July 2002

PrivaTalk

Volume 2
Issue 7

Recent Canadian Court Decisions Impact Privacy Rights

This article will discuss two recent cases, one involving the public sector and the other involving the private sector, that put limits on individuals’ privacy rights.

In a unanimous decision that strengthens the Privacy Act’s powers to compel disclosure, nine judges of the Supreme Court of Canada ruled in favour of a Montreal man, Robert Lavigne, who had filed a complaint about a former employer, followed up by a lawsuit seeking damages.

Lavigne complained to the Official Languages Commissioner that he was forced to speak French in 1992-1993 at a designated “bilingual” workplace, Health and Welfare (now Human Resources Development), and that his contract was not renewed. The Official Languages Commissioner interviewed Lavigne’s colleagues, and eventually upheld his complaints. But later, when Lavigne sued his employer for damages and wanted to use the interviews as evidence, the languages commissioner refused to release the notes. The people interviewed spoke based on a promise of confidentiality, the commissioner argued.

The Supreme Court of Canada ruled that although the Privacy Act effectively trumps the Official Languages Act, the law guarantees confidentiality to witnesses only for the purposes of facilitating an investigation. Once a specific investigation is over, personal information must be disclosed to the individual seeking it, unless revealing it could “reasonably” be expected to harm a future investigation. Thus, people who complain to federal investigators about co-workers or managers should expect that their personal information may later be disclosed to those same people, after the investigation has been completed. The judges dismissed concerns that the risk of disclosure would deter witnesses. Justice Charles Gonthier wrote it “may also promote frankness”.

After Lavigne took his complaint about releasing the interviews to the Privacy Commissioner, and later to court, the Office of Official Languages changed its policy. It now informs witnesses that while investigations are conducted in private, information may later be disclosed in other proceedings.

Even without the information, however, Lavigne won his lawsuit for damages against his former employer. The employer was ordered to pay him $3,000 in damages and write him a letter of apology.

The Privacy Act applies to most federal government departments, agencies and offices, and so the ruling is believed to have broad applications. Under the private sector privacy legislation, consent would be required to disclose personal information in the context of an investigation, regardless of whether or not the investigation has been completed, unless it is being disclosed to an investigative body or government institution, or unless a court orders otherwise.

Meanwhile, a recent case on the private sector side weighed the right to privacy on the Internet against public health. A Superior Court judge recently ordered Rogers Cable to reveal the identity of a customer who sent anonymous e-mail claiming he is a sexually active gay man who donates blood.

The blood agency is suing the man for negligent misrepresentation because he lied on the questionnaire that all potential donors must sign. It asks male donors if they have had sex with another man since 1977, the beginning of the AIDS epidemic among gay men. If they say “yes”, they are banned from donating.

The agency would not have learned of the alleged deception had the man not sent them anonymous e-mail messages from a Hotmail account. The messages were critical of the agency’s controversial policy that excludes most gay men from donating.

In one message, the man admits that he and his partner lied about their sexual histories on the questionnaire and gave blood. He said he “detests” having to deny his sexuality on the questionnaire, but claimed he has no other way to get around “such blunt discrimination”.

Canadian Blood Services traced the IP address (a number embedded in every e-mail message) back to the Internet service provider, Rogers Cable. However, the exact identity of the man could be determined only if Rogers used its own records to match up the customer with the IP address he was using at the time.

Rogers complied with the order to release the man’s name without putting up a legal fight. This is typical of most Internet providers who want to avoid expensive legal entanglements. Should ISPs try to preserve the identity of their clients? In principle, it is important that people be able to use their Internet connections freely without the fear of having their identity revealed. A Rogers Cable spokesperson said all customers sign an agreement that allows the company to turn over their names when forced to do so by a court order or warrant. The company has responded to such court orders in the past in child pornography investigations. But the policy means that even whistleblowers or critics of the government who want anonymity risk being identified when they use the Internet to communicate.

The blood agency is now working with hospitals to trace the blood donations made by the man and his partner. This week, it will notify anyone who might have received the blood and offer them HIV tests. The agency has banned both men from donating blood again and is seeking $100,000 in damages, in part to recover the costs of tracking down the recipients of the blood.

These cases make it clear that individuals should be wary of the fact that privacy is not an absolute right. Perceived (even if not real) risks to health or public safety, or legal disputes requiring individuals to be identified, may often mean privacy takes the backseat.


Federal Privacy Commissioner’s Decisions on Access to Credit Information

In February, the Privacy Commissioner issued a decision in favour of a bank finding that providing a customer with an internal bank-generated credit score would result in a disclosure of confidential commercial information (the credit score model) and thus the bank could refuse to provide access in accordance with the exceptions outlined in the private sector privacy law. The Commissioner emphasized that a credit score provided by a credit reporting agency is based on a standardized model composed largely of biographical data and credit history of the individual. A financial institution, on the other hand, uses a unique internally developed model that also incorporates factors specific to the institution – for example, corporate policies, business strategies, corporate and product objectives, historical loan data, economic indicators, and demographic data. That decision can be found at http://www.privcom.gc.ca/media/an/wn_020227_e.asp.

Now, we also have two recent (end of April) decisions involving credit information access requests. Both involved an unsuccessful applicant for a credit card complaining that a bank had refused access to the personal information it had collected and used in making the credit decision about the individual. Both cases also resulted in findings that the bank had taken too long to respond to the access request in violation of the 30-day response requirement in the legislation.

In the first case, the bank finally responded by sending the complainant a copy of the credit agency report it had obtained about him. The complainant expressed dissatisfaction with this information because it contained codes that he did not understand. The Privacy Commissioner suggested that the bank supply the complainant with a legend to explain the codes. The bank declined to do so, taking the position that the responsibility for explaining credit reporting information lies solely with the agency that generated it.

The Commissioner noted furthermore that Principle 4.9.4 of Schedule 1 of the legislation clearly puts the onus on the collecting organization to explain information in understandable terms to the individual and that the Act makes no provision for an organization to refer the individual to another organization for that purpose. Having determined that the bank remained unwilling to provide a legend or otherwise explain the information, the Commissioner found that the bank was in contravention of the Act. The Commissioner suggested that the bank collaborate with credit reporting agencies to develop understandable, consumer-friendly formats for credit information.

In the second case, the bank responded by sending the individual only the information he himself had provided on his credit application form. Even though the complainant had specified that he wished to exercise his right to receive directly from the bank all the information it had collected about him, the bank merely referred him to the agency for access to his credit reporting information. Neither the bank nor the agency argued that any of the credit reporting information constituted confidential commercial information and was thus exempt under the Act.

In the interest of resolving the complaint, the bank was initially willing to release the credit reporting information to the complainant if the agency agreed. The agency said it would support the release, with the exception of two credit scores included in the information. As grounds for this specific refusal, the agency cited a non-disclosure clause in its licensing agreement with the firm whose standardized credit scoring models it had used to generate the scores. The bank then decided not to release any part of the credit report.

The Commissioner noted that the non-disclosure agreement between the bank and the credit reporting agency made an exception for disclosures required by law. He pointed out that the Act is in fact law and does require disclosure of an individual’s personal information on request by the individual.

The Commissioner considered the Act to be clear and unequivocal on the issue: by Principle 4.9 and section 5(1), unless any of the section 9 exempting provisions applies, an organization must give access on request to personal information it has collected about an individual. He noted that in this case the bank had not even invoked an exempting provision. However, due to the Commissioner’s comments in the February case where he distinguished internally generated scores from those generated by credit reporting agencies, it is unlikely that the exemption for “commercial information” could have been of much use to the bank in any case. He determined that the bank had been clearly obliged to give the complainant access to all the personal information he had requested, including the agency's credit report and the credit scores contained in it, and had had no reason under the Act to refuse access to any of it. He found therefore that the bank was clearly in contravention of the law.

The Commissioner also found that in keeping with its obligations under Principle 4.9.4, which states that requested information must be made available in a form that is generally understandable, the bank should also be prepared to provide whatever assistance and explanations may be required in understanding credit reporting information.

The Commissioner also stated that he was not persuaded that the expense involved in attending to the requirements of Principle 4.9 need be nearly as significant as the bank purported. He did not think that the bank’s employees would themselves require much instruction in reviewing credit reports with consumers, and assumed that many of them would already be familiar with the codes and symbols.

These cases have significant repercussions on the way banks respond to customer requests for their credit information. The time required to respond to such requests will surely increase costs and resource requirements for the banks.

The full decisions can be found on the Privacy Commissioner’s Web site at http://www.privcom.gc.ca/cf-dc/index2_e.asp.


British Columbia Consults on Privacy Legislation for the Private Sector

B.C.’s Ministry of Management Services (the “Ministry”) recently released a consultation paper to obtain the public’s opinion regarding private sector privacy legislation that it plans on developing. The B.C. government cites an Ipsos-Reid survey conducted in the winter of 2000 showing that 92% of British Columbians want the government to pass private sector privacy legislation. The real impetus is the fast approaching deadline imposed by the federal Personal Information Protection and Electronic Documents Act that purports to apply to organizations under provincial jurisdiction unless the province enacts “substantially similar” privacy legislation by January 1, 2004.

The following are some interesting questions and assumptions that the B.C. government poses:

The Ministry asks whether it is useful to refer to the importance of non-binding privacy codes in the legislation as a foundation for privacy compliance. My reaction: Such codes developed by individual organizations or industry associations serve the purpose of being open about one’s practices or may outline best practices for staff or for a particular sector, but their importance should not be overemphasized. The key to compliance is analyzing information flows within an organization and ensuring that the purposes for collecting, using or disclosing personal information are appropriate and that consents are received.

B.C. is proposing that the new privacy law not create any “sector specific standards that create ‘special provisions’ or lower standards”, but apply to all private sector organizations equally. The Ontario approach, as reflected in the draft Privacy of Personal Information Act, offers a special set of rules for health information custodians (such as health care practitioners and hospitals). Note that although the Ontario government claims that this set of rules provides better protection for health information, there exists a larger number of exemptions to the requirement of getting consent when collecting, using or disclosing such information. It will be interesting to see whether B.C. distinguishes health care practitioners as Ontario has done.

The Ministry has also made it clear that the privacy legislation will focus on covering organizations and not types of activities. Entities such as unions, non-profit societies, clubs and professional organizations will likely be covered by the legislation, as they will by the upcoming Ontario privacy legislation. B.C.’s consultation paper contrasts this to the federal private sector legislation that only applies to “commercial activities”. However, it is important to note that if B.C. does not introduce privacy legislation by 2004, unions and associations will likely be governed by the federal legislation because they engage in commercial activities when they collect dues or fees.

The consultation paper also asks whether personal opinions should be addressed in the legislation – i.e. whose personal information is it? The person whose opinion it is or the person whom the opinion is about? The Ontario and federal legislation are silent on this point; however, since personal information is any information about an identifiable individual, arguably opinions are personal information about both individuals.

With respect to the right of access to one’s personal information, the B.C. government proposes to have provisions similar to the federal legislation. However, the Ministry is considering whether there should be a frivolous and vexatious clause. The lack of such a clause in the federal legislation has been a significant concern for businesses, particularly because the Federal Privacy Commissioner is required to investigate all complaints it receives. Although the Commissioner has been quick to find complaints to be ill-founded in many cases, a clause in the legislation allowing organizations to refuse frivolous or vexatious access requests would be a more balanced approach that recognizes the need for limits on access rights to allow businesses to function.

The consultation paper inquires as to whether the B.C. Information and Privacy Commissioner should be given the authority to initiate an audit or investigation or be limited to responding to complaints. Both the federal and the Ontario legislation allow the Commissioner to initiate a review of an organization’s practices, and it is highly likely that the B.C. legislation will provide the same power.

The B.C. consultation draft is extremely high level, so it will probably be some time before we see actual legislation in place. If other provinces want to meet the 2004 deadline but still consult with the public about privacy protection, we are likely to see more consultation papers released in the very near future.


Privacy Legislation in the Far East

A relatively new regulation in Korea that could be roughly translated as the “telecommunications secrecy law” was passed by the National Assembly late last year and states that companies should secure explicit “agreement” from their employees, and not just provide unilateral notification, when implementing e-mail filtering or monitoring software and when tracking the transfer of documents through the network. If the rules are ignored or violated, employees can file a suit against the company in question for violating their telecommunications privacy.

It is no secret that Korean politicians and top managers frequently engage in wiretapping. Many company executives want to monitor corporate e-mail and documents to protect confidential information. Meanwhile, state investigators have often come under fire for their needlessly frequent requests for wiretapping – something that critics say borders on political conspiracy and serious privacy infringement. Since the issue has been so sensitive and controversial, lawmakers in Korea have now made it legally difficult to conduct reckless wiretapping through telecommunications.

A tougher privacy rule is a good thing for individuals, but employers are being confronted with the challenging task of persuading employees to accept the fact that their e-mail is monitored by sophisticated programs, and their documents are thoroughly tracked in the network. Company security systems operators and top managers are fully aware of the possibility that e-mail and documents could be key channels for industrial spies, confidential information leakage or cybercrime. An executive of a satellite broadcasting company in Korea ignored the rule and went ahead and browsed the content of employees’ e-mail messages in a secretive way. The executive was arrested for breaking the law, striking alarm among “big brotherly” managers across the nation.

The government strictly limits the use of wiretapping solutions for national security and other serious investigations. Also, if certain equipment falls into the category of wiretapping gear for investigation purposes, the owner must get permission from the Information and Communication Minister to use it. However, the new private sector telecommunications regulation is about full disclosure to employees. To the relief of security solutions developers, government officials have said that the regulation is not intended to stifle the development and use of solutions for businesses, and mainstream corporate security solutions developers do not need approval and supervision from the authorities.

In Japan, criticism from all circles has made it impossible for the government to push through a controversial privacy protection bill that was first introduced in the spring of last year. Media organizations and investigative free-lance journalists covering politicians and bureaucrats opposed the legislation and called it a media-regulation bill that threatens freedom of the press and the public’s right to know.

Under the legislation, both businesses and non-profit organizations would be punished for violating legal obligations. Consumer groups claim that the bill does not go far enough and should give individuals the ability to play an active role in monitoring and controlling the use of their personal data by businesses and others. The effectiveness of the bill was questioned with respect to specific types of personal information such as credit information, where strict protection of personal data is essential. The Japanese Cabinet Office says separate laws will be developed for certain areas. However, having a multitude of privacy laws that deal with specific types of information means we won’t see comprehensive privacy protection in Japan for some time yet.

As stakeholders voice their support and opposition to such privacy laws, achieving the right balance when regulating the handling of personal information is a new challenge in the Far East. The legislative initiatives being undertaken by governments make it clear that the invasion of privacy has become a world-wide problem.


Research shows Consumers are Willing to Sacrifice Privacy for Perks

Forrester Research recently surveyed 6,000 on-line consumers in North America and found that monetary compensation is a compelling enough reason for some consumers to forfeit privacy rights. Fifty percent of respondents said they would be willing to share their television-watching history for a $5 discount on monthly cable or satellite service. In turn, 36 percent would share Web surfing history, 33 percent would share their mobile phone location and 35 percent would share their vehicle location for similar $5 incentives.

Other respondents said they would share information for other types of incentives. For example, 36 percent would share television-watching data for automatic recording of regularly watched programs. In exchange for information about programs they might like, 25 percent of respondents said they would share their personal information, and 29 percent would share data for information about what channels they do not watch.

As for sharing Web surfing data, 31 percent would share history for faster access to their favorite sites, but only 19 percent would do so for personalization of favorite sites or recommendations of sites they might like.

Twenty-nine percent of respondents said they would reveal mobile phone location for directions while 33 percent of respondents would reveal vehicle location for directions. Respectively, 26 percent and 33 percent would share location for custom information about that locale.

An exchange of personal information for some incentive may be more privacy-invasive than a consumer thinks. It is important to know what the company collecting the personal information is doing with it. Are consumers aware of and consenting to the use of that information for future marketing, or more controversially, to the disclosure of that information to other organizations? New reward programs are popping up every day. An EKOS Research survey commissioned by the Public Interest Advocacy Centre (PIAC) and funded by Industry Canada, the results of which were released in September of last year, found that about two-thirds of Canadians have loyalty cards, so it is clear that such programs are extremely popular. Interestingly enough, 54% of those asked didn’t know that programs such as Air Miles or gas station reward plans collect, use and disclose information about what they buy, in order to target them with marketing.

If organizations were clearer about what they are doing with the personal information they collect, which is what privacy laws are essentially geared at requiring, many consumers may opt for protecting their privacy rather than accepting the perks that come with sacrificing it.


Beware of Spyware

When things move really slowly while surfing on-line, or when your computer seems to crash more frequently, you may have downloaded software that intrudes upon your computer power, your bandwidth as well as your personal information. Technologies that “piggyback” on free software available on the Internet, often unbeknownst to those who download it, are being used with rising frequency by marketers seeking to pinpoint potential customers. But many of those same programs, known commonly as spyware, can be used to spy on an individual’s every move and even take over a PC’s hard drive – in theory, if not in practice.

Spyware actually refers to any software that employs a user’s Internet connection in the background (the so-called backchannel) without their knowledge or explicit permission. Others have defined it more narrowly as software that transmits personal information without permission – use of the term has been slowly drifting in this direction. Thus, spyware generally now refers to software installed with no disclosure that gathers information about the user of the machine and sends it back to another server.

In the late 1990s, as software developers looked for ways to fund the development of on-line tools that people expected to get for free, they began to add programs that either displayed ads or tracked the user or both. Popular programs for managing downloads or speeding up surfing were tagged as “adware”. Most privacy activists accept that using advertising to fund freeware is a legitimate business model. However, spyware goes a step further than simply displaying ads by collecting information for marketing and advertising purposes, without consent.

Spyware is controversial because from a privacy perspective, the software should make the user clearly aware of the collection and give the user a choice of whether or not to continue. Many of the companies whose programs have been labelled spyware insist they inform users about what their software is doing. However, disclosure information is usually provided in the lengthy user agreement or license shown before you download and install the software. Most people don’t take the time to read these statements and thus miss the fine print that states ‘we will use your information to present you with specials and deals that we believe will interest you’.

Most companies that want to be seen as legitimate businesses now make some attempt to inform the user of what they’re up to (albeit via long user agreements). They offer opt-outs, limit the amount of information they collect and feature details about their privacy policies. However, you still need to take care on-line. If you do a lot of surfing and downloading of software off the Net, you should check in regularly with anti-spyware sites such as Counterexploitation (http://www.cexx.org/) and SpywareInfo (http://www.spywareinfo.com/), and sites that keep tabs on what software installs what adware or spyware, such as Spychecker (http://www.spychecker.com). Be careful when downloading “free” software. See what programs are bundled with the product you want. Also, see if you can opt out, and if you can't, read the user agreement carefully. Finally, you can download software, such as Ad-Aware, and run the occasional check on your computer to make sure you haven’t picked up any nasty spyware. Remember that if you don’t keep an eye on your machine, it may end up keeping an eye on you!