For the past several months, many Canadians have been debating privacy reform, with the government moving forward on two bills: lawful access (C-13) and PIPEDA reform (S-4). One of the most troubling aspects of those bills has been the government’s effort to expand the scope of warrantless, voluntary disclosure of personal information.
Bill C-13 proposes to expand warrantless disclosure of subscriber information to law enforcement by including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant. Meanwhile, Bill S-4, proposes extending the ability to disclose subscriber information without a warrant from law enforcement to private sector organizations. The bill includes a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. I appeared before both committees in recent weeks (C-13, S-4), but Conservative MPs and Senators were dismissive of the concerns associated with voluntary disclosures.
This morning another voice entered the discussion and completely changed the debate. The Supreme Court of Canada issued its long-awaited R. v. Spencer decision, which examined the legality of voluntary warrantless disclosure of basic subscriber information to law enforcement. In a unanimous decision written by (Harper appointee) Justice Thomas Cromwell, the court issued a strong endorsement of Internet privacy, emphasizing the privacy importance of subscriber information, the right to anonymity, and the need for police to obtain a warrant for subscriber information except in exigent circumstances or under a reasonable law.
I discuss the implications below, but first some of the key findings. First, the Court recognizes that there is a privacy interest in subscriber information. While the government has consistently sought to downplay that interest, the court finds that the information is much more than a simple name and address, particular in the context of the Internet. As the court states:
the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns. â€œCookiesâ€ may be used to track consumer habits and may provide information about the options selected within a website, which web pages were visited before and after the visit to the host website and any other personal information provided. The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous – by guarding the link between the information and the identity of the person to whom it relates – the user can in large measure be assured that the activity remains private.
Given all of this information, the privacy interest is about much more than just name and address.
Second, the court expands our understanding of informational privacy, concluding that there three conceptually distinct issues: privacy as secrecy, privacy as control, and privacy as anonymity. It is anonymity that is particularly notable as the court recognizes its importance within the context of Internet usage. Given the importance of the information and the ability to link anonymous Internet activities with an identifiable person, a high level of informational privacy is at stake.
in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.
Fourth, having concluded that obtaining subscriber information was a search with a reasonable expectation of privacy, the information was unconstitutionally obtained therefore led to an unlawful search. Addressing the impact of the PIPEDA voluntary disclosure clause, the court notes:
Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, I do not see how they could gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information.
There are several important implications that flow from this decision. First, with a finding that police need a warrant for subscriber information (except in exigent circumstances), the practice of obtaining information on a voluntary basis should come to an end.
Second, the government’s plans for expanded voluntary, warrantless disclosure under Bill C-13 must surely be reformed as it is unconstitutional. Just yesterday, Conservative MP Bob Dechert relied on R. v. Ward to support the C-13 approach with respect to immunity for voluntary disclosure. The court has effectively rejected the Ward decision and Dechert’s defence of the provision no longer stands.
Third, the government should remove the expansion of voluntary disclosure in S-4. With the Supreme Court emphasizing the privacy importance of subscriber information, the government should not be seeking to expand warrantless disclosures. In fact, immediate reports indicate that the Senate has delayed debate on the bill to consider the ruling.
Fourth, Internet providers need radical reform of their current approach to disclosure of subscriber information. The Supreme Court examined Shaw’s terms of service policy and found it provided “a confusing and unclear picture of what Shaw would do when faced with a police request for subscriber information.” The same can be said for virtually every ISP in Canada. While ISPs have been regularly disclosing this information hundreds of thousands of times, the Court ruled:
Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure â€œof personal information in a manner that recognizes the right of privacy of individuals with respect to their personal informationâ€ (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.
The court notes that ISPs are not required to disclose this information and this case reaches the conclusion that they are not permitted to do so absent a warrant either. This means ISPs must change their practices on voluntary warrantless disclosure. Much more to come on a decision that seems likely to define Internet privacy for many years to come.