News

In a split decision, Alberta Court of Appeal finds that police do not have to seek judicial authorization to obtain IP addresses in order to further an investigation

In R. v. Bykovets, police were investigating a fraud in which the fraudsters had purchased online liquor gift cards using stolen credit card information. The payments had been processed through a third party service, and when an investigating officer requested information about the purchasers from the third party, that company sent the officer two IP addresses. Using public sources the police were able to determine that the IP addresses were registered to TELUS, and obtained a production order requiring TELUS to provide subscriber information. The information produced by TELUS linked the IP addresses to the appellant and his father, at their home addresses. The police obtained search warrants for the two residences and eventually seized evidence linking the appellant to the fraud. At trial the appellant had argued that s. 8 of the Charter had been breached because the police officer had not obtained judicial authorization before obtaining the IP addresses initially. The trial judge had not acceded to this argument, holding that the appellant did not have a reasonable expectation of privacy in the IP addresses.

This latter question was the main issue confronted by the Court of Appeal: does the target of a police investigation have a reasonable expectation of privacy in an IP address used by them, such that s. 8 of the Charter is engaged and police are required to obtain judicial authorization before obtaining the IP address? Interestingly, this question produced a split decision from the Court of Appeal. Both the majority and dissenting judgments agreed that the analytical starting point was the Supreme Court of Canada’s 2014 decision in R. v. Spencer, in which the Court held that people have a reasonable expectation of privacy in their subscriber information that is attached to IP addresses which have been assigned to them, because this data can reveal to the police “core biographical information.” The disagreement in this case turned on differing views on what the police “were actually trying to obtain” in seeking the IP addresses. Writing in dissent, Justice Veldhuis accepted the appellant’s broader argument that the privacy invasion here was analogous to the one dealt with in Spencer:

[62] …Police officers asking third parties for IP addresses associated with particular internet activity is, in essence, no different from police asking Internet Service Providers (ISPs) to provide the subscriber information associated with a particular IP address. Both investigative techniques are aimed at gathering information to ascertain the identity of an internet user and allow the police to gather further information to draw inferences about the intimate details of the lifestyle and personal choices of the internet user.

[….]

[72]           The trial judge distinguished this case from R v Jennings, 2018 ABQB 296, and in my view, it was an error to do so. In Jennings, the police deployed a mobile device identifier (MDI) on numerous occasions which gathered third-party cellular phone information numbers (IMEI and IMSI). The Crown alleged, much like it does here, that IMEI and IMSI are just numbers and do not constitute or contain intimate details, core biographical information or reveal personal choices. However, the trial judge accepted the defence position that had the numbers been linked to Jennings, the police would be able to use that information in repeated applications of the MDI to build a profile that would reveal patterns of communication, contacts, and other biographical data about Jennings.

[73]           The trial judge in Jennings recognized, at paragraph 37, the quintessential problem with the Crown’s position and applying a narrow scope to characterizing information that acts as a trace associated with a particular individual’s electronic activities: at what point in the iterative process of police gathering electronic information do they need to seek a warrant to ensure that there is a warrant at the point the numbers are associated with a particular person? She held that the point is at the beginning, and I agree.

However, the majority judges held that this view stretched the Spencer analysis too far:

[17]           In Spencer, police obtained, without judicial authorization, the IP address and its subscriber data. Thus, without a court order, the police believed the following: Matthew Spencer was using the internet to download child pornography at a specifically named address. By contrast, the police here obtained, without judicial authorization, only IP addresses. Based on this abstract information, police believed a person who committed fraud used the IP addresses. They did not know who. They only knew the IP addresses belonged to TELUS and they ascertained this information through a publicly available internet lookup site. To get the name and address of the subscriber, they lawfully served TELUS with a production order. Thus, without a court order, they believed only this: an unknown person using a known IP address was committing fraud from an unknown address.

[18]           We also note the difference in mobile phone searches. In situations involving mobile phone data, there is clearly a reasonable expectation of privacy in international mobile subscriber identity (“IMSI”) and international mobile equipment identity (“IMEI”) numbers that the police obtained with a mobile device identifier (“MDI”) or cellular-site simulator (“CSS”). In those cases, the subject or identity of the target is generally known when the MDI or CSS technology is used. More importantly, in those situations, over time the police can glean “significant personal information” from the IMSI and IMEI numbers such as drawing inferences about a target’s cell usage and web browsing.

[19]           The appellant has analogized an IP address to a house address. In our view, the analogy is not appropriate.

[20]            An IP address does not tell police where the IP address is being used or, for that matter, who is using it. Nor is there a publicly available resource from which the police can learn this or other subscriber data. To get the core biographical information such as an address, name, and phone number of the user, the police must obtain and serve a production order on the ISP in accordance with Spencer. That is what the police did here.

[21]           An IP address is an abstract number that reveals none of the core biographical information the issuer of that IP address attaches to it. Standing alone, it reveals nothing. An IP address does not reveal intimate details of a person’s lifestyle nor does it, without more, disclose core biographical information, nor communicate confidential information. An IP address can tell the police something about a person only if they get subscriber information. But the police can only get subscriber information if they comply with Spencer and obtain a production order.

The trial judge had correctly found that the IP addresses, by themselves, revealed no private information, and therefore no reasonable expectation of privacy had arisen.

While at the time of writing there was no indication of a defence appeal to the Supreme Court of Canada, one is available because of a dissent on a point of law at the Court of Appeal. It will be interesting to see if the Supreme Court wishes to examine this issue, given that (as revealed in the decision) there seems to be some division of opinion on whether an IP address attracts a reasonable expectation of privacy.

As a new feature, from time to time the English portion of this newsletter will note the publication of books or articles that might be of interest to the CANTECH memberships. Subscribers who themselves publish relevant material are invited to send notice to the editors.

Michael Shortt, “The Writing Requirement for Canadian Copyright Assignments” (2021) 34:1 Intellectual Property Journal 1

Abstract: Transfer of copyright in Canada requires a written, signed assignment. While the idea of a writing and signature requirement may seem simple, the Canadian requirement has a complex history, and an unpredictable pattern of application by the courts. This article reviews the history of the Canadian writing requirement, which traces back to an unexpected source in 19th-century British jurisprudence. It then considers the policy objectives that have been advanced for the Canadian writing requirement, concluding that courts regularly apply the writing requirement in ways that are inconsistent with all of its most plausible purposes. Finally, the article reviews how courts have applied the writing requirement to practical litigation scenarios, including retroactive assignments, conditional assignments, and assignments via electronic writings and signatures. It concludes with a series of observations on law reform in this area, both judicial and legislative.

Special Issue (2021) 19:2 Canadian Journal of Law & Technology

This special issue of the CJLT contains a collection of articles focused on the problem of technology-facilitated gender-based violence (TFGBV). It emerged from a series of online events hosted by Osgoode Hall Law School and the University of Ottawa.

BC is the first province to specifically provide for electronic wills

On December 1, 2021, amendments to the Wills, Estates and Succession Act of British Columbia came into effect, making the province the first in Canada to provide for electronic wills. The law now specifically defines “electronic wills”, which are valid if they recorded or stored electronically, can be read by a person and are capable of being reproduced in visible form. The requirements of signatures of the testator the witnesses are satisfied by electronic signatures, the definition of which is taken from electronic commerce legislation: “‘electronic signature’ means information in electronic form that a person has created or adopted in order to sign a record and that is in, attached to or associated with the record.” It is notable that secure electronic signatures are not required.

The amendments also provide for specific rules for the revocation of an electronic will (s. 55.1) and further provide that an electronic will cannot be amended or altered once made (s. 54.1), but needs to be revoked and replaced.

While the amendments to provide certainty about the facial validity of electronic wills, it will be interesting to see how popular they become.

Alleged careless security is not enough to make a hacked company the “intruder”

The tort of intrusion upon seclusion was brought into the Canadian common law with the Ontario Court of Appeal’s decision in Jones v Tsige. That case opened a virtual floodgates for privacy class actions across Canada, many of which have been initiated after data breaches at companies potentially exposed large troves of customer information. Since then, courts hearing certification applications for such class actions have been whittling away at the application of that particular tort in cases of externally caused data breaches. Most recently, in Winder v. Marriott International, Inc., the Ontario Superior Court of Justice refused to certify a class action claim on the basis of the intrusion tort.

The suit was commenced following an extended compromise of the information systems of the Marriott chain of hotels. Over a four year period a hacker had compromised Marriott’s databases and installed malware. Once in the system, the threat actor had the ability to extract the personal information of customers. The plaintiffs alleged that after the data breach was discovered, Marriott waited two months before it took steps to mitigate the harm the affected individuals. “It is alleged that Marriott’s remedial steps were of miniscule assistance to the Class Members, who were not provided with credit monitoring and other measures to protect their identities. They were not offered compensation for the harm to their privacy rights.” (at para 3)

A range of recent cases have established that it is the “hacker” who intrudes and would be a proper defendant for intrusion upon seclusion claims, but a company whose systems are compromised has not “intruded” upon the private affairs of the affected individuals. The plaintiffs in this case, in an argument characterized as “quite clever” by Justice Perell, said that Marriott was akin to an intruder because of its reckless security.

[9]               In a quite clever argument, Mr. Winder submits that in the immediate case, Marriott obtained the Class Members’ highly confidential personal information deceptively, that is, by false premises, and he submits that this makes Marriott a reckless intruder who exposed sensitive stored personal information to the risk of harm. He submits that this conduct is reckless and objectively offensive to a reasonable person.

[10]           In a Trojan Horse analogy, (ironically apt for a data breach case), Mr. Winder’s argument is that Marriott is an intruder to the database that housed their personal information. Like the Athenians and Spartans, whose wooden horse got them inside the formidable stone walls of Troy, were intruders, Marriott allowed the hacker into its database. Mr. Winder goes on to argue that he has pleaded the material facts for the other constituent elements of the tort of intrusion on seclusion.

Justice Perell quoted from his previous overview of the tort of intrusion upon seclusion from Del Giudice v. Thompson and found the claim failed on five grounds:

[13]           First, I am not persuaded that the pleaded material facts of the immediate case are sufficient to make Marriott an intruder for the purposes of the tort of intrusion on seclusion. At most, it might be said that Marriott is a constructive intruder. However, a reading of the Court of Appeal’s decision in Jones v. Tsige reveals that both the letter and spirit of the Court’s decision and the policy reasons behind it, prescribe a narrow – do not open the floodgates of liability – ambit for the tort of intrusion on seclusion. The ambit of the tort does not extend to constructive intruders and is limited to real ones.

[14]           Second, there is no gap in the law of privacy that needs to be filled by extending the nature of intruders. The tort of intrusion  on seclusion is not needed to extend liability to defendants who obtain information by false pretenses or by breaching contractual promises or by failing to comply with statutorily imposed privacy safeguards. The law associated with negligence, breach of confidence, breach of fiduciary duty, breach of contract, and breach of statute address or could address the pleaded circumstances of the immediate case.

[15]           Third, clever as the attempt is to fashion an extension to the tort of intrusion on seclusion, the essence of the Class Members’ claims, their pith and substance so to speak, are the other causes of action with their well-established doctrinal elements. Contrary to the doctrinal and legal policy concerns emanating from the Court of Appeal’s decision in Jones v. Tighe, extending the tort of intrusion on seclusion to constructive intruders would open the “floodgates” and would ascribe liability adequately controlled by other causes of action.

[16]           Fourth, while there are advantages to a class member having a claim for the tort of intrusion because of its prospect of supporting a claim for class-wide aggregate damages, the availability of a cause of action is determined by the substantive law not by the tactical and strategic imperatives of a procedural regime or by the aspirations of the parties for negotiating leverage.

[17]           Fifth, ultimately the case at bar is indistinguishable factually, doctrinally and on legal policy grounds from Owsianik v. Equifax Canada Co., Del Giudice v. Thompson, and Obodo v. Trans Union of Canada Inc. I am bound to follow those decisions.

Thus, the intrusion claim against Marriott was struck.

Previous version caused a lot of consternation when debated in last Parliament

The new Minister of Canadian Heritage, Pablo Rodriguez, tabled Bill C-11, entitled “the Online Streaming Act” in Parliament on February 2, 2022. The purpose of the Bill is stated to be to bring the Broadcasting Act up to date by including online streaming platforms such as Netflix into broadcasting regulation. It’s predecessor, Bill C-10, died on the order paper when the 2021 election was called. That previous Bill had attracted a lot of controversy when it became apparent that it also could lead to the regulation of video and audio content on social media sites and podcasting platforms. The new Bill has a mechanism by which the CRTC can determine that certain social media content is a program subject to its regulation. Once so designated, online broadcasters and “programs” can be subject to Canadian content requirement, discoverability requirements and the platforms that carry them are subject to significant reporting obligations to the CRTC, along with financial contributions to support the generation of Canadian content.

The Bill has not yet been referred to committee.

BCCA upholds finding that local courts have jurisdiction over defamation claim against Twitter

As has been reported on, in December 2021 the British Columbia Court of Appeal ruled that a defamation action by well-known Vancouver businessperson Frank Giustra could proceed in the courts of British Columbia, dismissing an appeal of the lower court’s finding that the province had jurisdiction over the action. In the action (which is still only at the pleadings stage), Giustra has alleged that he was targeted by “group who vilified the Plaintiff for political purposes in relation to the 2016 United States election…[as] part of an orchestrated campaign to discredit the Plaintiff in part because of his charitable and philanthropic work in support of the Clinton Foundation.” He says he gave notice to Twitter and that it removed some of the offending tweets, but that it continued to publish a large number of them. The tweets, Giustra pleaded, have been published in British Columbia and around the world, and characterize him as a pedophile among other defamatory statements; and they have damaged his reputation, compromised his involvement with children’s charities, and interfered with his business dealings.

At issue in this particular matter was Twitter’s motion to strike the action, on the basis that British Columbia did not have jurisdiction simpliciter over the matter, or that the court should exercise its discretion not to hear the matter on the basis of forum non conveniens. Writing for a unanimous court, Justice Grauer framed some of the technologically-driven aspects of the case:

The question raised in that application and on this appeal, then, is not whether Twitter can properly be found liable to Mr. Giustra for defamation, or whether policy considerations should insulate it from liability.  Rather, the sole question is where Mr. Giustra should litigate his claim: British Columbia or California?  Because tweets are not geographically constrained, the question is not without complication.

[….]

It is, perhaps, worth mentioning at the outset that lurking in the corner of the room is a metaphorical elephant, one that Twitter maintains should largely be ignored, though Justice Myers disagreed: under US federal law, any action brought against Twitter for defamation in the United States is doomed to fail, and any libel judgment obtained against Twitter elsewhere will not be enforced by the courts of California or any other American jurisdiction.

Twitter conceded (“properly”) that British Columbia presumptively had jurisdiction simpliciter over the matter, as the province’s Court Jurisdiction and Proceedings Transfer Act provides for presumptive jurisdiction on the basis that there is a “real and substantial connection” to the province where “a tort is committed there:”

As the majority of the Supreme Court of Canada explained in the leading case of Haaretz.com v Goldhar, 2018 SCC 28 at para 36, the tort of defamation is committed where material has been “communicated” to at least one person other than the plaintiff, so that “the situs of Internet-based defamation is the place where the defamatory statements are read, accessed or downloaded by the third-party”.  Mr. Giustra pleaded that took place in British Columbia, as well as elsewhere.

Relying on Haaretz, Twitter argued that the presumption in favour of jurisdiction was rebutted because, given Twitter’s world-wide reach, a real and substantial connection could easily be established in any number of jurisdictions, which raised the potential for “forum shopping,” and jurisdiction was most appropriate where the greatest harm was suffered. However, the pleadings indicated that Giustra’s primary residence was in BC, where he had an established reputation and businesses incorporated, and that the tweets had been published to at least 50,000 people in the province, none of which was denied by Twitter. Therefore, a “real and substantial connection” was made out. Nor did the fact that Giustra has business interests and reputation worldwide make it unforeseeable that he would want to vindicate his reputation in British Columbia.

Twitter had argued that it could not be liable for publication, given that it was simply a platform for the communications of others, but Justice Grauer agreed with the lower court that this was a matter of the substantive law of defamation and would need to be litigated in the main case rather than at the pleadings/jurisdictional stage. There was also no merit to Twitter’s suggestion that it could not reasonably have been expected to be sued in British Columbia on the basis that when the tweets were brought to its attention, BC was not mentioned—given that a letter was sent on the letterhead of one of Giustra’s BC corporations, and was also sent to Twitter’s Toronto office. Nor had there been any need for Giustra to file actual evidence to support his injury in BC, simply because Twitter had sought to rebut the presumption of jurisdiction simpliciter.

On the issue of forum non conveniens, the Court dismissed Twitter’s argument that the motions judge had erred by not explicitly considering all of the statutory factors set out in the Act, holding that he had considered all of them in substance. Justice Grauer agreed with Twitter that, given that California law would allow it to have the action summarily dismissed, this was a relevant factor to be considered whether it was treated as a matter of applicable law or juridical advantage. Twitter pointed to the “pointlessness” of the action proceeding in British Columbia, given that it was immune from suit under American law and American courts would not enforce a foreign defamation judgment on free speech grounds. However, Justice Grauer, responded:

[137]   These arguments also do not alter the fact that, on Twitter’s analysis, comity runs as a one-way street in this matter. While courts in the United States are prohibited from respecting and enforcing any order made against Twitter in Canada, that is not so of Canadian courts in relation to any order pronounced in the United States. As the Equustek Solutions Inc v Google Inc litigation demonstrated, the courts in the United States are legislatively prohibited from respecting the different constitutional and legal approach in Canada, notwithstanding our shared values.

[138]   But that does not make proceeding in British Columbia a pointless exercise, for Mr. Giustra would at least have the opportunity to obtain a judgment vindicating his reputation (see Banro at para 45)—an opportunity denied from the outset in California.

The Court also agreed with the trial judge’s finding that there was:

…no practical difficulty arises that would make holding the trial in British Columbia unfair to Twitter by reason of inconvenience and expense, at least as balanced by the unfairness to Mr. Giustra of being required to commence proceedings in California that could not succeed. In doing so, the judge followed section 11(1)’s overarching requirement that he consider “the interests of the parties to a proceeding and the ends of justice”.

Accordingly, the forum non conveniens challenge also failed.

Draft guideline sets expectations for federally regulated financial institutions to manage technology-based risks

On November 9, 2021, the Canadian Office of the Superintendent of Financial Institutions (OSFI) launched a consultation on their draft Tech and Cyber Risk Management Guideline (B-13). This new draft guideline follows a previous consultation that sought feedback on the OSFI discussion paper Delivering financial sector resilience in a digital world.

The guidelines express OSFI’s expectations for federally regulated financial institutions across five dimensions:

1. Governance and Risk Management – Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks. 
2. Technology Operations – A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable operating processes. 
3. Cyber Security – A secure technology posture that maintains the confidentiality, integrity and availability of the federally regulated financial institution’s technology assets. 
4. Third-Party Provider Technology and Cyber Risk – Reliable and secure technology and cyber operations from third-party providers.
5. Technology Resilience – Technology services are delivered, as expected, through disruption. 

The consultation is open for comment until February. 

Summary judgment awarded to plaintiffs defamed by de-contextualized screenshot from personal video

In Lavallee et al. v. Isak, Justice M. Smith of the Ontario Superior Court of Justice presided over a summary judgment motion in a defamation case brought by the three plaintiffs against the defendant. The two adult plaintiffs were “play-fighting” with a third person and one of them took a short video of the other two, posting it to her Instagram account. One of her Instagram followers took a screenshot of a moment when the other plaintiff was facedown on the ground, her arms held behind her back by the third person who also had his knee pressed into her back. The Instagram follower circulated this screenshot, which came to the attention of the defendant. The defendant (who did not know the plaintiffs and never did see the entire video) circulated the screenshot on Twitter and Instagram, making numerous posts and re-posts denouncing the plaintiffs as racist because, in her view, they were mocking the death of George Floyd.

The posts attracted attention. Numerous people re-posted and commented on the plaintiffs’ character, racism and ability to perform their jobs. One plaintiff was fired from her job at the Canada Border Services Agency and could not obtain work with the RCMP or any other branch of the federal government. Another plaintiff, a teacher, was investigated by the Ontario College of Teachers, had a job offer rescinded from the Ottawa Catholic School Board, and lost her job at a restaurant. “The Plaintiffs’ home was vandalized, their neighbour’s car seriously damaged, and their friends and family were subjected to death threats and harassing phone calls and social media messages.” The plaintiffs brought an action in defamation against the defendant, and moved for summary judgment.

Justice Smith first examined whether the case was appropriate for summary judgment, which the defendant did not dispute. There was no issue that the defendant was the author of the social media posts and that they were about the plaintiffs, nor that the defendant had published the posts by sharing them on Instagram and Twitter. Justice Smith easily concluded that the defendant’s posts and re-posts (excerpted in detail in the decision) were defamatory in that they tended to lower the plaintiffs’ reputations in the eyes of a reasonable person. While the defendant argued that a reasonable person “would understand that the words spoken by the defendant were reflective of the context of the Screenshot of the video posted by the plaintiff,” the posts clearly stated and implied that the plaintiffs were racists, that they were mocking the death of George Floyd, and generally suggested improper conduct.

The defendant raised the defences of justification and fair comment, but the court held that neither defence was made out. The defendant had stated at discovery that she did not know the plaintiffs, never made any inquiry as to the background of the screenshot, and never actually saw the video, while nonetheless being convinced it was racist. While one of the plaintiffs had made an “apology” on social media, the judge held that understood in context, the apology was a justifiable response to the backlash she had experienced, and she had always maintained there was no racist intent or content in the video. The judge also held that the actions of the plaintiffs’ employers were evidence of no more than the employers’ opinions, and did not constitute “evidence that an alleged act of racism is true.” The plaintiffs’ own affidavits explained the entire video and its context, and proved that there was no racism contained in or implied by the video. The defence of justification was therefore not made out because the defamatory statements untrue.

As to the defence of fair comment, while the subject was one of public interest, there was no factual foundation for the defendant’s comments. Moreover, the posts were framed not as expressions of opinion, but as statements of fact. Even if they were opinion, they were not such that any person could honestly express on the proven facts, and the fact that other people agreed with the statements was not evidence that proved anything.

The judge awarded a total of $50,000 each in general damages to the plaintiffs, summarizing the findings on damages as follows:

[92] [The defendant]’s use of her social media accounts gave her tremendous power to harm Justine and Shania’s reputations. Not only were her posts viewed up to 40,000 times, but [the defendant] increased her followers from 2,000 to approximately 5,000 people in a matter of days. Justine and Shania’s losses are significant. [The defendant]’s conduct was inappropriate including vicious and relentless attacks on Justine and Shania’s reputations. [The defendant] used a powerful medium to publish her defamatory remarks, she encouraged others to assist in the termination of employment, she posted personal information, she refused to stop posting and she targeted family members.

The court declined to order aggravated or punitive damages on the basis that the defendant’s actions were not malicious but motivated by naivete, impulsivity and misguidedness. However, Justice Smith did impose a permanent injunction requiring the defendant to take down the posts and prohibiting her from posting any other defamatory statements about the plaintiffs; in light of the defendant’s “aggressive online defamatory campaign and her continued belief that Justine and Shania are racists, I find that there is a likelihood that [the defendant] may continue to publish defamatory statements about Justine and Shania, despite my findings in this decision.”

Men charged with obstruction of justice for posting recordings of court proceedings on Instagram

It was recently reported that Toronto police charged four men with obstruction of justice, failing to comply with a publication ban and intimidation of a justice system after they allegedly posted recordings of court proceedings on Instagram. A statement by the Toronto Police Department advised that two Instagram accounts had posted pictures of a witness testifying at a preliminary hearing held on Zoom, and later posted audio recordings from a related hearing.

Recent amendments relax cross-border restrictions 

In October and November, the government of British Columbia introduced and passed Bill 22, the Freedom of Information and Protection of Privacy Amendment Act, 2021 that significantly alters the public sector privacy and access law for the province. Most notably for technology law practitioners, the Bill repealed the data sovereignty limitations found in sections 30.1 and 33.1 of the Freedom of Information and Protection of Privacy Act. In their place, a replacement section 33.1 has been added:

Disclosure outside of Canada

33.1 A public body may disclose personal information outside of Canada only if the disclosure is in accordance with the regulations, if any, made by the minister responsible for this Act. 

Another amendment permits the temporary disclosure of information for machine processing outside of Canada and specific rules for metadata: 

33 (2) A public body may disclose personal information in any of the following circumstances: …

(u) if the disclosure is necessary for the processing of information and the following apply:

(i) the processing does not involve the intentional accessing of the information by an individual;

(ii) any processing done outside of Canada is temporary;

(v) if the information is metadata and the following apply:

(i) the metadata is generated by an electronic system;

(ii) the metadata describes an individual's interaction with the electronic system;

(iii) if practicable, information in individually identifiable form has been removed from the metadata or destroyed;

(iv) in the case of disclosure to a service provider, the public body has prohibited subsequent use or disclosure of information in individually identifiable form without the express authorization of the public body;

So far, there has been no indication when (or whether) the government intends to introduce regulations related to the disclosures outside of Canada as contemplated under the replacement section 33.1.