
Top Five Privacy Developments in Canada: A Year in Review 2024

Torkin Manes LegalPoint
 

While 2024 is nearing its end, global efforts to regulate artificial intelligence (“AI”) and privacy are only getting started. As technology continues to evolve, legislators are becoming increasingly aware of the need to reform their privacy laws. This article highlights Canada’s top five notable developments in the privacy space in 2024.

1. Privacy Commissioner of Canada v. Facebook Inc., 2024 FCA 140

In this groundbreaking decision concerning Facebook’s launch of “Graph API”, a feature enabling third-party applications operating through Facebook to receive user information, the Federal Court of Appeal (“FCA”) found that Facebook breached its privacy obligations under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).[1]

While Facebook had implemented various privacy measures upon Graph API’s launch, the adequacy of such measures was called into question in 2015, when media reports revealed that one of these third-party applications was obtaining user data beyond what it needed to function, and selling that data to an external corporation. Importantly, it was obtaining not only user data but also the data that belonged to the friends of the users. In 2021, following its investigation into these practices, the Privacy Commissioner of Canada (“Commissioner”) commenced proceedings in the Federal Court alleging that Facebook’s practice of sharing its users’ personal information with these other third-party applications was in breach of PIPEDA. The Federal Court held that the Commissioner failed to prove that Facebook did not (a) obtain meaningful consent from users and Facebook friends of users when sharing their personal information with third-party apps; and (b) adequately safeguard user information.

The FCA decided in favour of the Commissioner, finding that there were three overriding errors in the reasons of the Federal Court: (1) the Federal Court premised its conclusion largely on the absence of expert and subjective evidence; (2) the Federal Court failed to inquire into the existence or adequacy of the consent given by friends of users who downloaded third-party apps, not just the installing users themselves; and (3) it did not engage with the evidence pertaining to the content of meaningful consent under clause 4.3 and section 6.1 of PIPEDA.

The FCA’s decision reminds organizations to ensure they obtain meaningful consent from their users directly and to safeguard personal information when sharing that information with third parties, including third-party applications. One way of doing this is to develop privacy policies that are clear and concise. The FCA further emphasized the necessity for corporations to turn their minds to the “reasonable person” when obtaining such consent and safeguarding user data, which should also be considered when drafting such policies.[2] For more on this case, see our previous article here.

2. Supreme Court of Canada (“SCC”) cases: York Region District School Board v. Elementary Teachers’ Federation of Ontario, 2024 SCC 22 & R. v. Bykovets, 2024 SCC 6

The SCC was also busy with privacy-related issues this year. Two notable decisions clarified the application of section 8 of the Canadian Charter of Rights and Freedoms (“Charter”) dealing with reasonable expectation of privacy. In R. v. Bykovets,[3] the SCC extended the reasonable expectation of privacy to IP addresses. When police got hold of the IP addresses used for fraudulent online purchases from a liquor store, they obtained a production order compelling the Internet service provider to disclose the name and address of those customers. The police then executed search warrants on the basis of this information and subsequently arrested Bykovets. The trial judge held that the reasonable expectation of privacy does not attach to IP addresses and the Court of Appeal upheld this decision. However, in a narrow 5-4 decision, the SCC ordered a new trial on the basis that an IP address does, in fact, attract a reasonable expectation of privacy. It is “the key to unlocking a user’s Internet activity and, ultimately, their identity … if s. 8 is to meaningfully protect the online privacy of Canadians in today’s overwhelmingly digital world, it must protect their IP addresses.”[4]

In York Region District School Board v. Elementary Teachers’ Federation of Ontario, the right to a reasonable expectation of privacy was called into question in the work context. The private communication between two teachers, recorded on their personal, password-protected log, was read and captured by screenshots taken by their school principal. After the teachers were subsequently given written reprimands on this basis, their union grieved the discipline claiming that the search violated the teachers’ right to privacy at work. A labour arbitrator held that there was no breach of the teachers’ reasonable expectation of privacy when balanced against the school board’s interest in managing the workplace, and the reasonableness of this decision was subsequently upheld by the divisional court. On further appeal, the Court of Appeal allowed the union’s appeal and quashed the arbitrator’s decision, holding that the search was unreasonable under s. 8 of the Charter. The SCC dismissed the appeal of the Court of Appeal’s decision, confirming that Ontario public school board employees are entitled to protection under the Charter when it comes to reasonable expectation of privacy. The principal was not exempt from Charter scrutiny, since he was acting in his official capacity as an agent of the school board rather than in his personal capacity.

3. G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252

While G.D. v. South Coast British Columbia Transportation Authority is a B.C. decision, it may be instructive in other provinces. South Coast British Columbia Transportation Authority (“TransLink”), a public body, is subject to certain statutory obligations regarding the protection of private information, pursuant to B.C.’s Freedom of Information and Protection of Privacy Act (“FIPPA”). After TransLink suffered a cyberattack, a former employee of TransLink applied to certify a class action on behalf of all whose personal information was impacted as a result of the breach. The B.C. Court of Appeal held that the Chambers judge erred in concluding that the appellants’ claims based on the statutory tort of breach of privacy under B.C.’s Privacy Act, and based on negligence for breach of a common law duty of care in relation to FIPPA, were bound to fail. Instead, the B.C. Court of Appeal held that a claim based in common law negligence against the data collector is not excluded by the Privacy Act. Further, in this case, there was at least an argument that there was a common law duty of care breached under FIPPA. This opens the door for two potential claims: (1) that a data custodian who fails to adequately safeguard personal information in a data breach is liable for the statutory tort of violation of privacy, depending on the appellants’ reasonable expectation of privacy and the acts or omissions of the respondent in failing to safeguard personal information; and (2) that a duty of care may arise in such situations, and that due to the sensitivity of the information breached, loss may be compensable in some manner.[5]

Referencing the aforementioned SCC decisions that were released earlier in the year, as well as other decisions on this issue from across the provinces, the B.C. Court of Appeal clarified that the reasonable expectation of privacy is contextual and fact-dependent. It is “both subjective, based on the claimant’s own expectations, and objective, in that it must be objectively reasonable”.[6] Similarly to the aforementioned Facebook case, high importance is given to the owner of the personal information when it comes to considering adequacy of safeguards.

4. Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (“AIDA”)

There has been little development with Bill C-27 this year. Bill C-27 is currently being reviewed by the Standing Committee on Industry and Technology (“INDU”). There have been no further committee meetings since September of this year. With a pending election potentially looming, Bill C-27 may not pass at this point. It will be up to the new government to update PIPEDA, which is in dire need of retooling.

5. Quebec Law 25

Quebec’s Law 25, An Act to modernize legislative provisions as regards the protection of personal information (the “Act”),[7] became fully effective this year. The requirements set out under the Act were scheduled to come into force in three increments. The first set of these privacy requirements (which include the appointment of a privacy officer and mandatory breach reporting) came into force on September 22, 2022. The second set of the requirements came into force on September 22, 2023, and the final requirements came into force on September 22, 2024.

Article 27 of the Act, better known as the data portability right, came into force this year. The data portability right gives individuals the ability to request that an organization provide them with computerized personal information collected from them in a “structured and commonly used technological format”. It is important to note that the scope of this right does not extend to: (a) non-computerized personal information, (b) personal information collected from third parties or sources other than the individual directly; and (c) personal information concerning the individual that is created or deduced from such information concerning the individual.

As a reminder, Law 25 introduced several penal offences with fines of up to $25 million or four percent of worldwide turnover from the previous year, whichever is greater. Given the seriousness of the enforcement mechanisms, businesses must ensure compliance with the requirements brought by Law 25 (including the data portability right).

Bonus: Chatbots and PIPEDA Findings

A couple of other developments in the law are worth noting. PIPEDA Findings #2024-002 highlights unique circumstances where reporting obligations under PIPEDA are not triggered. In this case, the Office of the Privacy Commissioner (“OPC”) was tasked with determining whether a company had implemented adequate safeguards after personal information of its customers was accessible without authorization to other customers. This finding clarified that organizations must report a breach to the OPC and notify affected individuals only where there is a real risk of significant harm. The personal information involved in this incident, while potentially sensitive, was of low probability of misuse. No unknown third parties or malicious actors were involved, and such absence of malicious intent significantly reduced the probability of misuse, which lessened the risk of significant harm. Thus, the company was not required to notify the affected individuals or report the breach.[8]

Given the infiltration of AI into everyday life, we conclude this year in review with a classic chatbot case. In Moffatt v. Air Canada,[9] an Air Canada passenger was informed by Air Canada’s website chatbot that he could apply for bereavement fares retroactively. When the passenger was then informed by Air Canada employees that such information was actually false, he applied to the Civil Resolution Tribunal of British Columbia (“CRT”) claiming the difference in price between the regular and alleged bereavement fares. Perhaps the most intriguing aspect of Air Canada’s response was its suggestion that the chatbot is a separate legal entity that is responsible for its own actions. The CRT clarified that this is not the case, and that Air Canada had a duty to ensure its chatbot was accurate. The passenger successfully made out his claim of negligent misrepresentation and was entitled to damages.

For more on this case, see our previous article here.

Conclusion

In general, 2024 was an eventful year, and the world of privacy law was no exception. Privacy issues are going to continue to be a big topic in the legal field as AI continues to replace manual work in an increasingly technologically-driven world. Businesses are encouraged to reach out to Roland Hung in the Technology and Privacy & Data Management Groups at Torkin Manes with questions.

The author would like to acknowledge Torkin Manes’ Articling Student, Yasmin Thompson, for her invaluable contribution in drafting this bulletin.

[1] Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140.
[2] See Roland Hung, “Federal Court of Appeal found Facebook Breached Privacy Law” (9 October 2024) online: Torkin Manes LLP <https://www.torkin.com/insights/publication/federal-court-of-appeal-found-facebook-breached-privacy-law>
[3] R. v. Bykovets, 2024 SCC 6.
[4] Ibid at para 28.
[5] G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252.
[6] Ibid at para 66.
[7] National Assembly of Quebec, “An Act to modernize legislative provisions as regards the protection of personal information” (2021) online: <https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2021/2021C25A.PDF>
[8] Office of the Privacy Commissioner, PIPEDA Findings # 2024-002.
[9] Moffatt v. Air Canada, 2024 BCCRT 149.