Privacy by Sebastien Wiertz (CC BY 2.0) https://www.flickr.com/photos/wiertz/6092000030/sizes/l/
After years of failed bills, public debate, and considerable controversy, lawful access legislation received royal assent last week. Public Safety Minister Peter MacKay’s Bill C-13 lumped together measures designed to combat cyberbullying with a series of new warrants to enhance police investigative powers, generating criticism from the Privacy Commissioner of Canada, civil liberties groups, and some prominent victims rights advocates. They argued that the government should have created cyberbullying safeguards without sacrificing privacy.
While the bill would have benefited from some amendments, it remains a far cry from earlier versions that featured mandatory personal information disclosure without court oversight and required Internet providers to install extensive surveillance and interception capabilities within their networks.
The mandatory disclosure of subscriber information rules, which figured prominently in earlier lawful access bills, were gradually reduced in scope and ultimately eliminated altogether. Moreover, a recent Supreme Court ruling raised doubt about the constitutionality of the provisions.
My weekly technology law column (Toronto Star version, homepage version) notes the surveillance and interception capability issue is more complicated, however. The prospect of a total surveillance infrastructure within Canadian Internet networks generated an enormous outcry when proposed in Vic Toews’ 2012 lawful access bill. Not only did the bill specify the precise required surveillance and interception capabilities, but it also would have established extensive Internet provider reporting requirements and envisioned partial payments by government to help offset the costs for smaller Internet providers.
Supreme Court’s Privacy Streak Comes To End: Split Court Affirms Legality of Warrantless Phone Searches Incident to Arrest
The Supreme Court of Canada issued its decision in R. v. Fearon today, a case involving the legality of a warrantless cellphone search by police during an arrest. Given the court’s strong endorsement of privacy in recent cases such as Spencer, Vu, and Telus, this seemed like a slam dunk. Moreover, the U.S. Supreme Court’s June 2014 decision in Riley, which addressed similar issues and ruled that a warrant is needed to search a phone, further suggested that the court would continue its streak of pro-privacy decisions.
To the surprise of many, a divided court upheld the ability of police to search cellphones without a warrant incident to an arrest. The majority established some conditions, but ultimately ruled that it could navigate the privacy balance by establishing some safeguards with the practice. A strongly worded dissent disagreed, noting the privacy implications of access to cellphones and the need for judicial pre-authorization as the best method of addressing the privacy implications.
Earlier this year, Canada and the European Union announced that they had reached agreement on sharing airline passenger name record data. The data shared includes names, addresses, and credit card numbers of airline passengers. The agreement was signed in June (video of the signing here), but approval from the European Parliament was required. In light of growing privacy concerns, that approval has proven more difficult to obtain than previously anticipated.
Rather than simply grant approval, the European Parliament has narrowly voted to send the agreement to the European Court of Justice for review to ensure that it is compliant with European law including EU treaties and the European Charter of Rights and Freedoms (the final vote was 383 to 271 with 47 abstentions). The resolution notes that the European Data Protection Supervisor (effectively the Privacy Commissioner for the EU) issued an opinion in September 2013 that questioned the necessity and proportionality of agreements to transfer passenger information between jurisdictions. The EDPS opinion features an extensive review of the agreement and raises pointed questions about specific provisions along with numerous recommendations for reform.
The decision means that the Canada – EU data sharing agreement will be delayed by at least one to three years while the court conducts its review. The review will raise several important privacy issues including the effectiveness of exchanging passenger information in combating terrorism and the state of Canadian privacy law. The European Court of Justice has already struck down the European Data Retention Directive, suggesting that this agreement could also face tough scrutiny.
The mounting battle between Uber, the popular app-based car service, and the incumbent taxi industry has featured court dates in Toronto, undercover sting operations in Ottawa, and a marketing campaign designed to stoke fear among potential Uber customers. As Uber enters a growing number of Canadian cities, the ensuing regulatory fight is typically pitched as a contest between a popular, disruptive online service and a staid taxi industry intent on keeping new competitors out of the market.
My weekly technology law column (Toronto Star version, homepage version) notes that if the issue was only a question of choosing between a longstanding regulated industry and a disruptive technology, the outcome would not be in doubt. The popularity of a convenient, well-priced alternative, when contrasted with frustration over a regulated market that artificially limits competition to maintain pricing, is unsurprisingly going to generate enormous public support and will not be regulated out of existence.
While the Uber regulatory battles have focused on whether it constitutes a taxi service subject to local rules, last week a new concern attracted attention: privacy. Regardless of whether it is a taxi service or a technological intermediary, it is clear that Uber collects an enormous amount of sensitive, geo-locational information about its users. In addition to payment data, the company accumulates a record of where its customers travel, how long they stay at their destinations, and even where they are located in real-time when using the Uber service.