NEWS

CYBER AND PRIVACY LAW APRIL, 2023

The use of facial recognition technology (FRT) broke privacy laws at four BC Canadian Tire stores recently. Please visit the following web link: https://www.itworldcanada.com/article/use-of-facial-recognition-in-four-b-c-canadian-tire-stores-broke-privacy-law-report/537315?utm_source=DIW&utm_medium=enews&utm_campaign=DIW&scid=6a57ca8e-67bb-34bc-1f93-4e6006d444a4 

In essence, the technology went well beyond the normal CCTV-type technology usually used at stores. FRT is a much more invasive technology that takes a full facial picture of a person as they enter the store. The Canadian Tire locations did not adequately inform their customers that this technology was being used. The effect is the ability of a store to record our unique characteristics before we enter their store. The BC Privacy Commissioner noted in their report that this goes beyond their privacy laws and that Canadian Tire must stop using this technology immediately. Please see the full report at this web link: https://www.oipc.bc.ca/investigation-reports/3785

The commissioner said the following in their report:  

“Each human face is unique, and for that reason a template generated from it by an FRT system is a highly sensitive personal identifier. There are appropriate uses for FRT in certain circumstances, such as a credential to unlock your phone, where your biometric resides on your device and is within your control. But FRT systems can do much more than making simple tasks more efficient. They can now gather and compare unique facial identifiers on an expanded scale. This poses a particular challenge and danger to society when those images are inappropriately collected, used, mismanaged, or treated without due restraint and oversight.”

The report continued and said that “explicit consent” is needed when using FRT, as it is a more invasive intrusion on one’s privacy. The report also talked about whether the company was actually able to prove the effectiveness of using FRT to halt theft at its stores. This is interesting, as the development of technology is going to test the boundaries of privacy at many levels. There seems to be a pattern that where a company wants to use IT to stop theft, for example, it cannot just rest on its laurels; it must be able to demonstrate that its implementation is reaching a desired goal.

The tort of intrusion upon seclusion that arose in the Ontario decision Tsige v. Jones 2012 ONCA 32 from 2013 came up anew in the following case of the Ontario Court of Appeal: Owsianik v. Equifax Canada Co. and Equifax Inc. 2022 ONCA 813, docket: C69995. See the following CanLII link: https://www.canlii.org/en/on/onca/doc/2022/2022onca813/2022onca813.html?autocompleteStr=Owsianik%20v.%20Equifax&autocompletePos=2 The latter case involved “Database Defendants” who collected and stored the personal information of others, wherein third-party “hackers” accessed and used the information for a commercial purpose.

The court held that the “Database Defendants’ failure to meet their common law duty of care, or their contractual and statutory responsibilities to the plaintiffs to properly store the data, cannot, however, be transformed by the actions of independent third-party hackers into an invasion by the Database Defendants of the plaintiffs’ privacy.” 

A very interesting decision indeed, as the Court is clearly making a statement to the public that this new tort of intrusion upon seclusion is not going to be contorted and expanded in ways beyond its initial purpose to include actions of third-party hackers that result in a violation of one’s privacy. The Court observed: “No decision has held that the tort of intrusion upon seclusion applies to Database Defendants based on negligent or reckless storage of private information”. The following quote from the case Atlantic Lottery Corp. Inc. v. Babstock, 2020 SCC 19 was given extra importance by the Court: “If a court would not recognize a novel claim when the facts as pleaded are taken to be true, the claim is plainly doomed to fail and should be struck. In making this determination, it is not uncommon for courts to resolve complex questions of law and policy”.

The Court continued and said: “The certification of intrusion upon seclusion claims without a determination that the claim was viable in law gave a plaintiff an advantage in certification proceedings. Because damages for intrusion upon seclusion do not require proof of any actual pecuniary loss, but are instead awarded on a “symbolic” or “moral” basis, damages are well suited to an award on a class-wide basis…Consequently, the presence of an intrusion upon seclusion claim, despite the uncertainty as to its legal viability, gave plaintiffs a leg up in the certification process and, as a result, in any settlement negotiations.” The court ultimately decided that it was “plain and obvious” that the claim could not succeed and should be struck.  

The tort of intrusion upon seclusion is one of several intentional torts. As such, there is a requirement that the defendant engaged in the proscribed conduct with a specified state of mind. In Jones, the intentional act was never in question. However, in the instant case, Equifax did store the data and accessed and used the data for a commercial purpose. The Court made the following crucial finding: “Equifax failed to take steps to prevent independent hackers from conduct that clearly invaded the plaintiffs’ privacy interests in the documents stored by Equifax – Equifax did not itself interfere with those privacy interests. The wrong done by Equifax arose out of Equifax’s failure to meet its obligations to the plaintiffs to protect their privacy interests.”

The plaintiff tried to argue that Equifax was “reckless”. In answer to that argument the Court had this to say: “If the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness with respect to the consequences of some other conduct, for example the storage of the information, cannot fix the defendant with liability for invading the plaintiffs’ privacy.” And, “Intention is established if the defendant meant to intrude upon the privacy of the plaintiff or knew that it was a substantially certain consequence of the act which constitutes the intrusion.” 

It is clear from the reasoning of the Court that, in spite of developments in technology and the risk of privacy breaches, the Court is going to be loath to find a corporate entity engaged in reckless conduct unless the facts present an egregious set of circumstances.

David H. Davis of Davis Cyber Law specializes in strategic risk management, incident response, privacy & data protection, and advocacy. He can be reached by email at david@daviscyberlaw.com or by telephone at 204-956-2336. We are also on the web at www.daviscyberlaw.com