Karen Eltis is professor in the University of Ottawa law faculty.
It has been said that privacy is at risk of becoming a real human right. The exponential increase of personal information in the hands of organizations, particularly sensitive data, creates a significant rise in the perils accompanying formerly negligible privacy incidents. At one time considered too intangible to merit even token compensation, risks of harm to privacy interests have become so ubiquitous in the past three years that they require special attention.
Legal and social changes have for their part also increased potential privacy liability for private and public entities when they promise – and fail – to guard our personal data. (Think Ashley Madison.) First among those changes has been the emergence of a "privacy culture" – a process bolstered by the trickle-down effect of journalist Julia Angwin's investigative series What They Know and the heightened attention that the mainstream media now attaches to privacy incidents. Second, courts in various common-law jurisdictions are beginning to recognize intangible privacy harms and have been increasingly willing to certify class-action lawsuits for privacy infringements that previously would have been summarily dismissed without hesitation.
Before 2012, it was difficult to find examples of judicially recognized losses arising from privacy breaches. Since then, however, the legal environment in common-law jurisdictions, and particularly Canada, has changed dramatically. Claims related to privacy mishaps are now commonplace, and there has been an exponential multiplication in the number of matters involving inadvertent communication or improper disposal of personal data, portable devices and cloud computing.
The obvious overlap between personal and professional e-mail accounts, Internet use and quasi-ubiquitous surveillance renders the classic "reasonable expectation" standard nearly obsolete, or at least unhelpful in articulating and enforcing privacy rights and duties. Assessing an individual's right to privacy by reference to society's conception of the measure of privacy that one is entitled to reasonably expect is particularly awkward when such expectations are rapidly eroding, precisely by reason of eventual social habituation to recurring intrusions. Plainly put and paradoxically: The more we are watched, the more we expect to be watched.
Cognizant of the nuance that the digital age brings to privacy harm, in A.B. v. Bragg Communications Inc. (2012), the Supreme Court of Canada allowed an adolescent to proceed anonymously with a request that an Internet service provider release the identity of the creator of a fake Facebook account that included various explicit and disturbing sexual references. Importantly, and with broad ramifications, the Supreme Court presumed harm based on the circumstances, recognizing intangible privacy harms and using these as a basis for allowing A.B. to proceed anonymously in her legal action.
As previously noted, a significant obstacle to recovery for privacy-related infringements more generally has been the requirement to show harm, as traditionally defined. But on the heels of A.B. v. Bragg, this is arguably no longer the case, or at least not to the same extent as the Supreme Court of Canada signalled willingness to recognize assertions of intangible damages arising from privacy violations.
Despite the apparent distinctiveness of these cases (and many others), when revisited in unison, they herald the emergence of a far more robust and nuanced conception of privacy. It is a conception predicated on proportionality and purposive, contextual analysis, rather than the essentially circular reasonable-expectations standard. This approach significantly recognizes and then balances companies' affirmative duty to protect clients' delicate data with security considerations, as the Ontario Superior Court wisely opined just last month in R. v. Rogers Communications.
This very principle of proportionality, it is posited, should in turn be harnessed with an eye toward developing a coherent normative framework for resolving future impasses, such as the Apple-Federal Bureau of Investigation privacy dispute and others like it that are sure to follow. Accordingly, U.S. courts might wish to consider this "Canadian" perspective anchored in proportionality as governments worldwide struggle to fulfill their duty to protect against increasingly borderless threats, at times seeking to recruit private parties in the thorny process. Moving beyond an ad hoc approach and toward a sound, consistent and articulate normative framework is key – even if a Apple courtroom battle was averted this time around.