Canada Pits Constitution Against Right to Be Forgotten

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

June 9 — The right to be forgotten may never make the leap across the Atlantic from the European Union to Canada.

Our neighbors to the north are willing to talk about reputational privacy and the right to be forgotten—the concept that individuals should be able to seek removal of online links to their personal data to protect their reputation. But any attempt to significantly regulate Internet speech will run smack-dab into the brick wall established by the freedom of expression guarantee in the Canadian Charter of Rights and Freedoms, privacy professionals told Bloomberg BNA.

Canadians may not be fully in synch with the U.S. populace's general aversion to restrictions on personal liberty, but neither do they have the Europeans citizenry's willingness to accept a strong national governance approach to privacy.

The back-and-forth between privacy and free speech rights is highlighted by the Officer of the Privacy Commissioner's approach to the issue. In 2015, the privacy office named reputational privacy as on of it's top priorities. To follow up, the privacy office conducted a national consultation regarding online reputational privacy. In January, the office published a discussion paper on reputational privacy.

Privacy face off


Privacy Commissioner Daniel Therrien isn't ready to publicly discuss the consultation's results or how he will respond, as the process of reviewing submissions is still underway, agency spokesman Tobi Cohen said.

“We'll be using what we learn to inform public debate on online reputation, to better inform the Canadian Parliament on the issues and potential solutions and also to develop our own policy positions on the right to be forgotten and other forms of recourse,” Cohen said. “However, at this point we have yet to develop a position, and we also have an investigation underway that deals directly with the right to be forgotten.”

Although we may not know the outcome of the public consultation and the privacy office's ultimate response, there will sure be a battle between constitutional protections and people's right to guard against reputational harm.

The implications for companies doing business in Canada—particularly for the search engine from Google Inc.—would be significant if the country enacts a right to be forgotten statute.

Lawyers Discount Right to Be Forgotten

In May 2014, the European Court of Justice—the European Union's top court—ruled that individuals in the EU have the right to compel Google and other Internet search engines to delist results linking to websites containing personal information about them if their fundamental right to individual privacy outweighs the public's right to know (13 PVLR 857, 5/19/14).

The ruling involved the application of the right to be forgotten principle in Spain but the ruling is binding for the 28 EU countries. Some in Europe contend that the ruling should be binding on searches to all of Google's search engine websites worldwide, including .com based in the U.S., not just EU domain names , such as .fr, .de or .uk. Others have said the ruling should be the basis for expanding the right directly in other countries.

But Eloise Gratton, a privacy partner at Borden Ladner Gervais LLP in Montreal, said that she is “very negative” on the question of whether a right to be forgotten is constitutional. Establishing such a right through the Personal Information Protection and Electronic Documents Act (PIPEDA) would breach constitutional rights such as the freedom of information and expression, she said.

It is also inappropriate to give tech companies, like Google, the power to resolve reputational privacy disputes, she said. Tech companies aren't in the business of investigating complaints and wouldn't return an impartial decision, she said.

Instead, Canada should adopt Quebec's approach that empowers judges to determine if publication of information is in the public interest, Gratton said. “Courts make that call. It's not Google. It's not a private entity.”

Kelly Friedman, a privacy partner at DLA Piper in Toronto, agrees that legislation is the wrong approach and that it is “unrealistic” to think the Internet can be regulated. “It really has to be industry self-regulation,” she said.

It may be more realistic to address reputational privacy issues on an international basis, Friedman said. She bases her approach, and is heavily involved, on the International Organization for Standardization's development of an international standard. Getting governments to adopt an international standard might be easier than a legislative or regulatory approach, she said.

David Fraser, a privacy partner with McInnes Cooper in Halifax, Nova Scotia, notes that even if a government adopts an international standard, companies can run into technical issues with such requests.

For example, there are problems with the methods search engines employ to take down information, he said. There are companies that archive search data, and people can pay a fee to obtain the information.

Howard Deane, privacy spokesman of the Consumers Council of Canada, echoed that the multitude of search engines makes it impossible to fully take down information, plus there are ways to find information without using a brand-name search engine. “It may give people a false sense of security,” he said.

Different Approaches

Not all privacy attorneys have written off some meaningful online regulation, however, the approach might be tempered.

Fraser said that one approach to regulating online information may be to focus on the “particularly harmful” information, such as revenge pornography and other malicious content, rather than the run of the mill requests from the average consumer.

There may be a “eureka moment” that spotlights a fair approach to regulating online information, but it's not necessary, he said. Regulations will deal with harmful requests but companies aren't “going to be able to deal with everything that people are going to whine about,” he said.

If the issue is with an old news story that may no longer be relevant, people should “just suck it up,” he said.

It's also not possible to write a law to address reputational privacy without harming the interests of Internet providers, Fraser said. “In a lot of cases, the treatment will kill the patient,” he said.

Micheal Vonn, policy director with the British Columbia Civil Liberties Association, is unwilling to write off the right to be forgotten. It's easy to say it isn't possible because it would intrude on freedom of expression, but the Charter also aims to protect privacy, she said. Canadian courts have solidly interpreted the Charter as providing a right of privacy to Internet subscriber information, she said.

Suggestions by Canadian privacy lawyers that the Charter provides an automatic bar against the right to be forgotten are often based on the mistaken belief that it would be like eliminating a card catalog to the world's information, a bit like “burning books.” Vonn said.

“That's the nature of the balance that the Google Spain decision is trying to address,” she said (15 PVLR 450, 2/29/16). “People are constantly trying to bring up the library analogy, and it doesn't fit.”

A better analogy is forcing people to keep tattoos, Vonn said. Forcing people to keep everything they have posted online forever is equivalent to making it mandatory for them to keep tattoos they got when they were young, she said.

Existing Legal System Workable

Nicole Henderson, an associate at Blakes LLP in Toronto, said that addressing reputational privacy issues doesn't require wholesale reform of Canada's privacy laws, although tweaks may be needed to address specific challenges.

Changes might be appropriate to address problems with “shaming” and revenge pornography websites, areas where legislatures are “rightly” catching up with society, she said. And the right to be forgotten can largely be addressed through existing defamation jurisprudence, she said.

Class action risk, however, is a potentially thorny issue in addressing reputational privacy, Henderson said. Creation of a new tort of intrusion on seclusion in the Jones v. Tsige ruling in Ontario (14 PVLR 1055, 6/8/15), which involved an individual snooping into another's information, spurred a proliferation of class actions and the same could follow on creation of a right to be forgotten, she said.

None of the intrusion on seclusion class actions have reached a verdict, Henderson said. “It's not clear, at the end of the day, how many of them, if any, are going to be successful.”

Self-Inflicted Damage?

Deane said that options to address reputational privacy are limited because much of the damage to individuals is self-inflicted.

People often post on Facebook or discussion groups without thinking about the consequences, he said. Hiring managers see online sites as a great vehicle to informally collect information on the suitability of job candidates, and the damage is done, he said.

One potential solution is to adopt a self-regulation model, Deane said.

Government or industry associations may adopt rules that insure Canadian companies don't improperly access sensitive information, he said. Canadian companies shouldn't be able to “ask the Internet what you can't ask the individual,” Deane said.

Another solution would be an opt-in model, Deane said. Consumers often provide personal information online in exchange for some good or service, but rarely realize how that information may be used, he said.

By Peter Menyasz

To contact the reporter on this story: Peter Menyasz in Ottawa at

To contact the editor responsible for this story: Donald G. Aplin at

Request Bloomberg Law Privacy and Data Security