Wednesday, March 18, 2015

PIPEDA and the Dine-and-Dash by Greg

CBC reported recently on the use of social media to identify a couple involved in a dine-and-dash at a Regina restaurant. But before we see too many businesses adopt a similar strategy, let's note that there are some significant privacy risks arising out of that course of action.

Restaurants and other organizations engaged in commercial activity in Saskatchewan are regulated by the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 ("PIPEDA") in their collection, use and disclosure of the personal information of customers. And it's well-established that video footage of an individual is personal information under PIPEDA's definition of "information about an identifiable individual". (That conclusion is particularly obvious in a case where the express purpose of releasing footage is to identify the individuals involved.)

As a result, a business releasing footage for the purpose of identifying individuals may only do so in accordance with the authorizing provisions of PIPEDA.

In principle, an organization is permitted to disclose information for the purpose of collecting a debt owed by the individual to the organization: PIPEDA, section 7(3)(b). So there's no serious issue as to whether disclosing footage of individuals who have left without paying is for a valid purpose - though the organization may run into trouble if it's incorrect as to whether a debt is actually owed.

More significantly, though, an organization is also required to limit its disclosure of personal information to what is appropriate in the circumstances: section 5(3).

On that front, disclosure of information in a manner which makes it available online without restriction may raise significant liability issues. See e.g. here at para. 58 as to the problems with posting information on unsecured websites in the context of a defamation claim - and note that under PIPEDA (unlike in the defamation context), the truth of the information being made available is not a defence.

Beyond the inherent risks of posting information online, the appropriateness standard may become even more difficult to reach when a business' intention is to have information shared among people who may not know the individuals involved, with the mere hope that it will eventually be passed along to somebody who may be able to apply it for the organization's purpose.

And PIPEDA makes an organization liability for damages caused by humiliation or otherwise where it discloses personal information inappropriately: section 16(c).

So how could the show-and-shame approach go wrong?

Suppose one of the individuals in a photo released on social media had recently moved between cities for the purpose of escaping from an abusive relationship - and the former partner was able to determine the individual's new location because of the organization's sharing of the photo online. Under those circumstances, it's highly questionable that the sharing would be found to be appropriate - and the business responsible could be required to pay damages for humiliation, emotional suffering, and the cost of relocating the individual to a safe location.

Fortunately, the actual incident in the news seems to have been resolved without any such issues. But any organization should be careful before making a habit of putting photos online to track down non-paying customers - as the liability risk could far exceed the payment which might be recouped.

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please contact me at if you require legal advice related to labour, employment or privacy issues.