Commerce Valley Drive East, Suite 700, Markham, Ont., L3T 7W8, and is available by subscription only.

Web site: www.lexisnexis.ca

Design and compilation © LexisNexis Canada Inc. 2015. Unless otherwise stated, copyright in individual articles rests with the contributors.

ISBN 0-433-44417-7
ISSN 1708-5446
ISBN 0-433-44418-5 (print & PDF)
ISBN 0-433-44650-1 (PDF)
ISSN 1708-5454 (PDF)

Subscription rates: $280.00 (print or PDF), $425.00 (print & PDF)

Editor-in-Chief: Professor Michael A. Geist, Canada Research Chair in Internet and E-Commerce Law, University of Ottawa, Faculty of Law

LexisNexis Editor: Boris Roginsky, LexisNexis Canada Inc. Tel.: (905) 479-2665 ext. 308. Fax: (905) 479-2826

Advisory Board:
● Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Toronto
● David Flaherty, Privacy Consultant, Victoria
● Elizabeth Judge, University of Ottawa
● Christopher Kuner, Hunton & Williams, Brussels
● Suzanne Morin, Ottawa
● Bill Munson, Information Technology Association of Canada, Toronto
● Stephanie Perrin, Service Canada, Integrity Risk Management and Operations, Gatineau
● Patricia Wilson, Osler, Hoskin & Harcourt LLP, Ottawa

Note: This Review solicits manuscripts for consideration by the Editor-in-Chief, who reserves the right to reject any manuscript or to publish it in revised form. The articles included in the Canadian Privacy Law Review reflect the views of the individual authors and do not necessarily reflect the views of the advisory board members. This Review is not intended to provide legal or other professional advice and readers should not act on the information contained in this Review without seeking specific independent advice on the particular matters with which they are concerned.

Federal Court Certifies Action for Publicity Given to Private Life

Gillian Scott, Partner, Osler, Hoskin & Harcourt LLP
W. David Rankin, Associate, Osler, Hoskin & Harcourt LLP

Breaking new ground, the Federal Court recently certified a proposed privacy class action alleging the novel tort of publicity given to private life on the condition that the plaintiffs name an identified representative of the class.

In John Doe and Suzie Jones v. Her Majesty the Queen [John Doe],1 two plaintiffs alleged that Health Canada breached their privacy, leading them to seek certification under pseudonyms to protect their identities. The court certified, for the first time in a Canadian class action, the novel claim of publicity given to private life. Recognizing the tension between privacy and the role of class representatives, however, the court required the plaintiffs to identify a named representative.

Background: Medical Marihuana Privacy Breach

The anonymous plaintiffs in John Doe alleged that Health Canada wrongfully identified them as participants in the federal program for access to medical marihuana. In November 2013, Health Canada sent oversized envelopes marked “Marihuana Medical Access Program” through Canada Post to approximately 40,000 individuals registered in the program.

The plaintiffs alleged that by identifying on the envelopes the participants’ names together with the name of the program, Health Canada breached their privacy and exposed them to security concerns. They claimed that a reasonable person would conclude from the envelopes that the addressees were associated with the federal program, suffered from serious medical conditions, and possessed or consumed marihuana.

The November 2013 mailings were contrary to past practice, and, on November 21, 2013, the Deputy Minister of Health Canada acknowledged that the envelopes resulted from administrative error. In response to 339 complaints, the Privacy Commissioner subsequently concluded that the mailings violated the Privacy Act2 by referring to the program together with the individuals’ names.

Court Certifies Class Action, Given Low Evidentiary Threshold

Justice Phelan continued the trend in the federal courts of applying a relatively low evidentiary threshold at the certification stage.3 Thus, Phelan J. held that certification was appropriate in John Doe, subject to amendments to the pleadings, including identifying a named representative. It was not plain and obvious that the plaintiffs’ causes of action would fail, and the Privacy Commissioner’s report was itself sufficient to provide “some basis in fact” for the other elements of the class certification test.

In addition to causes of action in breach of contract/warranty, negligence, and breach of confidence, the plaintiffs alleged novel causes of action for intrusion upon seclusion and publicity given to private life. Justice Phelan held that the area of privacy rights is developing rapidly and that the development or limitation of novel breach of privacy claims should not be decided at certification.

Although Canadian courts have been dealing with the novel cause of action for intrusion upon seclusion since the Ontario Court of Appeal’s decision in Jones v.
Tsige,4 the tort of publicity given to private life has not yet been directly recognized in a Canadian class action. In the United States, the tort is defined as follows:

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that a) would be highly offensive to a reasonable person and b) is not of legitimate concern to the public.5

Justice Phelan took issue only with the pleading of breaches of ss. 7 and 8 of the Canadian Charter of Rights and Freedoms (“Charter”). However, consistent with his view on the rapid development of privacy rights, he gave the plaintiffs an opportunity to amend the allegations under the Charter.

Publicity Given to Private Life and Anonymity of Class Representatives

John Doe demonstrates that the rapid development of privacy law has implications for class action procedure. In particular, certifying the U.S. tort of publicity given to private life—which has at its core the publication of private information—raises the issue of whether the class representative may remain anonymous under a pseudonym or must be identified to fulfill the representative’s role.

On one hand, publicly identifying the class representative may further publicize aspects of the representative’s private life and may cause further damage. This concern is particularly important in the class action context, given the requirement of providing notice to class members and the generally higher profile nature of class proceedings. On the other hand, class representatives must be accountable to absent class members in how they exercise their responsibilities to the class, including instructing counsel, reviewing settlement offers, and negotiating retainers with counsel.

Justice Phelan recognized this tension and held that “it is the Court’s intention that, if feasible, at least one public class representative should be identified”.6 Justice Phelan made the certification order conditional on the plaintiffs amending their Statement of Claim “naming an identified class representative”. The plaintiffs’ counsel suggested in the course of argument that this was feasible.

John Doe shows that even in privacy class actions where the alleged damage arises from the publication of class members’ names, at least one named representative plaintiff should be identified (if at all possible) to be accountable to class members in the prosecution of the litigation. We expect the significance of this decision to be tested where data breaches result in public disclosure of private information, such as cases where hackers leak information stolen from corporate networks.

Other class action decisions recognize that in some circumstances, the class representative may remain anonymous.7 For more on the responsibilities of class representatives on behalf of absent class members, see our post regarding meaningful scrutiny of the proposed representative plaintiff.8

© Osler, Hoskin & Harcourt LLP

____________________
1 2015 FC 916, Docket: T-1931-13.
2 R.S.C., 1985, c. P-21.
3 For more on the federal courts’ liberal and purposive approach to class action certification, see our recent post on the Condon v. Canada decision, [2015] F.C.J. No. 803, 2015 FCA 159, Docket: A-165-14: Gillian Scott and Aislinn Reid, “Privacy Class Action Appeal Decision Confirms Low Threshold on Certification”, Canadian Class Action Defence, July 23, 2015, <http://www.canadianclassactiondefence.com/2015/07/privacy-class-action-appeal-decision-confirms-lowthreshold-on-certification/>.
4 [2012] O.J. No. 148, 2012 ONCA 32.
5 Restatement (Second) of Torts, §652D.
6 Supra note 1, para. 63.
7 Jane Doe 1 and Jane Doe 2 v. Manitoba, [2008] M.J. No. 292, 2008 MBQB 217.
8 Tristram Mallett and W. David Rankin, “Meaningful Scrutiny of the Proposed Representative Plaintiff”, Canadian Class Action Defence, June 18, 2014, <http://www.canadianclassactiondefence.com/2014/06/meaningful-scrutiny-of-the-proposedrepresentative-plaintiff/>.

Health Privacy Revisited—Upcoming Changes to Ontario’s Health Privacy Laws

Ratika Gandhi, Associate, McMillan LLP

Privacy matters to Ontarians and even more so in light of a number of highly publicized breaches of sensitive personal health information (“PHI”) in circumstances where one would expect PHI to be protected and treated with the utmost confidentiality. As well, there has been increasing pressure to modernize the province’s health privacy laws as a result of changing health care delivery models, electronic health records, and the collaboration among a greater number of individuals involved in the provision of a patient’s health care.

With this in mind, Ontario’s Health Minister Eric Hoskins has announced the government’s commitment to privacy and accountability in the health care system and amendments to the Personal Health Information Protection Act, 2004 [PHIPA].1

While PHIPA is a relatively new piece of legislation in Ontario, having been introduced just over ten years ago, many stakeholders believe that it needs to be updated to reflect growing privacy concerns as well as to better align itself with recent changes made to the federal privacy legislation that governs commercial activities in the private sector—the Personal Information Protection and Electronic Documents Act [PIPEDA].2 PHIPA has been deemed to be substantially similar to PIPEDA, and as such, recent amendments to PIPEDA that include provisions that now make it easier to prosecute offences as well as those that impose increased fines for non-compliance must also make their way into PHIPA.

On May 29, 2013, the Ontario government introduced Bill 78, the Electronic Personal Health Information Protection Act [EPHIPA] to amend PHIPA, with a focus on information sharing and coordination among health care providers involved in a patient’s circle of care, through the creation of a single provincial electronic health record maintained by prescribed organizations. While no specific prescribed organization was listed in Bill 78, it is assumed that eHealth Ontario will be the first entity to be named as such.

EPHIPA previously reached second reading but died on the Order Paper when the legislature dissolved on May 2, 2014. In a news report released on June 10, 2015, by the Ontario Ministry of Health and Long-Term Care, the government has announced its intention to re-introduce a number of the protections to electronic and other PHI, as presented in 2013 through EPHIPA. While it is not completely clear when the new amendments will be put forth, and in what form, below are some of the key amendments from EPHIPA that if and when re-introduced have implications for health care providers and prescribed organizations.

Key EPHIPA Provisions

Prescribed Organizations

One of the main focuses of EPHIPA is the introduction of prescribed organizations as essentially the service providers of the electronic health record database and its related systems. A similar concept does exist in the current regulations made under PHIPA in the form of health information network providers (HINPs). HINPs are defined in the general regulation to PHIPA as a “person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians”. The regulations under PHIPA prescribe minimum standards that are applicable to HINPs, including obligations relating to security of PHI, notification of breaches of confidentiality, and logging and documenting of data accesses. As well, a HINP must enter into a written agreement with each health information custodian concerning the services provided to the custodian that (1) describes the services that the provider is required to provide for the custodian; (2) describes the administrative, technical, and physical safeguards relating to the confidentiality and security of the information; and (3) requires the HINP to comply with PHIPA and its regulations.

The EPHIPA provisions relating to prescribed organizations are in the same spirit as those relevant to HINPs and build upon the framework that is already in place. However, the EPHIPA provisions applicable to prescribed organizations contain more robust requirements, including a tri-annual audit of the prescribed organization’s privacy and security framework by the Information and Privacy Commissioner.

Collection, Use, and Disclosure of PHI by Health Information Custodians (HICs)

Under EPHIPA, a HIC can provide PHI to a prescribed organization for the purposes of creating or maintaining the electronic health record, and in doing so, the HIC will not be considered to be “disclosing” PHI, and the prescribed organization will not be considered to be “collecting” PHI. Disclosure is deemed to occur where a HIC, other than the HIC that originally provided the PHI to the prescribed organization, initially views, handles, or deals with the PHI in the electronic health record for the first time.
A HIC collects PHI on the initial instance on which it views, handles, or otherwise deals with PHI in the electronic health record that the HIC has not provided itself to the prescribed organization. Any subsequent viewing, handling, or dealing with PHI in the electronic health record by either the original HIC who provided the PHI to the prescribed organization in the first place, or a HIC that has already viewed, handled, or dealt with PHI in the electronic health record, is deemed to be a “use” so long as no new or additional information is viewed, handled, or otherwise dealt with. EPHIPA also specifies that the only purpose for which a HIC can collect PHI is to provide health care or to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons.

Consent Directives

Despite the proposed changes introduced by EPHIPA, the legislation will retain the overarching general privacy principles promulgated by PHIPA and PIPEDA, including the concepts of limited access to a patient’s PHI. In particular, under EPHIPA, a patient may limit access to his or her PHI in the electronic health record by a consent directive provided to a prescribed organization. Through a consent directive, a patient may withhold or withdraw his or her consent to the collection, use, and disclosure of his or her PHI contained in the electronic health record for the purpose of providing or assisting in the provision of health care to the individual. This concept is similar, with some modifications, to the “lock-box” provisions in PHIPA, and like such lock-box provisions, there are circumstances under which a HIC may override the consent directive, including to eliminate or reduce a significant risk of serious bodily harm to the patient or others. However, unlike lock-box requests, EPHIPA provides that a prescribed organization is the exclusive manager of consent directives, and as such, all patient requests to limit access must be made to and decided by the prescribed organization. Prescribed organizations must audit, log, and monitor access to PHI that is subject to a consent directive and may override a consent directive for the purpose of notifying a HIC about potentially harmful medication interactions so long as such notification does not reveal underlying PHI that is subject to the directive.

Mandatory Reporting of Privacy Breaches

In the event that PHI in the electronic health record is stolen, lost, or accessed by unauthorized persons, the prescribed organization must notify the HIC that provided the PHI in question. As well, the prescribed organization must notify the Information and Privacy Commissioner in writing where the prescribed organization (or someone that it has retained) has dealt with the PHI in the electronic health record in a manner that is contrary to the legislation or where there has been an unauthorized release of PHI in the electronic health record.

Increase in Fines for PHIPA Offences

Under EPHIPA, there is no limitation period for prosecution of offences under PHIPA. More importantly, EPHIPA doubles the monetary fines for offences committed under the legislation. For an individual offender, the fine is increased from $50,000 to $100,000, and for a corporate offender, the fine is increased from $250,000 to $500,000. If such proposed amendments are reintroduced, this could significantly increase organizations’ exposure for offences.

Contractual Considerations

Until the proposed amendments are actually introduced, it is difficult to fully comment on the implications for all those involved in the provision of health care. However, it appears that prescribed organizations as well as HICs may have a number of additional responsibilities that they must consider.
While the amendments to PHIPA found in EPHIPA do provide a number of explicit duties and obligations applicable to parties involved in the creation, contribution, and access to the electronic health record, it is still arguably important to specify and delineate these responsibilities and liabilities through contractual means. In particular, network services agreements (as currently required for HINPs) are still relevant in that they should still be used to set out the specific services to be provided by a prescribed organization as well as identify the responsibilities and allocate risk between the prescribed organization and participants in the electronic health network. Additionally, there continues to be a need for data-sharing agreements, since these agreements address the exchange and sharing of PHI between participants of a network, typically excluding the HINP (or prescribed organization).

Conclusion

It has become apparent that the use of electronic health records and the changing health care delivery model, while extremely beneficial and efficient in many ways, present a greater risk of unauthorized access, use, and disclosure of PHI. As Brian Beamish, the Ontario Privacy Commissioner, stated “patients who don’t have faith in the security and privacy of electronic health records may not provide full and accurate information to their health care providers—and that could impact the health care they receive”. As such, amendments to PHIPA are necessary and overdue, and the provisions first introduced by EPHIPA were meant to protect Ontarians’ PHI as well as provide greater oversight and compliance. While the actual amendments have yet to be released, it is important for HICs and prospective prescribed organizations to consider the types of changes to health privacy laws that will likely be introduced in the near future and prepare for the additional responsibilities that will result.

© McMillan LLP

___________________
1 S.O. 2004, c. 3, Schedule A.
2 S.C. 2000, c. 5.

Privacy Commissioners Issue Joint Guidance on Bring Your Own Device Programs

Martin P. J. Kratz, QC, Partner, Trademark Agent, Head of Intellectual Property, Bennett Jones LLP
Michael R. Whitt, QC, Partner, Patent Agent, Trademark Agent, Co-Head of Information Technology, Bennett Jones LLP
Stephen D. Burns, Partner, Trademark Agent, Bennett Jones LLP
J. Sébastien A. Gittens, Associate, Trademark Agent, Bennett Jones LLP
Graeme S. Harrison, Associate, Bennett Jones LLP

An organization’s information can be put at risk when staff begin to bring their own devices and use them in the workplace. As a result, in such cases, an organization should consider adopting an appropriate bring your own device (BYOD) program to seek to manage the risks inherent in such activity.

Generally, a BYOD program allows an organization’s employees to use their personal mobile devices for both personal and business purposes. A threshold issue for an organization is to consider what devices may be included in a BYOD policy, as society has moved far past smart phones to all sorts of wearable devices that can capture, process, and post an organization’s confidential information and the personal information of its staff and customers.

While there are many benefits to a BYOD program (e.g., an increase in employee satisfaction and productivity), organizations should evaluate the various inherent risks associated with the implementation and use of a BYOD program and take reasonable steps to mitigate such risks.
To support this process, the Office of the Privacy Commissioner of Canada, along with its provincial counterparts in Alberta and British Columbia, recently released a new joint guidance document (Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?), which highlights various key privacy and security risks that should be considered when making decisions regarding a BYOD program. The following is a brief summary of a few of these considerations:

● Conduct a Privacy Impact Assessment (PIA) and Threat Risk Assessment (TRA): Conducting a PIA and TRA will help identify and address risks associated with the collection, use, disclosure, storage, and retention of personal information. These assessments may lead an organization to restrict the use of applications with, for example, cloud services.

● Develop, Communicate, Implement, and Enforce a BYOD-Specific Policy: Establishing the obligations and expectations of BYOD users is essential to the prevention of privacy and security threats. Organizations are encouraged to work with internal departments, such as information technology, information management, legal, finance, and human resources, to develop an enforceable, easy-to-understand BYOD policy. Such a policy should address issues such as user responsibilities, acceptable and unacceptable uses of BYOD devices, application management, and access requests.

● Mitigate Risks through Containerization: Containerization refers to the compartmentalization of an organization’s corporate information from any other information that may be resident on an employee’s mobile device. Undertaking this process creates a clear division as to what is subject to an organization’s BYOD policy and what is not.

● Formalize a BYOD Incident Management Process: Despite any effort to address all privacy and security risks, organizations should be cognizant that vulnerabilities will continue to exist. In the event of a privacy or security breach, organizations should accordingly have an incident management process in place to help with the identification, containment, reporting, investigation, and correction of that breach in a timely manner.

● Maintain an Inventory: In order to minimize privacy and security threats, organizations should maintain an up-to-date inventory of authorized mobile devices and apps participating in its respective BYOD program. Maintaining such an inventory will help an organization to, among other things, take appropriate steps during an incident response.

Employees whose personal mobile devices are improperly secured put all of the information on the mobile device, including the organization’s confidential information, at risk. Thus, an organization may suffer significant harm, including financial loss, loss of competitive advantage, and/or damage to its reputation if any such device is lost, stolen, jailbroken, or rooted.

This does not mean that an organization should avoid a BYOD program. Increasingly, staff are demanding such programs, so it may become a recruiting and retention issue. However, the organization should seek to create a secure environment where the benefits of a BYOD program can be enjoyed and where the risks are minimized by (1) setting up suitable and appropriate BYOD policies, (2) educating users on those policies, (3) supervising user conduct under the policies, and (4) implementing suitable technological measures to support those policies.

© Bennett Jones LLP

Protecting Athlete Privacy: Alleged Concerns in Quebec

Macdonald Allen, Associate, WeirFoulds LLP

The World Anti-Doping Agency (WADA) adopted the International Standard for the Protection of Privacy and Personal Information in May 2009 to address concerns about the treatment of sensitive athlete information.
Today, concerns over the adequacy of the protection of personal information legislation in Quebec have, according to reports, led to requests that WADA’s headquarters be transferred from Quebec to Europe. To address such concerns, Canada’s federal government is seeking to extend the applicability of its federal data protection law to WADA.

WADA collects a significant amount of data from athletes around the world. WADA’s coordinated enforcement initiatives often require transferring data between different jurisdictions. Among WADA’s initiatives that impact athlete privacy are its data management database called ADAMS, its “whereabouts” rules with respect to an athlete’s location information for random testing and an athlete’s biological passport.

To address mounting concerns over its treatment of sensitive and personal athlete information, WADA adopted the International Standard for the Protection of Privacy and Personal Information (ISPPPI) in May 2009. The ISPPPI came into force on June 1, 2009.1 On January 1, 2015, certain revisions to the ISPPPI came into effect. From the ISPPPI’s preamble, its main purpose “is to ensure that organizations and persons involved in anti-doping in sport apply appropriate, sufficient and effective privacy protections to Personal Information that they Process, regardless of whether this is also required by applicable laws [emphasis in original]”.2 The ISPPPI establishes a minimum set of rules to protect the personal information of athletes.

WADA was established in 1999 in Lausanne, Switzerland. In April 2002, WADA moved its headquarters to Montreal, Quebec.3 WADA warns that it will collect and store personal information in Canada and/or Switzerland. WADA’s online privacy policy issues a warning that “both Switzerland and, to a more limited extent, Canada, have been deemed by the European Commission to be jurisdictions that provide adequate levels of legal protection for privacy. While Quebec offers an equivalent level of protection, no such formal decision has been taken”.4

In Canada, privacy and protection of information law is regulated by federal and provincial statutes. One of the reasons that the Canadian federal law on data protection, the Personal Information and Protection of Electronic Documents Act [PIPEDA],5 was established was to “create a vehicle for Canada to provide a level of protection for personal information that would facilitate the flow of personal information from [European Union] member states to Canada”.6 PIPEDA was declared as providing an adequate level of protection by the European Commission on December 20, 2001.7

During the preparation of the ISPPPI, a WADA expert group specifically took into account a number of international privacy rules and standards, including but not limited to, Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the processing of personal data and on the free movement of such data.8

On June 4, 2014, an independent European advisory body (the “Working Party”), established under Article 29 of Directive 95/46/EC on data protection and privacy, prepared an opinion on the protection of personal data in Quebec. The adequacy of the data protection legislation in force in Quebec referred to Articles 35 to 41 of the Civil Code of Quebec9 and the Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Act”).10 Among other things, the Working Party considered that the Canadian federal and provincial opinions on the scope of the application of the Quebec legislation to both interprovincial and international transfers of personal information did not coincide.
The Canadian federal privacy commissioner was of the view that PIPEDA applied to interprovincial or provincial transfers of personal information, while the Quebec provincial Commission d’Accès à l’information (CAI) considered that in the case of interprovincial and international transactions, both the federal and provincial legislation applied.11 The Working Party considered that it was “necessary to clarify the territorial scope of the Quebec Act before any decision on its adequacy is taken by the European Commission”.12 As of the writing of this article, Quebec’s provincial legislation has not received an adequacy decision by the European Commission.

Under Article 8.2 of the ISPPPI, Anti-Doping Organisations (as defined in the ISPPPI) shall not disclose Personal Information (as defined in the ISPPPI) to other Anti-Doping Organisations where there is evidence that the recipient Anti-Doping Organisation does not or cannot comply with the ISPPPI. Where there are concerns that another Anti-Doping Organisation is incapable of complying with the ISPPPI, those concerns shall be made known to the Anti-Doping Organisation and WADA as soon as possible.13

Concerns over the adequacy of the provincial protection of information legislation in Quebec have apparently led to requests that WADA’s headquarters be transferred to Europe.14 To address such concerns, the Canadian federal government’s omnibus budget bill, the Economic Action Plan 2015 Act (“Bill C-59”)15 seeks to amend PIPEDA.16 In Division 13 of Bill C-59, PIPEDA is amended by specifically making the federal legislation applicable to organisations set out in a new schedule to the act. At this time, the only organisation included in the new schedule is WADA.
As noted in the Senate Standing Committee’s report on the content of Bill C-59, “the proposed amendments to PIPEDA would expand the potential application of the law beyond federal works, undertakings and businesses and the commercial activities of private-sector organizations to include any organization that is added to Schedule 4 with respect to the personal information set out in that Schedule”.17 The amendments to PIPEDA establish a precedent to broaden the scope of PIPEDA to include organisations that are not federal works, undertakings or businesses, or otherwise engaged in commercial activities.18

It is unclear what effect this amendment will have on WADA’s operations. In its written submission to the Standing Committee on National Finance, the Privacy Commissioner of Canada noted that “the extension of PIPEDA’s application to WADA […] will not remove the application of substantially similar Quebec privacy law as it applies to collections, uses and disclosures of personal information within the Province of Quebec”.19 Quebec’s provincial legislation was deemed substantially similar to PIPEDA in December 2003.20

Global organisations such as WADA, which transfer data within provincial, national, and international borders, often adopt privacy compliance measures that meet the strictest legislative requirements in whichever jurisdiction they operate. On that basis, WADA’s operations likely satisfy the requirements of both Canada’s federal and provincial protection of information legislation but may expose the organisation to complaints under each regulatory regime.
The real effect of the amendments to PIPEDA may be on the judicial analysis of Canada’s division of powers and inter-jurisdictional immunity with respect to privacy and protection of information legislation due to questions about the amendment’s constitutional validity.21

© WeirFoulds LLP

[Editor’s note: To access the article “Protecting Athlete Privacy: Alleged Concerns in Quebec” first published in World Sports Law Report, visit either <http://www.e-comlaw.com/world-sports-law-report/article_template.asp?Contents=Yes&from=wslr&ID=1792> or <http://www.weirfoulds.com/_WF-Protecting-Athlete-Privacy>.]

_____________________

1 WADA, International Standard for the Protection of Privacy and Personal Information, <https://wada-main-prod.s3.amazonaws.com/resources/files/WADA_IS_PPPI_2009_EN.pdf>.
2 Ibid.
3 WADA, “Regional Offices”, <https://www.wada-ama.org/en/contact-us/regional-offices>.
4 WADA, “Privacy Policy”, <https://www.wada-ama.org/en/privacy-policy>.
5 S.C. 2000, c. 5.
6 Office of the Privacy Commissioner of Canada, The Case for Reforming the Personal Information Protection and Electronic Documents Act, p. 6, <https://www.priv.gc.ca/parl/2013/pipeda_r_201305_e.pdf>.
7 Article 29 Data Protection Working Party, “Opinion 7/2014 on the Protection of Personal Data in Quebec” (June 4, 2014), <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp219_en.pdf>.
8 Supra note 1, “Preamble”.
9 Civil Code of Quebec, CQLR c C-1991.
10 The Quebec Act, CQLR c P-39.1.
11 Supra note 7 at p. 4.
12 Ibid., p. 5.
13 Supra note 1, article 8.2.
14 Michael Geist, “How Bill C-59 Reshapes Canadian Privacy Law”, Michael Geist, June 15, 2015, <http://www.michaelgeist.ca/2015/06/how-bill-c-59-reshapes-canadian-privacy-law/>; see also Allison Lampert, “Canada Will Act to Keep Doping Agency in Montreal”, Reuters Canada, April 20, 2015, <http://ca.reuters.com/article/sportsNews/idCAKBN0NB2CJ20150420>.
15 Canada. Parliament. Bill C-59, Economic Action Plan 2015 Act, 41st Parl., 2nd Sess., 2015 (assented to June 23, 2015).
16 Senate Standing Committee on National Finance, “Report on the Subject Matter of Bill C-59”, Twenty-Second Report, June 2015, p. 25, <http://www.parl.gc.ca/sencommitteebusiness/CommitteeReports.aspx?Language=e&Parl=41&Ses=2&comm_id=1013>.
17 Ibid., p. 26.
18 Letter from Privacy Commissioner of Canada to Standing Senate Committee on National Finance (June 1, 2015), <http://www.parl.gc.ca/Content/HOC/Committee/412/FINA/WebDoc/WD7992837/412_FINA_C-59_Briefs%5COfficeOfThePrivacyCommissionerOfCanada-e.pdf>.
19 Ibid., p. 2.
20 Privacy Commissioner of Canada, Learning from a Decade of Experience: Quebec’s Private Sector Privacy Act (Montreal: Government of Canada): 4, <https://www.priv.gc.ca/information/pub/dec_050816_e.pdf>.
21 Supra note 14.

You and Your Robot Are Welcome Here: Canada’s Friendly Drone Laws

Emily MacKinnon
Associate
McCarthy Tétrault LLP

Whether used to view real estate, monitor remote industrial operations, deliver goods, shoot scenes in the television and film industry, or assist with search and rescue, Canada’s flexible regulations and its focus on enabling drone operations have made it a leader in the nascent drone industry. This is only logical: in Canada’s remote and challenging terrain, the commercial use of drones makes a lot of sense. It may also be easier to integrate drones into our relatively uncrowded airspace.
Other jurisdictions are working to catch up: for instance, on March 29 of this year, the Hong Kong Privacy Commissioner for Personal Data published a guidance note that supplements previous guidance on the use of closed circuit television systems and for the first time addressed the use of drones. Wherever located, all drone-using businesses face the challenge of navigating increasing safety and privacy concerns. Companies considering drone operations in Canada need to be aware of the rules.

Regulating by Weight

In Canada, drone safety is often addressed by regulations specifying where drones may be flown. Most jurisdictions distinguish between drones flown for commercial purposes and those flown for recreational purposes, provided the drone is below a particular weight. In the U.S., that weight is 55 lbs, or just under 25 kgs. In Hong Kong, that weight is much lower—7 kgs. In Canada, drones under 35 kgs are model aircraft as long as they are flown recreationally. They must be flown in accordance with Transport Canada’s guidelines—for instance, they cannot be flown within five nautical miles of an aerodrome—but they are otherwise largely unregulated. Transport Canada’s new proposed drone regulations, unveiled on May 28, 2015, however, would drop the drone weight below which they are unregulated to 25 kgs.

Currently, drones that are flown for commercial purposes or that exceed 35 kgs are unmanned air vehicles (UAVs).1 Up until November 2014, all UAVs could be flown only in accordance with a special flight operations certificate (SFOC). As of November 2014, blanket exemptions apply to UAVs weighing less than 25 kgs, provided certain rules are followed. The new proposed drone regulations would replace these exemptions, which are due to expire in December 2016.

Flexible Permits in Canada

For now, SFOCs offer regulators a flexible response to the rapidly-evolving drone industry. And they are popular.
In 2014, 1,672 SFOCs were issued—up from 945 in 2013, and 347 in 2012. With an SFOC, Transport Canada can design rules that make sense for particular UAV pilots and for particular UAV flights. This is a major advantage over jurisdictions like the U.S., for instance, which until recently required drone operators to hold full-fledged private pilot licences. In Canada, drone pilots are currently required to have only a “satisfactory level of knowledge, experience and skill”, although it is likely that UAV pilot permits will eventually be required.

Technology-Neutral Privacy Laws

Addressing privacy concerns may be as simple as ensuring that existing laws encompass drones. This is the approach taken by Hong Kong in its recent guidelines. Similarly, Canada’s Privacy Commissioner has opined that Canada’s existing privacy laws apply to drones. While lateral surveillance—private citizens surveilling other private citizens—is often not covered by privacy statutes, torts such as intrusion upon seclusion may fill that gap.

Even if existing laws apply, however, drones present a unique challenge for enforcement. Catching the drone—and its operator—is not always simple, as French authorities discovered when tracking drones in Paris. In fact, many police forces in Canada use drones themselves—which raises the spectre of police drones being used to track and chase scofflaw civilian drones and their operators. Hong Kong’s guidelines suggest using flashing lights or other methods to inform observers that the drone is recording video, much like the requirement in Japan and South Korea that all cell phone cameras emit a “shutter” sound when taking a photo. Similar suggestions have been made in the U.S. but so far have not been widely championed.

Flying beyond Visual Line-of-Sight

Sending drones beyond the visual range of the pilot is key to the commercial use of drones. The point, after all, is to send drones to locations inaccessible by people.
Such operations crystallize safety and privacy concerns, however—think of the mystery drone seen peering into apartments in Vancouver—and as a consequence, most regulators will not permit drone operations beyond visual line of sight. Even the recent U.S. draft drone regulations, published in February 2015, would restrict operations to visual line of sight.

Canada has taken a different approach. SFOCs may be issued for drone operations beyond visual line of sight, provided (1) the drone has a sense and avoid system, (2) the operations will be conducted entirely within restricted airspace, or (3) the applicant has implemented some other method of mitigating collision risks. Looking to the future, Transport Canada’s Unmanned Air Vehicle Working Group will be exploring regulations for drone operations beyond visual line of sight. We—and the drones—will be watching with interest.

© McCarthy Tétrault LLP

_____________________

1 Do not get too used to Canada’s terminology—the international organization that governs civil aviation, ICAO, uses the terms Remotely Piloted Aircraft Systems (RPAS) and Unmanned Aircraft Systems (UAS), and Canada is eventually likely to follow its lead.