Photo by Matthew Henry ()

Emily Prieur is an IPilogue Writer and a 3L JD Candidate at Queen’s University Faculty of Law. This article was originally written as part of the IPilogue’s annual Year in Review but has instead been published as a standalone article.

2021 was a transformational year for Canadian privacy legislation. Following the changes made to the , several provinces amended their privacy legislation to protect their constituents’ interests. The private sector may be less welcoming to changes in many provinces which expose companies to . On the flip side, these proposed legislative changes will strengthen the privacy of Canadians in their everyday lives.

Provincial Legislative Changes

Quebec’s Bill 64 Passes Royal Assent 

The most significant development in privacy legislation is Quebec’s , An Act to modernize legislative provisions as regards the protection of personal information, which received royal assent on September 22, 2021. This legislation is significant because of its effects on the private sector. Starting September 2022, private sector organizations must inform the privacy regulator following any breach to compromised personal information that presents a “serious risk of injury” to affected individuals. To determine if there was a serious risk of injury to affected individuals, the province turns to the factors outlined in the “real risk of serious harm” section of the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). As , the gradual implementation of Bill 64 allows organizations the opportunity to update their processes and procedures to ensure compliance before September 2022. The Quebec legislation also takes inspiration from the European Union's General Data Protection Regulation (“G�ٱʸ�”), which has been touted as the “” privacy regime because of its strict privacy standards and its partiality towards consumers.

The omnibus bill included such as changes to company websites, assignment of a Privacy Officer, completion of Privacy Impact Assessments, and requirements for consent, individual rights, and automated decision making. To date, the analysis of the legislation compares the provisions to the European GDPR.

Companies operating in Quebec are now required to publish their company privacy policies on their websites. Such privacy policies must describe how companies plan to use personal information.

In the event of privacy infringements that violate individuals’ private information, individuals will now have recourse through administrative monetary penalties, penal offenses, and private rights of action.

Finally, similarly to the GDPR, Quebec introduced consent requirements for collecting personal information, including express consent before using sensitive information and parental consent for minors under the age of 14. 

Ontario Welcomes Consultations and Proposes Changes

Under the leadership of Patricia Kosseim, the Office of the Privacy Commissioner pursued their goal of passing an equivalent piece of legislation in 2021. In response to an op-ed piece that argued against provincial legislation in fear of redundancy and duplication, Kosseim recently regarding the potential for new provincial legislation to “fill in the gaps” of what Federal privacy legislation cannot accomplish.

In keeping with Kosseim’s motivation to strengthen privacy laws in Ontario, the Government of Ontario released a along with calls for consultation in June 2021. The White Paper, titled “Modernizing Privacy in Ontario,” set out several proposals the Ministry is considering to strengthen privacy protection for Ontarians. To strengthen such protections, the Ministry has proposed making privacy a fundamental right in Ontario. Ontario has also included suggestions to protect youth privacy online, regulate automated decision-making, and require more informed consent and data transparency from private corporations.

The Ministry allowed the public to provide comments and feedback until August 2021. The Office of the Privacy Commissioner applauded the provincial government for taking a “” with its proposal.

BC’s PIPA Committee Releases their Final Report

The British Columbia Legislative Assembly also created a special committee to review the British Columbia (“PIPA BC”) in February 2020. The objective of this committee was to publish a report proposing amendments to PIPA BC, which the committee completed in December of 2021. In the , the committee suggested aligning PIPA BC with PIPEDA and Europe’s GDPR. Like the recently passed Quebec legislation, the committee also suggested mandatory breach notifications if a breach surpasses the “real risk of significant harm” threshold as established in PIPEDA. The committee also recommended broadening the definition of personal information to address the potential issue of de-identification. Finally, the committee proposed that the Office of the Information Privacy Commissioner have greater enforcement powers.

Federal Legislative Changes

The Federal Office of the Privacy Commissioner (“���ʰ�”) did not introduce any new legislation in 2021. The Office was engaged in issues surrounding as well privacy issues resulting from the COVID-19 pandemic, including privacy with respect to and the rise in reliance on video teleconferencing platforms like Zoom and Microsoft Teams. The Canadian OPC, along with privacy authorities in Australia, Gibraltar, Hong Kong SAR, China, Switzerland, and the United Kingdom, to the videoconferencing companies regarding their rapid expansion during the pandemic to query and confirm that these technology companies were using appropriate privacy safeguards. The letter led to a series of video calls between the signatories and representatives from the companies. Finally, the signatories and suggestions to improve privacy going forward. Among the suggestions were the implementation of end-to-end encryption, the identification of secondary use data (as well as an opt-out system), and the option for users to choose where their data is stored.

Conclusion

New and amended privacy legislation continues to develop in Canada and worldwide. Follow the IPilogue and subscribe to our newsletter, the IPIGRAM, for any important legislative changes that emerge in 2022.

The post A Look Back at Canada's Privacy Legislation in 2021 appeared first on IPOsgoode.

He is seeking damages of $500 per email as well as an injunction to stop Google from scanning and collecting information until it receives explicit consent of all parties to email exchanges.

At issue is the process whereby Google collects valuable information from its email wing Gmail to learn more about users for the purposes of displaying consumer-contoured ads. The  lists violation of copyright in Canada, the Privacy Act, as well as the Competition Act.

The claim: “Google’s activities include intentionally and systematically intercepting email sent to Gmail users by individuals who are not Gmail subscribers and whose emails are sent from non-Gmail email accounts. Google intercepts incoming emails to Gmail accounts in order to obtain the words, content, and meaning of the emails. The intercepted data within these emails and the use of this data has value to Google.”

At root of the claim is the use of the information taken and scanned without permission, and for the company’s ultimate financial gain.

“Among other things, Google increases its revenues from third party advertisers by displaying ‘targeted’ ads to consumers based upon data received from others. Google’s intercepting and taking of the data from the content of emails allows Google to avoid paying traffic acquisition costs – i.e. the costs it would normally pay to third party owners or providers for such data.”

There is also strong language about the lack of transparency demonstrated by Google in making available about how and why it gathers the information from Gmail.

“Google has failed or omitted to disclose or describe, either adequately or at all, the fact and the extent of Google’s interception, copying, retention, review and use of emails sent by the Class Members to Gmail account holders. The Class Members own copyright and more rights in the emails they draft, prepare, and send and in any other works attached thereto such as photographs, drawings, and sound recordings…”

Though Google Canada was to any media outlets, the Google Privacy Policy and the FAQ about Gmail give clues as to potential defenses.

In response to the question, “Is Google reading my mail?” the site ,

“No, but automatic scanning and filtering technology is at the heart of Gmail. Gmail scans and processes all messages using fully automated systems in order to do useful and innovative stuff like filter spam, detect viruses and malware, show relevant ads, and develop and deliver new features across your Google experience.”

Its frames the collection of information as a value-added for users.

“We collect information to provide better services to all of our users – from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful or the people who matter most to you online.”

Unfortunately, as is bound to come out as a central issue, only those who subscribe to a Google or Gmail account have ever formally accepted Google’s privacy policy and waived rights via terms of service. The class in the BC civil action case will be exclusively individuals who have not consented to Google’s data scanning activities but who have sent email to a Gmail account.

The BC suit presents in Google’s “don’t be evil” mantra armour. Google this past summer to settle charges for misrepresenting privacy assurances. It’s also with the EU data protection commissioners who are concerned that Google is breaching EU privacy laws. Not to mention additional, class actions up the U.S.

American law professor Eric Goldman has the validity of the British Columbia lawsuit, largely because of what a holding for the plaintiffs would mean when applied to anti-virus or anti-spam software.

“If electronic scrutiny of private email constitutes an interception then all anti-spam software violates that as well … the same probably with virus checkers,” Goldman told Postmedia.

Though Goldman raises an interesting practical point, it’s unlikely that the judicial ramifications on the software industry warrant a reasonable counter-argument to the privacy and copyright concerns. The technology may be the same, but the application of that technology is so different that it merits a separate rights debate.

Personally, I am of the opinion that this case presents some valid concerns. Moreover, the solution to assuage these claimants’ concerns seems easy from a technology logistics perspective: Google should close the gap between the information it has permission to collect and what it does collect.

The plaintiff, Wayne Plimmer, is represented by Mike Wagner of

Denise Brunsdon is a JD/MBA candidate at Western University.

The post Reply all: BCer launches privacy class action against Google appeared first on IPOsgoode.