TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | There is a Reasonable Expectation in Subscriber Records, says Canada's Highest Court Related reading: A view from Brussels: EDPS sends signal on data transfers 

rss_feed

""

Canada’s highest court issued its strongest statement in support of privacy and the Internet on June 13, in R v Spencer, 2014 SCC 43. In doing so, the court recognized that individuals may have an interest in anonymity on the Internet that should be taken into account in determining whether law enforcement should have warrantless access to subscriber information associated with Internet Protocol (IP) addresses. The court also ended debate regarding a provision in Canada’s federal private sector privacy legislation that organizations and law enforcement commonly relied on to obtain pre-warrant information.

Organizations in Canada must now rethink how they handle police requests for personal information of customers and employees. Organizations must consider whether there is a reasonable expectation of privacy in the information requested, whether there are exigent circumstances and whether there are other laws that might require or authorize disclosure. If there is a reasonable expectation of privacy, police should obtain a production order or warrant unless there are exigent circumstances or another law requires or authorizes the disclosure.

Search and Seizure

In Canada, section 8 of the Charter of Rights and Freedoms protects individuals against unreasonable search and seizure. A warrantless search and seizure in circumstances where an individual has a reasonable expectation of privacy is a violation of the Charter. The mere fact that information is held by a third party does not mean that the person about whom the information relates has no expectation of privacy in that information (see: R v Ward, 2012 ONCA 660 at para. 77).

In order to determine whether an individual has a reasonable expectation of privacy, it is necessary to determine the subject matter of the search. A person will have an expectation of privacy if the search was of core biographical data revealing intimate and private information. In the case of R v Spencer, the court had to decide whether the subscriber information was simply generic subscriber information or whether it touched the biographical core of Mr. Spencer. The court then had to determine whether the expectation of privacy in the subscriber data was objectively reasonable.

It Isn’t “Just” Subscriber Information

When considering the subject matter of the search, the court concluded that it must take into account more than just the narrow information that is collected, in this case, the subscriber information. The court must consider “the tendency of [the] information sought to support inferences in relation to other personal information” when characterizing the subject matter of the search (R v Spencer, para. 31).

Viewed from that angle, the court held that subscriber information isn’t just a name and address of someone in a contractual relationship with the Internet Service Provider (ISP). Narrowly defining the subject matter of the search obfuscated the significance of that information. The subscriber information was capable of revealing a great deal about an individual’s online activities when connected with the IP address (at para. 32). Therefore, the court accepted that the search indirectly involved information that touched on broader informational interests of Mr. Spencer.

A Privacy Interest in Anonymity

The court then analyzed the privacy interest that was at stake in relation to this information to determine whether it was worthy of protection under the Charter. The court affirmed that the nature of a privacy interest does not depend on whether privacy shelters a legitimate activity (R v Spencer, para. 36).  

In this case, the issue was informational privacy. In analyzing the content of the right to informational privacy, the Supreme Court identified three conceptually distinct but overlapping concepts of informational privacy: privacy as secrecy, privacy as control and privacy as anonymity (R v Spencer, para. 38).

The court concluded that the conception of privacy as anonymity is protected from unreasonable state search and seizure under section 8 of Canada’s Charter of Rights and Freedoms. In one of the key passages of the decision, the court held: “Internet users do not expect their online anonymity to cease when they access the Internet outside their homes, via smartphones, or portable devices” (R v Spencer, para. 37). The court was careful to say that the recognition that informational privacy includes an interest in anonymity does not mean that there is a right to anonymity (at para. 49). Rather, the court recognized that there may be a value in practical anonymity when using the Internet. The court noted that individuals leave a rich digital trail of their activities on the Internet and that the maintenance of anonymity is one way to exercise informational privacy (R v Spencer, para. 46):

[46] [...]  the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns. “Cookies” may be used to track consumer habits and may provide information about the options selected within a website, which web pages were visited before and after the visit to the host website and any other personal information provided: [...] . The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous — by guarding the link between the information and the identity of the person to whom it relates — the user can in large measure be assured that the activity remains private: [...]

[47] In my view, the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. [...] subscriber information, by tending to link particular kinds of information to identifiable individuals, may implicate privacy interests relating not simply to the person’s name or address but to his or her identity as the source, possessor or user of that information.

The court concluded that the police request for subscriber information corresponding to anonymous Internet activity engages a high level of informational privacy (R v Spencer, para. 51).

Reasonable Expectation of Privacy

The fact that a person has a privacy interest does not necessarily mean that the person will have a reasonable expectation of privacy in the factual circumstances of the case. However, an objectively reasonable expectation of privacy is necessary in order to be protected under the Charter.

Although not always consistent, prevailing judicial opinion prior to R v Spencer appeared to suggest that an expectation of privacy in subscriber data was not reasonable given the ISP’s contractual terms of service, the ISP’s interests in ensuring its services were not used for criminal activity, the power of police to seek information from the ISP and particular terms of the Personal Information Protection and Electronic Documents Act (PIPEDA) regarding disclosure in response to “lawful access” requests.

In order to understand the issues, some background is required regarding how pre-warrant requests for information were handled in Canada until last Friday. In the absence of clear legislation or judicial guidance, ISPs had worked out a system of letters of request, in which a police officer would make a written request for limited subscriber information (see: R v Ward, para. 36). The trial judge in R v Ward, 2008 ONCJ 355, quoted a sample of such a letter:

I, Constable [...] of the National Child Exploitation Coordination Centre, am a law enforcement officer with the Royal Canadian Mounted Police. I am conducting an investigation in relation to child sexual exploitation offences under the Criminal Code and I am requesting account information pursuant only to that investigation.

I request this disclosure in accordance with s. 7(3)(c.1) of the Personal Information Protection Electronic Documents Act.  My authority to request and obtain this information derives from the Royal Canadian Mounted Police Act and the Royal Canadian Mounted Police Regulations as well as common law.

I am requesting the last known customer name and address of the account holder associated with IP address [number] used [date and time].

Should you agree to this request, please provide the information in the section below and reply via e-mail to [...].

This form of letter was created to address the exception in clause 7(3)(c.1)(ii) of PIPEDA, which provides that personal information may be disclosed by an organization to police without the knowledge or consent of the individual if (a) a police officer makes a request for the information, (b) the police officer identifies his or her lawful authority to make the request and (c) the disclosure is requested for the purposes of, among other things, carrying out an investigation relating to the enforcement of a law:

7(3) [...] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

[...]

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

[...]

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

[...]

Although there were inconsistent judicial decisions, until the Supreme Court’s pronouncement, it appeared that the majority of cases tended to the view that an Internet user’s expectation of privacy in subscriber information was not reasonable.

For example, the Saskatchewan Court of Appeal, in R v Spencer, 2011 SKCA 144, the majority of the court concluded that the search was not unreasonable. The ISP’s terms of service, the powers of the police to request information from the third parties, and the provisions of PIPEDA all undermined any reasonable expectation of privacy. In particular, the majority of the court held (at para. 41 and note 2, per Caldwell JA and para 99 per Cameron JA) that there was common law lawful authority to ask organizations to divulge information in the course of an investigation and specific authority under section 487.014 of the Criminal Code, which states:

787.014 no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

Furthermore, the majority of the Saskatchewan Court of Appeal concluded that the purpose of clause 7(3)(c.1)(ii) of PIPEDA was to permit an organization to disclose information in response to a police request and that this is a factor that is relevant to considering whether there is a reasonable expectation of privacy in information held by a third party (R v Spencer, para. 41 per Caldwell JA).

Other courts, such as the Ontario Court of Appeal in its decision in R v Ward, cited earlier, have taken a more restrictive approach but ultimately arrived at similar conclusions. In R v Ward, the court concluded that police officers have the authority to make requests of organizations to provide information and organizations have the right to respond voluntarily. The court held that a reasonable expectation of privacy in subscriber information must take into account the ISP’s “legitimate interests in voluntarily disclosing that information to the police when that disclosure would assist in an investigation of the alleged criminal misuse of [the ISP’s] services, assuming the disclosure was not prohibited and would not violate any laws or the terms of applicable customer agreement” (R v Ward, para. 50).

Lawful Authority Does Not Mean the Power to Investigate

The Supreme Court corrected the logical fallacies of earlier decisions. The court accepted that the ISP’s terms of service and PIPEDA were relevant to the analysis but concluded that they did not affect the analysis in the way previous courts had suggested. The ISP could only disclose information (irrespective of its terms of service) if it were lawful to do so. In examining, paragraph 7(3)(c.1) of PIPEDA, the court unanimously rejected the proposition that this provision could diminish an otherwise reasonable expectation of privacy. In particular, the court rejected the idea that PIPEDA permits an organization to respond to a police request that would otherwise violate an individual’s reasonable expectation of privacy.

Although clause 7(3)(c.1)(ii) of PIPEDA permits an organization to disclose personal information in response to a police request where the police officer has identified his or her lawful authority, the reference to “lawful authority” did not mean merely the power of a police officer to investigate a crime. “Lawful authority” may include “the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy” (R v Spencer, para. 71). The court observed that the concept may also “refer to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law” (at para. 71). However, a police officer has no “lawful authority” to conduct a search for which a warrant is required. Therefore, clause 7(3)(c.1)(ii) will not apply if there is a reasonable expectation of privacy in the personal information held by the organization. In those cases, the organization must ask the police to obtain a production order or warrant.

Given that neither the ISP terms of service, nor PIPEDA, diminished Spencer’s reasonable expectation of privacy, the court concluded that Spencer’s rights had been infringed by the police obtaining disclosure of the subscriber information. Notwithstanding the Charter breach, however, the evidence was not excluded as the court concluded doing so would bring the administration of justice into disrepute. The police had acted in good faith at a time when the law was not clear and the crimes were extremely serious.

Implications

This unanimous decision of the Supreme Court demonstrates that the court is developing a rich understanding how technical data associated with an individual, such as an IP address, can be used ultimately to reveal significant biographical information about an individual. The court’s approach sets the stage for consideration of other data such as metadata in communications over the Internet.

Furthermore, even though the case involved access to subscriber records based on an IP address, the court’s ruling has broad implications for any organization that receives a police request for information that is not accompanied by a production order or warrant. Whether Parliament may attempt to intervene is uncertain.

Comments

If you want to comment on this post, you need to login.