The ubiquitous and rapidly-evolving nature of technology has recently necessitated serious consideration of our “reasonable expectation of privacy.” This concept is at the core of Canadian privacy law. In particular, the concept is a key part of the Charter test for s. 8, the right to be secure against unreasonable search and seizure. The Supreme Court of Canada (“SCC”) grappled with these questions in R v Cole and R v Vu, and more recently, the British Columbia and Ontario Courts of Appeal applied these Charter principles to couriered packages and USB keys in R v Godbout and R v Tuduce, respectively.
In R v Cole, the SCC found that employees can reasonably expect some level of privacy with regard to personal information stored on work computers, but the reasonableness of their expectation is impacted by the context in which personal information is placed on an employer-owned computer and the customs of the workplace, factors that the court called “operational realities.”
In R v Vu, the SCC took privacy rights on personal computers one step further, finding that police must obtain prior judicial authorization for a computer search. Police must be able to satisfy the authorizing justice that they have reasonable grounds to believe that any computers they discover will contain the evidence sought.
In R v Godbout and R v Tuduce, the courts continue to grapple with finding the elusive limits of the “reasonable expectation of privacy” standard.
R v Godbout: Reasonable Expectations with respect to Couriered Packages
A reversal of the trend set by R v Cole and R v Vu occurred in the R v Godbout decision, wherein the British Columbia Court of Appeal (“BCCA”) found that the consignee of a couriered package has no reasonable expectation of privacy with regard to its contents. Mr. Godbout was sent a package through the DHL courier company from a Mr. Calkins, who signed a shipping contract containing a term that the company or a government authority could search the package without notice. Mr. Godbout never interacted with DHL nor agreed to the terms of the shipping contract. The company opened the box and called the police, who searched it and found illegal drugs. They repackaged and delivered it to Mr. Godbout, who opened it and was subsequently arrested on drug charges. Mr. Godbout challenged the lawfulness of the search under s. 8 of the Charter, which protects the right to be secure against unreasonable search and seizure. In order to be protected under s. 8, one must have an objectively reasonable expectation of privacy in the object searched.
The court found that neither Mr. Calkins nor Mr. Godbout had any reasonable expectation of privacy because DHL accepted the package for delivery pursuant to certain explicit contractual terms that allowed DHL to search the contents of the package. The court found that the contractual terms “negated any objectively reasonable expectation of privacy” that either Mr. Calkins or Mr. Godbout could assert, stating, “[t]he fact that the appellant may not have known of the terms of shipment does not make his subjective expectation objectively reasonable.” Thus, the terms of the shipping contract ultimately governed the s. 8 rights of both Mr. Calkins and Mr. Godbout, despite the fact that only one of them had seen, or had any way of knowing, the terms of that contract.
This decision seems to suggest that an individual can sign away his or her privacy rights, which may affect how organizations can structure certain contracts to allow them to monitor or search their customers or employees.
R v Tuduce: Reasonable Expectations with respect to USB Keys
In another technologically-charged case, R v Tuduce, the Ontario Court of Appeal (“ONCA”) pondered the similarities between USB keys and computers with regard to searches, and found that police required specific prior authorization before searching an electronic device. The ONCA considered the factors discussed in R v Vu that distinguish personal computers from other “receptacles” covered under search warrants, and applied them to USB keys. They considered the large storage capacity of USB keys, that data can be left on the keys without the user’s knowledge, and that the user does not have complete control over which files an investigator will be able to find on the key. In particular, the ONCA found that a personal USB arguably engages a more serious privacy concern than a work computer, for it is neither owned by the employer nor is it subject to the terms and conditions of use imposed by employers on work computers.
However, the court did not discuss other storage devices or electronic “receptacles” that may or may not be provided by employers. What of the cell phones commonly provided by employers? Larger USB storage devices or external hard drives may be provided by employers; what level of privacy will be considered objectively “reasonable”? The storage capacity of USB keys has massively increased over the last decade; the courts are attempting to keep up with our ever-increasing ability to store vast amounts of personal data on devices that we fit into a pocket.
Most often, our highest court deals with these types of privacy issues in criminal law cases, where the accused objects to the procedure by which authorities have obtained evidence. However, private corporations and employers should be aware that developments in Charter jurisprudence can be important indicators of best practices and employee rights when it comes to privacy concerns. The line between personal devices and employer-issued technology becomes more and more blurred as the divide between home and office narrows. Employers must caution themselves against the potential privacy infringements enabled by superior employee-monitoring capacity, and define “acceptable use of technology” policies in order to clearly delineate the lines between personal and office use on work desktops, laptops, cell phones, USB keys, and any other storage mediums that they may provide. Courts’ ability to keep up with changing technology will always be limited; employers must be able to proactively consider the myriad privacy issues that can arise in the context of employee devices.