2024 ONSC 2194 (CanLII) | LifeLabs LP v Information and Privacy Commr (Ontario) | CanLII
CITATION:
LifeLabs LP v Information and Privacy Commr (Ontario), 2024 ONSC 2194

TORONTO DIVISIONAL COURT FILE NO: 05321

DATE: 20240430

ONTARIO

SUPERIOR COURT OF JUSTICE

DIVISIONAL COURT

McWatt ACJ, Doyle and Leiper JJ

BETWEEN:

LIFELABS LP, Applicant

- and -

INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO, Respondent

Alexandra E Cocks and Amanda D Iarusso KC, for the Applicant

Linda Chen and Brendan Gray, for the Respondent

OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER FOR BRITISH COLUMBIA, Intervener

Catherine J Boies Parker KC and Kate Phipps, for the BC IPC (Intervener)

HEARD at Toronto: April 4, 2024

REASONS FOR DECISION

LEIPER J

OVERVIEW

[1]
This case is about a 2019 data breach in which cyberattackers obtained personal health data of millions of Canadians and demanded payment for its return.

[2] The target of the attack, LifeLabs LP, or "LifeLabs," provides general and specialized laboratory testing across Canada. In this capacity, it holds personal information and personal health information for its customers.

[3] The largest number of people affected by the attack lived in Ontario and British Columbia. The privacy commissioners for those provinces launched a joint investigation into the data breach.

[4] LifeLabs notified the public, set up call centres and used external IT experts to provide it with information about the breach and to negotiate with the cyberattackers. Members of the public launched class action lawsuits against LifeLabs.

[5] The Information and Privacy Commissioner of Ontario ("ON IPC") announced it would investigate the cyber attack under the Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A ("PHIPA"). The ON IPC stated its investigation would be coordinated with the British Columbia's Information and Privacy Commissioner ("BC IPC").

[6] During their investigation, the ON IPC and BC IPC sought information that LifeLabs had obtained from its consultants about the data breach and its systems. LifeLabs resisted and claimed privilege over any reports or information in those reports ("disputed documents").

[7] After receiving the documents and representations from LifeLabs' lawyers, in a decision dated June 25, 2020, the ON IPC and the BC IPC jointly decided that the claims of privilege should fail (the "Privilege Decision"). They also finalized their investigation report into the cyberattack (the "Investigation Report").

[8] Neither decision has been published to date.

THE APPLICATION FOR JUDICIAL REVIEW

[9]
On this application for judicial review, LifeLabs seeks an order quashing the Privilege Decision and a permanent order preventing publication of the Investigation Report on its findings from its joint investigation into the Ontario and British Columbia data breaches. It also seeks various declarations which are related to the application to quash and for non-publication orders.

[10] LifeLabs raises two issues on review: whether the ON IPC and BC IPC breached their right to procedural fairness by jointly deciding the privilege issue, and whether they erred in their application of the law on solicitor-client privilege and litigation privilege to the facts. LifeLabs argues that since the Privilege Decision is wrong, it should be set aside, and this Court should order that ON IPC refrain from publishing the Investigation Report or releasing any report that refers to the facts and documents over which LifeLabs has claimed privilege.

[11] ON IPC responds, supported by the submissions of the intervener BC IPC, that there was no breach of procedural fairness. LifeLabs was fully aware of the joint investigation and did not object at any time to that decision-making process. Joint investigations are common and are provided for by the relevant provincial legislation. The Privilege Decision arose from the issues raised by LifeLabs during the joint investigation and had an opportunity to make submissions to the Commissioners. The ON IPC and BC IPC further submit that the claims of privilege have no merit and that they did not err in applying the law of privilege.

SUMMARY OF FINDINGS

[12]
In the context of an ongoing joint investigation, I find that the ruling by the ON IPC and BC IPC in the Privilege Decision did not breach LifeLabs' right to an independent adjudication and was not procedurally unfair.[fn 1]

[13] Assessing the Privilege Decision on a standard of correctness, the ON IPC applied the law of privilege to the record before it and did not err in doing so. The decision is logical, clear and persuasive. It considered all the arguments raised by LifeLabs and gave comprehensive reasons for rejecting the claims of privilege.

[14] For the reasons below, I dismiss the application for judicial review.

BACKGROUND

[15]
Although the Investigation Report has not been published, some of the circumstances of the data breach are available. On June 9, 2020, the Office of the Saskatchewan Information and Privacy Commissioner (the "SIPC") reported publicly on its investigation into the data breach, which affected the private health data of 93,647 Saskatchewan residents.

[16] The decision of the SIPC made findings regarding LifeLabs and therefore provides context and background.

[17] The SIPC found that LifeLabs' servers in Ontario had a code-level third party vulnerability because a software patch had not been installed. The need for the patch was not caught by LifeLabs' third-party vulnerability management system.

[18] LifeLabs reported to the SIPC that the only way it might have discovered the need for a particular security patch was through one of its developers who had received an unsolicited email notification of a patch. The email had landed in the developer's junk mailbox. The developer was not part of the security team and was not required as part of his duties to LifeLabs to search his junk mailbox. LifeLabs had not finalized eleven (11) draft privacy and security policies at the time of the breach, although by the time of the SIPC's final report, it had done so.

[19] The cyberattackers had gained undetected access to some of LifeLabs' systems for over a year. On October 28, 2019, LifeLabs' third-party consultant noted anomalous activity and contained the affected systems for investigation.

[20] On October 31, 2019, the cyberattackers contacted LifeLabs and demanded payment for the safe return of personal data. LifeLabs paid the cyberattackers in exchange for the data and an agreement not to publicly release it on the internet.

[21]
The SIPC was concerned with the ongoing risk because of the breach and disagreed with LifeLabs that the risk was low, given that the data obtained included names, addresses, dates of birth, email addresses, health card numbers, passwords, security questions and answers, and IP addresses. The data also included lab results for 241 residents of Saskatchewan.

[22] Although the payment was made and the personal data was returned to LifeLabs, the SIPC found there was no guarantee that any of the data taken was not retained by the cyberattackers to be used in other ways.

[23] Among other findings, the SIPC found that LifeLabs had not demonstrated it had adequate safeguards in place to protect the private health data, that it would prevent similar breaches from occurring in the future, and that it had properly investigated the breach.

[24] During the Saskatchewan investigation, LifeLabs refused to provide any critical incident reports prepared by third-party IT firms to assist with determining how the breach occurred, what personal health information was affected, what safeguards were in place, the root cause of the breach and the measures to be taken to prevent the breach from happening again.

[25] In the ON IPC and the BC IPC investigation, the Commissioners examined witnesses from LifeLabs on the retainer of the third-party consultants, made orders to produce the third-party consultant reports, and reviewed those reports to make their determinations of privilege in advance of their final report.

[26] On this judicial review, all the material in dispute formed part of the record, but the materials over which there are active claims of privilege were filed in a private record pursuant to a prior order of this Court.

[27] This leads to the preliminary issue raised by counsel at the hearing regarding whether the courtroom should be closed during oral argument. I turn to that issue next.

PRELIMINARY ISSUE: THE OPEN COURT PRINCIPLE AND CLOSING THE COURTROOM

[28]
The parties jointly requested that this hearing be closed to the public, largely to facilitate counsel's oral submissions if they needed to refer to certain materials that formed part of the private record.

[29] Counsel submitted that a closed hearing would expedite their submissions.

[30] The Panel deliberated on this preliminary issue and found that this was not an adequate reason to close the hearing.

[31] Section 135 of the Courts of Justice Act, RSO 1990, c C.43, provides that all court hearings shall be open to the public, subject to subsection (2) and the rules of the Court. Section 135(2) empowers the Court to exclude the public from a hearing where the possibility of serious harm or injustice to any person justifies a departure from the general principle that court hearings should be open to the public.

[32] Court proceedings are generally open to the public in accordance with this open court principle. In Sherman Estate v Donovan, 2021 SCC 25, 458 DLR (4th) 361 at para 30, the Supreme Court affirmed that openness is protected by the constitutional guarantee of freedom of expression and is essential to the proper functioning of our democracy.

[33] Courts must take care to narrowly circumscribe any restrictions to the open court principle: see Dagenais v Canadian Broadcasting Corp, 1994 CanLII 39 (SCC), [1994] 3 SCR 835 at para 83.

[34] Recently, in a motion concerning the filing of confidential material and a related request for a closed session, the Federal Court of Appeal cited Sherman Estate; Sierra Club Canada v Canada (Minister of Finance), 2002 SCC 41, [2002] 2 SCR 522; and Canadian Broadcasting Corp v New Brunswick (Attorney General), [1996] 3 SCR 489, for the proposition that the open court principle, as discussed in this line of cases, is firm, binding and clear, a prescription for all participants in the justice system to follow: 9219-1568 Quebec Inc and MG Freesites Ltd v Privacy Commissioner of Canada, 2024 FCA 38 at para 16.

[35] Counsel often file confidential and/or privileged material under sealing orders. Counsel can navigate privacy issues in open court with reference to page numbers or using general descriptions. The fact that the Court has sealed part of the record does not presume that an oral hearing will necessarily raise the potential for serious harm or injustice.

[36] For these reasons, the Panel dismissed the motion to close the courtroom during oral argument.

THE ISSUES ON JUDICIAL REVIEW

[37]
LifeLabs raises two issues on this application:

1. Did the ON IPC err in applying the law of solicitor-client and litigation privilege to the documents at issue?

2. Did the ON IPC fail to act independently by jointly determining the issue with another regulator?

STANDARD OF REVIEW

Solicitor-client Privilege and Litigation Privilege: Standard of Correctness

[38]
The parties do not agree on the standard of review for the issues of privilege. LifeLabs submits that the standard is correctness. The ON IPC submits that the court should apply a standard of reasonableness to the application of the law of privilege to the facts in the Privilege Decision, and correctness only to the identification and articulation of the legal tests for solicitor-client privilege and litigation privilege.

[39] I find that the issues of privilege in this application should be reviewed on a standard of correctness based on the principles articulated in Canada (Minister of Citizenship and Immigration) v Vavilov, 2019 SCC 65, [2019] 4 SCR 653.

[40] The presumptive standard of review on judicial review is reasonableness: Vavilov at para 30.

[41] The reasonableness standard can be rebutted in certain circumstances, including where the legislature has indicated that a different standard should apply or where the rule of law requires courts to apply the standard of correctness to certain legal questions: Vavilov at paras 53 and 59. These include general questions of law of central importance to the legal system as a whole, such as the question of whether a statute provided uniform protection in instances of claims of solicitor-client privilege: see Alberta (Information and Privacy Commissioner) v University of Calgary, 2016 SCC 53, [2016] 2 SCR 555 at para 20.

[42] The ON IPC relies on two cases in support of its position. The first is a decision of the Divisional Court involving the ON IPC and whether privilege justified it refusing to produce information under a freedom of information request. The ON IPC's decision on that point was reviewed on a standard of reasonableness: Ontario (Attorney General) v Ontario (Information and Privacy Commissioner), 2016 ONSC 6913 at para 9 (Ontario v Ontario).

[43] I would not apply the reasoning in Ontario v Ontario because that decision predates Vavilov. The court applied the principles from Dunsmuir v New Brunswick, 2008 SCC 9, [2008] 1 SCR 190, and considered the expertise of the administrative tribunal in interpreting its home statute.

[44]
Vavilov altered the relationship between tribunal expertise and case-by-case determinations of standards of review. It folded expertise into the presumption of reasonableness as the starting point for standard of review. Vavilov rejected using expertise to consider whether a given case involves a general question of law of such importance that the correctness standard should apply. Further, given these changes to the law of standard of review, the Supreme Court cautioned that prior decisions should be read carefully: see Vavilov at para 58. In accordance with that caution, I decline to apply the 2016 decision in Ontario v Ontario to the question of standard of review in the case at bar.

[45] Post-Vavilov, the British Columbia Court of Appeal considered the standard of review in the context of an access to information request for material over which solicitor-client privilege was claimed: British Columbia (Attorney General) v Canadian Constitution Foundation, 2020 BCCA 238 (British Columbia v CCF). In that decision, which considered the same question raised here, Harris JA reasoned at para 38 that:

The question, as I see the matter, engages the correct scope of a principle that is fundamental to the proper functioning of our legal system; a principle the protection of which must be as near to absolute as possible. It is a question that, given its importance, calls for a uniform and consistent answer. The question is fundamentally about the scope of solicitor-client privilege. Admittedly, it arises in the factual context of a question about whether solicitor-client privilege attaches to a record disclosing the total sum spent on litigating a matter during a certain time period while the litigation is ongoing. But it remains a question about the proper scope of privilege. Moreover, the answer to that question has precedential value and a significant impact on the administration of justice as a whole and other institutions of government. It goes far beyond the immediate interests of the parties in this case. Respect for the rule of law demands this Court ensure a single correct answer is provided. The standard of correctness, in my opinion, continues to apply.

[46] This reasoning is aligned with the logic in Chagnon v Syndicat de la fonction publique et parapublique du Québec, 2018 SCC 39, [2018] 2 SCR 687. Harris JA observed that the Supreme Court had no difficulty applying a correctness standard to the question of privilege in Chagnon: see British Columbia (Attorney General) v CCF at para 44.

[47]
In the Association of Management, Administrative and Professional Crown Employees of Ontario v Ontario (Ministry of the Attorney General), 2024 ONSC 1555 (AMAPCEO), the Divisional Court found that the test for prima facie discrimination is a question of central importance to the legal system, to be reviewed on a standard of correctness, and is required to be applied consistently. In that decision, Ryan Bell J wrote that the protection of human rights and the rule of law would be undermined if the test for prima facie discrimination were interpreted and applied a certain way by one adjudicator and in an entirely different manner by another: AMAPCEO at para 36 (emphasis added).

[48] The ON IPC submitted that AMAPCEO at para 37 supports a reasonableness standard of review because of the observation in the decision that where the debate is about the facts and the inferences to be drawn from the facts, a reasonableness standard of review will apply. Where, however, the debate is about the applicable legal test and the analytical framework, a correctness standard of review applies because the question is of central importance to the legal system.

[49] I disagree with the ON IPC's proposed interpretation of AMAPCEO in support of its submission on standard of review.

[50] It is evident that the court in AMAPCEO applied the standard of correctness not only to the arbitrator's test for prima facie discrimination, but also in considering whether the arbitrator's reasoning and application represented a misapprehension of the test itself. This is in keeping with the intention of ensuring consistency of answers to such important questions from Vavilov.

[51] In its analysis, the court in AMAPCEO at paras 39-40 and 45-50 found that the arbitrator erred in the application of the test in three ways:

1. by applying the incorrect legal standard to the evidence of how the grievor was treated;

2. by incorrectly attending to the shifting evidentiary burden once a prima facie case of discrimination was made out; and

3. by requiring direct evidence and rejecting uncontradicted, relevant expert evidence.

[52]
As the Supreme Court in Vavilov said, general questions of law of central importance to the legal system as a whole require a single determinate answer. In cases involving such questions, the rule of law requires courts to provide a greater degree of legal certainty than reasonableness review allows: at para 62. The Supreme Court speaks of the consistency of the answers to important legal questions. AMAPCEO and British Columbia v CCF follow that reasoning: the principle must be identified and applied correctly because of the importance of the principle.

[53] This approach to the standard of review involving constitutional questions was recently confirmed by the Supreme Court of Canada in Société des casinos du Québec inc v Association des cadres de la Société des casinos du Québec, 2024 SCC 13 at paras 45 and 92-97.[fn 2]

[54] Where the standard applied is one of correctness, the options available to the reviewing court are to either uphold the determination, for example, if it finds the reasoning persuasive, or it may come to its own conclusions on the question: Vavilov at para 54.

[55] The nature and scope of solicitor-client privilege is a question of fundamental importance: Vavilov at para 60. The issues on this application involve the scope of solicitor-client privilege and/or litigation privilege to investigations under Ontario privacy legislation. In the case at bar, there are important questions of law and public interest involving the privacy of individual health data at stake, including whether the important principle of solicitor-client privilege is being respected or being asserted in a manner which impedes regulatory investigations into significant data breaches from cyberattacks.

[56]
While litigation privilege is a class privilege with conceptually distinct features from solicitor-client privilege, it nevertheless serves a common cause, being the secure and effective administration of justice according to law: Blank v Canada (Minister of Justice), 2006 SCC 39, [2006] 2 SCR 319 at para 31.

[57] Although there are differences between solicitor-client privilege and litigation privilege, the Supreme Court of Canada has described litigation privilege as central to the justice system both in Quebec and in the other provinces. See Lizotte v Aviva Insurance Company of Canada, 2016 SCC 52, [2016] 2 SCR 521 at para 4.

[58] Solicitor-client privilege serves the rule of law. So does litigation privilege. In this case, litigation privilege alongside solicitor-client privilege are raised as a basis for a permanent order of non-publication on the findings of the ON IPC into a major data breach. The application of either or both privileges, or the denial of those privileges, has broader implications. Canada is not unique in this regard; similar claims of privilege have arisen in other jurisdictions where there have been significant data breaches because of cyberattacks leading to regulatory investigations and civil proceedings.[fn 3]

[59] For these reasons, I conclude that a standard of correctness is the appropriate standard of review for the identification and application of both solicitor-client privilege and litigation privilege in the Privilege Decision.

Standard of Review: Independence of the Tribunal and the Issue of Procedural Fairness

[60]
LifeLabs submits that the ON IPC lacked independence by collaborating and deliberating with the BC IPC in making the Privilege Decision. Independence is a question of procedural fairness: Bell Canada v Canadian Telephone Employees Assn, 2003 SCC 36, [2003] 1 SCR 884 at para 21.

[61] It is well settled law that a tribunal must conduct its proceedings fairly. Procedural fairness is determined with reference to the circumstances of the case, including the factors articulated in Baker v Canada (Minister of Citizenship and Immigration), 1999 CanLII 699 (SCC), [1999] 2 SCR 817 at paras 21-28. In Mission Institution v Khela, 2014 SCC 24, [2014] 1 SCR 502 at para 79, a unanimous Supreme Court characterized this as a correctness standard. More recent decisions from this court simply apply Baker without otherwise identifying a standard of review. See Mundulai v Law Society of Ontario, 2024 ONSC 959 at para 30 and MI v Administrator, Ontario Works Region of Peel, 2024 ONSC 1975 at para 8.

ANALYSIS OF THE ISSUES

1. Did the ON IPC err in applying the law of solicitor-client and litigation privilege to the documents at issue?

[62]
LifeLabs asserted solicitor-client or litigation privilege over five sets of disputed documents and the information within them:

i. The investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred;

ii. The email correspondence between the cyber intelligence firm and the cyberattackers after the discovery of the attack by LifeLabs;

iii. An internal data analysis prepared by LifeLabs on April 28, 2020, to describe which individual health information had been affected by the breach and to notify those affected, pursuant to ss 12(1) and 12(2) of the PHIPA;

iv. A submission from LifeLabs to the Commissioners dated May 15, 2020, in response to certain specific questions, communicated through legal counsel;

v. The report of Kevvie Fowler, Deloitte LLP, dated June 9, 2020, prepared as part of the representations by LifeLabs and submitted to the Commissioners for that purpose.

[63]
The Privilege Decision found that none of these documents is subject to litigation or solicitor-client privilege. It found that LifeLabs' claims of privilege over facts available from other non-privileged sources, and contained in the disputed documents above, were not substantiated. Importantly, the Investigation Report did not seek to publish any of these disputed reports or documents, but rather to include the facts responsive to the legislative mandate of the ON IPC and the BC IPC.

[64] The ON IPC concluded that, with one exception, the Investigation Report contained facts which existed independently outside the disputed documents, were known to LifeLabs and were required to be provided to the Commissioners pursuant to their joint investigation.[fn 4] The Privilege Decision found that, in any event, those facts could not be held back from them by virtue of being placed in reports over which privilege was claimed.

[65] An example of such a fact comes from the SIPC report about LifeLabs' draft IT security policies, which became public on June 9, 2020. LifeLabs claimed privilege over this information prior to its publication by the SIPC. By the time of the Privilege Decision, this was a publicly available fact.

[66] More broadly, the Privilege Decision concluded that none of the documents in dispute is subject to either litigation or solicitor-client privilege and gave detailed reasons for those conclusions. LifeLabs does not challenge the way in which the Commissioners described the tests for privilege in their reasons: those correct statements of the law can be found in the Privilege Decision and need not be repeated here.

[67] LifeLabs seeks to quash the decision based on five legal errors. The first two alleged errors are considered below, as they are interrelated:

A. Did the ON IPC err in concluding that LifeLabs had an obligation to investigate, remediate and produce information of compliance pursuant to PHIPA?

B. Did the ON IPC err in finding that facts concerning the investigation and remediation are producible where those facts exist independently of documents subject to claims of privilege?

[68]
LifeLabs does not dispute that it had an obligation to investigate and remediate the data breach. Indeed, its correspondence with the ON IPC and BC IPC in the early days post-data breach emphasized the steps it was taking in that regard.

[69] LifeLabs now argues that it had no obligation to investigate, remediate or produce information and that independent facts on those issues are not producible if contained in privileged documents. If these submissions were accepted, this would permit a regulated entity to defeat investigative orders by placing unpalatable facts within its knowledge into a privileged report to counsel.

[70] For example, the ON IPC asked LifeLabs about security alerts for a piece of software to address vulnerabilities on May 15, 2020. LifeLabs had their counsel interview the employee who had information about the question. LifeLabs then provided responses based on that interview and then claimed privilege over that information on the basis that it was a solicitor-client communication and/or subject to litigation privilege.

[71] The ON IPC found that the facts disclosed from that interview were not subject to either solicitor-client or litigation privilege. Further, those facts were no longer confidential given their inclusion in the June 9, 2020 SIPC report.

[72] LifeLabs maintains that whether those facts existed elsewhere did not defeat its claim of privilege over its responses to the ON IPC. Thus, it was an error for the ON IPC to conclude that these facts could be included in the Investigation Report.

[73] I reject this submission based on the statutory authority of the ON IPC to conduct investigations into the duties owed by health custodians and the law of privilege.

[74]
Section 12 of the PHIPA requires health information custodians, such as LifeLabs, to investigate, contain and remediate privacy breaches. See London Health Sciences Centre (Re), 2017 CanLII 31432 (ON IPC) at para 140; Quinte Health Care (Re), 2021 CanLII 70445 (ON IPC) at para 22; Sault Area Hospital (Re), 2018 CanLII 78841 (ON IPC) at para 28; A Public Hospital (Re), 2022 CanLII 24233 (ON IPC) at para 14.

[75] Section 61(1) of the PHIPA authorizes the IPC to order a person to perform a duty under the Act.

[76] Health information custodians such as LifeLabs cannot defeat these responsibilities by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC's duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC's statutory mandate but also from how litigation privilege and solicitor client privilege function.

[77] Litigation privilege attaches to the litigation process and is based on protecting the zone of adversarial preparation for trial. It has been compared by the Ontario Court of Appeal to the US protection of solicitors' work product as described in Hickman v Taylor, 329 US 495 (1946): see General Accident v Chrusz, 1999 CanLII 7320 (ON CA), 45 OR (3d) 321.

[78] Litigation privilege protects the disclosure of documents and communications whose dominant purpose is preparation for litigation: Lizotte at para 1. It applies to a party's litigation strategy, but it does not extend to facts or base information that may be useful to counsel in preparing for litigation: see Chrusz at p 352; Fresco v Canadian Imperial Bank of Commerce, 2019 ONSC 3309; R v Assessment Direct, 2017 ONSC 5686, leave to appeal refused, [2018] SCCA No 29; Assessment Direct Inc et al v Ontario Provincial Police et al, leave to appeal refused, [2018] SCCA No 29; "Claiming Privilege in the Discovery Process", Special Lectures of the Law Society of Upper Canada (1984) at p 169, cited in Pearson v Inco Limited, 2008 CanLII 46701 at para 15.

[79]
Thus, the IPC's statutory duty to inquire and LifeLabs' duty to respond does not permit a claim of litigation privilege over facts obtained through its lawyers, even where those facts might also play a role in defending against parallel civil litigation. As Nordheimer J wrote in R v Assessment Direct at para 10, the privilege does not protect information that would otherwise have to be disclosed. LifeLabs did not identify any litigation strategy that would be disclosed in the Investigation Report because of the Privilege Decision.

[80] Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated at para 49:

Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client, but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client, and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded, it must be interpreted to protect only what it is intended to protect, and nothing more.

[81] That is, simply depositing a document or providing counsel with a copy of a document does not cloak the original document with privilege. See Nova Chemicals et al v CEDA-Reactor Ltd et al, 2014 ONSC 3995; Jacobson v Atlas Copco Canada Inc, 2015 ONSC 4 at para 34; Blank v Canada, 2006 SCC 39 (CanLII), [2006] 2 SCR 319 at paras 49-50; Humberplex Developments Inc v TransCanada Pipelines Ltd, 2011 ONSC 4851 at paras 41-42, 49 and 53.

[82]
The same reasoning applies to the type of facts
at issue here whether those be lines of code used by the cyberattackers and
copypasted into an IT thirdparty report information obtained from an
employee by counsel about the measures taken to protect software vulnerabilities
or an internal data analysis undertaken by LifeLabs to determine the extent of
the data breach pp83
LifeLabs did not describe any examples of legal
advice or solicitorclient communication that would be made public via the
information contained in any of the five disputed documents that were also
found to be facts with an independent life of their ownpp84
Therefore taking into consideration the law of
privilege the ON IPC did not err in finding that facts concerning the
investigation and remediation are producible This is especially so where those
facts exist independently of documents subject to claims of privilege The ON
IPC did not err in its finding that LifeLabs had an obligation to investigate
remediate and produce evidence of its compliance pursuant to PHIPApp85
I turn to the third error alleged by LifeLabs.

C. Did the ON IPC err by requiring LifeLabs to prove how disclosure of the information would prejudice LifeLabs by revealing counsel's theories and strategies in its legal defence?

[86] During the discussion of the underlying facts in the reports, the ON IPC found, as discussed above, that litigation privilege is not intended to shield relevant facts from disclosure that do not constitute a lawyer's work product. The Privilege Decision found that the underlying facts in the third-party cybersecurity firm's report would address the key questions of the cause of the breach, the scope of the breach, how the scope was determined, and what was done by the cybersecurity firm to contain and then remediate the breach. LifeLabs has not provided us with any evidence or arguments to demonstrate that disclosure of these facts would reveal or undermine the legal strategy of LifeLabs' defence (emphasis added).

[87] This was a statement of fact arising from the test for litigation privilege, which exists to protect legal strategies in preparation for litigation and not relevant background facts. It did not require prejudice to be proved.

[88] Although the ON IPC also found that the documents were not created for the dominant purpose of litigation, thus not attracting the protection of litigation privilege, it was also entitled to consider whether independent facts that could not be said to reveal theories or strategies existed. This evidence could only practically come from LifeLabs, with its knowledge of its civil jeopardy and instructions to counsel. The ON IPC was entitled to find that there was no such evidence. In doing so, it made no legal error.

D. Did the ON IPC err in citing the U.S. decision In re Capital One Consumer Data Security Breach Litigation, 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020)?

[89]
LifeLabs submits that the decision in Iggilis Holdings Inc. v. Minister of National Revenue, 2018 FCA 51, [2019] 2 FCR 767, at para. 40, held that the approach of a U.S. court has no bearing on how privilege questions should be determined in Canada and that it was an error for the ON IPC to do so in the Privilege Decision.

[90] I disagree. The In re Capital One case affords persuasive authority to support a finding that where a company has a prior retainer with a cybersecurity firm to provide essentially the same services before and after a breach, inserting counsel's name into the contract and stating that the deliverables would be made to counsel on behalf of the client does not render any report prepared subject to the U.S. work product doctrine, which is akin to Canada's litigation privilege.

[91] The ON IPC noted that, for similar reasons, given the facts in the record, the cybersecurity firm retained by LifeLabs that produced a report on the breach did so for business purposes and was not for the dominant purpose of litigation.

[92] The ON IPC also addressed the submission made to it by LifeLabs that U.S. authority should play no part in the privilege analysis. In the Privilege Decision, the ON IPC found:

Canadian courts have considered American jurisprudence on the issue of litigation privilege in the past, including in caselaw relied on by LifeLabs (Lizotte).

The decision in Iggilis Holdings Inc. is distinguishable because it concerned solicitor-client privilege in the context of a particular statutory definition and the error there involved relying on jurisprudence from another province.

The IPC did not solely rely on In re Capital One to find that the cybersecurity report was not subject to litigation privilege; rather, it was included to confirm their approach based on similar concepts of dominant purpose in Canada and driving force in the U.S., the very similar facts, and the lack of any Canadian decision dealing with whether litigation privilege attaches to cybersecurity reports produced by third parties in response to a cyberattack.

[93] The ON IPC did not err in its reference or use of the In re Capital One in the Privilege Decision. This case raised novel issues and the facts were sufficiently similar to warrant consideration. The ON IPC applied Canadian jurisprudence on the law of litigation privilege and solicitor-client privilege. It found, on the record before it, that the disputed documents were not protected by either privilege. It did not find that In re Capital One was binding on it. Its reference to the case was appropriate in these circumstances.

E. Did the ON IPC disregard the sworn and uncontradicted evidence of LifeLabs' in-house counsel in favour of its own conjecture?

[94]
LifeLabs argues that ON IPC erred because it received a sworn statutory declaration from LifeLabs' interim general counsel and did not cross-examine her on that sworn declaration. It did not accept the assertions of privilege contained in the statutory declaration.

[95] The ON IPC did not err in its analysis of the evidence. There was a lengthy record before the ON IPC and BC IPC, which included the records over which privilege was asserted and a prior examination under oath of interim general counsel, who did not respond to questions about the assertions of privilege. During examination, which predated the declaration, the ON IPC and the BC IPC sought to examine counsel on an affidavit sworn for privilege claims that were pending in British Columbia court. External counsel objected to many of these questions.

[96] The Privilege Decision rejects the assertions of privilege in the declaration from interim general counsel. This is not a case of preferring competing versions of facts. The ON IPC rejected the assertions and gave reasons for those conclusions. The ON IPC did not err in coming to these conclusions. The ON IPC was not required to cross-examine interim general counsel on the statutory declaration, considering all the other information available on the questions raised by the claims of privilege.

2. Did the ON IPC fail to act independently by jointly determining the issue with another regulator?

[97]
LifeLabs submits that in deliberating with the BC IPC, the ON IPC allowed itself to be influenced by another regulator, thus failing to grant LifeLabs an independent hearing of the privilege issue by a tribunal that was also seen to be independent: Canadian Pacific Ltd. v. Matsqui Indian Band, 1995 CanLII 145 (SCC), [1995] 1 SCR 3, at para. 80.

[98] Further, LifeLabs relies on the PHIPA and the IPC's Code of Procedure for Matters under the Personal Health Information Protection Act 2019 as authority for its position that neither of these pieces of legislation allow for joint deliberation with other privacy commissioners in Canada. LifeLabs draws a distinction between the provisions in PHIPA and in the Personal Information Protection Act, SBC 2003 (PIPA), which authorize a coordinated investigation.

[99] The relevant passages in s. 36(1) of the PIPA empower the commissioner to monitor the administration of the Act and ensure its purposes are achieved, including by being able to:

(k) exchange information with any person who, under legislation of another province or of Canada, has powers and duties similar to those of the commissioner;

(l) enter into information-sharing agreements for the purposes of paragraph (k) and into other agreements with the persons referred to in that paragraph for the purpose of coordinating their activities and providing for mechanisms for handling complaints.

[100] Similarly, s. 66(e) of the PHIPA empowers the Commissioner to assist in investigations and similar procedures conducted by a person who performs similar functions to the Commissioner under the laws of Canada, except that in providing assistance, the Commissioner shall not use or disclose information collected by or for the Commissioner under this Act. Sections 68(3)(a) and (b) of the PHIPA permits information sharing with bodies legally entitled to regulate or review the activities of the custodian.

[101]
The record reveals that the joint investigation reflected the fact that the majority of Canadians whose personal health information was involved in the data breach lived in Ontario and British Columbia. LifeLabs was advised that the investigation would address the scope of the attack, the circumstances that led to it, and the measures that LifeLabs ought to have taken to prevent and to remediate it in compliance with its obligations under PHIPA and PIPA.

[102] In furtherance of the joint investigation, the Commissioners signed a Memorandum of Understanding which agreed neither would exercise authority over the other that could affect the Commissioners' independence. The ON IPC and the BC IPC advised LifeLabs that they would be jointly investigating and would issue a single Investigation Report with our findings. During the investigation, and prior to the Privilege Decision, the ON IPC and the BC IPC jointly ruled on questions of privilege claims over two discrete documents.

[103] LifeLabs did not object or raise concerns about the independence of either regulator in response to the evidence of joint investigation and decision-making. To the contrary, in a correspondence with the ON IPC dated March 19, 2020, addressed to both offices, counsel for LifeLabs presented proposals concerning the orders and privilege claims with a view to facilitating the Commissioners' investigation. The record contains other examples of references to the joint investigation.

[104] LifeLabs clearly understood and acquiesced to corresponding with and receiving decisions from the Commissioners on a joint basis. For example, on March 31, 2020, LifeLabs wrote to both Commissioners to advise it was waiving privilege over its third-party cyber security firm's investigation report and cyber intelligence communications with the attackers exclusively for the limited purpose of your and BC IPC's review in connection with the joint investigation (emphasis added).

[105] On April 8, 2020, in correspondence with LifeLabs, the Commissioners wrote that they will decide whether the objections based on privilege are valid (emphasis added).

[106] On April 20, 2020, counsel to LifeLabs acknowledged the process offered by the Commissioners to make representations on the privileged material and, although noting that it should be for a Court and not the regulator to ultimately determine the questions of privilege, counsel did not object to the joint process proposed. That portion of the letter from counsel read:

We thank you also for confirming that, prior to referencing any portion of the two above-referenced documents in the ON IPC and BC IPC's investigation report, the ON IPC and the BC IPC would provide LifeLabs with an opportunity to make representations on any objections LifeLabs may have in relation to such disclosures, including at LifeLabs' discretion, pursuant to a judicial review process. That process is acceptable to address LifeLabs' concerns, provided that a reasonable period of time is allowed for the review. [Emphasis added.]

[107] The record is replete with LifeLabs' acknowledgement of the process of a joint investigation. The issues of privilege and how to obtain the necessary information consumed a large part of the correspondence between counsel for LifeLabs and the Commissioners. The adjudication of the privilege claims was subsumed in the larger joint investigation into this data breach. It was not a separate entity with an independent procedural history; rather, LifeLabs made it an issue. Having done so, and having been heard by the Commissioners, LifeLabs cannot now credibly claim that it did not understand that this was the process that would be adopted.

[108]
The requirement that a decision maker be independent is a component of the rule against bias: see Bell Canada v. Canadian Telephone Employees Association, 2003 SCC 36, [2003] 1 SCR 884, at para. 17. Fairness in decision-making by administrative agencies depends on independence, which is measured against the test found in Committee for Justice and Liberty v. National Energy Board, 1976 CanLII 2 (SCC), [1978] 1 SCR 369, at p. 394, that is: what the informed person would conclude, viewing the matter realistically and practically, having thought the matter through.

[109] I find that there is no merit to the argument that the Privilege Decision raises issues of independence. The Privilege Decision was made jointly within the larger context of a joint investigation for which there was statutory authority. To publicly report on the investigation itself, the ON IPC and the BC IPC were required to make findings on confidentiality and the claims of privilege. This was an inquisitorial process, which means that the investigative and adjudicative functions were required to inform the ultimate report to the public.

[110] I find that an informed person would conclude that there was no apparent bias or lack of independence arising from the jointly issued Privilege Decision. Two independent provincial agencies with similar mandates undertook a transparently joint investigation that included making orders and decisions such as the Privilege Decision. This was all done in furtherance of preparing a final investigative report to inform the public. Both regulators have the statutory authority to coordinate and share investigations in privacy matters. There is ample precedent for joint investigations undertaken by various Canadian privacy regulators.[fn 5] LifeLabs did not put before the Court any challenge to any prior joint investigation. This practice reflects the reality that data breaches are not confined to provincial boundaries.

[111] I conclude that under a standard of review of correctness, there was no procedural unfairness in the joint investigation or decision-making processes adopted by the ON IPC and the BC IPC. Therefore, procedural unfairness did not taint the joint Privilege Decision.

CONCLUSION

[112]
The Application is dismissed. Neither the ON IPC nor the BC IPC seek costs and none are ordered.

Leiper J.

I agree: McWatt A.C.J.

I agree: Doyle J.

Released: April 30, 2024

[fn 1] Given that this judicial review application is being heard in Ontario and the ON IPC is the responding party, I will refer to the ON IPC's actions in rendering the Privilege Decision, notwithstanding that the Privilege Decision was signed by both the ON IPC and the BC IPC.

[fn 2] The parties were invited to make supplementary written submissions on this decision, which was released after oral argument on this application. Those submissions were consistent with the parties' original positions on standard of review.

[fn 3] This is an issue which has emerged in other jurisdictions: see In re Capital One Consumer Data Security Breach Litigation, 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), affirmed, MDL No. 1:19md2915 (AJT/JFA) (E.D. Va. Jun. 25, 2020); Robertson v. Singtel Optus Pty Ltd., [2023] FCA 1392 (Federal Court of Australia).

[fn 4] The one exception is the written record of the statements made by the cyberattackers in their correspondence with the cyber intelligence firm that negotiated the payment of the ransom to them. The findings of the ON IPC and the BC IPC that these are not subject to solicitor-client privilege are unassailable. While there may be other good reasons not to publicize these statements as a matter of public policy, they are demonstrably not subject to solicitor-client privilege in this context.

[fn 5] See: Joint Investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, PIPEDA Findings 2019-002 (April 25, 2019); Joint Investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, PIPEDA Findings 2019-004 (November 26, 2019); Joint Investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Commission for British Columbia, PIPEDA Findings 2020-004 (October 28, 2020); Joint Investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta, PIPEDA Findings 2021-001 (February 2, 2021).
LifeLabs LP v Information and Privacy Commr Ontario 2024 ONSC 2194ppTORONTO DIVISIONAL COURT FILE NO 05321ppDATE 20240430ppONTARIOppSUPERIOR COURT OF JUSTICEppDIVISIONAL COURTppMcWatt ACJ Doyle and Leiper JJppBETWEENpppppp ppLIFELABS LPppApplicantpp and ppINFORMATION AND
PRIVACY COMMISSIONER OF ONTARIOppRespondentpppp pp pp pp ppppppppAlexandra E Cocks and Amanda
D Iarusso KC for the ApplicantppLinda
Chen and Brendan Gray for the RespondentppOFFICE OF THE INFORMATION AND PRIVACY
COMMISSIONER FOR BRITISH COLUMBIAppppppppCatherine J Boies Parker KC and
Kate Phipps for the BC IPC Intervenerpp
Intervenerpppp pp ppppHEARD at Toronto April 4 2024pp ppREASONS
FOR DECISIONpp ppLEIPER Jpp ppOVERVIEWpp1
This case is about a 2019 data breach in which
cyberattackers obtained personal health data of millions of Canadians and
demanded payment for its return pp2
The target of the attack LifeLabs LP or
LifeLabs provides general and specialized laboratory testing across Canada
In this capacity it holds personal information and personal health information
for its customerspp3
The largest number of people affected by the
attack lived in Ontario and British Columbia The privacy commissioners for
those provinces launched a joint investigation into the data breachpp4
LifeLabs notified the public set up call
centres and used external IT experts to provide it with information about the
breach and to negotiate with the cyberattackers Members of the public
launched class action lawsuits against LifeLabspp5
The Information and Privacy Commissioner of Ontario ON
IPC announced it would investigate the cyber attack under the Personal
Health Information Protection Act 2004 SO 2004 c 3 Sch A PHIPA
The ON IPC stated its investigation would be coordinated with the British
Columbias Information and Privacy Commissioner BC IPC pp6
During their investigation the ON IPC and BC IPC
sought information that LifeLabs had obtained from its consultants about the data
breach and its systems LifeLabs resisted and claimed privilege over any
reports or information in those reports disputed documentspp7
After receiving the documents and
representations from LifeLabs lawyers in a decision dated June 25 2020 the
ON IPC and the BC IPC jointly decided that the claims of privilege should fail
the Privilege Decision They also finalized their investigation report into
the cyberattack the Investigation Report pp8
Neither decision has been published to dateppTHE APPLICATION FOR JUDICIAL REVIEWpp9
On this application for judicial review LifeLabs
seeks an order quashing the Privilege Decision and a permanent order preventing
publication of the Investigation Report on its findings from its joint
investigation into the Ontario and British Columbia data breaches It also seeks
various declarations which are related to the application to quash and for
nonpublication orderspp10
LifeLabs raises two issues on review whether the
ON IPC and BC IPC breached their right to procedural fairness by jointly deciding
the privilege issue and whether they erred in their application of the law on solicitorclient
privilege and litigation privilege to the facts LifeLabs argues that since the
Privilege Decision is wrong it should be set aside and this Court should
order that ON IPC refrain from publishing the Investigation Report or
releasing any report that refers to the facts and documents over which LifeLabs
has claimed privilegepp11
ON IPC responds supported by the submissions of
the intervener BC IPC that there was no breach of procedural fairness LifeLabs
was fully aware of the joint investigation and did not object at any time to that
decisionmaking process Joint investigations are common and are provided for
by the relevant provincial legislation The Privilege Decision arose from the
issues raised by LifeLabs during the joint investigation and had an opportunity
to make submissions to the Commissioners The ON IPC and BC IPC further submit
that the claims of privilege have no merit and that they did not err in
applying the law of privilege pp ppSUMMARY OF FINDINGSpp12
In the context of an ongoing joint
investigation I find that the ruling by the ON IPC and BC IPC in the Privilege
Decision did not breach LifeLabs right to an independent adjudication and was
not procedurally unfair1
pp13
Assessing the Privilege Decision on a standard
of correctness the ON IPC applied the law of privilege to the record before it
and did not err in doing so The decision is logical clear and persuasive It
considered all the arguments raised by LifeLabs and gave comprehensive reasons
for rejecting the claims of privilegepp14
For the reasons below I dismiss the application
for judicial reviewppBACKGROUNDpp15
Although the Investigation Report has not been
published some of the circumstances of the data breach are available On June
9 2020 the Office of the Saskatchewan Information and Privacy Commissioner the
SIPC reported publicly on its investigation into the data breach which
affected the private health data of 93647 Saskatchewan residents pp16
The decision of the SIPC made findings regarding
LifeLabs and therefore provides context and backgroundpp17
The SIPC found that LifeLabs servers in Ontario
had a codelevel third party vulnerability because a software patch had not
been installed The need for the patch was not caught by LifeLabs thirdparty
vulnerability management system pp18
LifeLabs reported to the SIPC that the only way
it might have discovered the need for a particular security patch was through
one of its developers who had received an unsolicited email notification of a
patch The email had landed in the developers junk mailbox The developer was
not part of the security team and was not required as part of his duties to
LifeLabs to search his junk mailbox LifeLabs had not finalized eleven 11
draft privacy and security policies at the time of the breach although by the
time of the SIPCs final report it had done sopp19
The cyberattackers had gained undetected access
to some of LifeLabs systems for over a year On October 28 2019 LifeLabs
thirdparty consultant noted anomalous activity and contained the affected systems
for investigation pp20
On October 31 2019 the cyberattackers contacted
LifeLabs and demanded payment for the safe return of personal data LifeLabs
paid the cyberattackers in exchange for the data and an agreement not to
publicly release it on the internetpp21
The SIPC was concerned with the ongoing risk
because of the breach and disagreed with LifeLabs that the risk was low
given that the data obtained included names addresses dates of birth email
addresses health card numbers passwords security questions and answers and
IP addresses The data also included lab results for 241 residents of
Saskatchewanpp22
Although the payment was made and the personal data
was returned to LifeLabs the SIPC found there was no guarantee that any of the
data taken was not retained by the cyberattackers to be used in other wayspp23
Among other findings the SIPC found that
LifeLabs had not demonstrated it had adequate safeguards in place to protect
the private health data that it would prevent similar breaches from occurring
in the future and that it had properly investigated the breach pp24
During the Saskatchewan investigation LifeLabs
refused to provide any critical incident reports prepared by thirdparty IT
firms to assist with determining how the breach occurred what personal health
information was affected what safeguards were in place the root cause of the
breach and the measures to be taken to prevent the breach from happening again
pp25
In the ON IPC and the BC IPC investigation the
Commissioners examined witnesses from LifeLabs on the retainer of the thirdparty
consultants made orders to produce the thirdparty consultant reports and
reviewed those reports to make their determinations of privilege in advance of
their final reportpp26
On this judicial review all the material in
dispute formed part of the record but the materials over which there are
active claims of privilege were filed in a private record pursuant to a prior
order of this Courtpp27
This leads to the preliminary issue raised by
counsel at the hearing regarding whether the courtroom should be closed during
oral argument I turn to that issue nextppPRELIMINARY ISSUE THE OPEN COURT PRINCIPLE AND CLOSING THE
COURTROOMpp28
The parties jointly requested that this hearing
be closed to the public largely to facilitate counsels oral submissions if
they needed to refer to certain materials that formed part of the private
record pp29
Counsel submitted that a closed hearing would expedite
their submissionspp30
The Panel deliberated on this preliminary issue
and found that this was not an adequate reason to close the hearing pp31
Section 135 of the Courts of Justice Act
RSO 1990 c C43 provides that all court hearings shall be open to the
public subject to subsection 2 and the rules of the Court Section 1352
empowers the Court to exclude the public from a hearing where the possibility
of serious harm or injustice to any person justifies a departure from the
general principle that court hearings should be open to the publicpp32
Court proceedings are generally open to the
public in accordance with this open court principle In Sherman Estate v
Donovan 2021 SCC 25 458 DLR 4th 361 at para 30 the Supreme Court
affirmed that openness is protected by the constitutional guarantee of freedom
of expression and is essential to the proper functioning of our democracy pp33
Courts must take care to narrowly circumscribe
any restrictions to the open court principle see Dagenais v Canadian
Broadcasting Corp 1994 CanLII 39 SCC 1994 3 SCR 835 at para 83 pp34
Recently in a motion concerning the filing of
confidential material and a related request for a closed session the Federal
Court of Appeal cited Sherman Estate Sierra Club Canada v Canada
Minister of Finance 2002 SCC 41 2002 2 SCR 522 and Canadian
Broadcasting Corp v New Brunswick Attorney General 1996 3 SCR 489
for the proposition that the open court principle as discussed in this line of
cases is firm binding and clear a prescription for all participants in the
justice system to follow 92191568 Quebec Inc and MG Freesites Ltd v
Privacy Commissioner of Canada 2024 FCA 38 at para 16pp35
Counsel often file confidential andor
privileged material under sealing orders Counsel can navigate privacy issues
in open court with reference to page numbers or using general descriptions The
fact that the Court has sealed part of the record does not presume that an oral
hearing will necessarily raise the potential for serious harm or injusticepp36
For these reasons the Panel dismissed the motion
to close the courtroom during oral argumentppTHE ISSUES ON JUDICIAL REVIEWpp37
LifeLabs raises two issues on this applicationpp1
Did the ON IPC err in applying the law of solicitorclient
and litigation privilege to the documents at issuepp2 Did the ON IPC fail to act independently by jointly determining the
issue with another regulatorppSTANDARD OF REVIEWppSolicitorclient Privilege and Litigation Privilege Standard of
Correctnesspp38
The parties do not agree on the standard of
review for the issues of privilege LifeLabs submits that the standard is
correctness The ON IPC submits that the court should apply a standard of
reasonableness to the application of the law of privilege to the facts in the
Privilege Decision and correctness only to the identification and
articulation of the legal tests for solicitorclient privilege and litigation
privilegepp39
I find that the issues of privilege in this application
should be reviewed on a standard of correctness based on the principles articulated
in Canada Minister of Citizenship and Immigration v Vavilov 2019 SCC
65 2019 4 SCR 653 pp40
The presumptive standard of review on judicial
review is reasonableness Vavilov at para 30 pp41
The reasonableness standard can be rebutted in
certain circumstances including where the legislature has indicated that a
different standard should apply or where the rule of law requires courts to
apply the standard of correctness to certain legal questions Vavilov at
paras 53 and 59 These include general questions of law of central importance
to the legal system as a whole such as the question of whether a statute
provided uniform protection in instances of claims of solicitorclient
privilege see Alberta Information and Privacy Commissioner v University
of Calgary 2016 SCC 53 2016 2 SCR 555 at para 20pp42
The ON IPC relies on two cases in support of its
position The first is a decision of the Divisional Court involving the ON IPC and
whether privilege justified it refusing to produce information under a freedom
of information request The ON IPCs decision on that point was reviewed on a
standard of reasonableness Ontario Attorney General v Ontario Information
and Privacy Commissioner 2016 ONSC 6913 at para 9 Ontario v
Ontario pp43
I would not apply the reasoning in Ontario v
Ontario because that decision predates Vavilov The court applied
the principles from Dunsmuir v New Brunswick 2008 SCC 9 2008
1 SCR 190 and considered the expertise of the administrative tribunal in interpreting
its home statutepp44
Vavilov altered
the relationship between tribunal expertise and casebycase determinations of
standards of review It folded expertise into the presumption of reasonableness
as the starting point for standard of review Vavilov rejected using
expertise to consider whether a given case involves a general question of law
of such importance that the correctness standard should apply Further given
these changes to the law of standard of review the Supreme Court cautioned
that prior decisions should be read carefully see Vavilov at para
58 In accordance with that caution I decline to apply the 2016 decision in Ontario
v Ontario to the question of standard of review in the case at barpp45
Post-Vavilov, the British Columbia Court of Appeal considered the standard of review in the context of an access to information request for material over which solicitor-client privilege was claimed: British Columbia (Attorney General) v Canadian Constitution Foundation, 2020 BCCA 238 ("British Columbia v CCF"). In that decision, which considered the same question raised here, Harris JA reasoned, at para 38, that:

The question, as I see the matter, engages the correct scope of a principle that is fundamental to the proper functioning of our legal system, a principle the protection of which must be as near to absolute as possible. It is a question that, given its importance, calls for a uniform and consistent answer. The question is fundamentally about the scope of solicitor-client privilege. Admittedly, it arises in the factual context of a question about whether solicitor-client privilege attaches to a record disclosing the total sum spent on litigating a matter during a certain time period while the litigation is ongoing. But it remains a question about the proper scope of privilege. Moreover, the answer to that question has precedential value and a significant impact on the administration of justice as a whole and other institutions of government. It goes far beyond the immediate interests of the parties in this case. Respect for the rule of law demands this Court ensure a single correct answer is provided. The standard of correctness, in my opinion, continues to apply.

[46]
This reasoning is aligned with the logic in Chagnon v Syndicat de la fonction publique et parapublique du Québec, 2018 SCC 39, [2018] 2 SCR 687. Harris JA observed that the Supreme Court had no difficulty applying a correctness standard to the question of privilege in Chagnon: see British Columbia (Attorney General) v CCF, at para 44.

[47]
In the Association of Management, Administrative and Professional Crown Employees of Ontario v Ontario (Ministry of the Attorney General), 2024 ONSC 1555 ("AMAPCEO"), the Divisional Court found that the test for prima facie discrimination is a question of central importance to the legal system, to be reviewed on a standard of correctness, and is required to be applied consistently. In that decision, Ryan Bell J wrote that the protection of human rights and the rule of law would be undermined if the test for prima facie discrimination were interpreted and applied a certain way by one adjudicator and in an entirely different manner by another: AMAPCEO, at para 36 (emphasis added).

[48]
The ON IPC submitted that AMAPCEO, at para 37, supports a reasonableness standard of review because of the observation in the decision that where the debate is about the facts and the inferences to be drawn from the facts, a reasonableness standard of review will apply. Where, however, the debate is about the applicable legal test and the analytical framework, a correctness standard of review applies because the question is of central importance to the legal system.

[49]
I disagree with the ON IPC's proposed interpretation of AMAPCEO in support of its submission on standard of review.

[50]
It is evident that the court in AMAPCEO applied the standard of correctness not only to the arbitrator's test for prima facie discrimination but also in considering whether the arbitrator's reasoning and application represented a misapprehension of the test itself. This is in keeping with the intention of ensuring consistency of answers to such important questions from Vavilov.

[51]
In its analysis, the court in AMAPCEO, at paras 39-40 and 45-50, found that the arbitrator erred in the application of the test in three ways:

1. by applying the incorrect legal standard to the evidence of how the grievor was treated;

2. by incorrectly attending to the shifting evidentiary burden once a prima facie case of discrimination was made out; and

3. by requiring direct evidence and rejecting uncontradicted relevant expert evidence.

[52]
As the Supreme Court in Vavilov said, general questions of law of central importance to the legal system as a whole require a single determinate answer. In cases involving such questions, the rule of law requires courts to provide a greater degree of legal certainty than reasonableness review allows: at para 62. The Supreme Court speaks of the consistency of the answers to important legal questions. AMAPCEO and British Columbia v CCF follow that reasoning: the principle must be identified and applied correctly because of the importance of the principle.

[53]
This approach to the standard of review involving constitutional questions was recently confirmed by the Supreme Court of Canada in Société des casinos du Québec inc v Association des cadres de la Société des casinos du Québec, 2024 SCC 13, at paras 45 and 92-97.[2]

[54]
Where the standard applied is one of correctness, the options available to the reviewing court are to either uphold the determination, for example, if it finds the reasoning persuasive, or it may come to its own conclusions on the question: Vavilov, at para 54.

[55]
The nature and scope of solicitor-client privilege is a question of fundamental importance: Vavilov, at para 60. The issues on this application involve the scope of solicitor-client privilege and/or litigation privilege to investigations under Ontario privacy legislation. In the case at bar, there are important questions of law and public interest involving the privacy of individual health data at stake, including whether the important principle of solicitor-client privilege is being respected or being asserted in a manner which impedes regulatory investigations into significant data breaches from cyberattacks.

[56]
While litigation privilege is a class privilege with conceptually distinct features from solicitor-client privilege, it nevertheless serves a common cause, being the secure and effective administration of justice according to law: Blank v Canada (Minister of Justice), 2006 SCC 39, [2006] 2 SCR 319, at para 31.

[57]
Although there are differences between solicitor-client privilege and litigation privilege, the Supreme Court of Canada has described litigation privilege as central to the justice system both in Quebec and in the other provinces. See Lizotte v Aviva Insurance Company of Canada, 2016 SCC 52, [2016] 2 SCR 521, at para 4.

[58]
Solicitor-client privilege serves the rule of law. So does litigation privilege. In this case, litigation privilege alongside solicitor-client privilege are raised as a basis for a permanent order of non-publication on the findings of the ON IPC into a major data breach. The application of either or both privileges, or the denial of those privileges, has broader implications. Canada is not unique in this regard; similar claims of privilege have arisen in other jurisdictions where there have been significant data breaches because of cyberattacks leading to regulatory investigations and civil proceedings.[3]

[59]
For these reasons, I conclude that a standard of correctness is the appropriate standard of review for the identification and application of both solicitor-client privilege and litigation privilege in the Privilege Decision.

Standard of Review: Independence of the Tribunal and the Issue of Procedural Fairness

[60]
LifeLabs submits that the ON IPC lacked independence by collaborating and deliberating with the BC IPC in making the Privilege Decision. Independence is a question of procedural fairness: Bell Canada v Canadian Telephone Employees Assn, 2003 SCC 36, [2003] 1 SCR 884, at para 21.

[61]
It is well settled law that a tribunal must conduct its proceedings fairly. Procedural fairness is determined with reference to the circumstances of the case, including the factors articulated in Baker v Canada (Minister of Citizenship and Immigration), 1999 CanLII 699 (SCC), [1999] 2 SCR 817, at paras 21-28. In Mission Institution v Khela, 2014 SCC 24, [2014] 1 SCR 502, at para 79, a unanimous Supreme Court characterized this as a correctness standard. More recent decisions from this court simply apply Baker without otherwise identifying a standard of review. See Mundulai v Law Society of Ontario, 2024 ONSC 959, at para 30, and MI v Administrator, Ontario Works Region of Peel, 2024 ONSC 1975, at para 8.

ANALYSIS OF THE ISSUES

1. Did the ON IPC err in applying the law of solicitor-client and litigation privilege to the documents at issue?

[62]
LifeLabs asserted solicitor-client or litigation privilege over five sets of disputed documents and the information within them:

(i) The investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred;

(ii) The email correspondence between the cyber intelligence firm and the cyberattackers after the discovery of the attack by LifeLabs;

(iii) An internal data analysis prepared by LifeLabs on April 28, 2020 to describe which individual health information had been affected by the breach and to notify those affected, pursuant to ss 12(1) and 12(2) of the PHIPA;

(iv) A submission from LifeLabs to the Commissioners dated May 15, 2020 in response to certain specific questions, communicated through legal counsel;

(v) The report of Kevvie Fowler, Deloitte LLP, dated June 9, 2020, prepared as part of the representations by LifeLabs and submitted to the Commissioners for that purpose.

[63]
The Privilege Decision found that none of these documents is subject to litigation or solicitor-client privilege. It found that LifeLabs' claims of privilege over facts available from other non-privileged sources and contained in the disputed documents above were not substantiated. Importantly, the Investigation Report did not seek to publish any of these disputed reports or documents but rather to include the facts responsive to the legislative mandate of the ON IPC and the BC IPC.

[64]
The ON IPC concluded that, with one exception, the Investigation Report contained facts which existed independently outside the disputed documents, were known to LifeLabs, and were required to be provided to the Commissioners pursuant to their joint investigation.[4] The Privilege Decision found that, in any event, those facts could not be held back from them by virtue of being placed in reports over which privilege was claimed.

[65]
An example of such a fact comes from the SIPC report about LifeLabs' draft IT security policies, which became public on June 9, 2020. LifeLabs claimed privilege over this information prior to its publication by the SIPC. By the time of the Privilege Decision, this was a publicly available fact.

[66]
More broadly, the Privilege Decision concluded that none of the documents in dispute is subject to either litigation or solicitor-client privilege and gave detailed reasons for those conclusions. LifeLabs does not challenge the way in which the Commissioners described the tests for privilege in their reasons: those correct statements of the law can be found in the Privilege Decision and need not be repeated here.

[67]
LifeLabs seeks to quash the decision based on five legal errors. The first two alleged errors are considered below, as they are interrelated.

A. Did the ON IPC err in concluding that LifeLabs had an obligation to investigate, remediate and produce information of compliance pursuant to PHIPA?

B. Did the ON IPC err in finding that facts concerning the investigation and remediation are producible where those facts exist independently of documents subject to claims of privilege?

[68]
LifeLabs does not dispute that it had an obligation to investigate and remediate the data breach. Indeed, its correspondence with the ON IPC and BC IPC in the early days post-data breach emphasized the steps it was taking in that regard.

[69]
LifeLabs now argues that it had no obligation to investigate, remediate or produce information and that independent facts on those issues are not producible if contained in privileged documents. If these submissions were accepted, this would permit a regulated entity to defeat investigative orders by placing unpalatable facts within its knowledge into a privileged report to counsel.

[70]
For example, the ON IPC asked LifeLabs about security alerts for a piece of software to address vulnerabilities on May 15, 2020. LifeLabs had their counsel interview the employee who had information about the question. LifeLabs then provided responses based on that interview and then claimed privilege over that information on the basis that it was a solicitor-client communication and/or subject to litigation privilege.

[71]
The ON IPC found that the facts disclosed from that interview were not subject to either solicitor-client or litigation privilege. Further, those facts were no longer confidential given their inclusion in the June 9, 2020 SIPC report.

[72]
LifeLabs maintains that whether those facts existed elsewhere did not defeat its claim of privilege over its responses to the ON IPC. Thus, it was an error for the ON IPC to conclude that these facts could be included in the Investigation Report.

[73]
I reject this submission based on the statutory authority of the ON IPC to conduct investigations into the duties owed by health custodians and the law of privilege.

[74]
Section 12 of the PHIPA requires health information custodians such as LifeLabs to investigate, contain and remediate privacy breaches. See London Health Sciences Centre (Re), 2017 CanLII 31432 (ON IPC), at para 140; Quinte Health Care (Re), 2021 CanLII 70445 (ON IPC), at para 22; Sault Area Hospital (Re), 2018 CanLII 78841 (ON IPC), at para 28; A Public Hospital (Re), 2022 CanLII 24233 (ON IPC), at para 14.

[75]
Section 61(1) of the PHIPA authorizes the IPC to order a person to perform a duty under the Act.

[76]
Health information custodians such as LifeLabs cannot defeat these responsibilities by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC's duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC's statutory mandate but also from how litigation privilege and solicitor client privilege function.

[77]
Litigation privilege attaches to the litigation process and is based on protecting the zone of adversarial preparation for trial. It has been compared by the Ontario Court of Appeal to the US protection of solicitor's work product as described in Hickman v Taylor, 329 US 495 (1946): see General Accident v Chrusz, 1999 CanLII 7320 (ON CA), 45 OR (3d) 321.

[78]
Litigation privilege protects the disclosure of documents and communications whose dominant purpose is preparation for litigation: Lizotte, at para 1. It applies to a party's litigation strategy, but it does not extend to facts or base information that may be useful to counsel in preparing for litigation: see Chrusz, at p 352; Fresco v Canadian Imperial Bank of Commerce, 2019 ONSC 3309; R v Assessment Direct, 2017 ONSC 5686, leave to appeal refused, [2018] SCCA No 29; Assessment Direct Inc et al v Ontario Provincial Police et al, leave to appeal refused, [2018] SCCA No 29; Claiming Privilege in the Discovery Process, Special Lectures of the Law Society of Upper Canada (1984), at p 169, cited in Pearson v Inco Limited, 2008 CanLII 46701, at para 15.

[79]
Thus, the IPC's statutory duty to inquire and LifeLabs' duty to respond does not permit a claim of litigation privilege over facts obtained through its lawyers, even where those facts might also play a role in defending against parallel civil litigation. As Nordheimer J wrote in R v Assessment Direct, at para 10, the privilege does not protect information that would otherwise have to be disclosed. LifeLabs did not identify any litigation strategy that would be disclosed in the Investigation Report because of the Privilege Decision.

[80]
Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated, at para 49:

Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded, it must be interpreted to protect only what it is intended to protect and nothing more.

[81]
That is, simply depositing a document or providing counsel with a copy of a document does not cloak the original document with privilege. See Nova Chemicals et al v CEDA-Reactor Ltd et al, 2014 ONSC 3995; Jacobson v Atlas Copco Canada Inc, 2015 ONSC 4, at para 34; Blank v Canada, 2006 SCC 39 (CanLII), [2006] 2 SCR 319, at paras 49-50; Humberplex Developments Inc v TransCanada Pipelines Ltd, 2011 ONSC 4851, at paras 41-42, 49 and 53.

[82]
The same reasoning applies to the type of facts at issue here, whether those be lines of code used by the cyberattackers and copy-pasted into an IT third-party report, information obtained from an employee by counsel about the measures taken to protect software vulnerabilities, or an internal data analysis undertaken by LifeLabs to determine the extent of the data breach.

[83]
LifeLabs did not describe any examples of legal advice or solicitor-client communication that would be made public via the information contained in any of the five disputed documents that were also found to be facts with an independent life of their own.

[84]
Therefore, taking into consideration the law of privilege, the ON IPC did not err in finding that facts concerning the investigation and remediation are producible. This is especially so where those facts exist independently of documents subject to claims of privilege. The ON IPC did not err in its finding that LifeLabs had an obligation to investigate, remediate and produce evidence of its compliance pursuant to PHIPA.

[85]
I turn to the third error alleged by LifeLabs.

C. Did the ON IPC err by requiring LifeLabs to prove how disclosure of the information would prejudice LifeLabs by revealing counsel's theories and strategies in its legal defence?

[86]
During the discussion of the underlying facts in the reports, the ON IPC found, as discussed above, that litigation privilege is not intended to shield relevant facts from disclosure that do not constitute a lawyer's work product. The Privilege Decision found that the underlying facts in the third-party cybersecurity firm's report would address the key questions of the cause of the breach, the scope of the breach, how the scope was determined, and what was done by the cybersecurity firm to contain and then remediate the breach. LifeLabs has not provided us with any evidence or arguments to demonstrate that disclosure of these facts would reveal or undermine the legal strategy of LifeLabs' defence (emphasis added).

[87]
This was a statement of fact arising from the test for litigation privilege, which exists to protect legal strategies in preparation for litigation and not relevant background facts. It did not require prejudice to be proved.

[88]
Although the ON IPC also found that the documents were not created for the dominant purpose of litigation, thus not attracting the protection of litigation privilege, it was also entitled to consider whether independent facts that could not be said to reveal theories or strategies existed. This evidence could only practically come from LifeLabs, with its knowledge of its civil jeopardy and instructions to counsel. The ON IPC was entitled to find that there was no such evidence. In doing so, it made no legal error.

D. Did the ON IPC err in citing the US decision In re Capital One Consumer Data Security Breach Litigation, 2020 US Dist LEXIS 91736 (ED Va May 26, 2020)?

[89]
LifeLabs submits that the decision in Iggillis Holdings Inc v Minister of National Revenue, 2018 FCA 51, [2019] 2 FCR 767, at para 40, held that the approach of a US court has no bearing on how privilege questions should be determined in Canada and that it was an error for the ON IPC to do so in the Privilege Decision.

[90]
I disagree. The In re Capital One case affords persuasive authority to support a finding that where a company has a prior retainer with a cybersecurity firm to provide essentially the same services before and after a breach, inserting counsel's name into the contract and stating that the deliverables would be made to counsel on behalf of the client does not render any report prepared subject to the US work product doctrine, which is akin to Canada's litigation privilege.

[91]
The ON IPC noted that, for similar reasons, given the facts in the record, the cybersecurity firm retained by LifeLabs that produced a report on the breach did so for business purposes and was not for the dominant purpose of litigation.

[92]
The ON IPC also addressed the submission made to it by LifeLabs that US authority should play no part in the privilege analysis. In the Privilege Decision, the ON IPC found:

Canadian courts have considered American jurisprudence on the issue of litigation privilege in the past, including in caselaw relied on by LifeLabs (Lizotte).

The decision in Iggillis Holdings Inc is distinguishable because it concerned solicitor-client privilege in the context of a particular statutory definition, and the error there involved relying on jurisprudence from another province.

The IPC did not solely rely on In re Capital One to find that the cybersecurity report was not subject to litigation privilege; rather, it was included to confirm their approach based on similar concepts of dominant purpose in Canada and driving force in the US, the very similar facts, and the lack of any Canadian decision dealing with whether litigation privilege attaches to cybersecurity reports produced by third parties in response to a cyberattack.

[93]
The ON IPC did not err in its reference or use of In re Capital One in the Privilege Decision. This case raised novel issues, and the facts were sufficiently similar to warrant consideration. The ON IPC applied Canadian jurisprudence on the law of litigation privilege and solicitor client privilege. It found, on the record before it, that the disputed documents were not protected by either privilege. It did not find that In re Capital One was binding on it. Its reference to the case was appropriate in these circumstances.

E. Did the ON IPC disregard the sworn and uncontradicted evidence of LifeLabs' in-house counsel in favour of its own conjecture?

[94]
LifeLabs argues that ON IPC erred because it received a sworn statutory declaration from LifeLabs' interim general counsel and did not cross-examine her on that sworn declaration. It did not accept the assertions of privilege contained in the statutory declaration.

[95]
The ON IPC did not err in its analysis of the evidence. There was a lengthy record before the ON IPC and BC IPC, which included the records over which privilege was asserted and a prior examination under oath of interim general counsel, who did not respond to questions about the assertions of privilege. During examination, which predated the declaration, the ON IPC and the BC IPC sought to examine counsel on an affidavit sworn for privilege claims that were pending in British Columbia court. External counsel objected to many of these questions.

[96]
The Privilege Decision rejects the assertions of privilege in the declaration from interim general counsel. This is not a case of preferring competing versions of facts. The ON IPC rejected the assertions and gave reasons for those conclusions. The ON IPC did not err in coming to these conclusions. The ON IPC was not required to cross-examine interim general counsel on the statutory declaration, considering all the other information available on the questions raised by the claims of privilege.

2. Did the ON IPC fail to act independently by jointly determining the issue with another regulator?

[97]
LifeLabs submits that in deliberating with the BC IPC, the ON IPC allowed itself to be influenced by another regulator, thus failing to grant LifeLabs an independent hearing of the privilege issue by a tribunal that was also seen to be independent: Canadian Pacific Ltd v Matsqui Indian Band, 1995 CanLII 145 (SCC), [1995] 1 SCR 3, at para 80.

[98]
Further, LifeLabs relies on the PHIPA and the IPC's Code of Procedure for Matters under the Personal Health Information Protection Act 2019 as authority for its position that neither of these pieces of legislation allow for joint deliberation with other privacy commissioners in Canada. LifeLabs draws a distinction between the provisions in PHIPA and in the Personal Information Protection Act, SBC 2003 ("PIPA"), which authorize a coordinated investigation.

[99]
The relevant passages in s 36(1) of the PIPA empower the commissioner to monitor the administration of the Act and ensure its purposes are achieved, including by being able to:

(k) exchange information with any person who, under legislation of another province or of Canada, has powers and duties similar to those of the commissioner;

(l) enter into information-sharing agreements for the purposes of paragraph (k) and into other agreements with the persons referred to in that paragraph for the purpose of coordinating their activities and providing for mechanisms for handling complaints.

[100]
Similarly, s 66(e) of the PHIPA empowers the Commissioner to assist in investigations and similar procedures conducted by a person who performs similar functions to the Commissioner under the laws of Canada, except that in providing assistance, the Commissioner shall not use or disclose information collected by or for the Commissioner under this Act. Sections 68(3)(a) and (b) of the PHIPA permit information sharing with bodies legally entitled to regulate or review the activities of the custodian.

[101]
The record reveals that the joint investigation reflected the fact that the majority of Canadians whose personal health information was involved in the data breach lived in Ontario and British Columbia. LifeLabs was advised that the investigation would address the scope of the attack, the circumstances that led to it, and the measures that LifeLabs ought to have taken to prevent and to remediate it, in compliance with its obligations under PHIPA and PIPA.

[102]
In furtherance of the joint investigation, the Commissioners signed a Memorandum of Understanding which agreed neither would exercise authority over the other that could affect the Commissioners' independence. The ON IPC and the BC IPC advised LifeLabs that they would be jointly investigating and would issue a single Investigation Report with "our findings". During the investigation and prior to the Privilege Decision, the ON IPC and the BC IPC jointly ruled on questions of privilege claims over two discrete documents.

[103]
LifeLabs did not object or raise concerns about the independence of either regulator in response to the evidence of joint investigation and decision-making. To the contrary, in a correspondence with the ON IPC dated March 19, 2020 addressed to both offices, counsel for LifeLabs presented proposals concerning the orders and privilege claims with a view to facilitating the Commissioners' investigation. The record contains other examples of references to the joint investigation.

[104]
LifeLabs clearly understood and acquiesced to corresponding with and receiving decisions from the Commissioners on a joint basis. For example, on March 31, 2020, LifeLabs wrote to both Commissioners to advise it was waiving privilege over its third-party cyber security firm's investigation report and cyber intelligence communications with the attackers exclusively for the limited purpose of "your and BC IPC's review in connection with the joint investigation" (emphasis added).

[105]
On April 8, 2020, in correspondence with LifeLabs, the Commissioners wrote that they "will decide whether the objections based on privilege are valid" (emphasis added).

[106]
On April 20, 2020, counsel to LifeLabs acknowledged the process offered by the Commissioners to make representations on the privileged material and, although noting that it should be for a Court and not the regulator to ultimately determine the questions of privilege, counsel did not object to the joint process proposed. That portion of the letter from counsel read:

We thank you also for confirming that, prior to referencing any portion of the two above-referenced documents in the ON IPC and BC IPC's investigation report, the ON IPC and the BC IPC would provide LifeLabs with an opportunity to make representations on any objections LifeLabs may have in relation to such disclosures, including, at LifeLabs' discretion, pursuant to a judicial review process. That process is acceptable to address LifeLabs' concerns, provided that a reasonable period of time is allowed for the review. [Emphasis added.]

[107]
The record is replete with LifeLabs' acknowledgement of the process of a joint investigation. The issues of privilege and how to obtain the necessary information consumed a large part of the correspondence between counsel for LifeLabs and the Commissioners. The adjudication of the privilege claims was subsumed in the larger joint investigation into this data breach. It was not a separate entity with an independent procedural history; rather, LifeLabs made it an issue. Having done so, and having been heard by the Commissioners, LifeLabs cannot now credibly claim that it did not understand that this was the process that would be adopted.

[108]
The requirement that a decision maker be independent is a component of the rule against bias: see Bell Canada v Canadian Telephone Employees Association, 2003 SCC 36, [2003] 1 SCR 884, at para 17. Fairness in decision-making by administrative agencies depends on independence, which is measured against the test found in Committee for Justice and Liberty v National Energy Board, 1976 CanLII 2 (SCC), [1978] 1 SCR 369, at p 394, that is, what the informed person would conclude, viewing the matter realistically and practically, having thought the matter through.

[109]
I find that there is no merit to the argument that the Privilege Decision raises issues of independence. The Privilege Decision was made jointly within the larger context of a joint investigation, for which there was statutory authority. To publicly report on the investigation itself, the ON IPC and the BC IPC were required to make findings on confidentiality and the claims of privilege. This was an inquisitorial process, which means that the investigative and adjudicative functions were required to inform the ultimate report to the public.

[110]
I find that an informed person would conclude that there was no apparent bias or lack of independence arising from the jointly issued Privilege Decision. Two independent provincial agencies with similar mandates undertook a transparently joint investigation that included making orders and decisions such as the Privilege Decision. This was all done in furtherance of preparing a final investigative report to inform the public. Both regulators have the statutory authority to coordinate and share investigations in privacy matters. There is ample precedent for joint investigations undertaken by various Canadian privacy regulators.[5] LifeLabs did not put before the Court any challenge to any prior joint investigation. This practice reflects the reality that data breaches are not confined to provincial boundaries.

[111]
I conclude that, under a standard of review of correctness, there was no procedural unfairness in the joint investigation or decision-making processes adopted by the ON IPC and the BC IPC. Therefore, procedural unfairness did not taint the joint Privilege Decision.

CONCLUSION

[112]
The Application is dismissed. Neither the ON IPC nor the BC IPC seek costs, and none are ordered.

Leiper J

I agree
McWatt ACJ

I agree
Doyle J

Released: April 30, 2024

[1]
Given that this judicial review application is being heard in Ontario and the ON IPC is the responding party, I will refer to the ON IPC's actions in rendering the Privilege Decision, notwithstanding that the Privilege Decision was signed by both the ON IPC and the BC IPC.

[2]
The parties were invited to make supplementary written submissions on this decision, which was released after oral argument on this application. Those submissions were consistent with the parties' original positions on standard of review.

[3]
This is an issue which has emerged in other jurisdictions: see In re Capital One Consumer Data Security Breach Litigation, 2020 US Dist LEXIS 91736 (ED Va May 26, 2020), affirmed, MDL No 1 19md2915 AJTJFA (ED Va Jun 25, 2020); Robertson v Singtel Optus Pty Ltd, [2023] FCA 1392 (Federal Court of Australia).

[4]
The one exception is the written record of the statements made by the cyberattackers in their correspondence with the cyber intelligence firm that negotiated the payment of the ransom to them. The findings of the ON IPC and the BC IPC that these are not subject to solicitor-client privilege are unassailable. While there may be other good reasons not to publicize these statements as a matter of public policy, they are demonstrably not subject to solicitor-client privilege in this context.

[5]
See Joint Investigation of Facebook, Inc by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, PIPEDA Findings 2019-002 (April 25, 2019); Joint Investigation of AggregateIQ Data Services Ltd by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, PIPEDA Findings 2019-004 (November 26, 2019); Joint Investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Commission for British Columbia, PIPEDA Findings 2020-004 (October 28, 2020); Joint Investigation of Clearview AI, Inc by the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta, PIPEDA Findings 2021-001 (February 2, 2021).