In a landmark privacy decision, R. v. Spencer, the Supreme Court of Canada has ruled that individuals have a reasonable expectation of privacy in Internet usage information, and that law enforcement authorities who wish to obtain subscriber information from Internet service providers (ISPs) must, in most circumstances, do so pursuant to a warrant.

The court rejected the argument that section 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act (PIPEDA) allowed ISPs to provide subscriber information to authorities in response to a simple request.

BACKGROUND

In Spencer, the Saskatoon police identified the Internet Protocol (IP) address of a computer believed to be in Saskatchewan that was being used to access and store child pornography through an Internet file-sharing program. Without obtaining a warrant or production order, investigators made a “law enforcement request” to the ISP for subscriber information connected with that IP address, including the name, address and telephone number of the customer. The request was made pursuant to section 7(3)(c.1)(ii) of PIPEDA, which permits an organization to disclose personal information without consent to a government institution which has made a request for the information, identified its “lawful authority” to obtain the information, and indicated that the disclosure is requested for the purpose of enforcing a law, carrying out an investigation or gathering intelligence to enforce a law.

The ISP complied with the request and provided the name, address and telephone number of Matthew Spencer’s sister, the ISP’s customer and with whom he was living. With this information, the police obtained a warrant to search Mr. Spencer’s home and seize his computer, which resulted in a search that revealed extensive child pornography on Mr. Spencer’s computer.

At trial, Mr. Spencer tried to exclude the evidence found on his computer on the basis that the police actions in obtaining his address from the ISP without prior judicial authorization amounted to an unreasonable search contrary to section 8 of the Canadian Charter of Rights and Freedoms. The trial judge rejected this argument and convicted Mr. Spencer on possession of child pornography. The Saskatchewan Court of Appeal upheld the trial judge’s decision with respect to the search issue.

SUPREME COURT’S DECISION

The Supreme Court, in a unanimous decision written by Justice Thomas Cromwell, held that the police action in obtaining the subscriber information matching the IP address without a warrant constituted a search that was not authorized by law. In the circumstances, Mr. Spencer had a reasonable expectation of privacy in the information provided to the police and PIPEDA did not provide a “lawful authority” to obtain the information.

With respect to the question of whether there was a reasonable expectation of privacy, the court first considered the subject matter of the search and rejected the argument that what was sought and obtained (name, address, telephone number) was simply “generic information.” Rather, this “mundane” information had the potential to reveal intimate details of the lifestyle and personal choices of the individual in question.

The court also provided a framework for analyzing the “informational” privacy interest that had been compromised in this case. Informational privacy includes privacy as secrecy or confidentiality, privacy as control (over when, how and to what extent information about a person is communicated to others), and privacy as anonymity.

On the last point, the court accepted that “maintaining anonymity can be integral to ensuring privacy” and found that in this case, a high level of informational privacy was engaged when the police requested subscriber information corresponding to specifically observed, anonymous Internet activity. The court stopped short of recognizing a general right to anonymity and noted that the effectiveness of law enforcement for online offences was not at risk since, as could have been done in this case, it remained open to the police to obtain a production order requiring the ISP to release subscriber information (which would have clearly permitted disclosure under a different section of PIPEDA).

In considering whether Mr. Spencer had a reasonable expectation of privacy, the court also examined the ISP’s terms of service agreement – though it was Mr. Spencer’s sister, not he, who had been the customer – and relevant user and privacy policies. The court concluded these were of little assistance as they ultimately referred back to PIPEDA but that, if anything, the contractual provisions supported the existence of a reasonable expectation of privacy since they narrowly circumscribed the ISP’s right to disclose subscriber information.

The court went on to conclude that a simple request to ISPs to disclose subscriber information without power to compel compliance with the request is not a “lawful authority to obtain the information”, as required by section 7(3)(c.1)(ii) of PIPEDA. The reference to “lawful authority” must mean something other than a warrant, since providing information pursuant to a warrant has its own exemption under PIPEDA. The court noted the term could refer to the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy – for example, the content of conversations between a suspect and a potential witness – and could also refer to the authority of police to conduct warrantless searches under exigent circumstances, such as imminent harm, or where authorized by a reasonable law.

Ultimately, the court held that while the police conduct was a serious infringement of Mr. Spencer’s Charterrights and emphasized that anonymity is “an important safeguard for privacy interests online,” society’s interest in seeing this case adjudicated on its merits meant that the evidence should not be excluded. The court affirmed the conviction on the possession of child pornography count.

IMPLICATIONS OF THE DECISION

It is now clear that private-sector entities cannot rely on section 7(3)(c.1)(ii) of PIPEDA to provide information in which there is a reasonable expectation of privacy to law enforcement in response to a simple request without prior judicial authorization, unless there are exigent circumstances such that a warrantless search would be permitted under the Charter, which may be difficult to determine.

While Spencer dealt with an ISP disclosing Internet usage information, the same reasoning would apply equally to other disclosures of personal information, by other types of companies that are subject to PIPEDA, at the request of law enforcement. However, it is important to note that ISPs and other private-sector organizations remain free to use the separate, broader exemption in PIPEDA, section 7(3)(d), where the ISP itself detects illegal activity and on its own initiative wishes to report it to the police. Such a disclosure by a non-governmental body that is not acting as an agent of the police is not subject to the Charter restrictions that apply to government actions.

The decision in Spencer raises questions regarding the “lawful access” provisions in the “cyberbullying bill” (Bill C-13) currently before Parliament, which purport to expand the Criminal Code provision on voluntary assistance to police without prior judicial authorization, and include an immunity provision protecting organizations that preserve personal information or disclose it without a warrant from criminal or civil liability.

Questions are also being raised in the media about the PIPEDA reform bill (Bill S-4), which includes a provision to extend disclosure of subscriber information without a warrant to private-sector organizations investigating a contractual breach or possible violation of any law; however, the lack of any governmental involvement makes such a disclosure quite different from the Charter-restricted police seizure at issue in Spencer. It remains to be seen whether the federal government will move forward with the bills in their current form or propose amendments.

CONCLUSION

With its decision in Spencer, the Supreme Court has stepped squarely into the debate around how – and how much – to protect the broad-ranging personal information found online. While the government response to the decision remains to be seen, the implications could reach deeply into law enforcement practices in the Internet age, including everything from investigations of online frauds to national security issues. Indeed, information provided to the Privacy Commissioner of Canada in 2011 showed that nine Canadian ISPs collectively reported receiving just short of 1.2 million data requests from government authorities annually, on average.

Following Spencer, ISPs and other recipients of law enforcement requests will need to examine whether the requester in fact has “lawful authority” (including constitutional authority) to collect the personal information in issue. That due diligence exercise will be necessary even if new federal legislation is passed.