On September 2, 2017, the Government of Canada published the proposed Breach of Security Safeguards Regulations (“Regulations”). The proposed Regulations provide additional clarity and substance to the mandatory requirements for breaches of security safeguards which were added to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in June 2015 but have yet to be declared into force. The Government of Canada will be accepting comments on the proposed Regulations until October 2, 2017.
The new breach notification requirements will add significant financial and administrative burdens for organizations handling personal information regulated by PIPEDA, including organizations located outside of Canada which collect, use or disclose personal information about Canadian individuals.
This morning, the Supreme Court of Canada released its decision in Royal Bank of Canada v. Trang, 2016 SCC 50 (Trang), overturning the reasoning of two decisions of the Ontario Court of Appeal. In the SCC’s view, the Personal Information Protection and Electronic Documents Act, S.C. 2000 c. 5 (“PIPEDA”) does not preclude a mortgagee from producing a mortgage discharge statement to a judgment creditor. The unanimous decision, written by Justice Côté, concluded that such disclosure was in accordance with an order made by a court or, alternatively, that the mortgagors had provided implied consent.
This week, the Canadian Radio-television and Telecommunications Commission (“CRTC”) released its first substantial decision on Canada’s Anti-Spam legislation (“CASL”). The decision, CRTC 2016-428, significantly reduced the administrative monetary penalty (“AMP”) payable by Blackstone Learning Corp, and shed some light on the CRTC’s interpretation of CASL violations.
After initiating a proposed class action lawsuit alleging copyright infringement in respect of five motion pictures (I have previously blogged on the Notice of Application), Voltage Pictures LLC (“Voltage”) has successfully persuaded the Federal Court to order the partial disclosure of subscriber information in order to proceed with certification of its “reverse” class action.
Two recent articles have highlighted a novel privacy issue regarding the legal implications of wearable technologies in Major League Baseball (MLB). Rian Watt first addressed the issue for Vice Sports, and Associate Professor Nathaniel Grow followed up with a post on Fangraphs about the American implications of MLB franchises collecting biometric data about their players. However, given that the Toronto Blue Jays operate in Canada, a perspective on this from north of the border is warranted.
The leak of the confidential files of a Panamanian law firm, dubbed the “Panama Papers,” has generated much press coverage, but there has been surprisingly little comment about the privacy rights of those named in, or linked to, the disclosures. It seems obvious that the public exposure of the personal information (“PI”) contained in the documents that were unlawfully obtained by an anonymous hacker raises serious privacy concerns for those individuals who are named. In fact, the International Consortium of Investigative Journalists (“ICIJ”) and other media outlets could well be facing regulatory complaints or even tort claims for unauthorized use of PI and/or invasion of privacy under Canadian law. If so, the release of PI by ICIJ members could qualify as the largest intentional privacy breach ever made in Canada by an identifiable entity.