Sharon Curtis, an Alberta resident, visited a Leon’s Furniture store on Boxing Day in 2006. Curtis purchased a table, placed a deposit, but did not take immediate delivery of her furniture. The next month, her mother went to the store to pay the balance and pick up the table. Store employees asked for her driver’s licence as identification and recorded her licence plate number as the table was loaded into her car.
Curtis’ mother objected to the collection of this information and proceeded to file a complaint with the Alberta Privacy Commissioner. The complaint wound its way through the legal system until late last month, when a divided Alberta Court of Appeal issued a ruling that sent shockwaves through the Canadian privacy community. If the decision stands – an appeal to the Supreme Court of Canada seems likely – the case will force a re-examination of current privacy law as a gaping hole may exist.
The crucial issue in the case revolved around whether the driver’s licence and licence plate number constituted personally identifiable information. For organizations seeking to comply with the law, one of the first questions they ask is whether the information they collect, use, and disclose is personally identifiable. If it falls outside that standard â€“ perhaps the information has been anonymized or contains no details that can be traced back to a particular person â€“ the privacy rights and obligations found in the law do not apply. In fact, organizations often seek to â€œde-identifyâ€ personally identifiable information so they are not bound by typical consent and disclosure requirements.
The formal definition of personal information is notoriously flexible, stating only that â€œpersonal information means information about an identifiable individual.â€ Privacy commissioners and courts across the country have interpreted this definition broadly, concluding that it captures any information about a specific person.
The majority of the Alberta court came to a different conclusion. While it determined that the driver’s licence was personal information, it ruled that the licence plate information was not. The majority reasoned that the licence plate information was linked to a specific vehicle, not a particular person. Moreover, it noted that the licence plate information was not private given that it is openly available for all to see.
A dissenting opinion noted that licence plate information traces back to an identifiable individual and should therefore be treated as personally identifiable information.
The final outcome of this case carries significant legal implications for privacy protection in Canada, particularly for online activities that raise many of the same issues.
For example, the privacy rights associated with Internet use, including browsing history, the installation of tracking cookies, and other online activities, often link back to a single IP address. The Privacy Commissioner of Canada has found that IP addresses are personally identifiable information and therefore covered by the law. Yet IP addresses bear a striking resemblance to licence plate information â€“ they are openly available for all to see and link not to a specific person, but rather to a particular subscriber. The Internet user might be the same person as the subscriber, but that is not necessarily the case.
If the Alberta approach of limiting the scope of personally identifiable information stands, the privacy protections associated with IP addresses would likely be lost. That would allow organizations to collect, use, and disclose IP address information without regard for the privacy rights and obligations that many Canadians now take for granted.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at firstname.lastname@example.org or online at www.michaelgeist.ca.