The digital age has brought about significant benefits in our everyday lives. We can settle disputes by searching for an answer on our smartphones; get inspiration for some interior decoration through Instagram; and who can resist a midnight McDonalds delivery with Uber Eats? The thought that the modern toothbrush was not invented until 1938, makes today look like something out of a science fiction novel and makes our day to day lives considerably easier. However, the damaging effects of technological advancements have been largely ignored until recent years. The widespread availability of technology and online platforms reveals a darker side of humanity and allows people to use technology for nefarious purposes, rather than the positive ones we would like to believe it was created for.
Twitter is a great source for recent news and social commentary; however, in 2017, a Maryland man was arrested for sending a reporter a Twitter message containing a flashing strobe-light image in an attempt to trigger the reporter’s epilepsy. Instagram is a great platform to share your experiences with friends and gain inspiration for design; however, earlier this year, a man in Perth Australia became the first individual charged under a new revenge porn legislation after posting intimate images of his ex-girlfriend on Instagram. In 2015, Canada passed a similar Bill C-13, which created the new offence of non-consensual distribution of intimate images. Facebook is a great way to stay connected with classmates and colleagues; however, earlier this year its live stream service aired the New Zealand Christchurch mosque attack. Technological advances are creating a more cohesive, well-connected, and more convenient world, but the same technology has the potential to be used to cause significant harm to others.
A question arises: who is responsible for monitoring and controlling the content that is posted and how this technology is used? Should private companies be policing what users are posting or should the government be stepping in to place a greater burden on organizations? Prime Minister Trudeau believes that Canadians should have more control over their own data and the government should be taking steps to place a greater onus on organizations to combat adverse uses of the technological advances.
On May 16, 2019, Prime Minister Trudeau spoke in Paris, France, regarding the Christchurch attach in New Zealand. He committed to creating a “digital charter” that will restore the faith of citizens while holding online platforms accountable. Trudeau said that he is looking “to working alongside internet companies, but indeed, if they do not choose to act, we will be forced to continue to act in ways that protect Canadians…”.
Prime Minister Trudeau’s commitment demonstrates the inextricable link between technology and privacy. Organizations must keep up with the slow moving government changes and shift their organizational strategies to reflect the importance placed on the way they handle users’ data. Organizations will also be called on to take on a greater societal obligation to protect citizens and their data. If organizations do not want to commit to such a standard, the government seems committed to forcing them to do so through judicial means.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims. Read more...
On December 31, 2013, the plaintiff, Kathryn Owens, had a slip and fall outside the Blue Canoe Waterfront Restaurant (the “Restaurant”), in Stevenson, BC, while walking on the boardwalk adjacent to its entrance. She shattered her right patella in the fall. The actual entrance is concrete which extends from the street. Abutting the concrete is a wooden plank ramp which leads to the boardwalk, which is also composed of wooden planks.
Subsequent to her fall, the plaintiff brought an action against a number of parties. All actions were discontinued but for the action against the Restaurant.
The trial took place in January 2019 before The Honourable Madam Justice Maisonville, whose judgment, in favour of the plaintiff, was released on May 14, 2019.
The main issue in this case was whether the defendant failed to meet the standard of care owed to the plaintiff, under the Occupiers Liability Act (“OLA”) and whether, but for that breach, the accident would not have occurred.
The Trial Evidence
The plaintiff and her husband went to the Restaurant for a light meal before going home to celebrate New Year’s Eve. They frequented the Restaurant fairly regularly but mostly during the summer months. After their meal they decided to look at the boats in the harbour. Neither were feeling the effects of alcohol when they left the Restaurant.
The couple exited the restaurant onto a concrete path walkway at the door. To get to the boardwalk, they were required to descend a wooden ramp. The plaintiff was following her husband. She looked at the ramp before stepping onto it. It appeared to be dry. After safely descending the ramp, the plaintiff stepped onto the boardwalk, took one, two, or three to four steps, then fell forward onto her right knee.
After she fell, the plaintiff noticed that the wood was wet where she was lying as her clothing on the right side was soaking wet.
The plaintiff had not seen any signs on the boardwalk and testified, at trial, that had there been a sign, she would have grabbed her husband’s arm or taken a different way down to see the boats. The plaintiff was vigorously cross-examined, at trial, on whether she had noticed that the boardwalk was wet. The plaintiff was adamant that had she seen it was wet, she would not have gone down the ramp.
There were no warning signs at the ramp leading to the boardwalk; however, there were a number of places, in other areas on the boardwalk, that had warning signs and grates on it to make it safe. In fact, on the neighbouring property was a sign that stated: ‘CAUTION. BOARDWALK MAY BE SLIPPERY DUE TO VARIABLE WEATHER.”
The witness for the defendant had never heard of any safety issues around the Restaurant. He testified that thousands of people come through the area and it was very busy in the summertime. He had never had any complaints about the surface of the ramp being slippery. He did admit that there are times, mainly during the winter, when the surface of the ramp could be slippery, mostly when there was frost (there was no frost on the date of loss). At the time of the trial, the Restaurant still had not erected any signs, applied any abrasive paints, put down sandwich board signs or metal grates on the walkway, or made any changes to address the potential slipperiness of the ramp or the boardwalk.
According to the OLA, the Restaurant was required to ensure that the plaintiff would be reasonably safe while using the boardwalk. The issue, for the court, was whether or not the Restaurant breached that duty and, if so, whether, but for the breach, the incident and damages flowing from it, would not have occurred.
As the court noted, the Restaurant was not expected to achieve “perfection” – the standard is “reasonableness”. In considering whether or not the Restaurant met this standard, four factors were considered:
Whether there was a recognizable risk of injury;
The gravity of the risk;
The ease or difficulty with which the risk could be avoided; and
The burden or cost of eliminating the risk.
In addition to establishing a breach of the standard of care, the court confirmed that the plaintiff must prove that the Restaurant “caused” the incident or “but for the defendant’s actions, the incident would not have happened.”
Breach of the Standard of Care
The court held that the Restaurant had not met the standard of care imposed by the OLA, based on the following trial evidence.
Although the plaintiff’s evidence on how she came to fall was “imprecise”, the court found that it was more likely than not that she fell on the boardwalk because it was wet. Although there were no witnesses to the fall, the court found the plaintiff’s evidence to be credible and her description of what occurred leading up to and after the fall to be reliable. The court accepted her evidence that neither the wooden planks of the boardwalk nor of the ramp appeared to be wet from a visual scan, but that she noticed the boardwalk was wet while lying on its surface after her fall.
The court also accepted that the plaintiff had looked at the boardwalk before she walked and was unaware that the wood was wet or that the planks may have been slippery.
The Restaurant argued that, regardless of whether the boardwalk was wet, its duty was not to achieve perfection and the fact that the boardwalk was wet did not constitute an unreasonable risk of harm.
The court held that the Restaurant had a positive duty to take reasonable care to make sure the boardwalk was safe to be walked on. An important factor, for the court, in determining that this duty had not been met was that other occupiers along the neighbouring boardwalks had mounted signs warning of the potential slipping hazard. This persuaded the court that the boardwalk could be slippery when wet and that this wetness would not always be visually noticeable to visitors. This fact, amounted to a recognizable risk that required some positive action on the part of the Restaurant: “a sign should have been erected at the top of the ramp to warn that it could be slippery given the variable weather conditions at the site.”
Another factor the court clearly found relevant was that the costs of reducing the risk of slipperiness would have been minimal and held that the Restaurant breached its duty under the OLA to the plaintiff in failing to take any steps to reduce or eliminate the risk posed by the boardwalk becoming slippery when wet.
The court accepted the plaintiff’s evidence that had there been a sign warning that the ramp and the boardwalk surfaces could be slippery, she would not have gone down the ramp that day and her evidence that “If there had been a sign, I either would have grabbed Rodger’s arm to go down the ramp or we would have turned and gone a different direction.”
To be successful against the Restaurant, the plaintiff also had to prove “but for” the Restaurant’s actions, the accident would not have happened. Or, put another way, the plaintiff must prove that the Restaurant’s failure to warn of the potential slipping hazard caused her fall.
The Restaurant argued that a sign would have made no difference and, therefore, the plaintiff had not proven causation. The court rejected this argument as the question to be answered is whether a sign would have changed the plaintiff’s behaviour and, thus, prevented her fall? The court accepted the plaintiff’s evidence that she had looked for such a sign and other indicators of the safety of taking the ramp, including checking for whether it was wet. As the court found the plaintiff to be a credible and reliable witness, it accepted that the presence of a sign would have dissuaded her from taking the ramp or prompted her to take additional precautions.
The breach of duty, of the Restaurant, was its failure to put up a caution sign and had such a sign been visible to the plaintiff, this accident would not have occurred.
This case is a reminder that occupiers are required to take positive steps to ensure that visitors are safe while on their premises. A few factors that likely affected the court’s finding include the presence of warning signs on other areas on the boardwalk and the cost of erecting such a sign would have been minimal. It certainly did not help the Restaurant’s case that the trial evidence was that it was known that the surface of the ramp could become slippery during the winter and that, at the time of trial, no warning sign had been erected. Lastly, even though there were no witnesses to the fall the court made it clear that the plaintiff was credible and, as a result, was able to prove her case through her evidence, alone, a reminder that credibility is always key.
In Kaplan v. Casino Rama, released May 7, 2019, Justice Belobaba dismissed the plaintiffs’ motion to certify a class action arising from the 2016 cyber-attack on Casino Rama.
In November 2016 Casino Rama’s computer system was hacked and a variety of personal information relating to the casino’s employees, customers and suppliers was stolen. The hacker made a ransom demand, which was not paid, following which the hacker posted the personal information of close to 11,000 people online.
The representative plaintiffs included employees of the Casino, members of the Casino’s loyalty program, and people who had joined OLG’s self-exclusion program.
In considering whether to certify the class action, Justice Belobaba made specific reference to the steps taken by the Casino, including notifying the authorities, notifying thousands of people potentially affected by the breach, taking steps to shut down the websites containing the stolen information and providing free credit monitoring for a year to many of the people affected. He also noted that there was no evidence that anyone had experienced fraud or identity theft or that anyone had suffered financial or psychological loss because of the attack.
In reviewing the five requirements for certification, as set out in s 5(1) of the Class Proceedings Act, Justice Belobaba concluded the class action “collapse[d] in its entirety at commonality” [5(1)(c)]. Despite this finding, Justice Belobaba also made substantive comments with respect to 5(1)(a) and (b), which are summarized below.
5(1)(a) Cause of Action
The plaintiffs asserted five causes of action: negligence, breach of contract, intrusion upon seclusion, breach of confidence and publicity given to private life.
Of note, the hacker remained unidentified and was not a party to the action. Traditionally, some of the causes of action pleaded are aimed at recovery from the party who breached the plaintiff’s privacy (i.e. the hacker). Justice Belobaba commented that this left class counsel “trying to force square (breach of privacy) pegs into round (tort and contract) holes”.
The Court found the claims for breach of confidence and publicity given to private life were doomed to fail and should be struck. It is also questioned whether intrusion upon seclusion could be sustained against the defendants on the basis of their alleged recklessness. However, considering the infancy of the tort of inclusion upon seclusion, Justice Belobaba was not prepared to find that the claim was bound to fail. He found the same with respect to the claims in negligence and breach of contract.
5(1)(b) Class Definition
The Court found the proposed class was overly broad and imprecise. Justice Belobaba made a point of agreeing with the defendants, that the class definition could not include the Casino’s unionized employees. The Court lacked jurisdiction over their complaints for the privacy breach, whether in negligence or contract, as they fell within the ambit of the collective agreement. Such matters fall within the exclusive jurisdiction of the Ontario Labour Relations Board.
5(1)(c) Common Issues
Justice Belobaba deliberated on the appropriate test under s. 5(1)(c), which for years required satisfying two inquiries: (1) whether there was some evidentiary basis that the proposed common issue actually existed; and, (2) whether there was some evidence that the proposed issue could be answered in common across the entire class. However, in the 2013 decision of the Supreme Court of Canada, ProSys Consultants Ltd v. Microsoft Corp, the first part of the test was eliminated, no longer requiring evidence that the alleged acts occurred. Justice Belobaba found himself to be bound by the SCC’s direction; however, he performed the two-step analysis, noting that an appeal was likely forthcoming.
Getting to the heart of the common issues analysis, Justice Belobaba made the following comments at paragraph 56 of the decision:
The problem here, with almost all of the PCIs [proposed common issues] is that there is no basis in fact for either the existence of the PCI or its overall commonality or both. Further, many of the PCIs require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments.
Justice Belobaba found that the proposed causes of action that could possibly proceed –negligence, breach of contract, and intrusion upon seclusion – could not serve as the basis for common issues. His conclusion hinged on a not so subtle finding that privacy breach cases are inherently individual in nature. In this case, the stolen information varied amongst the victims; ranging from mundane information (e.g. addresses) to more sensitive data (e.g. bank records). Justice Belobaba found that, whether each of the alleged causes of action could be made out, required a look at the individual circumstances of each plaintiff. For instance, the standard of care in data breach cases is a sliding scale based on the sensitivity of the stolen information. Intrusion upon seclusion also requires consideration as to whether the breach is “offensive” to the specific plaintiff. Finally, there was no evidence of any class-wide contractual terms or conditions to support a common issue in that regard.
The Court acknowledged that it should not refuse certification merely because the damages would require individual assessments. However, Justice Belobaba found that there were no common liability issues, which made the issue of damages moot.
Finding that there was a lack of commonality, the Court dismissed the motion for certification.
Lisa has an insurance law practice that has focused exclusively on insurance defence for 15 years. Her practice focuses on complex insurance-related litigation, including accident benefits and bodily injury. Read more ...
The recent decision by the Court of Appeal in clarifies the developing concept of individuals’ privacy rights. The appellant was in a long distance romantic relationship with the complainant. During...
The recent decision by the Court of Appeal in clarifies the developing concept of individuals’ privacy rights. The appellant was in a long distance romantic relationship with the complainant. During their relationship, the parties engaged in an intimate webcam video chat where both were naked. The appellant, unbeknownst to the complainant, took still photographs of her. After the relationship ended, the appellant emailed the nude photos to many people. At trial, he was convicted of voyeurism and he appealed this conviction.
On appeal, the Court noted that there were five elements that must be satisfied under the charge of voyeurism – (1) the accused observed or recorded the subject; (2) the accused’s observation or recording was done surreptitiously; (3) the subject was in circumstances that gave rise to a reasonable expectation of privacy; (4) the subject was nude or exposing sexual parts of her body or engaged in sexual activity; and, (5) the observation or recording of the subject was done for the purpose of recording them in such a state. The issues on appeal was whether the complainant had a reasonable expectation of privacy in the circumstances and whether the appellant acted surreptitiously.
With respect with the complainant’s subjective expectation of privacy, the Court explained that she expected that the appellant would see a fleeting image of her on her computer screen in real time. She did not know and did not expect that the appellant would make any permanent recording of her naked body. The trial judge accepted the complainant’s evidence that at no point during their relationship did the appellant advise that he was capturing permanent still images.
The Court explained that the next question was whether the complainant’s subjective expectation was reasonable in the circumstances. This question should be considered in light of the norms of conduct in our society. The Court noted that there were two norms that were particularly relevant. First, an individual’s privacy expectation for some body parts are reasonably higher than for others. The exposure of intimate body parts in the privacy of the bedroom attracted a high expectation of privacy. Second, there was a distinction between mere observation and recording a permanent image.
The Court of Appeal was satisfied that the complainant was entitled to reasonably expect the appellant would not record their sexual activities in “virtual space” without her consent. The complainant had a reasonable expectation of privacy.
The final issue was whether the recording was done “surreptitiously.” The Court noted that there was little judicial consideration of the term. The Court found that the term, within the context of a voyeurism offence, must be given its ordinary meaning - including intent. Specifically, the Court held that the mental state required by the term was the intent that the subject not be aware that she was being observed or recorded. To prosecute the charge, the Crown may prove the accused acted surreptitiously by proving that he observed or recorded the subject with the intention that they be unaware that it was happening.
The conviction was upheld.
Although the result is seemingly apparent, the legal system has not developed to a point where privacy rights are innately preserved. This decision, along with the Supreme Court of Canada’s R. v. Jarvis, illustrate the importance and societal shift toward our expectation of privacy in both the public and private sphere. In the criminal context, Courts are agreeing to punish individuals who invade another’s privacy – civil courts are likely to follow.
After implementing stricter privacy laws in 2018, Canada has joined a number of countries with a shifting mentality regarding privacy rights. Individuals are becoming more aware of the information they...
After implementing stricter privacy laws in 2018, Canada has joined a number of countries with a shifting mentality regarding privacy rights. Individuals are becoming more aware of the information they are disclosing. Users of applications and services are becoming more cognizant of what data they are providing to organizations and more curious about how that information is being used. For the first time, people are paying close attention to what businesses are using their information for and expect that businesses will be transparent in their privacy policies.
Last week, the Office of the Privacy Commissioner of Canada released a report after conducting a lengthy investigation into Facebook. In sum, the report found that Facebook contravened Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians. The release noted that Facebook’s privacy framework was “empty” and their “vague terms were so elastic that they were not meaningful for privacy protection”. Part of the investigation revealed that an app called “This is Your Digital Life”, which was used by around 300,000 Facebook users around the world, potentially disclosed the personal information of approximately 87 million users, 600,000 of which were Canadian. The report revealed that Federal and British Columbia privacy laws were violated including unauthorized access (which included superficial and ineffective safeguards), lack of meaningful consent, no proper oversight over privacy practices, and an overall lack of responsibility for personal information.
More shocking than the findings was Facebook’s response to the reports and the recommendations contained therein. Facebook denied that they contravened privacy legislation and rejected the findings and recommendations. This response fueled the claim that Facebook lacks responsibility, especially considering that a 2009 Investigative Report, which largely revealed similar issues, proposed mechanisms to mitigate risk of unauthorized access and use of Canadians’ personal information – recommendations that were seemingly ignored by the organization. Interestingly, a March 2019 Edison Research Infinite Dial Report revealed that Facebook lost around 15 million active users since 2017 (6% of its active users).1 This may be in part as a result of the negative publicity the company has been receiving due to its handling of users’ personal information (the Cambridge Analytica Scandal for example).
One issue that Facebook’s reception of the report revealed was that the amendments in PIPEDA appear to lacks teeth. For instance, PIPEDA does not make a Privacy Commissioner’s recommendations mandatory, nor does the legislation grant a Commissioner the power to issue an order. This, however, does not stop the Office of the Privacy Commissioner of Canada from bringing an application to the Federal Court to compel Facebook to correct its privacy practices. This process, however, will likely be lengthy and it is currently unclear whether any Commissioner will take this step.
What information is needed for the organization to provide the service they are undertaking?
Who has access to that data?
How is that data handled (shared and used)?
How and how often is the data destroyed?
It is without doubt that the Privacy Commissioners throughout Canada will be lobbying to make PIPEDA more aggressive including providing executive power to the entities tasked with protecting the privacy rights of Canadians. Until that time comes, users will make their voices heard by giving their business to organizations that are more conscious about data use. In order to achieve greater success in this realm, organizations must be more transparent in their privacy policies and take a more conscious approach to data use than they have in the past.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims. Read more...