Dentons to Participate in Whistleblowing and Privacy Webinar

Whistleblowing is back in the news with the recent unveiling of the Ontario Securities Commission’s Office of the Whistleblower. Our post about the new program can be found here.

Join DataGuidance and Dentons on August 4, 2016 for an examination of Whistleblowing & Privacy in Canada and select other jurisdictions. Click here to register.

OSC Whistleblower Program Launched

 

On July 16, 2016, the Ontario Securities Commission (OSC) announced the launch of its Office of the Whistleblower. This is the first paid whistleblower program by a securities regulator in Canada. Subject to eligibility requirements, whistleblowers could receive an award of between 5% and 15% of the total sanctions imposed and/or voluntary payments made in an administrative proceeding brought as a result of information from a whistleblower. The total of the sanctions and/or voluntary payments must exceed CA$1 million. The maximum award to a whistleblower is CA$5 million.

Certain individuals may be ineligible for an award. For example, a lawyer or auditor may be ineligible if the lawyer or auditor obtained information in connection with providing legal services or an internal audit or external assurance mandate and the disclosure would violate professional obligations. Other examples of ineligible individuals include directors, officers and Chief Compliance Officers of an entity that is the subject of the whistleblower submission.

There is no requirement that whistleblowers report violations through internal compliance programs (although the OSC encourages internal reporting). Although the OSC will endeavour to keep the identity of the whistleblower confidential, including in response to an access to information request, the OSC has been careful not to guarantee confidentiality, and the OSC will require verification of identity prior to payment in order to ensure the whistleblower is not ineligible. The Ontario Securities Act (s. 121.5) prohibits reprisals by an employer against an employee.

For more information, see OSC Policy 15-601 Whistleblower Program.

Dentons is delighted to participate in a Whistleblowing & Privacy Webinar offered by DataGuidance on August 4, 2016. Click here to register.

The Connected Retail Store

In the battle for consumer engagement, brick-and-mortar retailers and shopping centres are investing in new technologies to gather data on their customers and offer new shopping centre experiences. According to the Toronto Star, retailers are finding that millennials have a different approach to luxury than previous generations. No surprise – it is a more social and experiential understanding of luxury. Retailers are not stopping with social listening. Recent articles in the National Post and on the CBC describe technologies, such as those offered by Eyeris, that retailers can use to analyze and track emotions and engagement levels using in-store cameras. Another technology, offered by Stefanka, allows for 3D body scans to assist salespersons to find apparel that will fit the customer’s body.

Dentons, with special guests from Deloitte, will be tackling the legal issues pertinent to a successful Connected Retail Store in a half-day program to be held in Toronto on April 14, 2016. Dentons and Deloitte will address:

  • Omnichannel marketing issues and trends
  • Bringing eyeballs to the screens and feet to the stores
  • Privacy issues in tracking shoppers in stores
  • Negotiating percentage rent when dealing with online sales
  • Supply chain challenges and cross-border fulfillment

Learn more at http://www.dentons.com/en/whats-different-about-dentons/connecting-you-to-talented-lawyers-around-the-globe/events/2016/april/14/the-connected-retail-store

Update on Canadian Data Breach Regulations

Innovation, Science and Economic Development Canada has issued a consultation paper asking Canadians what should be included in new data breach regulations that will be made under the Personal Information Protection and Electronic Documents Act (PIPEDA). The consultation will close on May 31, 2016. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely, therefore, that we would see breach reporting come into force in Canada before the last quarter of the year.

Why are regulations required?

Canada’s Parliament enacted the Digital Privacy Act in 2015. The Act included amendments to PIPEDA that will introduce new provisions relating to breaches of security safeguards. These provisions include mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC) and to individuals and, in some cases, third parties. The provisions also contain controversial record-keeping requirements. These new data breach provisions will not come into force until the Government passes regulations regarding the form and content of the required notices. The Government may also supplement certain provisions in the legislation by way of regulation.

What are the key data breach obligations?

Once the amendments to PIPEDA come into force, organizations will have four new obligations regarding data breaches:

  • Organizations will need to keep records of breaches of security safeguards.
  • Organizations will be required to report a breach of security safeguards to the OPC if it is reasonable to believe that the breach creates a real risk of significant harm to an individual.
  • Organizations will be required to notify affected individuals about a breach that it is reasonable to believe creates a real risk of significant harm to the individual.
  • Organizations will be obligated to notify third parties if the third party could mitigate the risk of harm to the affected individual.

A “breach of security safeguards” is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.” Clause 4.7 of Schedule 1 of PIPEDA is the principle that requires an organization to protect personal information by physical, organizational, and technological measures that are proportional to the sensitivity of the personal information.

What is the consultation about?

The consultation relates to five key issues.

  • Record keeping: The Government wants to know what records organizations should be required to keep and for how long.
  • Risk assessment: The Digital Privacy Act provides that an organization assessing whether there is a “real risk” of significant harm should consider the sensitivity of the personal information involved in the breach, the probability that it will be misused and other factors that could be prescribed by regulation. The Government wants to know whether further factors should be specified and whether the risk of harm should be presumed to be low for data that was encrypted.
  • Reports to the OPC: The Government has asked what should be included in reports to the OPC about a breach of safeguards that poses a real risk of significant harm to the individual. The Government has asked whether reports should be made through an electronic secure tool developed by the OPC.
  • Notices to Individuals: The Government is considering a number of issues relating to individual notices. What should the content of the notices be? How much detail should be required? How should notices be delivered? Do the notices need to be separate from other communications by the organization? When should organizations be able to give notice indirectly, such as through posts on the organization’s website?
  • Notices to Third Parties: The Government is mindful that third parties such as law enforcement and consumer (credit) reporting agencies have a role to play in the protection of individuals from fraud and identity theft. The Government is asking whether there are circumstances that should be enumerated where reporting to third parties should be required.

What about the Province of Alberta’s regime?

The Government acknowledged that the Alberta regime for mandatory breach reporting has been in place for several years and that lessons could be learned from that province’s approach. However, the Government does not seem to be focused on ensuring that there is a harmonized system. It is possible, therefore, that we could see different types of reports and notices being required under PIPEDA than under Alberta’s law.

Evidence and Social Media: Notes from the Canadian Twitter Trial

On Friday, January 22, 2016, the Ontario Court of Justice released reasons in R. v. Elliott, 2016 ONCJ 35. The case involved allegations that the accused engaged in criminal harassment of two women by repeatedly communicating with them over Twitter. The case is interesting in a number of respects, not least of which was the court’s struggle with how to address evidentiary challenges with social media.

A Little Background

The case stemmed from a dispute that took place over Twitter between the accused and, among others, the two complainants. The accused met one of the complainants once, but never met the other. An analysis of all of the tweets that were involved goes beyond the scope of this post. Suffice it to say that the exchanges were not always a model of civil discourse – on anyone’s part.

In order to prove criminal harassment under section 264 of the Criminal Code, the prosecution was required to establish:

  • the accused repeatedly communicated, either directly or indirectly, with the two complainants
  • the complainants were harassed
  • the accused knew the complainants were harassed or was reckless or wilfully blind as to whether they were harassed
  • the complainants feared for their safety (physical or psychological)
  • the fear was reasonable in all the circumstances

The court had no trouble concluding that most of the elements of criminal harassment were established with respect to the complainant with whom the accused had had personal contact and who the accused engaged with the most (directly and indirectly) over Twitter. However, the prosecutor was unable to prove that the harassment, however genuinely felt by the complainant, was reasonable.

The prosecution relied on the number of tweets and that the accused continued to participate in a public online discussion of various topics in which the two complainants were involved even when they asked him to stop. But the court concluded that there were no tweets that were of a violent, sexual, or irrational nature. In the absence of that type of conduct, the court appeared to think that the complainant’s participation in shaming the accused should be part of the context in which the volume of tweets should be understood. The court held: “The main premise that I find unreasonable is [the complainant’s] perception that she could tweet about topics but not be exposed to [the accused’s] tweets (however spurious and invalid) about the same topic – even if the topic was him.”

Listening in on the Public Square

The allegedly harassing tweets and the context in which the tweets occurred were, of course, central to the entire case. However, no single tweet or group of tweets was alleged to constitute the harassment. Instead, the harassment was alleged to occur because of the total volume of tweets. Since one of the complainants had blocked the accused on Twitter, some of the tweets that allegedly constituted part of the harassment involved those that were sent to others, such as the complainants’ followers, or tweets that contained hashtags that the complainants used.

One of the complainants likened Twitter to a public square. With all of the shouting in the public square, how would the prosecution select the tweets and demonstrate that they were harassing in context? Initially, the police simply searched the Twitter platform for tweets, but the number of tweets was temporally limited and this type of search would not capture erased tweets. So the police resorted to employing social media listening software, which is used by organizations to track trends and to understand how potential customers are engaging with brands and ideas. Using this social media listening software, the investigating police officer:

  • looked for the conversation between the accused and the complainants by searching for tweets in which they used each other’s Twitter handle
  • looked for tweets that contained certain hashtags that the accused or the complainants either created or followed

Importantly, because the tweets were available to anyone with a licence to use the social media listening software, the court accepted that it was unnecessary for the police to obtain a warrant to gather that evidence. Although not discussed by the court, it does not appear that a user of Twitter could make a viable argument for a reasonable expectation of privacy based on the current version of the Twitter privacy policy. The privacy policy specifically notifies users that the Twitter services “broadly and instantly disseminate your public information to a wide range of users, customers, and services” and that this information may be delivered and used by third parties to analyze the information for trends and insights.

Proof the Accused Sent the Tweets

The charges of criminal harassment did not require the prosecution to prove that the accused meant what he said in the tweets. But it was necessary to prove that the accused sent them. But the fact that they were sent by the accused was hearsay. At a minimum, it was necessary to establish a link between the accused and the handle from which the tweet allegedly originated and then to establish that the tweets were authentic in the sense of not having been altered.

The court took a common sense, although perhaps not particularly rigorous, approach to this issue. The court noted that some of the tweets attributed to the accused related to a dinner that the accused had with one of the complainants. This provided circumstantial evidence that the accused was tweeting from that handle. Since there was no evidence anyone else had access to the accused’s handle or had access to his account, and the accused did not allege the tweets had been altered, the court found it was not necessary to prove that the accused sent each tweet.

The Fragility and Completeness of Electronic Evidence

There were numerous problems with printing out the tweets obtained through social media listening software. The searches using the social media listening software did not always yield complete records of the tweets. The tweets were garbled, with punctuation being displayed as symbols. Links and attachments were not available.

To remedy the deficiencies, the prosecution created electronic files that showed the tweet as it appears in Twitter. However, using this method meant that the court was being connected to Twitter through the Internet. The court encountered striking examples of how access to the evidence could be impeded in real time during the trial. For example, at one point, the prosecution could not open a tweet because the complainant, who was testifying, had locked her account and made it private the day before she testified. The problem re-occurred when the defence counsel attempted to open the links only to discover the complainant had again blocked access to her account. A similar issue happened to the trial judge when he was attempting to review the evidence while preparing his reasons for judgment.

Ultimately the electronic evidence had to be printed in order to create a stable record of the evidence that was introduced at trial.

Selectivity in Relying on Search Results

Another problem for the prosecution was establishing the context for the tweets. If only the tweets produced by the search results had been authenticated and introduced into evidence, the prosecution would have failed to prove the context of a tweet if the court could not give meaning to the content of the tweet without resort to other tweets or the links in the tweets.

The court took a common sense, although again not particularly rigorous, approach to the evidence. The court held that if there were other tweets surrounding the tweets sent and received by the accused that provided context and were printed and available in the exhibits, he could rely upon those to give the tweets the appropriate context.

Twitter Discourse is Not a Free-for-All

Although the charges against the accused were dismissed, the court did not find that anything goes on Twitter. Clearly, messages that are threatening can be objectively harassing. It is also possible that the total volume of messages could be objectively harassing if the complainant tells the user that the volume is harassing, blocks the user and does not engage with the user further, and the user persists.

In future cases, it may be relevant for the court to consider whether the complainant sought recourse through Twitter. Twitter recently updated its Rules to address abusive behaviour. In particular, the Rules prohibit behaviour “that harasses, intimidates or uses fear to silence another user’s voice.” Twitter will consider the following factors when considering whether there is harassment: (i) whether the primary purpose of the account is to harass or send abusive messages; (ii) whether the reported behaviour is one-sided or involves threats; (iii) whether the account is being used to incite others to harass another account; and (iv) whether the account is sending harassing messages from multiple accounts. Twitter has a number of tools that it makes available to report violations.
