On March 5, 2013 the California District Court[1] dismissed a proposed class action against LinkedIn arising from hackers infiltrating LinkedIn’s computer system. In June 2012 hackers infiltrated LinkedIn’s computer system and posted approximately 6.5 million user passwords on the Internet. Following the breach, LinkedIn increased the security of its password encryption method from a “hashed” format, in which the passwords were converted into an unreadable encrypted format, by adding the additional step of “salting”, in which random values were added to the passwords before they were “hashed”. A class action was filed in November 2012 on behalf of LinkedIn’s Premium Account holders, on the grounds that they had paid a fee for LinkedIn services which included a promise by LinkedIn that their information would be…
Keep reading
In July of 2012 I wrote an entry for this blog discussing Canada’s pending anti-spam legislation. On January 5, 2013 Industry Canada released a revised set of proposed regulations to the legislation, titled the Electronic Commerce Protection Regulations. There is a 30 day period for any comments to be submitted to Industry Canada. Some of the proposed provisions are a restatement from prior drafts of the regulations, but Industry Canada has responded to previous submissions by expanding and clarifying some of the exemptions to the broadly-stated message prohibitions in the anti-spam legislation. Of particular note are the following items. PERSONAL RELATIONSHIP Consent will not be required to send a message if the parties have a “family relationship” or “personal relationship”. The proposed regulations define…
Keep reading
The Supreme Court of Canada has now released its decision in the case of R v. Cole, affirming that an employee in a workplace has a reasonable expectation of privacy about personal information contained on workplace computers. This expectation can be maintained even in the face of workplace policies and procedures, and despite the fact that the employer owns all relevant equipment and systems. The decision will have a wide-reaching effect on employment law and privacy law. One of the specific issues on appeal in this case was whether the conduct of the police in searching and seizing the workplace computer containing the personal information without a warrant was a breach the employee’s rights under section 8 of the Charter. The Court found…
Keep reading
The lay person’s definition of “spam” likely contemplates advertisements for questionable drug enhancement products and solicitation from individuals set to receive a substantial inheritance; however, Canada’s anti-spam legislation tackles more than just these quintessential stereotypes. The law takes the approach of forbidding almost all commercial electronic messages (“CEM”s) and then setting out only selected exemptions. This article will survey the current state of the various prohibitions and exemptions, and potential effects on organizations which use CEMs. What is commonly referred to as Canada’s Anti-Spam Law (the “CASL”) was passed in 2010, but it is not expected to come into force until sometime in 2013. The new legislation, fully entitled “An Act to promote the efficiency and adaptability of the Canadian…
Keep reading
The British Columbia Court of Appeal in B.C. (Ministry of Children and Family Development) v. Harrison has confirmed a broad interpretation of the obligation on a public body under the Freedom of Information and Protection of Privacy Act (“FIPPA“) to make every reasonable effort to ensure the accuracy of personal information used in decisions that directly affect an individual. Although this decision was made under section 28 of FIPPA, it has implications for the obligations of private sector organizations under the comparable section in the Personal Information Protection Act (“PIPA“). As the Court noted, this decision was part of long and protracted litigation between Mr. Harrison and the Ministry of Children and Family Development related to Mr. Harrison’s termination from his employment with…
Keep reading
The British Columbia Information and Privacy Commissioner has recently published a number of new or updated resources for private sector organizations. These materials are publicly available on the Commissioner’s website and provide a useful education tool (or refresher) for chief privacy officers of organizations who need to address compliance with British Columbia’s Personal Information Protection Act. The principle guideline is the fourth edition of A Guide to B.C.’s Personal Information Protection Act, which provides a general overview of the legislation and the requirements imposed on organizations. Also released is Privacy Breaches: Tools and Resources, which draws together a number of helpful detailed documents in this area, including an assessment tool and a checklist. The Commissioner’s office also collaborated with other privacy…
Keep reading
Who controls the personal email of public body employees on the public body’s email system? Under public sector information and privacy legislation all records, including email, that are in the custody of or under the control of the public body are subject to provisions granting access rights to the public. This issue has been highlighted by a series of orders from provincial Information and Privacy Commissioners considering the status of email files of faculty members at Canadian universities who were involved in grant approval decisions of the Social Sciences and Humanities Research Council (SSHRC). Most recently, the Alberta Court of Queens Bench over-turned a decision of an adjudicator delegated by the Alberta Commissioner who had found that the email communications between a faculty member…
Keep reading
The B.C. Supreme Court’s recent reasons in School District No. 49 (Central Coast) v British Columbia (Information and Privacy Commissioner), confirms the Commissioner’s jurisdiction to decide questions of solicitor-client privilege over information in public body records. However, the Court also concluded that the Commissioner incorrectly decided that information about legal accounts paid by the School District in a particular case was not protected by solicitor-client privilege and the Commissioner’s order was set aside. The School District, relying on the 2008 decision of the Supreme Court of Canada in Canada (Privacy Commissioner) v Blood Tribe Department of Health, argued that FIPPA did not clearly grant the Commissioner jurisdiction to adjudicate issues of solicitor-client privilege. In Blood Tribe, the Supreme Court of Canada confirmed the importance of solicitor-client…
Keep reading