
Canadian Association of University Solicitors - Privacy Update 2016


CAUS Privacy Law Update


September 2016

Dan Michaluk I Partner, Toronto


Outline


• Outsourcing to the Cloud

• Liability for Data Loss and Misuse

• Two Privacy Nuggets


Outsourcing to the Cloud


Manage This!


The risk of access by the NSA pursuant to US law is the typical argument against outsourcing.

Let’s look at it.


The Context is Evolving, the Pressure Subsists


2009
• Lakehead University decision

2013
• Edward Snowden disclosure

2015
• “Seeing Through the Cloud” published
• Dalhousie University decision

2016
• Microsoft announces Canadian data centre
• Microsoft victory in the “Ireland Case”


This is Really About One NSA Program - PRISM


Upstream collection

“Bulk collection”

The PRISM program


PRISM Gathering is Targeted, There are Safeguards

• Section 702 of the FISA authorizes “targeting” of foreign nationals to acquire “foreign intelligence information”
• Directives flow following certification made to FISC
• Contemplates data (not record) collection, but NSA must certify to its targeting and minimization procedures
• NSA uses “selectors” – e-mail accounts and phone numbers
• Directives are subject to challenge by service providers


The Amount of Data Gathered Under PRISM is Small


Foreign Intelligence Surveillance Act (FISA) Orders

Reporting Period    Orders Seeking Disclosure Of Content    Accounts Impacted By Orders Seeking Content
July - Dec 2011     0 - 999                                 11,000 - 11,999
Jan - June 2012     0 - 999                                 11,000 - 11,999
July - Dec 2012     0 - 999                                 16,000 - 16,999
Jan - June 2013     0 - 999                                 15,000 - 15,999
July - Dec 2013     0 - 999                                 18,000 - 18,999
Jan - June 2014     0 - 999                                 19,000 - 19,999
July - Dec 2014     0 - 999                                 18,000 - 18,999
Jan - June 2015     0 - 499                                 15,500 - 15,999


The NSA has Access to Data Stored Here


Prism (US recipient)

Upstream collection

Tailored Access Operating Unit

HERE

Prism

Upstream collection

THERE


In the End

• The argument gives pause
• But a material difference in risk is very hard to prove
• And there are more fundamental arguments upon which to defend
  • E-mail is a tool and users have choice (see Marakah)
  • There are many, many data security risks that are associated with greater risks than brought on by PRISM
  • Risk is a fact of life and is acceptable. The only legal obligation is to address it reasonably


Liability for Data Loss and Misuse


Two Liability Scenarios

Scenario A

• Health centre employee snoops through medical records

Scenario B

• Computer with research information stolen
• Mis-mailing that identifies all students receiving accommodation

• Spyware installed on lab computers

• Student reported as potential child abuser without proper grounds


Vicarious Liability - Exposure in Scenario A claims

OPSEU v Ontario

• Citation: 2015 CanLII 19325
• Decision Maker: Arbitrator Briggs
• About: Access to co-workers “EI file”
• Issue: Is an employer vicariously liable for snooping undertaken by its employee?
• Answer: No

• Significance: To date, this is the sole final determination on the vicarious liability issue.

“Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.”


The Scenario A Exposure to Moral Damages


Nature of wrong

Impact

Relationship

Special distress

Conduct before and after


Scenario B Claims Are Tenuous But Makeable

• Without actionable damage there is no negligence claim
• Plaintiff counsel are nonetheless making viable claims

Claim                     Measure of $
Negligence                Compensable mental distress
                          Cost of remediation
Reckless privacy breach   Moral damages
Contract                  Nominal/symbolic damages
                          Compensable mental distress
Waiver of tort            Disgorgement of profits


Validation!

• You can take comfort in the typical incident response strategy. You have far more to lose from a failure to openly own the incident than you have to gain from being defensive


Two Privacy Nuggets


Expectation of Privacy In Texts

R v Marakah

• Citation: 2016 ONCA 542
• Decision Maker: Justice MacPherson
• Issue: Is there a reasonable expectation of privacy in text messages stored on a recipient’s phone?

• Answer: No

“In my view, the manner in which one elects to communicate must affect the degree of privacy protection one can reasonably expect.”


Expectation Of Privacy While Working

ATU v TTC (Twitter Policy Grievance)

• Citation: Unreported, 5 July 2016
• Decision Maker: Arbitrator Howe
• About: Nasty tweets about transit operators
• Issue: Is there a privacy-based duty to protect employees from being photographed and discussed online?
• Answer: No

• But: The duty to provide a safe and harassment-free workplace can apply.

“a TTC employee’s badge number is not private information, nor is the bus number that a TTC employee is driving or the route number on which it is being driven…”


Questions & Answers
