canadian association of university solicitors - privacy update 2016
TRANSCRIPT
CAUS Privacy Law Update
September 2016
Dan Michaluk | Partner, Toronto
Outline
• Outsourcing to the Cloud
• Liability for Data Loss and Misuse
• Two Privacy Nuggets
Outsourcing to the Cloud
Manage This!
The risk of access by the NSA pursuant to US law is the typical argument against outsourcing.
Let’s look at it.
The Context is Evolving, the Pressure Subsists
• 2009: Lakehead University decision
• 2013: Edward Snowden disclosure
• 2015: “Seeing Through the Cloud” published; Dalhousie University decision
• 2016: Microsoft announces Canadian data centre; Microsoft victory in the “Ireland Case”
This is Really About One NSA Program - PRISM
[Diagram labels: Upstream collection; “Bulk collection”; The PRISM program]
PRISM Gathering is Targeted, There are Safeguards
• Section 702 of the FISA authorizes “targeting” of foreign nationals to acquire “foreign intelligence information”
• Directives flow following certification made to FISC
• Contemplates data (not record) collection, but NSA must certify to its targeting and minimization procedures
• NSA uses “selectors” – e-mail accounts and phone numbers
• Directives are subject to challenge by service providers
The Amount of Data Gathered Under PRISM is Small
Foreign Intelligence Surveillance Act (FISA) Orders
Reporting Period | Orders Seeking Disclosure of Content | Accounts Impacted by Orders Seeking Content
July - Dec 2011 | 0 - 999 | 11,000 - 11,999
Jan - June 2012 | 0 - 999 | 11,000 - 11,999
July - Dec 2012 | 0 - 999 | 16,000 - 16,999
Jan - June 2013 | 0 - 999 | 15,000 - 15,999
July - Dec 2013 | 0 - 999 | 18,000 - 18,999
Jan - June 2014 | 0 - 999 | 19,000 - 19,999
July - Dec 2014 | 0 - 999 | 18,000 - 18,999
Jan - June 2015 | 0 - 499 | 15,500 - 15,999
The NSA has Access to Data Stored Here
[Diagram labels: HERE – Prism (US recipient), Upstream collection, Tailored Access Operating Unit; THERE – Prism, Upstream collection]
In the End
• The argument gives pause
• But a material difference in risk is very hard to prove
• And there are more fundamental arguments upon which to defend
• E-mail is a tool and users have choice (see Marakah)
• There are many, many data security risks that carry greater risk than PRISM does
• Risk is a fact of life and is acceptable. The only legal obligation is to address it reasonably
Liability for Data Loss and Misuse
Two Liability Scenarios
Scenario A
• Health centre employee snoops through medical records
Scenario B
• Computer with research information stolen
• Mis-mailing that identifies all students receiving accommodation
• Spyware installed on lab computers
• Student reported as potential child abuser without proper grounds
Vicarious Liability - Exposure in Scenario A claims
OPSEU v Ontario
• Citation: 2015 CanLII 19325
• Decision Maker: Arbitrator Briggs
• About: Access to a co-worker’s “EI file”
• Issue: Is an employer vicariously liable for snooping undertaken by its employee?
• Answer: No
• Significance: To date, this is the sole final determination on the vicarious liability issue.
“Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.”
The Scenario A Exposure to Moral Damages
Factors:
• Nature of wrong
• Impact
• Relationship
• Special distress
• Conduct before and after
Scenario B Claims Are Tenuous But Makeable
• Without actionable damage there is no negligence claim
• Plaintiff counsel are nonetheless making viable claims
Claim | Measure of $
Negligence | Compensable mental distress; Cost of remediation
Reckless privacy breach | Moral damages
Contract | Nominal/symbolic damages; Compensable mental distress
Waiver of tort | Disgorgement of profits
Validation!
• You can take comfort in the typical incident response strategy. You have far more to lose from a failure to openly own the incident than you have to gain from being defensive
Two Privacy Nuggets
Expectation of Privacy in Texts
R v Marakah
• Citation: 2016 ONCA 542
• Decision Maker: Justice McPherson
• Issue: Is there a reasonable expectation of privacy in text messages stored on a recipient’s phone?
• Answer: No
“In my view, the manner in which one elects to communicate must affect the degree of privacy protection one can reasonably expect.”
Expectation of Privacy While Working
ATU v TTC (Twitter Policy Grievance)
• Citation: Unreported, 5 July 2016
• Decision Maker: Arbitrator Howe
• About: Nasty tweets about transit operators
• Issue: Is there a privacy-based duty to protect employees from being photographed and discussed online?
• Answer: No
• But: The duty to provide a safe and harassment-free workplace can apply.
“a TTC employee’s badge number is not private information, nor is the bus number that a TTC employee is driving or the route number on which it is being driven…”
Questions & Answers