Menu
Log in
Log in


News

  • 18 Mar 2022 1:12 PM | CAN-TECH Law (Administrator)

    Alleged careless security is not enough to make a hacked company the “intruder”

    The tort of intrusion upon seclusion was brought into the Canadian common law with the Ontario Court of Appeal’s decision in Jones v Tsige. That case opened a virtual floodgates for privacy class actions across Canada, many of which have been initiated after data breaches at companies potentially exposed large troves of customer information. Since then, courts hearing certification applications for such class actions have been whittling away at the application of that particular tort in cases of externally caused data breaches. Most recently, in Winder v. Marriott International, Inc., the Ontario Superior Court of Justice refused to certify a class action claim on the basis of the intrusion tort.

    The suit was commenced following an extended compromise of the information systems of the Marriott chain of hotels. Over a four year period a hacker had compromised Marriott’s databases and installed malware. Once in the system, the threat actor had the ability to extract the personal information of customers. The plaintiffs alleged that after the data breach was discovered, Marriott waited two months before it took steps to mitigate the harm the affected individuals. “It is alleged that Marriott’s remedial steps were of miniscule assistance to the Class Members, who were not provided with credit monitoring and other measures to protect their identities. They were not offered compensation for the harm to their privacy rights.” (at para 3)

    A range of recent cases have established that it is the “hacker” who intrudes and would be a proper defendant for intrusion upon seclusion claims, but a company whose systems are compromised has not “intruded” upon the private affairs of the affected individuals. The plaintiffs in this case, in an argument characterized as “quite clever” by Justice Perell, said that Marriott was akin to an intruder because of its reckless security.

    [9]               In a quite clever argument, Mr. Winder submits that in the immediate case, Marriott obtained the Class Members’ highly confidential personal information deceptively, that is, by false premises, and he submits that this makes Marriott a reckless intruder who exposed sensitive stored personal information to the risk of harm. He submits that this conduct is reckless and objectively offensive to a reasonable person.

    [10]           In a Trojan Horse analogy, (ironically apt for a data breach case), Mr. Winder’s argument is that Marriott is an intruder to the database that housed their personal information. Like the Athenians and Spartans, whose wooden horse got them inside the formidable stone walls of Troy, were intruders, Marriott allowed the hacker into its database. Mr. Winder goes on to argue that he has pleaded the material facts for the other constituent elements of the tort of intrusion on seclusion.

    Justice Perell quoted from his previous overview of the tort of intrusion upon seclusion from Del Giudice v. Thompson and found the claim failed on five grounds:

    [13]           First, I am not persuaded that the pleaded material facts of the immediate case are sufficient to make Marriott an intruder for the purposes of the tort of intrusion on seclusion. At most, it might be said that Marriott is a constructive intruder. However, a reading of the Court of Appeal’s decision in Jones v. Tsige reveals that both the letter and spirit of the Court’s decision and the policy reasons behind it, prescribe a narrow – do not open the floodgates of liability – ambit for the tort of intrusion on seclusion. The ambit of the tort does not extend to constructive intruders and is limited to real ones.

    [14]           Second, there is no gap in the law of privacy that needs to be filled by extending the nature of intruders. The tort of intrusion  on seclusion is not needed to extend liability to defendants who obtain information by false pretenses or by breaching contractual promises or by failing to comply with statutorily imposed privacy safeguards. The law associated with negligence, breach of confidence, breach of fiduciary duty, breach of contract, and breach of statute address or could address the pleaded circumstances of the immediate case.

    [15]           Third, clever as the attempt is to fashion an extension to the tort of intrusion on seclusion, the essence of the Class Members’ claims, their pith and substance so to speak, are the other causes of action with their well-established doctrinal elements. Contrary to the doctrinal and legal policy concerns emanating from the Court of Appeal’s decision in Jones v. Tighe, extending the tort of intrusion on seclusion to constructive intruders would open the “floodgates” and would ascribe liability adequately controlled by other causes of action.

    [16]           Fourth, while there are advantages to a class member having a claim for the tort of intrusion because of its prospect of supporting a claim for class-wide aggregate damages, the availability of a cause of action is determined by the substantive law not by the tactical and strategic imperatives of a procedural regime or by the aspirations of the parties for negotiating leverage.

    [17]           Fifth, ultimately the case at bar is indistinguishable factually, doctrinally and on legal policy grounds from Owsianik v. Equifax Canada Co., Del Giudice v. Thompson, and Obodo v. Trans Union of Canada Inc. I am bound to follow those decisions.

    Thus, the intrusion claim against Marriott was struck.


  • 18 Mar 2022 1:11 PM | CAN-TECH Law (Administrator)

    Previous version caused a lot of consternation when debated in last Parliament

    The new Minister of Canadian Heritage, Pablo Rodriguez, tabled Bill C-11, entitled “the Online Streaming Act” in Parliament on February 2, 2022. The purpose of the Bill is stated to be to bring the Broadcasting Act up to date by including online streaming platforms such as Netflix into broadcasting regulation. It’s predecessor, Bill C-10, died on the order paper when the 2021 election was called. That previous Bill had attracted a lot of controversy when it became apparent that it also could lead to the regulation of video and audio content on social media sites and podcasting platforms. The new Bill has a mechanism by which the CRTC can determine that certain social media content is a program subject to its regulation. Once so designated, online broadcasters and “programs” can be subject to Canadian content requirement, discoverability requirements and the platforms that carry them are subject to significant reporting obligations to the CRTC, along with financial contributions to support the generation of Canadian content.

    The Bill has not yet been referred to committee.


  • 18 Mar 2022 1:10 PM | CAN-TECH Law (Administrator)

    BCCA upholds finding that local courts have jurisdiction over defamation claim against Twitter

    As has been reported on, in December 2021 the British Columbia Court of Appeal ruled that a defamation action by well-known Vancouver businessperson Frank Giustra could proceed in the courts of British Columbia, dismissing an appeal of the lower court’s finding that the province had jurisdiction over the action. In the action (which is still only at the pleadings stage), Giustra has alleged that he was targeted by “group who vilified the Plaintiff for political purposes in relation to the 2016 United States election…[as] part of an orchestrated campaign to discredit the Plaintiff in part because of his charitable and philanthropic work in support of the Clinton Foundation.” He says he gave notice to Twitter and that it removed some of the offending tweets, but that it continued to publish a large number of them. The tweets, Giustra pleaded, have been published in British Columbia and around the world, and characterize him as a pedophile among other defamatory statements; and they have damaged his reputation, compromised his involvement with children’s charities, and interfered with his business dealings.

    At issue in this particular matter was Twitter’s motion to strike the action, on the basis that British Columbia did not have jurisdiction simpliciter over the matter, or that the court should exercise its discretion not to hear the matter on the basis of forum non conveniens. Writing for a unanimous court, Justice Grauer framed some of the technologically-driven aspects of the case:

    The question raised in that application and on this appeal, then, is not whether Twitter can properly be found liable to Mr. Giustra for defamation, or whether policy considerations should insulate it from liability.  Rather, the sole question is where Mr. Giustra should litigate his claim: British Columbia or California?  Because tweets are not geographically constrained, the question is not without complication.

    [….]

    It is, perhaps, worth mentioning at the outset that lurking in the corner of the room is a metaphorical elephant, one that Twitter maintains should largely be ignored, though Justice Myers disagreed: under US federal law, any action brought against Twitter for defamation in the United States is doomed to fail, and any libel judgment obtained against Twitter elsewhere will not be enforced by the courts of California or any other American jurisdiction.

    Twitter conceded (“properly”) that British Columbia presumptively had jurisdiction simpliciter over the matter, as the province’s Court Jurisdiction and Proceedings Transfer Act provides for presumptive jurisdiction on the basis that there is a “real and substantial connection” to the province where “a tort is committed there:”

    As the majority of the Supreme Court of Canada explained in the leading case of Haaretz.com v Goldhar, 2018 SCC 28 at para 36, the tort of defamation is committed where material has been “communicated” to at least one person other than the plaintiff, so that “the situs of Internet-based defamation is the place where the defamatory statements are read, accessed or downloaded by the third-party”.  Mr. Giustra pleaded that took place in British Columbia, as well as elsewhere.

    Relying on Haaretz, Twitter argued that the presumption in favour of jurisdiction was rebutted because, given Twitter’s world-wide reach, a real and substantial connection could easily be established in any number of jurisdictions, which raised the potential for “forum shopping,” and jurisdiction was most appropriate where the greatest harm was suffered. However, the pleadings indicated that Giustra’s primary residence was in BC, where he had an established reputation and businesses incorporated, and that the tweets had been published to at least 50,000 people in the province, none of which was denied by Twitter. Therefore, a “real and substantial connection” was made out. Nor did the fact that Giustra has business interests and reputation worldwide make it unforeseeable that he would want to vindicate his reputation in British Columbia.

    Twitter had argued that it could not be liable for publication, given that it was simply a platform for the communications of others, but Justice Grauer agreed with the lower court that this was a matter of the substantive law of defamation and would need to be litigated in the main case rather than at the pleadings/jurisdictional stage. There was also no merit to Twitter’s suggestion that it could not reasonably have been expected to be sued in British Columbia on the basis that when the tweets were brought to its attention, BC was not mentioned—given that a letter was sent on the letterhead of one of Giustra’s BC corporations, and was also sent to Twitter’s Toronto office. Nor had there been any need for Giustra to file actual evidence to support his injury in BC, simply because Twitter had sought to rebut the presumption of jurisdiction simpliciter.

    On the issue of forum non conveniens, the Court dismissed Twitter’s argument that the motions judge had erred by not explicitly considering all of the statutory factors set out in the Act, holding that he had considered all of them in substance. Justice Grauer agreed with Twitter that, given that California law would allow it to have the action summarily dismissed, this was a relevant factor to be considered whether it was treated as a matter of applicable law or juridical advantage. Twitter pointed to the “pointlessness” of the action proceeding in British Columbia, given that it was immune from suit under American law and American courts would not enforce a foreign defamation judgment on free speech grounds. However, Justice Grauer, responded:

    [137]   These arguments also do not alter the fact that, on Twitter’s analysis, comity runs as a one-way street in this matter. While courts in the United States are prohibited from respecting and enforcing any order made against Twitter in Canada, that is not so of Canadian courts in relation to any order pronounced in the United States. As the Equustek Solutions Inc v Google Inc litigation demonstrated, the courts in the United States are legislatively prohibited from respecting the different constitutional and legal approach in Canada, notwithstanding our shared values.

    [138]   But that does not make proceeding in British Columbia a pointless exercise, for Mr. Giustra would at least have the opportunity to obtain a judgment vindicating his reputation (see Banro at para 45)—an opportunity denied from the outset in California.

    The Court also agreed with the trial judge’s finding that there was:

    …no practical difficulty arises that would make holding the trial in British Columbia unfair to Twitter by reason of inconvenience and expense, at least as balanced by the unfairness to Mr. Giustra of being required to commence proceedings in California that could not succeed. In doing so, the judge followed section 11(1)’s overarching requirement that he consider “the interests of the parties to a proceeding and the ends of justice”.

    Accordingly, the forum non conveniens challenge also failed.

  • 17 Mar 2022 2:03 PM | CAN-TECH Law (Administrator)

    Draft guideline sets expectations for federally regulated financial institutions to manage technology-based risks

    On November 9, 2021, the Canadian Office of the Superintendent of Financial Institutions (OSFI) launched a consultation on their draft Tech and Cyber Risk Management Guideline (B-13). This new draft guideline follows a previous consultation that sought feedback on the OSFI discussion paper Delivering financial sector resilience in a digital world.

    The guidelines express OSFI’s expectations for federally regulated financial institutions across five dimensions:

    1. Governance and Risk Management – Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks. 
    2. Technology Operations – A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable operating processes. 
    3. Cyber Security – A secure technology posture that maintains the confidentiality, integrity and availability of the federally regulated financial institution’s technology assets. 
    4. Third-Party Provider Technology and Cyber Risk – Reliable and secure technology and cyber operations from third-party providers.
    5. Technology Resilience – Technology services are delivered, as expected, through disruption. 

    The consultation is open for comment until February. 

  • 9 Dec 2021 2:05 PM | CAN-TECH Law (Administrator)

    Summary judgment awarded to plaintiffs defamed by de-contextualized screenshot from personal video

    In Lavallee et al. v. Isak, Justice M. Smith of the Ontario Superior Court of Justice presided over a summary judgment motion in a defamation case brought by the three plaintiffs against the defendant. The two adult plaintiffs were “play-fighting” with a third person and one of them took a short video of the other two, posting it to her Instagram account. One of her Instagram followers took a screenshot of a moment when the other plaintiff was facedown on the ground, her arms held behind her back by the third person who also had his knee pressed into her back. The Instagram follower circulated this screenshot, which came to the attention of the defendant. The defendant (who did not know the plaintiffs and never did see the entire video) circulated the screenshot on Twitter and Instagram, making numerous posts and re-posts denouncing the plaintiffs as racist because, in her view, they were mocking the death of George Floyd.

    The posts attracted attention. Numerous people re-posted and commented on the plaintiffs’ character, racism and ability to perform their jobs. One plaintiff was fired from her job at the Canada Border Services Agency and could not obtain work with the RCMP or any other branch of the federal government. Another plaintiff, a teacher, was investigated by the Ontario College of Teachers, had a job offer rescinded from the Ottawa Catholic School Board, and lost her job at a restaurant. “The Plaintiffs’ home was vandalized, their neighbour’s car seriously damaged, and their friends and family were subjected to death threats and harassing phone calls and social media messages.” The plaintiffs brought an action in defamation against the defendant, and moved for summary judgment.

    Justice Smith first examined whether the case was appropriate for summary judgment, which the defendant did not dispute. There was no issue that the defendant was the author of the social media posts and that they were about the plaintiffs, nor that the defendant had published the posts by sharing them on Instagram and Twitter. Justice Smith easily concluded that the defendant’s posts and re-posts (excerpted in detail in the decision) were defamatory in that they tended to lower the plaintiffs’ reputations in the eyes of a reasonable person. While the defendant argued that a reasonable person “would understand that the words spoken by the defendant were reflective of the context of the Screenshot of the video posted by the plaintiff,” the posts clearly stated and implied that the plaintiffs were racists, that they were mocking the death of George Floyd, and generally suggested improper conduct.

    The defendant raised the defences of justification and fair comment, but the court held that neither defence was made out. The defendant had stated at discovery that she did not know the plaintiffs, never made any inquiry as to the background of the screenshot, and never actually saw the video, while nonetheless being convinced it was racist. While one of the plaintiffs had made an “apology” on social media, the judge held that understood in context, the apology was a justifiable response to the backlash she had experienced, and she had always maintained there was no racist intent or content in the video. The judge also held that the actions of the plaintiffs’ employers were evidence of no more than the employers’ opinions, and did not constitute “evidence that an alleged act of racism is true.” The plaintiffs’ own affidavits explained the entire video and its context, and proved that there was no racism contained in or implied by the video. The defence of justification was therefore not made out because the defamatory statements untrue.

    As to the defence of fair comment, while the subject was one of public interest, there was no factual foundation for the defendant’s comments. Moreover, the posts were framed not as expressions of opinion, but as statements of fact. Even if they were opinion, they were not such that any person could honestly express on the proven facts, and the fact that other people agreed with the statements was not evidence that proved anything.

    The judge awarded a total of $50,000 each in general damages to the plaintiffs, summarizing the findings on damages as follows:

    [92] [The defendant]’s use of her social media accounts gave her tremendous power to harm Justine and Shania’s reputations. Not only were her posts viewed up to 40,000 times, but [the defendant] increased her followers from 2,000 to approximately 5,000 people in a matter of days. Justine and Shania’s losses are significant. [The defendant]’s conduct was inappropriate including vicious and relentless attacks on Justine and Shania’s reputations. [The defendant] used a powerful medium to publish her defamatory remarks, she encouraged others to assist in the termination of employment, she posted personal information, she refused to stop posting and she targeted family members.

    The court declined to order aggravated or punitive damages on the basis that the defendant’s actions were not malicious but motivated by naivete, impulsivity and misguidedness. However, Justice Smith did impose a permanent injunction requiring the defendant to take down the posts and prohibiting her from posting any other defamatory statements about the plaintiffs; in light of the defendant’s “aggressive online defamatory campaign and her continued belief that Justine and Shania are racists, I find that there is a likelihood that [the defendant] may continue to publish defamatory statements about Justine and Shania, despite my findings in this decision.”

  • 9 Dec 2021 2:04 PM | CAN-TECH Law (Administrator)

    Men charged with obstruction of justice for posting recordings of court proceedings on Instagram

    It was recently reported that Toronto police charged four men with obstruction of justice, failing to comply with a publication ban and intimidation of a justice system after they allegedly posted recordings of court proceedings on Instagram. A statement by the Toronto Police Department advised that two Instagram accounts had posted pictures of a witness testifying at a preliminary hearing held on Zoom, and later posted audio recordings from a related hearing.


  • 9 Dec 2021 2:03 PM | CAN-TECH Law (Administrator)

    Recent amendments relax cross-border restrictions 

    In October and November, the government of British Columbia introduced and passed Bill 22, the Freedom of Information and Protection of Privacy Amendment Act, 2021 that significantly alters the public sector privacy and access law for the province. Most notably for technology law practitioners, the Bill repealed the data sovereignty limitations found in sections 30.1 and 33.1 of the Freedom of Information and Protection of Privacy Act. In their place, a replacement section 33.1 has been added:

    Disclosure outside of Canada

    33.1 A public body may disclose personal information outside of Canada only if the disclosure is in accordance with the regulations, if any, made by the minister responsible for this Act. 

    Another amendment permits the temporary disclosure of information for machine processing outside of Canada and specific rules for metadata: 

    33 (2) A public body may disclose personal information in any of the following circumstances: …

    (u) if the disclosure is necessary for the processing of information and the following apply:

    (i) the processing does not involve the intentional accessing of the information by an individual;

    (ii) any processing done outside of Canada is temporary;

    (v) if the information is metadata and the following apply:

    (i) the metadata is generated by an electronic system;

    (ii) the metadata describes an individual's interaction with the electronic system;

    (iii) if practicable, information in individually identifiable form has been removed from the metadata or destroyed;

    (iv) in the case of disclosure to a service provider, the public body has prohibited subsequent use or disclosure of information in individually identifiable form without the express authorization of the public body;

    So far, there has been no indication when (or whether) the government intends to introduce regulations related to the disclosures outside of Canada as contemplated under the replacement section 33.1.

  • 9 Dec 2021 2:03 PM | CAN-TECH Law (Administrator)

    Witness obscures, conceals text messages during Zoom trial, held to have fabricated evidence

    The leap to doing hearings and even trials via online platforms such as Zoom has been a significant one, but many matters have proceeded in this way throughout Canada and generally seem to produce solid and uncontroversial results. This was not the case in a recently reported family law matters, which demonstrated some of the problems that can arise when doing “virtual” trials while at the same time showing that witness credibility issues can be dealt with nonetheless in that setting. In Oremush v. Hickey, Justice Audet of the Ontario Superior Court of Justice presided over an application by a father to vary custody conditions regarding his child, which had been imposed in a previous court decision. The three main witnesses in the trial, which proceeded on Zoom, were the father, the child’s paternal grandmother, and the mother; the trial judge held that none of them “had much credibility.”

    A week before the trial, the mother had reviewed a series of text messages between the father and mother that had been disclosed by the father, and proceeded to upload “her own version” of the text exchange. That version included a number of very damaging admissions made by the father as to the parents’ comparative parenting ability, his motivations, etc. The father vehemently denied that he had sent the damaging texts and stated that they had been fabricated by the mother. The mother in turn denied this, stating that she had taken screenshots of the texts directly and emailed them directly to her lawyer. “Therefore,” Justice Audet observed, “the authenticity of the mother’s text messages became a key issue in this trial.”

    During cross-examination of the mother by the father’s counsel she was asked to show the court the text messages. She first denied that she still had them and stated that she had deleted them some time ago, and continued to refuse to admit she still had them. Her testimony became increasingly suspect:

    [45] … When asked to show her cell phone to the camera and scroll down slowly so we could see how far the text message exchanges between her and the father went, it became obvious that the mother was keeping her finger on the screen of her phone to make sure it could not scroll down past a certain date. 

    [46] It took a lot of direction (including eventually by myself) for the mother to finally remove her finger from the screen and to stop interfering with her phone to allow everyone to see the string of messages. It became clear that she did, in fact, still have all of her text messages going back years.

    [47] The mother then became very defensive and agitated. She started to question the purpose for which she was required to do this, became belligerent with opposing counsel, and quite flustered by the process. When directed to go to a specific date in July 2020, the date at which one of the very damaging messages had purportedly been sent to her by the father, she started to give all sorts of explanation as to why it “might” not be there anymore (while searching for the particular date on her phone), including that she had also exchanged many text messages with the father using her iPad (which, conveniently, was now in the possession of her parents in Nova Scotia).

    Things went from bad to worse when the mother insisted on a break to feed her child, at which point the court granted a request that her camera be kept pointed at the phone during the entirety of the break, during which time the father’s counsel’s associate was to pick up the phone. When the trial resumed it was noted that the mother’s camera had been disconnected for 4-5 minutes during the break, and that when the phone was examined at the father’s counsel’s office, “all text messages between the parties that the phone ever contained had been entirely wiped out.” The judge held that the mother’s evidence (like that of the father and grandmother) was completely lacking credibility, in part based on the following:

    [53] From the above, I come to the following factual findings:

    • The mother’s version of the text messages exchanged between her and the father is not authentic. Those messages were fabricated by the mother or someone else at her behest;

    • The mother lied to the court when counsel was trying to get her to access the text messages on her phone. She deliberately tried to conceal the history of messages and, when she failed, she lied by saying that she could not access them before;

    • During the lunch break, the mother intentionally disconnected from the Zoom call just long enough for her to delete all the text exchanges between her and the father that her cell phone contained. I find that she (or someone for her) erased all those messages, in clear breach of my specific order.
  • 9 Nov 2021 2:38 PM | Deleted user

    2021 CAN TECH Fall Conference recordings are now AVAILABLE.

    Originally recorded on October 20 & 21, 2021.

    2021 CAN-TECH LAW Annual Conference to stay on top of the most recent and significant developments in Canadian and international technology law, gain an analysis of critical changes from over 45 leading experts from across Canada and the globe and to connect with our faculty and your peers via our interactive online experience. Get the answers you need to the latest and most critical technology law questions including:

    • The latest legal developments related to privacy, cybersecurity and artificial intelligence
    • Managing risks arising from the expanding use of digital identification technologies
    • Changes in all areas of intellectual property and the implications for technology transactions
    • Comprehending evolving legal issues related to blockchain and non-fungible tokens
    • Drafting and negotiating digital interaction agreements and risk allocation
    • Keeping up with new standard contractual clauses for transferring personal data

    VIEW AGENDA
    VIEW ACCREDITATION

    Fees:

    Full conference:

    • Member: $450 + HST
    • In-House Counsel: $350 + HST
    • Non-member: $650 + HST
    • Student: $75 + HST

    One day only (choose either Day 1 or Day 2):

    • Member: $225 + HST
    • In-House Counsel:$125 + HST
    • Non-member: $325 + HST
    • Student: $40 + HST

    SPECIAL INSTRUCTIONS:

    A link to access the webcast recording will be included in your registration confirmation. Be sure to check your spam/promotions folder.

    There are no refunds.

    Register here

  • 9 Nov 2021 2:26 PM | CAN-TECH Law (Administrator)


    November 24, 2021 12 to 1 PM ET

    Please join us for our Women Telling Stories event. Our excellent panel of female lawyers from different practice areas and levels of experience will share stories from their professional journey to provide insight on seizing opportunities and navigating challenges in the legal world. Our panel will impart their most impactful professional advice, followed by a fireside chat with questions. No doubt will you find inspiration from these amazing mentors and learn best practices for career and profile management as a legal professional; mentoring best practices; and work/life balance and wellness principles for lawyers and paralegals. 

    Agenda: 

    • Our panel of experts share their professional stories
    • Fireside chat with the questions

    Moderated by:

    • Lisa Danay Wallace, WeirFoulds LLP
    • Maya Madeiros, Norton Rose Fulbright

    Our panel of experts: 

    • Nancy Cleman - Lapointe Rosenstein Marchand Melancon 
    • Catherine Lovrics – Marks & Clerk 
    • Nadine Letson – Microsoft 

    REGISTER HERE 

  

Canadian Technology Law Association

1-189 Queen Street East

Toronto, ON M5A 1S2

contact@cantechlaw.ca

Copyright © 2024 The Canadian Technology Law Association, All rights reserved.