In light of issues that arise under PIPEDA, how far does access to personal information go?

Canada’s federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5 [PIPEDA]), has been described as a compromise between two competing interests:

  • the privacy rights of individuals; and
  • an organization’s commercial need for personal information (Englander v. Telus Communications Inc., [2005] 2 F.C.R. 572 (C.A.) [Telus]).

The commercial focus of PIPEDA is reflected in its scope. It applies to personal information that is handled by an organization “in the course of commercial activities” or “is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business” (PIPEDA, s. 4(1)(a)). Personal information under PIPEDA means “information about an identifiable individual,” such as personal, health and financial information, with few exceptions (PIPEDA, s. 2(1)).

Given its focus on commercial activities, most of the issues that arise under PIPEDA relate to personal information collected, used or disclosed for commercial purposes, such as customer information. However, in the recent Federal Court decision of Johnson v. Bell Canada (2008), 70 C.P.R. (4th) 1 [Bell Canada], the court confronted the reality that every business has in its possession not only personal information relevant to its business but also information of an entirely personal nature, unrelated to its commercial activities, that happens to also be in its computer systems. For example, employees exchange e-mails with friends and relatives while at work. Employees have friendships within the workplace and e-mail one another about personal matters. All these e-mails are in the company’s possession, in its computer systems, in e-mail boxes, on laptops and servers, and could be retained in routine backups, either for a defined time period or indefinitely.

An individual has the right to request access to his or her personal information that is in the possession of a business subject to PIPEDA. What was less clear before the Bell Canada case was whether a person could also seek access to e-mails between co-workers about himself or herself that are of a personal nature only. For example, can a person ask a business for personal information about himself or herself because the person’s ex-spouse works there, on the expectation that the ex-spouse has been e-mailing others about their marital breakdown or their financial disputes? What are the limits?

In the Bell Canada case, the Federal Court examined this issue in the context of a request by an employee for access to e-mails about him in the possession of his employer. Although PIPEDA does not apply to all employee information, it applies to employee information in the hands of federal works, undertakings and businesses such as Bell Canada. The main issues in the case, arising from a conflict of privacy interests, could equally arise outside the realm of employee information.

The Bell Canada Case

Johnson, an employee of Bell Canada, made an access request under PIPEDA seeking “e-mails concerning me in this company … from all sources.” He later limited his request to only include e-mails from the previous two years.

In the face of Johnson’s broad request, Bell Canada focused its search on e-mails that were accessible to Johnson’s direct supervisor, limiting the search to the e-mails in the supervisor’s e-mail box. Bell Canada did not search data on its servers, backups or every hard drive in the organization, nor did it search anyone else’s e-mail.

Bell Canada sought an extension of time to fulfill Johnson’s request, and before the extended time period had elapsed, Johnson filed a complaint with the Office of the Privacy Commissioner of Canada claiming that his access request had not been fulfilled.

Initially, Bell provided Johnson with more than 500 pages of e-mails. Some e-mails were withheld on the basis that their disclosure was likely to reveal personal information about a third party or threaten the security of another, two exemptions under PIPEDA. Ultimately, those e-mails were also produced in redacted form.

With respect to the applicability of PIPEDA to personal e-mails, the commissioner referred to an earlier decision of her office (Case Summary #346) in which the vice president of a business had sent an office-wide e-mail requesting information about the complainant, who was not an employee and did not do business with that company. The complainant believed that the vice president was seeking the information for the vice president’s sister (a family law lawyer) regarding the complainant’s family issues. The vice president initially denied sending the e-mail, and ultimately the commissioner concluded that the e-mail was not sent for business reasons. The commissioner found that the vice president had a “cavalier attitude” toward the complainant’s right to privacy, even though no personal information was actually collected as a result of the e-mail.

The privacy regime under PIPEDA does not apply to people in respect of the information they collect for “personal or domestic purposes” (PIPEDA, s. 4(1)(b)). However, the commissioner noted in her findings that this exemption “is not intended to absolve an organization of responsibility for an employee who uses their position within the organization to collect, use or disclose personal information for their own purposes.” According to the commissioner, since the vice president used the company’s e-mail and computer systems in his capacity as vice president, he was not acting as an “individual” when he sent the e-mail. This decision left open the possibility that in certain circumstances personal e-mail may be subject to PIPEDA and accessible through an access request.

The commissioner concluded that Bell’s request for an extension of time was reasonable, but it ought to have given Johnson a reason for the requested extension and advised him of his right to complain about it. On the main issue – access to the e-mails – the commissioner concluded that Bell Canada had met its obligations to Johnson since, by the time of her decision, it had produced all the e-mails located as a result of its focused search. The commissioner concluded that further searches need not be conducted.

Federal Court Decision

Dissatisfied with the commissioner’s findings, Johnson applied to the Federal Court seeking an order requiring Bell Canada to provide his personal information, including all e-mail messages referring to him, as well as damages. He made three main complaints:

  1. Bell Canada had denied him access to the personal e-mails concerning him that were sent between Bell Canada employees;
  2. Bell Canada had carried out an inadequate search in response to his access request; and
  3. Bell Canada had deleted personal e-mails in breach of PIPEDA.

Before considering these issues, the court noted that PIPEDA is a “compromise between the commercial interests of business and the privacy rights of individuals,” and its interpretation should be guided by “flexibility, common sense and pragmatism,” as the Federal Court of Appeal had previously determined in Telus. The court then addressed the above issues and dismissed Johnson’s application.

1. When Are Personal E-mails Subject to PIPEDA? The court observed that there could be no issue that

e-mails sent in the course of business are accessible through PIPEDA. The issue arose only for personal e-mails. Johnson claimed he had a right of access to all e-mails on Bell Canada’s computer systems that contained information about him, whether or not the e-mails were personal. The only exceptions were those expressly provided for in PIPEDA (such as exceptions for solicitor-client privilege or threats to security). He submitted, and the court agreed, that an electronic message about or concerning him met the definition of “personal information” in section 2(1) of PIPEDA. Bell Canada argued that personal e-mails between employees were not subject to PIPEDA even if they resided on the Bell Canada computer systems and contained personal information about Johnson. They were “exchanges of a personal nature between colleagues” and not part of business operations.

The court recognized the “reality of our electronic world” and that computer systems store e-mail and other data in many locations (such as inboxes, deleted items boxes, servers, backups and various computers) for varying periods of time. The storage systems intended to capture business e-mails also incidentally capture personal e-mails and other non-business-related information (para. 31).

As stated by the court, the reality is that non-relevant information is captured by business computer systems. Likening it to a fisherman’s net, the court observed that a business’s data storage systems, which are intended to capture business e-mail, will also capture “personal e-mails, jokes, spam, family pictures and other non-business data” (para. 31).

The court noted that the section 4(2)(b) exception for information collected for personal use applies only to individuals, and not to companies or other business organizations. If exempt personal e-mails are communicated at work “it would be contrary to the purposes of the act if [the personal e-mails], once stored on the organization’s backup system, would then not also be exempt from production by the organization” (para. 32).

Since section 4(2)(b) did not apply, the court looked to section 4(1) of PIPEDA to resolve the issue. Section 4(1) provides that the privacy regime in PIPEDA applies to personal information that an organization collects, uses or discloses in the course of “commercial activities” or is about an employee of the organization and that the organization collects, uses or discloses “in connection with the operation of a federal work, undertaking or business.” The court observed that the emphasized phrases must have meaning and should be interpreted with reference to the business realities of the commercial world. The court held that only information collected because the organization has a commercial need for it is captured by PIPEDA:

Like the bycatch of the cod fisherman, personal e-mail is the bycatch of the commercially valuable information that is being handed by Bell Canada. … [T]o be information collected in connection with the operation of the business, requires that there be a business purpose for the information. There is none with respect to personal e-mails. In fact, from the viewpoint of organizations like Bell Canada, personal e-mails are refuse that take up valuable space and time. (para. 35, emphasis in original)

Johnson next claimed that even if the personal e-mails did not serve a business purpose, they were not exempt since the employees used Bell Canada’s systems to send the messages, and therefore his personal information was used only by virtue of the employees’ employment with Bell Canada. The court considered the findings of the commissioner in Case Summary #346 (discussed above) but concluded that the exemption for personal information used solely for personal purposes is not lost simply because an individual uses his or her employer’s computer equipment. He explained, “To hold otherwise would strip subsection 4(2)(b) of any meaning, as virtually any use of the employers’ computer systems would result in the loss of the subsection 4(2)(b) exemption and bring within the ambit of PIPEDA personal information that has no value or use to the organization” (para. 39). The court therefore concluded that personal e-mails were not subject to PIPEDA and not subject to disclosure in response to the request for access by Johnson.

2. Adequacy of Search

In considering whether Bell Canada’s focused search was sufficient, the court held that an organization is only required to conduct a search that could reasonably be expected to produce the personal information that would, in the ordinary course, fall under PIPEDA. Further, the court held that there was no need to assume that personal information only used for personal purposes, otherwise exempt under section 4(2)(b), may have lost its exempt status.

The court found that Bell Canada’s search of e-mail that was accessible to Johnson’s direct supervisor was sufficient, and observed that there was no evidence that other Bell Canada employees would have business e-mails related to Johnson. If Johnson claimed that there was additional information that the search did not find, the burden lay on him to make the case that the search was insufficient.

Bell Canada had also argued that Johnson was required to “focus” his broad access request. The court concluded that an organization receiving a broad request had two options open to it: (1) it could ask the requester if he or she could be more specific, in which case the requesting party had an obligation to cooperate in defining his or her request; or (2) it could conduct a reasonable search of information that it could reasonably expect to be responsive to the request, as had been done by Bell Canada (para. 46).

In the absence of evidence to the contrary, Bell Canada did not need to assume that there was any reason to search messages other than those it reasonably believed were collected, used or disclosed “in the course of its business operations.” The court concluded that Bell Canada’s approach met its obligations under PIPEDA.

3. Document Retention Obligations

Finally, Johnson argued that Bell Canada breached its obligation to retain his personal information for as long as needed to permit him to exhaust all recourses available to him under PIPEDA. The court disagreed, noting that there was no evidence of e-mails that should have been provided to him and were not, observing as follows:

It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a Herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information. (para. 51)

The court concluded that an organization cannot be expected to suspend its document retention procedures for each access request. Rather, PIPEDA requires that an organization retain the personal information that its search produced until all recourse is exhausted. Bell Canada met this standard. This result was very favorable to Bell Canada, given the focused nature of the original search.

All told, Bell Canada was found not to have violated PIPEDA and no remedies were therefore necessary. Johnson’s application was dismissed.

Implications of Decision

Most significantly, Johnson v. Bell Canada confirms that personal communications in the workplace may still remain personal, at least for the purpose of access to personal information requests under PIPEDA. However, exceptions may be made, particularly where there is a blurring of business and personal roles and responsibilities.

There are, of course, other contexts outside PIPEDA in which personal e-mails may not be treated as private in the workplace. For example, it is commonplace for businesses to have an e-mail policy that makes it clear that the company itself is entitled to access all personal e-mail that resides on its own computer systems. Employees ought to take these policies into account when using workplace computers for personal e-mail.

Although the United States has analogous practices with respect to internal company e-mail policies, it has no federal privacy legislation of broad application analogous to PIPEDA. Instead, there is a patchwork of laws arising from sectoral privacy regulation, which means that some types of information are heavily regulated, while others may escape regulation altogether. There is no general right of access to personal information, and this lack of uniformity gives rise to problems.

In certain sectors in the United States, information is obtainable on request. For example, certain credit information is obtainable under the Fair Credit Reporting Act (15 U.S.C. § 1681). In other consumer information contexts, the existence of a right of access to one’s personal information and the scope of such right can vary from state to state. For example, California has legislation that requires businesses to disclose to a customer, on request, third-party organizations to which it has given the individual’s personal information for direct marketing by the third party, such as when the business sells mailing lists (The Civil Code of the State of California, section 1798.83).

In contrast to the Canadian trend toward increased privacy protection through legislation, the United States has – through legislation such as the USA PATRIOT Act (Pub.L. 107-56, 115 Stat. 272 (2001)) – seen an increase in governmental access to personal information held by private sector organizations. Initiatives toward more privacy regulation, including more uniformity, appear to be coming, instead, from the private sector. Some companies, notably those that do business on the Internet, have joined voluntary self-regulating bodies and taken on voluntary codes of conduct regarding privacy. In October 2008, a joint initiative of members of the technology and communications sector, human rights groups and academics launched the Global Network Initiative, aimed at “protecting and advancing freedom of expression and privacy in information and communications technologies” (www.globalnetworkinitiative.org).

More recently, a group of technology industry heavyweights, including Microsoft and Hewlett-Packard, which had prepared recommendations for a federal privacy law in the United States that was to be proposed at a widely attended privacy conference, decided to instead propose self-regulation, postponing the development of comprehensive legislation to focus on the underlying issues. Peter Cullen, chief privacy strategist at Microsoft, noted, “To provide effective privacy protection, it’s going to potentially require good legislation. But more importantly, it will require good business processes and good accountability” (Alexei Alexis, “Industry Group Drops Effort to Craft Principles for Data Privacy Legislation,” Electronic Commerce and Law Report, 14 ECLR 279).

The reluctance to introduce general privacy legislation is also seen in the reactions from the US Senate Commerce Committee to presentations on online privacy issues by major technology companies. Continuing with the sectoral approach, the US Senate Commerce Committee held hearings regarding online privacy issues, including data breaches and the use of behavioral advertising (Frank Davies, “Senate wary of regulating personal data,” San Jose Mercury News, July 10, 2008). In response, the director of consumer protection at the Federal Trade Commission (FTC) offered support for industry self-regulation to meet FTC principles, saying that compared with stronger regulation, self-regulation was “more appropriate, especially because the technology is changing so swiftly.” One senator expressed the view that regulation beyond self-regulation would likely inhibit free enterprise.

Thus, the issues in Johnson v. Bell Canada are unlikely to be at the forefront of the debate in the United States, given the absence of broad rights of access to personal information in the hands of private business. In Canada, however, this decision reinforces the compromise contemplated by PIPEDA between access rights to one’s personal information and the commercial focus of the legislative regime.

This article originally appeared in the July 2009 issue of the 2009 Lexpert Guide to the Leading US/Canada Cross-Border Corporate Lawyers.