Having had the benefit of a few days to consider the implications of the Supreme Court of Canada decision in Spencer, the Senate last night proceeded to ignore the court and pass Bill S-4, the Digital Privacy Act, unchanged. The bill extends the ability to disclose subscriber information without a warrant from law enforcement to any private sector organizations by including a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. Given the Spencer decision, it seems unlikely that organizations will voluntarily disclose such information as they would face the prospect of complaints for violations of PIPEDA.
Despite a strong ruling from the Supreme Court of Canada that explicitly rejected the very foundation of the government’s arguments for voluntary warrantless disclosure, the government’s response is “the decision has no effect whatsoever on Bill S-4.”
As I posted yesterday, the government had argued in committee that:
In the instance of PIPEDA, because of the type of information provided in a preâ€‘warrant phase such as basic subscriber information, it would be consistent with privacy expectations and therefore it’s not really putting telecoms, for example, in some unique position in terms of police investigations.
The Supreme Court of Canada rejected this view, concluding that:
there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous.
That cannot be credibly described as “no effect whatsoever.” Indeed, the government’s recently appointed Privacy Commissioner also pointed to Spencer and urged the government to consider the implications on S-4.
In another post yesterday on the future of C-13 and S-4, I lamented that the “government could adopt the ‘bury our heads in the sand approach’ by leaving the provisions unchanged, knowing that they will be unused or subject to challenge.” I argued that a better approach would be to address the issue directly, providing certainty to businesses and Canadians.
Perhaps unsurprisingly given its recent track record on privacy, it has chosen the head in the sand approach. During debate at the Senate yesterday, Conservative Senators repeatedly argued that Bill S-4 actually strengthens privacy, despite the fact that it opens the door to warrantless voluntary disclosure to any organization (it also enshrines weak data breach rules that do not provide protection as strong as that found in some other jurisdictions). Moreover, they tried to distinguish Spencer by arguing that it involves a criminal investigation disclosure to police, while the S-4 expansion of warrantless disclosure involves disclosures to private organizations.
Yet the principle is obviously the same: there is a reasonable expectation of privacy in subscriber information that should not be disclosed without a warrant or court order. No organization should be disclosing that information and when they do, they are likely to face a complaint with the Privacy Commissioner of Canada for violating PIPEDA. By leaving S-4 unchanged, the government is encouraging voluntary disclosures even after the Supreme Court explicitly ruled against them.
While the bill must still pass through the House of Commons, the government’s decision to rush the legislation through the Senate (it conducted only a few hours of hearings) and to seemingly ignore the Supreme Court’s decision creates further uncertainty for Canadians and Canadian businesses. Everyone needs rules that comply with the letter and spirit of the Spencer decision, which Bill S-4 fails to do on both counts.