On June 13, 2014 the Supreme Court of Canada decided that Canadians have a reasonable expectation of privacy in their online activities, and confirmed that a police investigation isn’t enough to give them the “lawful authority” to get personal information from organizations without a warrant under privacy laws – though it’s not clear what is.
Police asked an Internet Service Provider (ISP) for the identity of a subscriber associated with an “internet protocol” (IP) address (a unique string of numbers) connected to online activities during a criminal investigation – and the ISP gave it. The police used the information to ultimately charge Matthew David Spencer. Spencer said the police got his identity and the evidence without a warrant, breaching his right to be free from unreasonable search and seizure under the Charter of Rights and Freedoms, and couldn’t use any of it. The police said they didn’t need a warrant: PIPEDA (Personal Information Protection and Electronic Documents Act) allows an organization to disclose personal information without consent if a government institution with “lawful authority” requests it – and an investigation is enough to give them that “lawful authority”.
The SCC disagreed with the police. Its decision is in the context of criminal proceedings, but PIPEDA and similarly worded provincial privacy legislation applies across Canada to the obligations of many organizations when they collect, use – and disclose – personal information. The decision therefore applies across Canada and to the disclosure of personal information that any organization (not just an ISP) holds:
- Charter Applies. A police request to the ISP to voluntarily disclose customer information is a “search” under the Charter – but the considerations could be different if an ISP detects illegal activity and reports it.
- Lawful Authority. The police request had no “lawful authority” under PIPEDA: they could ask but had no authority to compel the ISP to produce the information, and the ISP did not acquire the right to disclose it.
From a practical perspective, this decision confirms that if the police come knocking, a business should not hand over any personal information it holds based only on a police investigation. It’s now clear the “lawful authority” required to compel disclosure of personal information means something more than a mere police investigation – though since PIPEDA deals specifically with search warrants, production orders and other legal compulsions elsewhere, it’s still not clear exactly what more it means. The decision doesn’t affect an organization ability to voluntarily report criminal activity.