M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on October 27, 2021.
On October 12, 2021, the County Court at Oxford (the Court) released its decision in Fairhurst v, Woodward (Case No: G00MK161), holding that the Defendant, Jon Woodard, breached the United Kingdom’s Data Protection Act 2018 (the DPA) and the European Union’s General Data Protection Regulation (the Regulations) in his use of surveillance equipment around his property. The surveillance equipment was purchased from the Amazon-owned company, Ring, and included security cameras and a doorbell with audio and video recording capabilities.
To prevent crime around his property and the shared neighbourhood private parking lot, the Defendant installed surveillance equipment that captured audio and video recordings of these areas. The equipment could be remotely accessed by the Defendant via a mobile app with footage sent directly to his mobile phone or smartwatch. The presence of the surveillance equipment and its ability to capture information beyond the Defendant’s property alarmed the Defendant’s neighbor, Mary Fairhurst (the Claimant). The equipment captured aspects of the Claimant’s property, including her side gate, garden and car parking spaces. After the parties failed to informally resolve the matter, the Claimant brought a case before the Court claiming numerous causes of action, including the Defendant’s breach of applicable privacy laws.
Under Section 2 of the DPA, the privacy of individuals is protected by the Regulations. The Court found that the matter fit within Article 4 of the Regulations, with the images and audio captured from the surveillance equipment constituting personal data; the transmission of recordings to the Defendant’s mobile devices and onwards considered the processing of personal data; and the Defendant’s involvement in the surveillance making him a data controller. Given that the Defendant was collecting data outside his property, he had to demonstrate that his data processing was necessary for achieving the purpose of crime prevention and sufficient to override the Claimant’s right to privacy under the Regulations.
Although the Court found that the limited video data collected from the doorbell struck the correct balance between the Defendant’s interest and the Claimant’s right to privacy, the Court objected to the use of a security camera that was positioned to collect data outside the Defendant’s property, including images of the Claimant’s residence. The Court also found that the audio data collected from the Ring surveillance equipment was offside the Regulation’s data minimization principle because the range at which the devices capture audio is far greater than is necessary for the purpose of crime prevention. Instead, the Court noted that the Defendant could still achieve his objective by restricting the collection of audio data or not capturing it at all.
For these reasons, the Court found that the Defendant’s use of his Ring surveillance equipment breached the DPA and the Regulations.
While PIPEDA governs private sector organizations and the Privacy Act regulates Federal government institutions, a glaring problem with Canada’s federal privacy law regime is that neither provides individuals with a private right of action against entities who infringe their privacy rights without first deferring to the Commissioner. Instead, Canada relies on provincial regulations and common law to protect individuals against such activities. British Columbia, Saskatchewan, Manitoba, Quebec, and Newfoundland and Labrador have statutory causes of action in tort for invasion of privacy. In other provinces, such as Ontario and Alberta, individuals must rely on common law torts like “intrusion upon seclusion” and “public disclosure of private facts.”
I believe our current privacy law regime gives rise to two fundamental problems. First, our provincial laws mightn’t adequately address new means of collecting personal information. Given the rapid pace with which technology is constantly evolving, it is only a matter of time before someone develops a way to collect personal information that does not offend our current provincial laws. Second, certain activities may be illegal in some provinces but not others. Canada could potentially negate these issues by adopting a federal statute that enshrines general privacy rights. Property and civil rights fall under the constitutional jurisdiction of provincial legislatures; however, the federal Parliament may be able to enact such legislation for the purpose of regulating trade and commerce.
Therefore, I think Canada should adopt a statute similar to the GDPR, which enshrines privacy in a manner akin to how the Charter enshrines our fundamental rights and freedoms.