Are our cellphones violating solicitor-client privilege?

iphone-410311_960_720

Are cellphones violating solicitor-client privilege? Probably.

Solicitor-client privilege requires confidentiality between lawyers and their clients. But this confidentiality could be violated by our cellphones. For example, we are frequently downloading apps onto our cellphones. These apps often gain access to our camera, contacts, microphone, and location.

It is not a far stretch to see how an app on a cellphone could be used for a nefarious purpose. Even to blackmail a lawyer.

For example, a cellphone’s microphone can easily be turned on to record conversations, without the user knowing it. Similarly, a cellphone’s email can be hacked. As we are often connecting our cellphones to wireless networks that we are unfamiliar with.

The best way to preempt potential privacy breaches is for cellphones to build in privacy by design. Perhaps with building in a mechanism that alerts users when apps are proposing to gain access to sensitive information, in the moment it is happening. Rather than just a warning hidden in the fine print.

Allowing apps to bury privacy violating features in terms of use that no one wants to read, including lawyers, is ultimately a disservice to users and a potential threat to confidentiality.

(Views are my own and do NOT represent the views of any organization.)

Hopkins v Kay, Court of Appeal Decision

IMG_2027

The Ontario Court of Appeal released today (February 18) its decision from the December hearing. The appeal dealt with the jurisdiction of the Superior Court to hear “a common law claim for breach of privacy” in a hospital.

The Ontario Court of Appeal stated in its decision that “there is no merit to the suggestion that the court should decline to exercise its jurisdiction”. The Personal Health Information Protection Act (PHIPA) does not contain an effective dispute resolution procedure for privacy breaches that occur in the hospital.

Sharpe J.A., writing for the Court of Appeal, looked at the process for dispute resolution, the nature of the dispute and its relation to the legislation, and “the capacity of the scheme to afford effective redress”.

Sharpe J.A. writes at paragraph 73:

I conclude that the language of PHIPA does not imply a legislative intention to create an exhaustive code in relation to personal health information. PHIPA expressly contemplates other proceedings in relation to personal health information. PHIPA’s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. Given the nature of the elements of the common law action, I do not agree that allowing individuals to pursue common law claims conflicts with or would undermine the scheme established by PHIPA, nor am I satisfied that the review procedure established by PHIPA ensures that individuals who complain about their privacy in personal health information will have effective redress. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.

The Hopkins v Kay Court of Appeal decision is a significant case. It could open the door for further class action lawsuits against hospitals and hospital employees that breach patient privacy. People are likely to sue hospitals and hospital employees that breach privacy because they have deep pockets (hospitals and hospital employees commonly have insurance policies that respond to litigation). So, I anticipate an increase in these types of cases.

 

My notes on the hearing: https://heatherdouglaslaw.wordpress.com/2014/12/16/hopkins-v-kay-court-of-appeal-hearing/

The case can be read in its entirety here: http://canlii.ca/t/ggbt6

Hopkins v Kay: Court of Appeal Hearing

IMG_2027

(counsel Ian Matthews and Heather Douglas)

In Hopkins v Kay, the plaintiffs allege “that approximately 280 patient records of the Peterborough Regional Health Centre were intentionally and wrongfully accessed by the Hospital, Sir Sanford Fleming College and seven employees of the Hospital without the consent of the patients”.

http://www.canlii.org/en/on/onsc/doc/2014/2014onsc321/2014onsc321.html

The Court of Appeal hearing dealt mainly with the jurisdiction of the court to adjudicate on privacy claims (tort of intrusion upon seclusion) that fall within the scope of the Personal Health Information Protection Act, 2004. The Personal Health Information Protection Act does not contain an explicit clause that ousts the jurisdiction of the court.

Justice Sharpe, Justice van Rensburg, and Justice Pardu presided over the case. Justice Sharpe previously penned the tide turning decision Jones v Tsige 2012 ONCA 32, which recognized a new tort of intrusion upon seclusion.

Ian Matthews and Jonathan Lisus for the defendant employee argued that the court’s jurisdiction is not ousted but merely delayed. They asserted that it was an issue of sequencing.  http://www.counsel-toronto.com

Sharpe JA remarked:

So we have to hope that the Information Privacy Commissioner makes an order or sends the matter to the Attorney General to prosecute on a burden beyond a reasonable doubt? And, if the Attorney General agrees to prosecute, then we have to hope that the victims are awarded damages? But, now we have a common law right that did not exist when the legislation was passed.

There are three possible outcomes. Either the court determines that the Personal Health Information Protection Act is an exclusive code, the court has delayed jurisdiction, or that there is concurrent jurisdiction between the court and the Information and Privacy Commissioner.

It is unlikely that the Court of Appeal will find that the Personal Health Information Protection Act is an exclusive code. There is no explicit clause that ousts the jurisdiction of the court, and the legislation does not provide for an adequate remedy to victims.

It is also unlikely that the court will determine that individuals may only launch a lawsuit in the Superior Court after the Information and Privacy Commissioner has dealt with the matter. The judges’ questions revealed compelling concerns regarding issues of access to justice that would arise from a finding of delayed jurisdiction.