June 23, 2017

Apple Encryption Saga and Beyond: What U.S. Courts Can Learn from Canadian Caselaw

It has been said that privacy is “at risk of becoming a real human right.” The exponential increase of personal information in the hands of organizations, particularly sensitive data, creates a significant rise in the perils accompanying formerly negligible privacy incidents. At one time considered too intangible to merit even token compensation, risks of harm to privacy interests have become so ubiquitous in the past three years that they require special attention.

Legal and social changes have for their part also increased potential privacy liability for private and public entities when they promise – and fail – to guard our personal data (think Ashley Madison…). First among those changes has been the emergence of a “privacy culture” — a process bolstered by the trickle-down effect of the Julia Angwin’s investigative series titled “What They Know,” and the heightened attention that the mainstream media now attaches to privacy incidents. Second, courts in various common law jurisdictions are beginning to recognize intangible privacy harms and have been increasingly willing to certify class action lawsuits for privacy infringements that previously would have been summarily dismissed without hesitation.

Prior to 2012, it was difficult to find examples of judicially recognized losses arising from privacy breaches. Since then however, the legal environment in common law jurisdictions and in Canada in particular has changed dramatically. Claims related to privacy mishaps are now commonplace, and there has been an exponential multiplication in the number of matters involving inadvertent communication or improper disposal of personal data, portable devices, and cloud computing.

The obvious overlap between personal and professional e-mail accounts, Internet use, and quasi-ubiquitous surveillance renders the classic “reasonable expectation” standard quasi-obsolete, or at least unhelpful in articulating and enforcing privacy rights and duties. Assessing an individual’s right to privacy by reference to society’s conception of the measure of privacy that one is entitled to reasonably expect is particularly awkward when such expectations are rapidly eroding, precisely by reason of eventual social habituation to recurring intrusions. Plainly put and paradoxically: the more we are watched, the more we expect to be watched.

Cognizant of the nuance that the digital age brings to privacy harm, in A.B. v. Bragg Communications Inc. (2012), the Supreme Court of Canada allowed an adolescent to proceed anonymously with a request that an ISP release the identity of the creator of a fake Facebook account, which included various explicit and disturbing sexual references. Importantly, and with broad ramifications, the Supreme Court presumed harm based on the circumstances, recognizing intangible privacy harms and using these as a basis for allowing A.B. to proceed anonymously in her legal action.

As previously noted, a significant obstacle to recovery for privacy-related infringements more generally has been the requirement to show harm, as traditionally defined. But on the heels of A.B. v. Bragg, this is arguably no longer the case, or at least not to the same extent as the Supreme Court of Canada signaled willingness to recognize assertions of intangible damages arising from privacy violations.

Despite the apparent distinctiveness of these cases (and many others), revisited in unison they herald the emergence of a far more robust and nuanced conception of privacy. It is a conception predicated on proportionality and purposive, contextual analysis, rather than the essentially circular reasonable expectations standard. This approach significantly recognizes and then balances organizations’ (such as Apple or providers’ such as Rogers’) affirmative duty to protect clients’ delicate data with security considerations—as the Ontario Court of Justice wisely opined only last month in R. v. Rogers Communications (2016 ONSC).

This very principle of proportionality, it is posited, should in turn be harnessed with an eye towards developing a coherent normative framework for resolving future impasses the likes of the Apple/FBI privacy dispute, and others like it that are sure to follow. Accordingly, US Courts might wish to consider this “Canadian” perspective anchored in proportionality as governments worldwide struggle to fulfill their duty to protect against increasingly borderless threats, at times seeking to recruit private parties such as Apple in the thorny process. Moving beyond an ad hoc approach and towards a sound, consistent and articulate normative framework is key—even if a courtroom battle was averted this time around.

Comments

  1. John Millington says:

    “[modern life] renders the classic “reasonable expectation” standard quasi-obsolete, or at least unhelpful in articulating and enforcing privacy rights and duties. … Plainly put and paradoxically: the more we are watched, the more we expect to be watched.”

    Thank you! I get into stupid arguments with people with whom I mostly agree on goals, over the damned “reasonable expectation of privacy” thing. It’s best to just let that phrase fall into obsolesence, rather than try to redefine it as legal jargon, to mean almost the exact the *opposite* of its plain meaning. (Some people use those words to mean situations where a reasonable person would predict that they’re very likely not going to have privacy). Rather than argue about expectations, I’d rather argue about what we _want_ and policies to make that happen.

  2. philips05 says:

    fds a adsfs asfds