On June 13, 2014 the Supreme Court of Canada decided that Canadians have a reasonable expectation of privacy in their online activities, and confirmed that a police investigation isn’t enough to give them the “lawful authority” to get personal information from organizations without a warrant under privacy laws – though it’s not clear what is.

Police asked an Internet Service Provider (ISP) for the identity of a subscriber associated with an “internet protocol” (IP) address (a unique string of numbers) connected to online activities during a criminal investigation – and the ISP gave it.  The police used the information to ultimately charge Matthew David Spencer. Spencer said the police got his identity and the evidence without a warrant, breaching his right to be free from unreasonable search and seizure under the Charter of Rights and Freedoms, and couldn’t use any of it. The police said they didn’t need a warrant: PIPEDA (Personal Information Protection and Electronic Documents Act) allows an organization to disclose personal information without consent if a government institution with “lawful authority” requests it – and an investigation is enough to give them that “lawful authority”.

The SCC disagreed with the police. Its decision is in the context of criminal proceedings, but PIPEDA and similarly worded provincial privacy legislation apply across Canada to the obligations of many organizations when they collect, use – and disclose – personal information. The decision therefore applies across Canada and to the disclosure of personal information that any organization (not just an ISP) holds:

  • Expectation of Privacy in Online Activities. Internet users understand privacy as anonymity. A person’s privacy interest in her Internet use goes beyond her inherent privacy interest in the name, address and telephone number found in her subscriber information: linking an IP address to subscriber information effectively links a specific person to specific online activities – activities that are usually intimate or sensitive, are usually carried out on the understanding they would be anonymous, and which engage significant privacy interests. Internet users have a reasonable expectation of anonymity, and thus privacy, in their online activities – and in the subscriber information an ISP holds that links them to those activities. Neither PIPEDA’s section permitting disclosure based on “lawful authority” nor the sections of the ISP’s customer terms of use permitting disclosure dislodge this expectation of privacy.
  • Charter Applies. A police request to the ISP to voluntarily disclose customer information is a “search” under the Charter – but the considerations could be different if an ISP detects illegal activity and reports it.
  • Lawful Authority. The police request had no “lawful authority” under PIPEDA: they could ask but had no authority to compel the ISP to produce the information, and the ISP did not acquire the right to disclose it.

From a practical perspective, this decision confirms that if the police come knocking, a business should not hand over any personal information it holds based only on a police investigation. It’s now clear the “lawful authority” required to compel disclosure of personal information means something more than a mere police investigation – though since PIPEDA deals specifically with search warrants, production orders and other legal compulsions elsewhere, it’s still not clear exactly what more it means. The decision doesn’t affect an organization’s ability to voluntarily report criminal activity.

The SCC’s decision: R. v. Spencer, 2014 SCC 43