British Columbia Supreme Court emphasizes the importance of contextual assessment when assessing privacy risks associated with information access requests

August 29, 2023 | David Krebs, Baljinder S. Bains, Vanessa Rosteski

Introduction

In Airbnb Ireland UC v Vancouver (City), 2023 BCSC 1137, the British Columbia Supreme Court (the “Court”) highlighted the privacy implications for companies and other parties who provide information to public bodies. Airbnb Ireland UC (“Airbnb”) applied for judicial review of a decision made by the Office of the Information and Privacy Commissioner for British Columbia (the “OIPC”) where the OIPC found that certain Records (defined later) of Airbnb held by the City of Vancouver (the “City”) with respect to short-term rental accommodations were not “personal information” under the Freedom of Information and Protection of Privacy Act (“FIPPA”) and were to be disclosed to a third party.

In its decision, the Court emphasized that a contextual assessment of the risks is important when determining whether contact information is to be considered “personal information” under FIPPA and is required to be disclosed by a public body, especially when the disclosure has significant privacy implications on impacted individuals.

Background

Airbnb operates an online peer-to-peer marketplace for users to connect with each other to book services that individuals (the “Hosts”) advertise on its website, which includes short-term housing rentals. In April 2018, the City amended its bylaws to provide specific licensing requirements for short-term rental operators. The City and Airbnb entered into a memorandum of understanding (the “MOU”) wherein Airbnb would require business licence numbers from Vancouver Hosts and Airbnb agreed to provide information to the City so that they could enforce their bylaws. This information shared by Airbnb included Host names, their short-term rental license numbers, home addresses and email addresses.

In March 2019, the City received a request to disclose specific information that Airbnb had provided to the City pursuant to the MOU. Specifically, the requester (the “Requester”) sought the names of Hosts, license numbers, and addresses (the “Records”), along with other short-term rentals in the City. The City refused the request on the basis that the disclosure would threaten the safety, and mental and physical health of individuals, harm the business interests of Airbnb and the Hosts, and was an invasion of privacy. The Requester appealed the City’s decision to the OIPC. The OIPC overturned the decision and required the City to disclose license numbers of individuals on Airbnb’s platform, home addresses of Hosts, and the license numbers associated with those addresses. The details of the decision are discussed below.

Airbnb applied for judicial review on the grounds that the OIPC decision was unreasonable and the result was unfair because the disclosure required Airbnb and the City to demonstrate a greater risk of harm than was legally necessary, the disclosure of the Hosts’ personal information would make them easily identifiable, and the Hosts were not given an opportunity  to participate in the OIPC hearing.

More specifically, Airbnb and the City sought an order that the OIPC decision be quashed and the City’s original decision be confirmed. In the alternative, they sought an order that the matter be sent back to the OIPC with proper notice to the Hosts.

BC OIPC decision

During the OIPC hearing, the City’s position was that the disclosure of the Records would have dire privacy implications on Hosts, and this would then expose them to greater harm, such as vandalism, robbery, stalking and personal attacks. Airbnb’s position was that this disclosure would cause Hosts harm due to there being some opposition against short-term rentals in Vancouver, such as squatting at Hosts’ residences and harassing of Hosts.

In its decision, the OIPC acknowledged that the disclosure of the Records to the Requester would mean disclosure to the world, as the Requester was likely to share the Records broadly because there were no limitations on what could be done with the disclosed Records.

However, on the concerns raised by Airbnb and the City, the OIPC ultimately concluded that both parties had not shown a clear and direct connection between the disclosure of the Records and the harm alleged. More specifically, the OIPC determined that the names and short-term rental addresses of Hosts were not required to be disclosed but all the other information requested was disclosable.

Analysis

Airbnb brought an application to the Court for judicial review. The application raised four issues:

  1. What was the applicable standard of review?
  2. Was it reasonable for the OIPC to determine that releasing the Records could not be reasonably expected to endanger the physical safety, harm the security of property, or threaten the mental or physical health of Hosts?
  3. Was it reasonable for the OIPC to determine that releasing the Records would not involve disclosure of personal information that would be an unreasonable invasion of a third party’s personal privacy?
  4. Whether the OIPC breached its duty of procedural fairness by not notifying the Hosts of the request for information?

The Court agreed with Airbnb and the City’s submission that Hosts’ principal residence addresses were “personal information” under FIPPA and that disclosure was unreasonable, as the OIPC failed to consider the context that required the Hosts’ addresses to be disclosed to the City and that the Hosts’ addresses could be both personal information and contact information simultaneously. Furthermore, the Court determined that, cumulatively, the disclosure would enable the discovery of a significant trove of personal information, the disclosure of which would distort the balance that the law seeks to strike between making public bodies accountable to the public and protecting personal privacy.

The Court also found that the Hosts were in the best position to explain the impacts of the disclosure, as the personal information within the Records made the Hosts inherently affected by its disclosure. The OIPC had a reasonable belief that Hosts’ information might be extracted from disclosure, therefore, they were under a duty to provide notice to Hosts of the request.

The Court quashed the OIPC’s decision and sent it back for reconsideration. Furthermore, the Court requested that proper notice of the request be given to the Hosts so that they have the opportunity to participate in the hearing.

Takeaway

The Court made it clear that a contextual assessment is important when determining the circumstances under which certain information is required to be disclosed by a public body. Moreover, in undertaking a contextual assessment, contact information may be considered “personal information” in appropriate circumstances, which attracts the protection of applicable privacy laws.

If you have any questions about your organization’s privacy and security programs, please reach out to a member of Miller Thomson’s Privacy and Cybersecurity group for assistance.

The authors would like to thank Vanessa Rosteski, 2023 Miller Thomson Summer Student for their contributions to this article.

Disclaimer

This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice.

Miller Thomson LLP uses your contact information to send you information electronically on legal topics, seminars, and firm events that may be of interest to you. If you have any questions about our information practices or obligations under Canada’s anti-spam laws, please contact us at privacy@millerthomson.com.

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested by contacting newsletters@millerthomson.com.