A focus on the risk of harm : applying a risk-centered purposive approach to the interpretation of "personal information" under Canadian data protection laws
University of British Columbia
Master of Laws - LLM
We now live in a world where the Internet is in its second generation, big data is king, and a “Digital Earth” has emerged alongside advancements in 3S technologies, where cyber-attacks and cybercrime are the new trend in criminal activity. The ease with which we can now find, collect, store, transfer, mine and potentially misuse large amounts of personal information is unprecedented. The pressure on data protection regulators continues to mount against this backdrop of frenetic change and increased vulnerability. Law and policy makers around the world tasked with protecting information privacy in the face of these advances are simply struggling to keep pace. One important difficulty they encounter is defining the term “personal information” under data protection laws (DPLs) in order to delineate precisely what type of information enjoys the protection of these legislative instruments. As a result, the meaning and scope of this term have emerged as a pressing issue in scholarly debates in the field of privacy and data protection law. This thesis contributes to these discussions by critically appraising the approaches taken by Canadian courts, privacy commissioners and arbitrators to interpreting the statutory definitions of “personal information” under Canadian private sector DPLs, and showing that a different approach is justified in light of rapidly evolving technologies. The second part of my thesis recommends a purposive risk of harm focused framework advanced by Canadian privacy scholar Éloïse Gratton as a desirable substitute for existing expansionist approaches to interpreting the definition of “personal information” under Canada’s private sector DPLs. I support my recommendation by discussing the ways in which the proposed risk of harm framework can overcome the shortcomings of existing approaches, and demonstrate this by applying it to previously issued decisions in which Canadian arbitrators and privacy commissioners or their delegates have applied expansionist approaches to new data types and data gathered by new technologies. In so doing, I demonstrate that the proposed framework better reflects the fundamental purpose of Canadian private sector DPLs: to protect only data that raises a risk of harm to individuals impacted by its collection, use or disclosure.
Attribution-NonCommercial-NoDerivs 2.5 Canada
Law, Peter A. Allard School of