June

British Columbia's acting information and privacy commissioner has found that landlords there collect too much personal information from prospective tenants.  Drew McArthur reached the conclusion after conducting an investigation that included collecting residential tenancy application forms from eight for-profit and five non-profit landlords, and rental management companies.
 
The investigation revealed that landlords were requesting marital status, sex, age, date of birth and social security numbers from tenants. In one instance, the landlord demanded a credit check, even though they offered to pay one year's rent in advance, and another cited the "Personal Information Reporting Act," which does not exist.

In the case of Papp v. Stokes Economic Consulting Inc. and Ernest Stokes, Papp was a Staff Economist for the Stokes, but eventually was laid off due to a work shortage.

The company agreed to provide a reference for any upcoming job opportunities, but when Papp learned he was the number-one candidate for a position with the Yukon Government, a negative reference resulted in him not being offered the position. At trial, the court ruled that, while the statements were defamatory, they were not made with malice nor were they reckless. As a result, Mr. Stokes was not liable for damages for defamation.

In general, qualified privilege is the reason references are protected from claims of defamation, provided the reference was not malicious nor untrue.

Canadian companies who are gearing up for the May 25, 2018, General Data Protection Regulation (GDPR) should begin to consider whether the GDPR applies to their data processing activities in Canada.

It is also important for companies to assess the extent to which the GDPR applies to them. For example, the level of fines associated with violating certain articles will depend on the size of the organization, which specific provisions were contravened and a number of prescribed aggravating and|or mitigating factors.

If its processing activities are large-scale, those companies will be required to designate a Data Protection Officer (DPO).

And finally, companies should assess how GDPR requirements differ from their existing obligations under Canadian private sector privacy laws.