Federal Court of Canada Finds PIPEDA Has Extraterritorial Application

Introduction

On Jan. 30, the Federal Court of Canada released A.T. v Globe24h.com and Sebastien Radulescu (Globe24h), finding a foreign-based website operator liable for a breach of the Personal Information Protection and Electronic Documents Act (PIPEDA). While PIPEDA has been applied to foreign companies before, Globe24h is the Federal Court’s most explicit statement on the issue of extraterritorial application so far.

Globe24h implicates several different issues—including the open court principle, international comity, and various PIPEDA exceptions—but this blog post will focus on PIPEDA’s application to the Romania-based website and its operator. As the digital world becomes ever more connected, Globe24h’s impact on the PIPEDA’s scope of application will need to be considered by the growing list of businesses that transfers and stores personal data internationally.

The Facts

Sebastien Radulescu ran a Romania-based website (Globe24h.com) that republished Canadian court and tribunal decisions downloaded from public sites like CanLII.org. Unlike CanLII, Globe24h.com allowed the cases to be indexed by third-party search engines. This means that a “casual” Google Inc. search could turn up personal information on sensitive matters such as immigration or bankruptcies. Starting in October 2013, the Office of the Privacy Commissioner began receiving numerous complaints about Globe24h.com. Besides individuals’ names appearing prominently in third-party searches, the website charged varying fees for redacting personal information from the court documents with any alacrity; while there was a method for removing the information free of charge, it involved disclosing even more personal information and could take 180 days or more.

After a damning OPCC investigation, one of the OPCC complainants—who was concerned about potential employers’ ease of access to a labour relations dispute—exercised his rights under s. 14 of PIPEDA to pursue the matter in the Federal Court. The appellant sought various orders, including a corrective order, a declaration of contravention, and damages.

The Breach

Extraterritorial Application.

The first step for analysis (and the focus here) was whether PIPEDA could even apply to a foreign-based website. While PIPEDA is silent on its own territorial reach, there is also no language explicitly limiting its application to Canada. The court stated that in such scenarios, whether an act applies “extraterritorially” is to be determined by the “real and substantial connection” test:

The operative question underlying the test is “whether there is sufficient connection between this country and the [activity] in question for Canada to apply its law consistent with the principles of order and fairness and international comity.”

In short, PIPEDA will apply extraterritorially where there is a real and substantial connection with Canada, determined by an evaluation of relevant connecting factors, such as the situs of the content provider, the host server, the intermediaries and the end user. The specific factors—and the weight given to each—will vary with the circumstances of the dispute. When a “real and substantial connection” to Canada is found, it is perhaps debatable whether applying PIPEDA truly constitutes an assumption of “extraterritorial” jurisdiction. Nevertheless, this is the language used in the decision.

In this case, the three main connecting factors in favour of application were as follows:

• the content at issue was Canadian decisions containing personal information copied from Canadian legal websites;

• the website directly targeted Canadians by advertising access to Canadian case law; and

• the impact was felt by the Canadian public, as evidenced by the complaints to the OPCC and CanLII as well as the media reports about the controversial Globe24h.com.

Thus, while the server was based in Romania, the court found that when an organization’s activities take place exclusively through a website, the physical location of the website operator or host server is not determinative.

The principle of comity of nations was also not a barrier to PIPEDA’s application. The Romanian authorities had cooperated with the OPCC investigation and had already acted to curtail Radulescu’s activities. The applicant had pursued a complaint through the Romanian National Supervisory Authority for Personal Data Processing, which fined the respondent as a result (a decision which was being appealed at the time of this decision). A Canadian finding on PIPEDA would thus complement, not offend, actions taken in a Romanian court.

PIPEDA Breach.

After PIPEDA was determined to apply, the necessary next step was to evaluate whether the statute had been breached. Radulescu claimed that consent under PIPEDA was not required because the website’s purpose was exclusively journalistic and the content was already publicly available. Instead, the Court found that no exception was applicable and that Global24h.com had violated the purpose of PIPEDA.

The Court determined that the respondent was clearly an organization collecting, using and disclosing personal information for activities that were commercial in nature. The “journalistic purposes” exception to consent (under paragraph 4(2)(c) of PIPEDA) did not apply, as what Globe24h.com was doing could not qualify as journalistic, and certainly not exclusively journalistic (as required). Similarly, the “publicly available information” exceptions under section 7 did not apply, as the website’s purposes did not “relate directly” to the open court principle but instead served to undermine the administration of justice.

The underlying purpose of Globe24h.com—to make available Canadian decisions through common search engines and induce individuals to pay to have their personal information removed—could not be considered as appropriate from the perspective of a reasonable person under subsection 5(3) of PIPEDA, as (1) the collection, use, and disclosure of the personal information was not directed to a bona fide business interest, and (2) the loss of privacy was not proportional to any benefit gained.

Remedies.

The Court determined that while it was not barred from making an order simply due to the foreign respondent, certain orders would be more appropriate than others (i.e., those that could be enforced). However, even if enforceability was in question, the Court decided that “a corrective order in Canada may assist the applicant in pursuing his remedies in Romania” [83] as well as assist him to persuade search engine operators to de-index the Globe24h.com pages. The Court also stated that PIPEDA granted it the power to craft systemic remedies beyond the particular dispute at hand in cases of broad non-compliance.

Thus, the Court granted:

• a declaration that Radulescu and Globe24h.com had contravened PIPEDA by collecting, using, and disclosing personal information without consent;

• an order for Radulescu to remove all Canadian decisions containing personal information from the website (and remove them from search engine caches);

• an order to refrain from further copying and republishing of Canadian decisions containing personal information;

• damages in the amount of CA$5,000 ($3,727) (for the “egregious” breach); and

• CA$300 ($224) in costs to the (self-represented) applicant.

The Takeaways

It has become trite to point out the growing interconnection of our digital world. Nevertheless, the trend has legal consequences, and it should now be reasonably well-settled that the courts are willing to apply PIPEDA “extraterritorially.” Indeed, this is not the first time: as noted by Justice Mosley, the Federal Court had previously applied PIPEDA to a foreign-based organization in Lawson v Accusearch Inc. While the “real and substantial connection” test must still be met in all circumstances, the imbricate networks of cross-border business and data flow could risk making such test a formality—especially if “telecommunications occur ‘both here and there’” [52].

The stated purpose of Part I of PIPEDA is to:

[E]stablish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

The scope of application of these rules is clearly larger than the geographical boundaries of Canada. International businesses that collect, use or disclose personal data with a significant connection to Canada—regardless of their ostensible base—will need to pay close attention to PIPEDA. Exposure to risk cannot be avoided simply by basing operations abroad.