The debate on Bill C-13 opened yesterday in the House of Commons with opposition MPs calling on the government to split the bill into two (cyberbullying and lawful access) and raising concerns about the voluntary disclosure provision that would give Internet providers complete criminal and civil immunity for voluntary retention and disclosure of subscriber information. When asked about the issue, Justice Minister Peter MacKay said the following:
The provision would clarify that the police officer can lawfully ask – and he points out – that individuals and groups voluntarily preserve data or provide documentation, but only when no prohibition exists against doing so. That is to suggest that organizations would still be bound by the Personal Information Protection and Electronic Documents Act, something known as PIPEDA, which makes it clear that an organization is entitled to voluntarily disclose personal information to the police, without the consent of the person to have the information relayed.
However police have to have lawful authority to do so. They still have to obtain a warrant. They can ask that the information be preserved and temporarily put on hold so that it cannot be deleted, but in order for police to access that information that is frozen, they must still obtain a warrant. There is no warrantless access.
Unfortunately, MacKay is wrong.
For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law
As MacKay notes, this provision allows for voluntary disclosure of personal information without court oversight. Indeed, we know that Internet providers disclose subscriber information tens of thousands of times every year without such oversight (and without transparency on their practices).
Yet MacKay is wrong when he says that police must obtain a warrant to access the information. With the voluntary disclosure, law enforcement has access and there is no warrant. MacKay seems to think “lawful authority” is a reference to a warrant. In fact, the opposite is true as Bill C-12 (the PIPEDA reform bill) sought to clarify the meaning of “lawful authority” by defining it as an authority other than a warrant or court order.
The changes in Bill C-13 would likely increase voluntary disclosures without a warrant since ISPs and telecom providers would know that any warrantless disclosure would be free from legal liability. There have been some efforts to suggest that the PIPEDA exception is limited to less sensitive data, but the government has never confirmed this to be the case. In fact, in its 2007 response to PIPEDA reform recommendations, it stated:
The government wishes to confirm that the purpose of s. 7(3)(c.1) is to allow organizations to collaborate with law enforcement and national security agencies without a subpoena, warrant or court order.
With the change in C-13, ISPs and telecom companies may be far more willing to disclose information about their subscribers without fear of liability. Indeed, law enforcement will be able to point to PIPEDA and the changes to argue that complete cooperation without a warrant is perfectly permissible and carries no legal risk of liability. That represents a serious privacy risk and Justice Minister MacKay is wrong to downplay the concern and inaccurately tell the House of Commons that there is no warrantless access.