LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194
TORONTO DIVISIONAL COURT FILE NO.: 053/21
DATE: 20240430
ONTARIO SUPERIOR COURT OF JUSTICE DIVISIONAL COURT
McWatt ACJ, Doyle and Leiper JJ.
BETWEEN:
LIFELABS LP Applicant
– and –
INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO Respondent
OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER FOR BRITISH COLUMBIA Intervener
COUNSEL:
Alexandra E. Cocks and Amanda D. Iarusso, K.C., for the Applicant
Linda Chen and Brendan Gray, for the Respondent
Catherine J. Boies Parker, K.C and Kate Phipps for the BC IPC, Intervener
HEARD at Toronto: April 4, 2024
REASONS FOR DECISION
LEIPER J.:
OVERVIEW
[1] This case is about a 2019 data breach in which cyber-attackers obtained personal health data of millions of Canadians and demanded payment for its return.
[2] The target of the attack, LifeLabs LP (or “LifeLabs”), provides general and specialized laboratory testing across Canada. In this capacity, it holds personal information and personal health information for its customers.
[3] The largest number of people affected by the attack lived in Ontario and British Columbia. The privacy commissioners for those provinces launched a joint investigation into the data breach.
[4] LifeLabs notified the public, set up call centres and used external IT experts to provide it with information about the breach, and to negotiate with the cyber-attackers. Members of the public launched class action lawsuits against LifeLabs.
[5] The Information and Privacy Commissioner of Ontario (“ON IPC”) announced it would investigate the cyber attack under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sch. A (“PHIPA”). The ON IPC stated its investigation would be coordinated with the British Columbia’s Information and Privacy Commissioner (“BC IPC”).
[6] During their investigation, the ON IPC and BC IPC sought information that LifeLabs had obtained from its consultants about the data breach and its systems. LifeLabs resisted, and claimed privilege over any reports or information in those reports (“disputed documents”)
[7] After receiving the documents and representations from LifeLabs’ lawyers, in a decision dated June 25, 2020, the ON IPC and the BC IPC jointly decided that the claims of privilege should fail (the “Privilege Decision”). They also finalized their investigation report into the cyberattack (the “Investigation Report”).
[8] Neither decision has been published to date.
THE APPLICATION FOR JUDICIAL REVIEW
[9] On this application for judicial review, LifeLabs seeks an order quashing the Privilege Decision and a permanent order preventing publication of the Investigation Report on its findings from its joint investigation into the Ontario and British Columbia data breaches. It also seeks various declarations which are related to the application to quash and for non-publication orders.
[10] LifeLabs raises two issues on review: whether the ON IPC and BC IPC breached their right to procedural fairness by jointly deciding the privilege issue, and whether they erred in their application of the law on solicitor-client privilege and litigation privilege to the facts. LifeLabs argues that since the Privilege Decision is wrong, it should be set aside, and this Court should order that ON IPC refrain from publishing the Investigation Report, or releasing any report that refers to the facts and documents over which LifeLabs has claimed privilege.
[11] ON IPC responds, supported by the submissions of the intervener, BC IPC, that there was no breach of procedural fairness. LifeLabs was fully aware of the joint investigation and did not object at any time to that decision-making process. Joint investigations are common and are provided for by the relevant provincial legislation. The Privilege Decision arose from the issues raised by LifeLabs during the joint investigation and had an opportunity to make submissions to the Commissioners. The ON IPC and BC IPC further submit that the claims of privilege have no merit and that they did not err in applying the law of privilege.
SUMMARY OF FINDINGS
[12] In the context of an ongoing joint investigation, I find that the ruling by the ON IPC and BC IPC in the Privilege Decision did not breach LifeLabs’ right to an independent adjudication and was not procedurally unfair.[^1]
[13] Assessing the Privilege Decision on a standard of correctness, the ON IPC applied the law of privilege to the record before it and did not err in doing so. The decision is logical, clear and persuasive. It considered all the arguments raised by LifeLabs and gave comprehensive reasons for rejecting the claims of privilege.
[14] For the reasons below, I dismiss the application for judicial review.
BACKGROUND
[15] Although the Investigation Report has not been published, some of the circumstances of the data breach are available. On June 9, 2020, the Office of the Saskatchewan Information and Privacy Commissioner (the “SIPC”) reported publicly on its investigation into the data breach, which affected the private health data of 93,647 Saskatchewan residents.
[16] The decision of the SIPC made findings regarding LifeLabs, and therefore provides context and background.
[17] The SIPC found that LifeLabs’ servers in Ontario had a “code-level third party vulnerability” because a software patch had not been installed. The need for the patch was not caught by LifeLabs’ third-party vulnerability management system.
[18] LifeLabs reported to the SIPC that the only way it might have discovered the need for a particular security patch was through one of its developers, who had received an unsolicited email notification of a patch. The email had landed in the developer’s junk mailbox. The developer was not part of the security team and was not required as part of his duties to LifeLabs to search his junk mailbox. LifeLabs had not finalized eleven (11) draft privacy and security policies at the time of the breach, although by the time of the SIPC’s final report, it had done so.
[19] The cyber-attackers had gained undetected access to some of LifeLabs’ systems for over a year. On October 28, 2019, LifeLabs’ third-party consultant noted anomalous activity and contained the affected systems for investigation.
[20] On October 31, 2019, the cyber-attackers contacted LifeLabs and demanded payment for the safe return of personal data. LifeLabs paid the cyber-attackers in exchange for the data, and an agreement not to publicly release it on the internet.
[21] The SIPC was concerned with the ongoing risk because of the breach, and disagreed with LifeLabs that the risk was “low”, given that the data obtained included names, addresses, dates of birth, email addresses, health card numbers, passwords, security questions and answers and IP addresses. The data also included lab results for 241 residents of Saskatchewan.
[22] Although the payment was made and the personal data was returned to LifeLabs, the SIPC found there was no guarantee that any of the data taken was not retained by the cyber-attackers to be used in other ways.
[23] Among other findings, the SIPC found that LifeLabs had not demonstrated it had adequate safeguards in place to protect the private health data, that it would prevent similar breaches from occurring in the future and that it had properly investigated the breach.
[24] During the Saskatchewan investigation, LifeLabs refused to provide any “critical incident reports” prepared by third-party IT firms to assist with determining how the breach occurred, what personal health information was affected, what safeguards were in place, the root cause of the breach and the measures to be taken to prevent the breach from happening again.
[25] In the ON IPC and the BC IPC investigation, the Commissioners examined witnesses from LifeLabs on the retainer of the third-party consultants, made orders to produce the third-party consultant reports and reviewed those reports to make their determinations of privilege in advance of their final report.
[26] On this judicial review, all the material in dispute formed part of the record, but the materials over which there are active claims of privilege were filed in a private record pursuant to a prior order of this Court.
[27] This leads to the preliminary issue raised by counsel at the hearing regarding whether the courtroom should be closed during oral argument. I turn to that issue next.
PRELIMINARY ISSUE: THE OPEN COURT PRINCIPLE AND CLOSING THE COURTROOM
[28] The parties jointly requested that this hearing be closed to the public, largely to facilitate counsel’s oral submissions if they needed to refer to certain materials that formed part of the private record.
[29] Counsel submitted that a closed hearing would expedite their submissions.
[30] The Panel deliberated on this preliminary issue and found that this was not an adequate reason to close the hearing.
[31] Section 135 of the Courts of Justice Act, R.S.O. 1990, c. C.43 provides that all court hearings shall be open to the public, subject to subsection (2) and the rules of the Court. Section 135(2) empowers the Court to exclude the public from a hearing “where the possibility of serious harm or injustice to any person justifies a departure from the general principle that court hearings should be open to the public.”
[32] Court proceedings are generally open to the public, in accordance with this open court principle. In Sherman Estate v. Donovan, 2021 SCC 25, 458 D.L.R. (4th) 361, at para. 30 the Supreme Court affirmed that “openness is protected by the constitutional guarantee of freedom of expression and is essential to the proper functioning of our democracy”.
[33] Courts must take care to “narrowly circumscribe” any restrictions to the open court principle: see Dagenais v. Canadian Broadcasting Corp., [1994] 3 S.C.R. 835, at para. 83.
[34] Recently, in a motion concerning the filing of confidential material and a related request for a closed session, the Federal Court of Appeal cited Sherman Estate; Sierra Club Canada v. Canada (Minister of Finance), 2002 SCC 41, [2002] 2 S.C.R. 522; and Canadian Broadcasting Corp. v. New Brunswick (Attorney General), [1996] 3 S.C.R. 489 for the proposition that the open court principle as discussed in this line of cases is “firm, binding and clear, a prescription for all participants in the justice system to follow”: 9219-1568 Quebec Inc. and MG Freesites Ltd. v. Privacy Commissioner of Canada, 2024 FCA 38, at para. 16.
[35] Counsel often file confidential and/or privileged material under sealing orders. Counsel can navigate privacy issues in open court with reference to page numbers or using general descriptions. The fact that the Court has sealed part of the record does not presume that an oral hearing will necessarily raise the potential for serious harm or injustice.
[36] For these reasons, the Panel dismissed the motion to close the courtroom during oral argument.
THE ISSUES ON JUDICIAL REVIEW
[37] LifeLabs raises two issues on this application:
Did the ON IPC err in applying the law of solicitor-client and litigation privilege to the documents at issue?
Did the ON IPC fail to act independently by jointly determining the issue with another regulator?
STANDARD OF REVIEW
Solicitor-client Privilege and Litigation Privilege: Standard of Correctness
[38] The parties do not agree on the standard of review for the issues of privilege. LifeLabs submits that the standard is correctness. The ON IPC submits that the court should apply a standard of reasonableness to the application of the law of privilege to the facts in the Privilege Decision, and correctness only to the “identification and articulation” of the legal tests for solicitor-client privilege and litigation privilege.
[39] I find that the issues of privilege in this application should be reviewed on a standard of correctness, based on the principles articulated in Canada (Minister of Citizenship and Immigration) v. Vavilov, 2019 SCC 65, [2019] 4 S.C.R. 653.
[40] The presumptive standard of review on judicial review is reasonableness: Vavilov, at para. 30.
[41] The reasonableness standard can be rebutted in certain circumstances, including where the legislature has indicated that a different standard should apply, or where the rule of law requires courts to apply the standard of correctness to certain legal questions: Vavilov at paras. 53 and 59. These include “general questions of law of central importance to the legal system as a whole” such as the question of whether [a] statute provided uniform protection in instances of claims of solicitor-client privilege: see Alberta (Information and Privacy Commissioner) v. University of Calgary, 2016 SCC 53, [2016] 2 S.C.R. 555, at para. 20.
[42] The ON IPC relies on two cases in support of its position. The first is a decision of the Divisional Court involving the ON IPC and whether privilege justified it refusing, to produce information under a freedom of information request. The ON IPC’s decision on that point was reviewed on a standard of reasonableness: Ontario (Attorney General) v. Ontario (Information and Privacy Commissioner), 2016 ONSC 6913, at para. 9 (“Ontario v. Ontario”).
[43] I would not apply the reasoning in Ontario v. Ontario because that decision pre-dates Vavilov. The court applied the principles from Dunsmuir v. New Brunswick, 2008 SCC 9, [2008] 1 S.C.R. 190, and considered the expertise of the administrative tribunal in interpreting its home statute.
[44] Vavilov altered the relationship between tribunal expertise and case-by-case determinations of standards of review. It folded expertise into the presumption of reasonableness as the starting point for standard of review. Vavilov rejected using expertise to consider whether a given case involves a general question of law of such importance that the correctness standard should apply. Further, given these changes to the law of standard of review, the Supreme Court cautioned that prior decisions should be “read carefully”: see Vavilov at para. 58. In accordance with that caution, I decline to apply the 2016 decision in Ontario v. Ontario to the question of standard of review in the case at bar.
[45] Post-Vavilov, the British Columbia Court of Appeal considered the standard of review in the context of an access to information request for material over which solicitor-client privilege was claimed: British Columbia (Attorney General) v. Canadian Constitution Foundation, 2020 BCCA 238 (“British Columbia v. CCF”). In that decision, which considered the same question raised here, Harris, J.A. reasoned at para. 38 that:
The question, as I see the matter, engages the correct scope of a principle that is fundamental to the proper functioning of our legal system; a principle, the protection of which must be as near to absolute as possible. It is a question that, given its importance, calls for a uniform and consistent answer. The question is fundamentally about the scope of solicitor‑client privilege. Admittedly, it arises in the factual context of a question about whether solicitor‑client privilege attaches to a record disclosing the total sum spent on litigating a matter during a certain time period while the litigation is ongoing. But it remains a question about the proper scope of privilege. Moreover, the answer to that question has precedential value and a significant impact on the administration of justice as a whole and other institutions of government. It goes far beyond the immediate interests of the parties in this case. Respect for the rule of law demands this Court ensure a single, correct answer is provided. The standard of correctness, in my opinion, continues to apply.
[46] This reasoning is aligned with the logic in Chagnon v. Syndicat de la function public et parapublique du Québec, 2018 SCC 39, [2018] 2 S.C.R. 687. Harris, J.A. observed that the Supreme Court had “no difficulty” applying a correctness standard to the question of privilege in Chagnon: see British Columbia (Attorney General) v. CCF, at para. 44.
[47] In the Association of Management, Administrative and Professional Crown Employees of Ontario v. Ontario (Ministry of the Attorney General), 2024 ONSC 1555 (“AMAPCEO”), the Divisional Court found that the test for prima facie discrimination is a question of central importance to the legal system to be reviewed on a standard of correctness and is required to be applied consistently. In that decision, Ryan Bell, J. wrote that “the protection of human rights and the rule of law would be undermined if the test for prima facie discrimination were interpreted and applied a certain way by one adjudicator and in an entirely different manner by another”: AMAPCEO, at para. 36 (emphasis added).
[48] The ON IPC submitted that AMAPCEO, at para. 37, supports a reasonableness standard of review because of the observation in the decision that “[w]here the debate is about the facts and the inferences to be drawn from the facts, a reasonableness standard of review will apply. Where however, the debate is about the applicable legal test and the analytical framework, a correctness standard of review applies because the question is of central importance to the legal system”.
[49] I disagree with the ON IPC’s proposed interpretation of AMAPCEO in support of its submission on standard of review.
[50] It is evident that the court in AMAPCEO applied the standard of correctness not only to the arbitrator’s test for prima facie discrimination, but also in considering whether the arbitrator’s reasoning and application represented a misapprehension of the test itself. This is in keeping with the intention of ensuring consistency of answers to such important questions from Vavilov.
[51] In its analysis, the court in AMAPCEO, at paras. 39-40 and 45-50, found that the arbitrator erred in the application of the test in three ways:
by applying the incorrect legal standard to the evidence of how the grievor was treated;
by incorrectly attending to the shifting evidentiary burden, once a prima facie case of discrimination was made out; and,
by requiring direct evidence and rejecting uncontradicted, relevant expert evidence.
[52] As the Supreme Court in Vavilov said: “general questions of law of central importance to the legal system as a whole require a single determinate answer. In cases involving such questions, the rule of law requires courts to provide a greater degree of legal certainty than reasonableness review allows” (at para. 62). The Supreme Court speaks of the consistency of the answers to important legal questions. AMAPCEO and British Columbia v. CCF follow that reasoning – the principle must be identified and applied correctly because of the importance of the principle.
[53] This approach to the standard of review involving constitutional questions was recently confirmed by the Supreme Court of Canada in Société des casinos du Québec inc. v. Association des cadres de la Société des casinos du Québec, 2024 SCC 13, at paras. 45 and 92-97.[^2]
[54] Where the standard applied is one of correctness, the options available to the reviewing court are to either uphold the determination, for example if it finds the reasoning persuasive, or it may come to its own conclusions on the question: Vavilov, at para. 54.
[55] The nature and scope of solicitor-client privilege is a question of fundamental importance: Vavilov, at para. 60. The issues on this application involve the scope of solicitor-client privilege and/or litigation privilege to investigations under Ontario privacy legislation. In the case at bar, there are important questions of law and public interest involving the privacy of individual health data at stake, including whether the important principle of solicitor-client privilege is being respected or being asserted in a manner which impedes regulatory investigations into significant data breaches from cyber-attacks.
[56] While litigation privilege is a class privilege with conceptually distinct features from solicitor-client privilege, it nevertheless serves a “common cause”, being the secure and effective administration of justice according to law: Blank v. Canada (Minister of Justice), 2006 SCC 39, [2006] 2 S.C.R. 319, at para. 31.
[57] Although there are differences between solicitor‑client privilege and litigation privilege, the Supreme Court of Canada has described litigation privilege as “central to the justice system both in Quebec and in the other provinces”: See Lizotte v. Aviva Insurance Company of Canada, 2016 SCC 52, [2016] 2 S.C.R. 521, at para. 4.
[58] Solicitor-client privilege serves the rule of law. So does litigation privilege. In this case, litigation privilege, alongside solicitor-client privilege, are raised as a basis for a permanent order of non-publication on the findings of the ON IPC into a major data breach. The application of either or both privileges, or the denial of those privileges has broader implications. Canada is not unique in this regard—similar claims of privilege have arisen in other jurisdictions where there have been significant data breaches because of cyber-attacks, leading to regulatory investigations and civil proceedings.[^3]
[59] For these reasons, I conclude that a standard of correctness is the appropriate standard of review for the identification and application of both solicitor-client privilege and litigation privilege in the Privilege Decision.
Standard of Review: Independence of the Tribunal and the Issue of Procedural Fairness
[60] LifeLabs submits that the ON IPC lacked independence by collaborating and deliberating with the BC IPC in making the Privilege Decision. Independence is a question of procedural fairness: Bell Canada v. Canadian Telephone Employees Assn., 2003 SCC 36, [2003] 1 S.C.R. 884, at para. 21.
[61] It is well settled law that a tribunal must conduct its proceedings fairly. Procedural fairness is determined with reference to the circumstances of the case, including the factors articulated in Baker v. Canada (Minister of Citizenship and Immigration), [1999] 2 S.C.R. 817, at paras. 21-28. In Mission Institution v. Khela, 2014, SCC 24, [2014] 1 S.C.R. 502, at para. 79, a unanimous Supreme Court characterized this as a correctness standard. More recent decisions from this court simply apply Baker without otherwise identifying a standard of review: See Mundulai v. Law Society of Ontario, 2024 ONSC 959, at para. 30, and M.I. v. Administrator, Ontario Works Region of Peel, 2024 ONSC 1975, at para. 8.
ANALYSIS OF THE ISSUES
1. Did the ON IPC err in applying the law of solicitor-client and litigation privilege to the documents at issue?
[62] LifeLabs asserted solicitor-client or litigation privilege over five sets of disputed documents and the information within them:
i. The investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred.
ii. The email correspondence between the cyber intelligence firm and the cyber-attackers after the discovery of the attack by LifeLabs.
iii. An internal data analysis prepared by LifeLabs on April 28, 2020 to describe which individual health information had been affected by the breach and to notify those affected pursuant to ss. 12(1) and 12(2) of the PHIPA.
iv. A submission from LifeLabs to the Commissioners dated May 15, 2020 in response to certain specific questions, communicated through legal counsel.
v. The report of Kevvie Fowler, Deloitte LLP dated June 9, 2020 prepared as part of the representations by LifeLabs and submitted to the Commissioners for that purpose.
[63] The Privilege Decision found that none of these documents is subject to litigation or solicitor-client privilege. It found that LifeLabs’ claims of privilege over facts available from other non-privileged sources and contained in the disputed documents above, were not substantiated. Importantly, the Investigation Report did not seek to publish any of these disputed reports or documents, but rather to include the facts responsive to the legislative mandate of the ON IPC and the BC IPC.
[64] The ON IPC concluded that, with one exception, the Investigation Report contained facts which existed independently outside the disputed documents were known to LifeLabs and were required to be provided to the Commissioners pursuant to their joint investigation.[^4] The Privilege Decision found that, in any event, those facts could not be held back from them by virtue of being placed in reports over which privilege was claimed.
[65] An example of such a fact comes from the SIPC report about LifeLabs’ draft IT security policies, which became public on June 9, 2020. LifeLabs claimed privilege over this information prior to its publication by the SIPC. By the time of the Privilege Decision, this was a publicly available fact.
[66] More broadly, the Privilege Decision concluded that none of the documents in dispute is subject to either litigation or solicitor-client privilege and gave detailed reasons for those conclusions. LifeLabs does not challenge the way in which the Commissioners described the tests for privilege in their reasons: those correct statements of the law can be found in the Privilege Decision and need not be repeated here.
[67] LifeLabs seeks to quash the decision based on five legal errors. The first two alleged errors are considered below as they are interrelated.
A. Did the ON IPC did err in concluding that LifeLabs had an obligation to investigate, remediate and produce information of compliance pursuant to PHIPA?
B. Did the ON IPC err in finding that facts concerning the investigation and remediation are producible where those facts exist independently of documents subject to claims of privilege?
[68] LifeLabs does not dispute that it had an obligation to investigate and remediate the data breach. Indeed, its correspondence with the ON IPC and BC IPC in the early days post-data breach emphasized the steps it was taking in that regard.
[69] LifeLabs, now argues that it had no obligation to investigate, remediate or produce information and that independent facts on those issues are not producible if contained in privileged documents. If these submissions ere accepted, this would permit a regulated entity to defeat investigative orders by placing unpalatable facts within its knowledge into a privileged report to counsel.
[70] For example, the ON IPC asked LifeLabs about security alerts for a piece of software to address vulnerabilities on May 15, 2020. LifeLabs had their counsel interview the employee who had information about the question. LifeLabs then provided responses based on that interview, and then claimed privilege over that information on the basis that it was a solicitor-client communication and/or subject to litigation privilege.
[71] The ON IPC found that the facts disclosed from that interview were not subject to either solicitor-client or litigation privilege. Further, those facts were no longer confidential, given their inclusion in the June 9, 2020 SIPC report.
[72] LifeLabs maintains that whether those facts existed elsewhere did not defeat its claim of privilege over its responses to the ON IPC. Thus, it was an error for the ON IPC to conclude that these facts could be included in the Investigation Report.
[73] I reject this submission based on the statutory authority of the ON IPC to conduct investigations into the duties owed by health custodians and the law of privilege.
[74] Section 12 of the PHIPA requires health information custodians such as LifeLabs to investigate, contain and remediate privacy breaches: See London Health Sciences Centre (Re), 2017 ONIPC 31432 at para. 140; Quinte Health Care (Re), 2021 ONIPC 70445, at para. 22; Sault Area Hospital (Re), 2018 ONIPC 78841, at para. 28; A Public Hospital (Re), 2022 ONIPC 24233, at para. 14.
[75] Section 61(1) of the PHIPA authorizes the IPC to order a person to perform a duty under the Act.
[76] Health information custodians, such as LifeLabs, cannot defeat these responsibilities by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC’s duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC’s statutory mandate, but also from how litigation privilege and solicitor client privilege function.
[77] Litigation privilege attaches to the litigation process and is based on protecting the zone of adversarial preparation for trial. It has been compared by the Ontario Court of Appeal to the U.S. protection of solicitor’s work product as described in Hickman v. Taylor, 329 U.S. 495 (1946): see General Accident v. Chrusz, 45 O.R. (3d) 321.
[78] Litigation privilege protects the disclosure of documents and communications whose “dominant purpose” is preparation for litigation: Lizotte, at para. 1. It applies to a party’s litigation strategy but it does not extend to facts or “base information” that may be useful to counsel in preparing for litigation: see Chrusz, at p. 352; Fresco v Canadian Imperial Bank of Commerce, 2019 ONSC 3309; R. v. Assessment Direct, 2017 ONSC 5686 leave to appeal refused, [2018] S.C.C.A. No.29; Assessment Direct Inc., et al. v. Ontario Provincial Police, et al., leave to appeal refused, [2018] S.C.C.A. No. 29; Claiming Privilege in the Discovery Process (Special Lectures of the Law Society of Upper Canada, 1984) at p. 169, cited in Pearson v. Inco Limited, 2008 ONSC 46701, at para. 15.
[79] Thus, the IPC’s statutory duty to inquire, and LifeLabs’ duty to respond, does not permit a claim of litigation privilege over facts obtained through its lawyers, even where those facts might also play a role in defending against parallel civil litigation. As Nordheimer, J. wrote in R. v. Assessment Direct, at para. 10, “the privilege does not protect information that would otherwise have to be disclosed”. LifeLabs did not identify any litigation strategy that would be disclosed in the Investigation Report because of the Privilege Decision.
[80] Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated at para. 49:
Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.
[81] That is, simply depositing a document or providing counsel with a copy of a document does not “cloak” the original document with privilege: See Nova Chemicals et al. v. CEDA-Reactor Ltd. et al., 2014 ONSC 3995; Jacobson v. Atlas Copco Canada Inc. 2015 ONSC 4, at par. 34; Blank v. Canada, 2006 SCC 39, [2006] 2 S.C.R. 319, at paras. 49-50; Humberplex Developments Inc. v. TransCanada Pipelines Ltd., 2011 ONSC 4851, at paras. 41-42, 49 and 53.
[82] The same reasoning applies to the type of facts at issue here, whether those be lines of code used by the cyber-attackers and copy-pasted into an IT third-party report, information obtained from an employee by counsel about the measures taken to protect software vulnerabilities or an internal data analysis undertaken by LifeLabs to determine the extent of the data breach.
[83] LifeLabs did not describe any examples of legal advice or solicitor-client communication that would be made public via the information contained in any of the five disputed documents that were also found to be facts with an independent life of their own.
[84] Therefore, taking into consideration the law of privilege, the ON IPC did not err in finding that facts concerning the investigation and remediation are producible. This is especially so where those facts exist independently of documents subject to claims of privilege. The ON IPC did not err in its finding that LifeLabs had an obligation to investigate, remediate and produce evidence of its compliance pursuant to PHIPA.
[85] I turn to the third error alleged by LifeLabs.
C. Did the ON IPC err by requiring LifeLabs to prove how disclosure of the information would prejudice LifeLabs by revealing counsel’s theories and strategies in its legal defence?
[86] During the discussion of the underlying facts in the reports, the ON IPC found, as discussed above, that litigation privilege is not intended to shield relevant facts from disclosure that do not constitute a lawyer’s work product. The Privilege Decision found that the underlying facts in the third-party cybersecurity firm’s report “would address the key questions of the cause of the breach, the scope of the breach, how the scope was determined, and what was done by [the cybersecurity firm] to contain and then remediate the breach. LifeLabs has not provided us with any evidence or arguments to demonstrate that disclosure of these facts would reveal or undermine the legal strategy of LifeLabs’ defence” (emphasis added).
[87] This was a statement of fact arising from the test for litigation privilege which exists to protect legal strategies in preparation for litigation and not relevant background facts. It did not require prejudice to be proved.
[88] Although the ON IPC also found that the documents were not created for the dominant purpose of litigation, thus not attracting the protection of litigation privilege, it was also entitled to consider whether independent facts that could not be said to reveal theories or strategies existed. This evidence could only practically come from LifeLabs with its knowledge of its civil jeopardy and instructions to counsel. The ON IPC was entitled to find that there was no such evidence. In doing so, it made no legal error.
D. Did the ON IPC err in citing the US decision In re Capital One Consumer Data Security Breach Litigation, 2020 U.S. Dist. LEXIS 91736 (E.D. Va May 26, 2020)?
[89] LifeLabs submits that the decision in Iggilis Holdings Inc. v. Minister of National Revenue, 2018 FCA 51, [2019] 2 F.C.R. 767, at para. 40 held that the approach of a U.S. court has no bearing on how privilege questions should be determined in Canada and that it was an error for the ON IPC to do so in the Privilege Decision.
[90] I disagree. The In re Capital One case affords persuasive authority to support a finding that where a company has a prior retainer with a cybersecurity firm to provide essentially the same services before and after a breach, inserting counsel’s name into the contract and stating that the deliverables would be made to counsel on behalf of the client, does not render any report prepared subject to the U.S. work product doctrine, which is akin to Canada’s litigation privilege.
[91] The ON IPC noted that for similar reasons, given the facts in the record, the cybersecurity firm retained by LifeLabs that produced a report on the breach did so for business purposes and was not for the dominant purpose of litigation.
[92] The ON IPC also addressed the submission made to it by LifeLabs that U.S. authority should play no part in the privilege analysis. In the Privilege Decision, the ON IPC found:
• Canadian courts have considered American jurisprudence on the issue of litigation privilege in the past, including in caselaw relied on by LifeLabs: Lizotte;
• The decision in Iggilis Holdings Inc. is distinguishable because it concerned solicitor-client privilege in the context of a particular statutory definition and the error there involved relying on jurisprudence from another province;
• The IPC did not solely rely on In re Capital One to find that the cybersecurity report was not subject to litigation privilege, rather it was included to confirm their approach based on similar concepts of “dominant purpose” in Canada and “driving force” in the U.S., the “very similar facts” and the “lack of any Canadian decision dealing with whether litigation privilege attaches to cybersecurity reports produced by third parties in response to a cyberattack.”
[93] The ON IPC did not err in its reference or use of the In re Capital One in the Privilege Decision. This case raised novel issues and the facts were sufficiently similar to warrant consideration. The ON IPC applied Canadian jurisprudence on the law of litigation privilege and solicitor client privilege. It found on the record before it that the disputed documents were not protected by either privilege. It did not find that In re Capital One was binding on it. Its reference to the case was appropriate in these circumstances.
E. Did the ON IPC disregard the sworn and uncontradicted evidence of LifeLabs’ in-house counsel in favour of its own conjecture?
[94] LifeLabs argues that ON IPC erred because it received a sworn statutory declaration from LifeLabs interim general counsel and did not cross-examine her on that sworn declaration. It did not accept the assertions of privilege contained in the statutory declaration.
[95] The ON IPC did not err in its analysis of the evidence. There was a lengthy record before the ON IPC and BC IPC which included the records over which privilege was asserted, and a prior examination under oath of interim general counsel, who did not respond to questions about the assertions of privilege. During examination (which pre-dated the declaration), the ON IPC and the BC IPC sought to examine counsel on an affidavit sworn for privilege claims that were pending in British Columbia court. External counsel objected to many of these questions.
[96] The Privilege Decision rejects the assertions of privilege in the declaration from interim general counsel. This is not a case of preferring competing versions of facts. The ON IPC rejected the assertions and gave reasons for those conclusions. The ON IPC did not err in coming to these conclusions. The ON IPC was not required to cross-examine interim general counsel on the statutory declaration considering all the other information available on the questions raised by the claims of privilege.
2. Did the ON IPC fail to act independently by jointly determining the issue with another regulator?
[97] LifeLabs submits that in deliberating with the BC IPC, the ON IPC allowed itself to be “influenced” by another regulator, thus failing to grant LifeLabs an independent hearing of the privilege issue by a tribunal that was also seen to be independent: Canadian Pacific Ltd. v. Matsqui Indian Band, [1995] 1 S.C.R. 3, at para. 80.
[98] Further, LifeLabs relies on the PHIPA, and the IPC’s Code of Procedure for Matters under the Personal Health Information Protection Act, 2019 as authority for its position that neither of these pieces of legislation allow for joint deliberation with other privacy commissioners in Canada. LifeLabs draws a distinction between the provisions in PHIPA and in the Personal Information Protection Act, S.B.C. 2003, (“PIPA”) which authorize a coordinated investigation.
[99] The relevant passages in s. 36(1) of the PIPA empower the commissioner to monitor the administration of the Act, and ensure its purposes are achieved, including by being able to:
(k) exchange information with any person who, under legislation of another province or of Canada, has powers and duties similar to those of the commissioner;
(l) enter into information-sharing agreements for the purposes of paragraph (k) and into other agreements with the persons referred to in that paragraph for the purpose of coordinating their activities and providing for mechanisms for handling complaints.
[100] Similarly, s. 66(e) of the PHIPA empowers the Commissioner, to “assist in investigations and similar procedures conducted by a person who performs similar functions to the Commissioner under the laws of Canada, except that in providing assistance, the Commissioner shall not use or disclose information collected by or for the Commissioner under this Act.” Sections 68(3)(a) and (b) of the PHIPA permits information sharing with bodies legally entitled to regulate or review the activities of the custodian.
[101] The record reveals that the joint investigation reflected the fact that the majority of Canadians whose personal health information was involved in the data breach lived in Ontario and British Columbia. LifeLabs was advised that the investigation would address the scope of the attack, the circumstances that led to it and the measures that LifeLabs ought to have taken to prevent and to remediate it in compliance with its obligations under PHIPA and PIPA.
[102] In furtherance of the joint investigation, the Commissioners signed a Memorandum of Understanding, which agreed neither would exercise authority over the other that could affect the Commissioners’ independence. The ON IPC and the BC IPC advised LifeLabs that they would be jointly investigating and would issue a single Investigation Report with “our” findings. During the investigation and prior to the Privilege Decision, the ON IPC and the BC IPC jointly ruled on questions of privilege claims over two discrete documents.
[103] LifeLabs did not object or raise concerns about the independence of either regulator in response to the evidence of joint investigation and decision-making. To the contrary, in a correspondence with the ON IPC dated March 19, 2020 addressed to both offices, counsel for LifeLabs presented proposals concerning the orders and privilege claims “with a view to facilitating the Commissioners’ investigation”. The record contains other examples of references to the joint investigation.
[104] LifeLabs clearly understood and acquiesced to corresponding with, and receiving decisions from, the Commissioners on a joint basis. For example, on March 31, 2020, LifeLabs wrote to both Commissioners, to advise it was “waiving privilege over [its third-party cyber security firm’s investigation report and cyber intelligence communications with the attackers] exclusively for the limited purpose of your and [BC] IPC’s review in connection with the joint investigation” (emphasis added).
[105] On April 8, 2020, in correspondence with LifeLabs, the Commissioners wrote that “they will decide whether [the objections based on privilege] are valid” (emphasis added).
[106] On April 20, 2020, counsel to LifeLabs acknowledged the process offered by the Commissioners to make representations on the privileged material, and although noting that it should be for a Court and not the regulator to ultimately determine the questions of privilege, counsel did not object to the joint process proposed. That portion of the letter from counsel read:
We thank you also for confirming that prior to referencing any portion of the two above-referenced documents in the [ON] IPC and [BC] IPC’s investigation report, the [ON] IPC and the [BC] IPC would provide LifeLabs with an opportunity to make representations on any objections LifeLabs may have in relation to such disclosures (including, at LifeLabs’ discretion, pursuant to a judicial review process). That process is acceptable to address LifeLabs’ concerns provided that a reasonable period of time is allowed for the review. [Emphasis added.]
[107] The record is replete with LifeLabs’ acknowledgement of the process of a joint investigation. The issues of privilege, and how to obtain the necessary information consumed a large part of the correspondence between counsel for LifeLabs and the Commissioners. The adjudication of the privilege claims was subsumed in the larger joint investigation into this data breach. It was not a separate entity with an independent procedural history, rather LifeLabs made it an issue. Having done so, and having been heard by the Commissioners, LifeLabs cannot now credibly claim that it did not understand that this was the process that would be adopted.
[108] The requirement that a decision maker be independent is a component of the rule against bias: see Bell Canada v. Canadian Telephone Employees Association 2003 SCC 36, [2003] 1 S.C.R. 884, at para. 17. Fairness in decision-making by administrative agencies depends on independence, which is measured against the test found in Committee for Justice and Liberty v. National Energy Board, [1978] 1 S.C.R. 369, at p. 394 – that is, what the informed person would conclude, viewing the matter realistically and practically, having thought the matter through.
[109] I find that there is no merit to the argument that the Privilege Decision raises issues of independence. The Privilege Decision was made jointly within the larger context of a joint investigation for which there was statutory authority. To publicly report on the investigation itself, the ON IPC and the BC IPC were required to make findings on confidentiality and the claims of privilege. This was an inquisitorial process, which means that the investigative and adjudicative functions were required to inform the ultimate report to the public.
[110] I find that an informed person would conclude that there was no apparent bias or lack of independence arising from the jointly issued Privilege Decision. Two independent provincial agencies, with similar mandates undertook a transparently joint investigation that included making orders and decisions such as the Privilege Decision. This was all done in furtherance of preparing a final investigative report to inform the public. Both regulators have the statutory authority to coordinate and share investigations in privacy matters. There is ample precedent for joint investigations undertaken by various Canadian privacy regulators.[^5] LifeLabs did not put before the Court any challenge to any prior joint investigation. This practice reflects the reality that data breaches are not confined to provincial boundaries.
[111] I conclude that, under a standard of review of correctness, there was no procedural unfairness in the joint investigation or decision-making processes adopted by the ON IPC and the BC IPC. Therefore, procedural unfairness did not taint the joint Privilege Decision.
CONCLUSION
[112] The Application is dismissed. Neither the ON IPC nor the BC IPC seek costs, and none are ordered.
Leiper, J.
I agree _______________________________ McWatt ACJ
I agree _______________________________ Doyle J.
Released: April 30, 2024
CITATION: LifeLabs LP v. Information and Privacy Commr. (Ontario) 2024 ONSC 2194
TORONTO DIVISIONAL COURT FILE NO.: 053/21
DATE: 20240430
ONTARIO SUPERIOR COURT OF JUSTICE DIVISIONAL COURT
McWatt ACJ, Doyle and Leiper JJ.
BETWEEN:
LIFELABS Applicant
– and –
INFORMATION AND PRIVACY COMMISSIONER Respondent
REASONS FOR DECISION
Justice J. Leiper
Released: April 30, 2024
[^1]: Given that this judicial review application is being heard in Ontario and the ON IPC is the responding party, I will refer to the ON IPC’s actions in rendering the Privilege Decision notwithstanding that the Privilege Decision was signed by both the ON IPC and the BC IPC.
[^2]: The parties were invited to make supplementary written submissions on this decision, which was released after oral argument on this application. Those submissions were consistent with the parties’ original positions on standard of review.
[^3]: This is an issue which has emerged in other jurisdictions: see In re Capital One Consumer Data Security Breach Litigation, 2020 U.S. Dist. LEXIS 91736 (E.D. Va May 26, 2020), affirmed: MDL No 1: 19md2915 (AJT/JFA) (E.D. Va. Jun. 25, 2020); Robertson v. Singtel Optus Pty Ltd [2023] FCA 1392 (Federal Court of Australia).
[^4]: The one exception is the written record of the statements made by the cyber-attackers in their correspondence with the cyber intelligence firm that negotiated the payment of the ransom to them. The findings of the ON IPC and the BC IPC that these are not subject to solicitor-client privilege are unassailable. While there may be other good reasons not to publicize these statements as a matter of public policy, they are demonstrably not subject to solicitor-client privilege in this context.
[^5]: See: Joint Investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia (PIPEDA Findings #2019-002, April 25, 2019; Joint Investigation of AggregateIQ Data Services Ltd. b y the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia (PIPEDA Findings #2019-004) November 26, 2019; Joint Investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Commission for British Columbia (PIPEDA Findings #2020-004), October 28, 2020; Joint Investigation of Clearview AI. Inc. by the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta (PIPEDA Findings #2021-001) February 2, 2021.