Information Technology Law in Canada : An Overview Facultad de Derecho Universidad de Buenos Aires Le 5 Marzo, 2008.

Information Technology Law in Canada : An Overview

Facultad de Derecho

Universidad de Buenos Aires

Le 5 Marzo, 2008

General context for privacy

• Sometimes privacy concerns relate to the acquisition or disclosure of information (informational privacy), sometimes to physical seclusion (physical privacy), sometimes to ownership or control (proprietary privacy), and sometimes to personal decision making (decisional privacy).

Constitutional context :

• Sections 91 and 92 of the Constitutional Act of 1867 (ex- British North America Act)

• The Canadian Charter of Rights and Freedoms :• Section 8. Everyone has the right to be secure against

unreasonable search and seizure.

• The Quebec Charter of Rights and Freedoms :• Section 5. Every person has a right to respect for his

private life.

Other legal sources for privacy :

• Section 35 Civil Code of Quebec. Every person has a right to the respect of his reputation and privacy. No one may invade the privacy of a person without the consent of the person unless authorized by law.

Other legal sources for privacy (cont’d)

• Section 36 Civil Code of Quebec. The following acts, in particular, may be considered as invasions of the privacy of a person: 1) entering or taking anything in his dwelling; 2) intentionally intercepting or using his private communications; 3) appropriating or using his image or voice while he is in private premises; 4) keeping his private life under observation by any means; 5) using his name, image, likeness or voice for a purpose other than the legitimate information of the public; 6) using his correspondence, manuscripts or other personal documents.

• Section 3 Civil Code of Quebec. Every person is the holder of personality rights, such as the right to life, the right to the inviolability and integrity of his person, and the right to the respect of his name, reputation and privacy.

Other legal sources for privacy (cont’d)

• Section 1457 Civil Code of Quebec. Every person has a duty to abide by the rules of conduct which lie upon him, according to the circumstances, usage or law, so as not to cause injury to another. Where he is endowed with reason and fails in his duty, he is responsible for any injury he causes to another person and is liable to reparation for the injury, whether it be bodily, moral or material in nature. He is also liable, in certain cases, to reparation for injury caused to another by the act or fault of another person or by the act of things in his custody.

Other legal sources for privacy (cont’d)

At common law in Canada :• The right to privacy has not so far, at least under that name,

received explicit recognition by British courts. For one thing, the traditional technique in tort law has been to formulate liability in terms of reprehensible conduct rather than of specified interests entitled to protection against harmful invasion. For another, our courts have been content to grope forward, cautiously along the grooves of established legal concepts, like nuisance and libel, rather than make a bold commitment to an entirely new head of liability. (Peter BURNS, «The Law and Privacy: The Canadian Experience», (1976) 54 C. Bar Rev. 1, p.12)

Other legal sources for privacy (cont’d)

Data protection statutes :• Public sector : Privacy Act, R.S., 1985, c. P-21 (federal)

and An Act respecting Access to documents held by public bodies and the Protection of personal information, R.S.Q., chapter A-2.1 (Quebec)

• Private sector : Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (federal) and An Act respecting the Protection of personal information in the private sector, R.S.Q. P-39.1 (Quebec)

Constitutional protection of privacy (cont’d)  :

• Historically, the common law protections with regard to governmental searches and seizures were based on the right to enjoy property and were linked to the law of trespass. It was on this basis that in the great case of Entick v. Carrington (…), the Court refused to countenance a search purportedly authorized by the executive, to discover evidence that might link the plaintiff to certain seditious libels. Lord Camden prefaced his discussion of the rights in question by saying at p.1066 (…): «The great end, for which men entered society, was to preserve their property. That right is preserved sacred and incommunicable in all instances, where it has not been taken away or abridged by some public law for the good of the whole». (Hunter v. Southam, [1984] 2 S.C.R. 145)

Constitutional protection of privacy (cont’d)  :

• In my view the interests protected by s.8 are of a wider ambit that those enunciated in Entick v. Carrington. Section 8 is an entrenched constitutional provision. It is not therefore vulnerable to encroachment by legislative enactments in the same way as common law protections. There is, further, nothing in the language of the section to restrict it to the protection of property or to associate it with the law of trespass, It guarantees a broad and general right to be secure from unreasonable search and seizure. (Hunter v. Southam, [1984] 2 S.C.R.. 145, p.158)

Constitutional protection of

privacy (cont’d) : • As noted previously, territorial claims were originally, legally and

conceptually tied to property, which meant that legal claims to privacy in this sense were largely confined to the home. But as Westin (…) has observed, «to protect privacy only in the home (…) is to shelter what has become, in modern society, only a small part of the individual’s daily environmental need for privacy». Hunter v. Southam Inc. ruptured the shackles that confined these claims to property. Dickson J., at p.159, right adopted the view originally put forward by Stewart J. in Katz v. United States (…) that what is protected is people, not places. This is not to say that some places, because of the nature of the social interactions that occur there, should not prompt us to be especially alert to the need to protect individual privacy. (The Queen v. Dyment, [1988] 2 S.C.R. 417, p.428-429, parag.20)

Constitutional protection of privacy (cont’d) :

• (1) Prior authorization, where feasible, is a precondition for a valid search and seizure. It follows that warrantless searches are prima facie unreasonable under s.8

• (2) For the authorization procedure to be meaningful, it is necessary for the person authorizing the search to be able to assess the conflicting interests of the state and the individual in an entirely neutral and impartial manner. This means that while the person considering the prior authorization need not be a judge, he must nevertheless, at a minimum, be capable of acting judicially. For example, he must not be someone charged with investigative or prosecutorial functions under the relevant statutory scheme.

• (3) Reasonable and probable grounds, established upon oath, to believe that an offence has been committed and that there is evidence to be found at the place of the search, constitutes the minimum standard consistent with s.8 of the Charter for authorizing searches and seizures (Hunter v. Southam Inc., [1984] 2 S.C.R. 145)

Privacy in the Workplace :• The problem of this protection of privacy encountered in this case falls within

the context of labor law (…) However, our Court is not confronted with the entire issue of the existence and the limits of the privacy of employees within the establishment and with the issue of surveillance by the employer inside said establishment such as, for instance, when the employees arrive or leave, while or in the course of performing their duties in the workplace. Here, we are considering the licitness of the surveillance, resulting most certainly from the labor relations but taking place outside of the establishment while the employee was not performing any work for the employer (…) When all is said and done, this appeal will not resolve all the problems resulting from the implementation of certain guarantees to protect privacy. We are facing an important but limited problem, falling into a factual context, well set out by arbitrator Trudeau. (Le Syndicat des travailleurs(euses) de Bridgestone-Firestone de Joliette (CSN) v. Bridgestone/Firestone Canada, REJB 1999-14156 (C.A. Que). Translation from Desjardins Ducharme, «Current Legal Issues. Tailing and Surveilling an Employee: Quebec Court of Appeal Decision», Montréal, September 1999, p.1)

Privacy in the workplace (cont’d) :

• Article 2085. A contract of employment is a contract by which a person, the employee, undertakes for a limited period to do work for remuneration, according to the instructions and under the direction or control of another person, the employer.

• Article 2087. The employer is bound not only to allow the performance of the work agreed upon and to pay the remuneration fixed, but also to take any measures consistent with the nature of the work to protect the health, safety and dignity of the employee.

• Article 2088. The employee is bound not only to carry on his work with prudence and diligence, but also to act faithfully and honestly and not to use any confidential information he may obtain in carrying on or in the course of his work. These obligations continue for a reasonable time after cessation of the contract, and permanently where the information concerns the reputation and private life of another person.

Privacy in the workplace (cont’d) :

• The decision to surveil as well as the methods used were therefore reasonable. The surveillance did not involve continuous tailing but three timely observations, restricted in time, in places where the employee could be observed directly by the public, under conditions that did not violate his dignity. (Le Syndicat des travailleurs(euses) de Bridgestone-Firestone de Joliette (CSN) v. Bridgestone/Firestone Canada, REJB 1999-14156 (C.A. Que). Translation from Desjardins Ducharme, «Current Legal Issues. Tailing and Surveilling an Employee: Quebec Court of Appeal Decision», Montréal, September 1999, p.2)

• First of all, the employer must have serious cause to doubt the employee’s honesty. Second, the employer must be convinced and, in the end, able to show that the surveillance is necessary to verify the employee’s behaviour. Third, the surveillance must be restricted and carried out in the least possible intrusive manner and by avoiding violating the employee’s dignity (Ibid., p.3)

On cybercrime :• First a computer can be used as a tool for commiting criminal activity. This category

includes those crimes that criminals traditionally have committed in the physical world but that are now occuring with increasing frequency on the Internet as the primary means of completing the crime, such as online auction fraud, the distribution of child pornography and copyrighted software, and money laundering. (R.W. DOWNING, « Shoring Up the Weakest Link : What Lawmakers Around the World Need to Consider in Developing Comprehensive Laws to Combat Cybercrime », (2005) 43 Columbia Journal of Transnational Law 705, p.711-712)

• [Second] A computer can also be the target of criminal activity. Commonly called «network crime», this activity involves attakcs on the confidentiality, integrity, or availability of computer systems or information. Criminals undertake these attacks to acquire information stored on the victim computer, to control the victim computer without authorization or payment, to intercept communications, to delete or modify data, or to interfere with the availability of a computer or the information it contains.These attacks often result in the theft of information and monetary loss to the owner of the victim computer. Criminal activities included in this category are unauthorized access to a computer, the release of viruses and other malicious code, website defacements, and denial-of-service attacks that impair the availability of computer systems or data. (Ibid., p.713)

On cybercrime (cont’d) :

• Bill C-74, «The Modernization of Investigative Techiques Act» (Canada)

• The working definition of Telecommunications Associated Data is any data, including data pertaining to the telecommunications functions of dialing, routing, addressing or signaling, that identifies, or purports to identify, the origin, the direction, the time, the duration or size as appropriate, the destination or termination of a telecommunication transmission generated or received by means of the telecommunications facility owned or operated by a service provider.

On cybercrime (cont’d) :

• However, law enforcement agencies have also been able to take advantage of new technologies. Key-stroke loggers have been used to capture e-mails as they are being composed and to gain access to passwords; packet sniffers can scan e-mails going through an ISP node for specific words or phrases; many cell phones generate very detailed location data; and the capability exists to analyze huge amounts of communications data for suspicious patterns. On the last point, we have seen an increased interest on the part of law enforcement and government agencies in data aggregation and data mining. On balance, it is not clear that the proposed measures are necessary to ensure that law enforcement and national security agencies can maintain the capabilities and authorities may have had in the past. We have also been told that one of the reasons legislation is necessary is to allow Canada to meet its commitments under the Council of Europe Convention on Cybercrime, which Canada has signed, but not ratified. We are aware that cybercrime — phishing, denial of service attacks, Internet fraud, malicious spyware, etc. — is a serious and growing international problem and that identity theft and related crimes are also on the rise. The Convention is about more than fighting cyber-crime; one of the main purposes of the Convention is to facilitate information-sharing among law enforcement agencies in the participating countries. (Response to the Government of Canada's "Lawful Access" Consultations. Submission of the Office of the Privacy Commissioner of Canada to the Minister of Justice and Attorney General of Canada, May 5, 2005, Office of the Privacy Commissioner of Canada : http://www.privcom.gc.ca/information/pub/sub_la_050505_e.asp)

Civil liability :

• Section 27. A service provider, acting as an intermediary, that provides communication network services or who stores or transmits technology-based documents on a communication network is not required to monitor the information communicated on the network or contained in the documents or to identify circumstances indicating that the documents are used for illicit activities. However, the service provider may not take measures to prevent the person responsible for access to documents from exercising his or her functions, in particular as regards confidentiality, or to prevent the competent authorities from exercising their functions, in accordance with the applicable legislative provisions, as regards public security or the prevention, detection, proof and prosecution of offences. (An Act to Establish a Legal Framework for Information Technology, R.S .Q., c. C-1.1.)

Civil liability (cont’d) :

• Section 22. Intermediary. A service provider, acting as an intermediary, that provides document storage services on a communication network is not responsible for the activities engaged in by a service user with the use of documents stored by the service user or at the service user's request.

• Illicit Activities. However, the service provider may incur responsibility, particularly if, upon becoming aware that the documents are being used for an illicit activity, or of circumstances that make such a use apparent, the service provider does not act promptly to block access to the documents or otherwise prevent the pursuit of the activity. (An Act to Establish a Legal Framework for Information Technology, R.S .Q., c. C-1.1.)

Civil liability (cont’d) :

• Section 22. Referral Services. Similarly, an intermediary that provides technology-based documentary referral services, such as an index, hyperlinks, directories or search tools, is not responsible for activities engaged in by a user of such services. However, the service provider may incur responsibility, particularly if, upon becoming aware that the services are being used for an illicit activity, the service provider does not act promptly to cease providing services to the persons known by the service provider to be engaging in such an activity. (An Act to Establish a Legal Framework for Information Technology, R.S .Q., c. C-1.1.)

Civil liability (cont’d) :

• Section 36. A service provider, acting as an intermediary, that provides communication network services exclusively for the transmission of technology-based documents is not responsible for acts of service users performed with the use of the documents transmitted or stored during the normal course of the transmission for the time required for the efficiency of the transmission.

• Responsibility. However, the service provider may incur responsibility, particularly if the service provider otherwise participates in acts performed by service users : 1) by being the sender of a document; 2) by selecting or altering the information in a document; 3) by determining who transmits, receives or has access to a document ; or ) by storing a document longer than is necessary for its transmission. (An Act to Establish a Legal Framework for Information Technology, R.S .Q., c. C-1.1.)

Civil liability (cont’d) :

• Section 37. A service provider, acting as an intermediary, which, as part of transmission services provided via a communication network, maintains technology-based documents furnished by clients on that network for the sole purpose of ensuring the efficiency of their subsequent transmission to persons having a right to access the information, is not responsible for acts of service users performed with the use of those documents.

• Responsibility. However, the service provider may incur responsibility, particularly if the service provider otherwise participates in acts performed by service users : 1) as specified in the second paragraph of section 36; 2) by not complying with the conditions for access to a document; 3) by preventing the verification of who has accessed a document; 4) by failing to withdraw a document from the network or to block access to the document after becoming aware that the document has been withdrawn from its initial position on the network, that persons having the right to access the document are unable to do so or that a competent authority has ordered that the document be withdrawn from the network or that access to the document be blocked. (An Act to Establish a Legal Framework for Information Technology, R.S .Q., c. C-1.1.)

Gracias!

Prof. Karim BenyekhlefDirecteurCentre de recherche en droit publicFaculté de droitUniversité de Montré[email protected]://www.crdp.umontreal.ca