Gartner Inc. v. Information and Privacy Commissioner of Ontario, 2017 ONSC 7181

CITATION: Gartner Inc. v. Information and Privacy Commissioner of Ontario, 2017 ONSC 7181

DIVISIONAL COURT FILE NO.: 559/16 DATE: 20171220

ONTARIO SUPERIOR COURT OF JUSTICE DIVISIONAL COURT

Swinton, Rady and Matheson JJ.

BETWEEN:

GARTNER INC.

Applicant

– and –

INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO, TREASURY BOARD SECRETARIAT and JANE DOE, REQUESTER

Respondents

Christopher D. Bredt and Logan Crowell, for the Applicant

William Challis, for the Respondent Commissioner

Heather MacKay, for the Respondent Treasury Board Secretariat

Daniel Sheppard, for the Respondent Jane Doe

HEARD at Toronto: November 16, 2017

Swinton J.:

Overview

[1] Gartner Inc. (the “Applicant”) seeks judicial review of Order PO-3663 of the Information and Privacy Commissioner (“IPC”) dated October 27, 2016, in which the adjudicator ordered the disclosure of commercial information that Gartner had provided to the respondent Treasury Board Secretariat (“TBS”). The adjudicator found that the information at issue was not exempt from disclosure under the third party records exemptions found in s. 17(1) of the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31 (the “Act”).

[2] In my view, the decision of the adjudicator was reasonable. Accordingly, I would dismiss the application for judicial review.

Factual Background

[3] Gartner is a research and advisory firm that advises clients on the types of information technology (“IT”) they should use in their businesses. One of the key services that Gartner offers is “benchmarking”, which allows clients to compare their IT products and services with those of industry peers. The industry peers are selected from Gartner’s proprietary database (the “Repository”), which has been assembled over the course of approximately 20 years.

[4] The information at issue in the present application is found in a benchmarking report prepared for Treasury Board Secretariat by Gartner in 2012, the ITS Infrastructure Tower Benchmarking: Final Results.

[5] The benchmarking process used by Gartner is broken down into six steps, as described in its reply submissions to the Commissioner.

1. Gartner collects and analyzes raw data obtained from the client (including labour, software, hardware and facilities costs and service levels) using its proprietary data collection tools, templates and definitions in order to determine the client workload (volume of work performed with IT) and complexity (types of work performed with IT);

2. Gartner validates the client’s raw data to ensure consistency with its IT benchmarking methodology and definitions;

3. It then selects peer group data from its Repository of benchmarking data - that is, data of peers having a similar workload and complexity to the client;

4. It conducts a gap analysis between client efficiency levels and the peer data;

5. It generates recommendations to improve client efficiency; and

6. It then documents its results in a report.

[6] The withheld information that is the subject of dispute is of two kinds. First, in charts comparing TBS’ spending figures with peers, the figures for peer spending have been redacted (that is, the average, 25th and 75th percentiles). As a result, only TBS’ actual spending information is revealed. Second, some information about the demographics of the selected peer groups has been redacted.

[7] The withheld information respecting the peer groups is composed of data that is both anonymized and aggregated. It does not disclose information about any identifiable entity. The withheld information was the result of a simulation, based on the spending and support profile of a particular peer group, to arrive at a number that the comparator group would spend to support the same workload as the Ontario government.

The IPC Decision

[8] Subsection 17(1) of the Act provides for exemption from disclosure of certain third party records. At issue in the present case are paragraphs 17(1)(a), (b), and (c). They read:

A head shall refuse to disclose a record that reveals a trade secret or scientific, technical, commercial, financial or labour relations information, supplied in confidence implicitly or explicitly, where the disclosure could reasonably be expected to,

(a) prejudice significantly the competitive position or interfere significantly with the contractual or other negotiations of a person, group of persons, or organization;

(b) result in similar information no longer being supplied to the institution where it is in the public interest that similar information continue to be so supplied;

(c) result in undue loss or gain to any person, group, committee or financial institution or agency; ...

[9] The adjudicator found that the Applicant had provided commercial information in confidence to TBS, thus satisfying two of the criteria for the application of s. 17(1). However, the adjudicator concluded that the redacted information was not exempt under s. 17(1)(a), (b) and (c) - exemptions based on harm to competitive position and interference with negotiations, information no longer supplied to the government institution, and undue loss or gain. She reached that decision based on her conclusion that the Applicant had not established there was a reasonable expectation that the harms might occur.

The Standard of Review

[10] It is well established that reasonableness is the standard of review to be applied in respect of a decision of the IPC interpreting and applying an exemption provision in the Act like s. 17(1) (Alberta (Information and Privacy Commissioner) v. Alberta Teachers’ Association, [2011] 3 S.C.R. 61 at para. 48; Ontario (Community Safety and Correctional Services) v. Ontario (Information and Privacy Commissioner), 2014 SCC 31, [2014] 1 S.C.R. 674 at paras. 26-27).

The Issues

[11] The Applicant argues that the IPC decision is unreasonable for two reasons. First, the adjudicator misapprehended key evidence - the nature of the information being severed - and based her decision on that misapprehension. Second, the adjudicator applied too onerous a standard of proof to the probable harms under s. 17(1).

[12] TBS agrees with the position of the Applicant, but also argues that the IPC unreasonably failed to discuss the application of s. 17(1)(b) of the Act.

Analysis

The task of the adjudicator in applying s. 17(1)

[13] In determining whether third party information is exempt under s. 17(1), the IPC must apply the “reasonable expectation of harm” test. As the Supreme Court of Canada stated in Ontario (Community Safety and Correctional Services), above at para. 54, the test requires the party seeking to uphold an exemption to show a reasonable expectation of probable harm. The Court stated,

As the Court in Merck Frosst [Merck Frosst Canada Ltd. v. Canada (Health), 2002 SCC 3] emphasized, the statute tries to mark out a middle ground between that which is probable and that which is merely possible. An institution must provide evidence “well beyond” or “considerably above” a mere possibility of harm in order to reach that middle ground: paras. 197 and 199. This inquiry of course is contextual and how much evidence and the quality of evidence needed to meet this standard will ultimately depend on the nature of the issue and “inherent probabilities or improbabilities or the seriousness of the allegations or consequences”: Merck Frosst, at para. 94, citing F.H. v. McDougall, 2008 SCC 53, [2008] 3 S.C.R. 41, at para. 40.

[14] The adjudicator correctly set out the test at para. 41 of her reasons.

Did the adjudicator misapprehend key evidence?

[15] The Applicant argues that the adjudicator mistakenly confused the Raw Data (which the Applicant defines as the data obtained from the client) and the asset actually at issue - that is, the benchmarking data. It also submits that the adjudicator, in considering whether there would be harm to the Applicant’s competitive position, erroneously held that the benchmarking data was valueless unless it is in the Repository.

[16] The Applicant’s argument with respect to harm to its competitive position was articulated as follows by the adjudicator (at para. 61):

... As summarized in its reply, the third party argues that disclosure of the information at issue could reasonably be expected to:

(i) Allow competitors to appropriate a key asset developed and used by the third party to provide services that generate an important part of its revenue....

(ii) Allow IT producers and vendors to adjust their pricing, among other strategic decisions, which could reasonably result in market distortions including higher IT costs to clients, which would also be harmful to the third party’s reputation and business.

[17] With respect to whether the adjudicator misapprehended which asset was at issue – the Repository or the data in the report – she described the withheld information accurately as “the aggregate peer spending amounts arrived at by using select peers from the benchmarking data” when considering the Applicant’s submissions (at para. 66). Again, at para. 67 she draws a distinction between the Repository and the withheld information:

While I accept that the third party’s repository of benchmarking data is a valuable asset, the third party has not explained how disclosure of the withheld information would enable a competitor to make use of its benchmarking repository.

[18] The Applicant argues that the adjudicator focused only on the harm that would come with the disclosure of the data in the Repository. I disagree. In para. 68, the adjudicator explained how peer data is selected from the Repository for use in a benchmarking study. She also described how that peer group data was used in the report:

In the copy of the report that was disclosed to the appellant, a general description of the peer groups whose data was used for a particular chart appears beside the chart. Further information about the peer demographics has been redacted. However, the report contains no information that identifies the particular peers used by the third party for its analysis. Moreover, no individualized information particular to any one peer is set out. In other words, only aggregate information about the group of anonymous peers (typically 8 organizations) appears in the report.

[19] Paragraph 69 is key to the adjudicator’s analysis. When read in context and in light of the preceding paragraphs, it demonstrates that the adjudicator was focused on the peer group data in the report - that is, the benchmarking data in the report – not the Repository. The adjudicator was not satisfied that there was a reasonable expectation of harm if the benchmarking data was revealed. She states,

It not [sic] self-evident how this aggregate, anonymized information could be used by a competitor to provide its own benchmarking services in competition with the third party. Moreover, the third party’s representations have not provided me with an explanation of how a competitor could exploit the information at issue. Beyond asserting that the information is valuable and that it could be exploited by a competitor, the third party has not explained how a competitor could make use of the information as it appears in the report.

[20] The Applicant seizes on the fact that the adjudicator in the next sentence accepts the requester’s argument that competitors would be unable to reverse-engineer the redacted information to reveal raw benchmarking data - that is, the data in the Repository. As well, in para. 72, she concludes that “it is not reasonable to expect that the disclosure of the withheld information will result in the exploitation of the third party’s repository of benchmarking data.”

[21] I see no error of fact in her analysis, which recognizes the difference between the benchmarking data in the report and the data in the Repository. The fact that she considered the risk of disclosure of information in the Repository is not surprising for two reasons. First, the Applicant itself emphasized the value of the Repository in its submissions, describing it as a “crown jewel” of its assets. Second, the requester had submitted that there was no danger of disclosure of the data in the Repository if the withheld information in the report was revealed, and the adjudicator addressed this submission.

[22] In any event, the adjudicator did address the risk of harm from disclosure of the withheld information found in the report. She concluded that the Applicant had not demonstrated a reasonable expectation of harm to its competitive position in its submissions.

Did the adjudicator apply too onerous a standard under s. 17(1)?

[23] The Applicant argues that the IPC imposed too high a standard of proof that harm will occur, requiring the Applicant to show it was probable that harm “will” occur. The correct test is whether there is a reasonable expectation of probable harm. The Applicant submits that the adjudicator required it to prove harm on a balance of probabilities.

[24] The Applicant points to two places in the reasons where the adjudicator is said to have imposed the higher standard, despite having correctly articulated the test earlier in her reasons:

[I]t is not reasonable to expect that the disclosure of the withheld information will result in the exploitation of the third party’s repository of benchmarking data (at para. 72).

The third party has not provided me with enough information to conclude that it is reasonable to expect that the harms listed will come about if the information if the information at issue is disclosed (at para. 75). (emphasis added)

[25] In my view, the adjudicator did not impose an incorrect standard of proof. When her reasons are read as a whole, it is clear that she was applying the correct test - that is, a reasonable expectation of probable harm. I note that the Supreme Court of Canada in Ontario (Community Safety and Correctional Services), above, upheld a decision of the IPC where the adjudicator had used almost identical words. The Court concluded that the reasons, read as a whole, demonstrated that the adjudicator was not applying a balance of probabilities test (see paras. 48, 51, and 59).

[26] Similarly, here, the adjudicator applied the correct test, asking whether there was a reasonable expectation of probable harm. She rejected the Applicant’s arguments respecting the exemptions because she concluded that the Applicant had failed to provide the required evidence to show how the alleged harms could occur (see paras. 67 and 69). For example, she stated at para. 69 that the Applicant’s “representations have not provided me with an explanation of how a competitor could exploit the information at issue.”

Did the adjudicator fail to address s. 17(1)(b)?

[27] TBS, but not the Applicant, argues that the adjudicator failed to address s.17(1)(b), the risk of harm because information would no longer be supplied to government. For s. 17(1)(b) to apply, the IPC must conclude that disclosure could reasonably be expected to “result in similar information no longer being supplied to the institution where it is in the public interest that similar information continue to be so supplied.”

[28] The only submission made to the IPC with respect to the application of s. 17(1)(b) is found in the Applicant’s responding submissions. There is no mention of s. 17(1)(b) in its reply submissions, and nothing in the TBS’ submissions to the IPC. In that one paragraph, the Applicant stated that

[it] cannot provide its services without giving its client access, on a confidential basis, to its benchmarking data. The [Applicant] must have confidence that its benchmarking data will be kept confidential in order to provide benchmarking services.

[29] The adjudicator stated that s. 17(1)(a), (b) and (c) were in play. She summarized the brief submission made by the Applicant respecting s. 17(1)(b), but she did no analysis of that provision. Ultimately, she concluded that a reasonable expectation of the risk of the harms in paragraphs (a), (b) or (c) had not been established.

[30] I would not give effect to this ground of judicial review. In the Applicant’s very brief submissions to the IPC with respect to s. 17(1)(b) the Applicant did not put any real weight on this exemption. Its real concern was paragraphs (a) and (c). Moreover, the adjudicator was not provided with the necessary information that would require her to engage in an in depth analysis of s. 17(1)(b).

Was the IPC decision reasonable?

[31] The adjudicator was not satisfied that the disclosure of the benchmarking data could reasonably be expected to significantly prejudice the competitive position of the Applicant. The Applicant had the onus to show that there was a reasonable expectation of probable harm if the withheld information was disclosed.

[32] The adjudicator reasonably stated that it was not “self-evident” how the benchmarking data could be used by the Applicant’s competitors. Accordingly, the Applicant had an obligation to explain how the harms could occur, and it failed to do so to the satisfaction of the adjudicator.

[33] Moreover, the adjudicator reasonably concluded that the Applicant failed to provide information supporting its arguments regarding market distortions. She described the arguments as “mere speculation” (at para. 74), stating

The third party has not provided me with enough information to conclude that it is reasonable to expect that the harms listed will come about if the information at issue is disclosed. For example, the third party has not explained why the harms could reasonably be expected to result from the disclosure of the information at issue, but not from the disclosure of Ontario’s own actual spending on IT services, which has already been released to the appellant.

[34] The Applicant submits that the Adjudicator should have used a contextual analysis, which would lead to the conclusion that the withheld information could cause harm to its competitive position. It relies on the decision of the Divisional Court in Trustees of the Bricklayers and Stonemasons Union Local 2 v. Information and Privacy Commissioner of Ontario, 2016 ONSC 3821. However, the majority in that case was dealing with confidential information related to a pension plan, where a rival union sought access to the information in the raiding season in the construction industry. The Court held that the IPC had imposed too burdensome a standard of proof (see paras. 65-69).

[35] Here, the adjudicator reasonably concluded that it was not self-evident how the withheld information could be used by competitors or how the release of the information could lead to market distortions. Accordingly, the Applicant was required to explain how the harms it alleged could occur.

[36] In my view, the adjudicator’s decision is reasonable, based on the record before her. I would not give effect to new arguments of probable harm, first raised on this application for judicial review. For example, the Applicant suggests that a competitor’s client could use the data because it is an institution similar to TBS. It would be improper for this Court to make findings of fact based on information that was not before the adjudicator.

Conclusion

[37] For these reasons, the application for judicial review is dismissed. No party seeks costs.

___________________________ Swinton J.

I agree___________________________

Rady J.

I agree___________________________

Matheson J.

Released: December 20, 2017

CITATION: Gartner Inc. v. Information and Privacy Commissioner of Ontario, 2017 ONSC 7181

DIVISIONAL COURT FILE NO.: 559/16 DATE: 20171220

ONTARIO

SUPERIOR COURT OF JUSTICE

DIVISIONAL COURT

Swinton, Rady and Matheson JJ.

BETWEEN:

GARTNER INC.

Applicant

– and –

INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO, TREASURY BOARD SECRETARIAT and JANE DOE, REQUESTER

Respondents

REASONS FOR JUDGMENT

Swinton J.

Released: December 20, 2017