Updated: Business Disclosure of personal information to law enforcement agencies:

PIPEDA and the CNA letter of request protocol
By
Suzanne Morin, Assistant General Counsel, Privacy, Research In Motion Limited (formerly
Assistant General Counsel & Privacy Chief, Legal & Regulatory, Bell Canada), with the
assistance of Amy Awad as part of her University of Ottawa Technology Law Internship in 2008
and the subsequent assistance of Dee Pham in 2010 as part of the same program
Updated as of May 2011
As originally explained in 2008 when this article was first published, Canadian Internet Service
Providers (“ISPs”) continue to receive a large number of requests for customer information from
law enforcement agencies. The best approach to handling these requests remains controversial
and the issue will continue to be dealt with in political circles in the context of ongoing “lawful
access” discussions.
In the meantime, a number of Canadian ISPs have stayed the course with their strategy to deal
with a subset of these requests of particular concern to them – those pertaining to online child
exploitation investigations. The initiative, where participating ISPs voluntarily disclose customer
name and address linked to an IP address at a particular date and time to law enforcement at
the pre-warrant stage of child exploitation investigations, remains interesting at a number of
levels. It touches on privacy issues pertaining to the proper interpretation of the Personal
Information Protection and Electronic Documents Act (“PIPEDA”) and the reasonable privacy
expectations of ISPs’ customers. It also provides an ongoing example of a relatively successful
voluntary collaboration between private business, law enforcement and privacy regulators
aimed at tackling legal uncertainties where they may most negatively affect the public good. In
this article, we hope to provide an updated overview of the initiative as well as the evolving body
of jurisprudence regarding the relevant legal issues pertaining to the interpretation of PIPEDA
and s. 8 of the Canadian Charter of Rights and Freedoms (the “Charter”).
I. CNA letter of request initiative / protocol
Under the auspices of the Canadian Coalition Against Internet Child Exploitation (“CCAICE”),
certain Canadian ISPs, including Bell Canada, developed in conjunction with certain Canadian
law enforcement agencies (“LEAs”), in particular the RCMP’s National Child Exploitation
Coordination Centre (“NCECC”), a process to handle law enforcement requests of certain
limited customer information. A participating ISP, in response to an agreed upon template letter
of request, will disclose to the requesting LEA the last known name and address of the account
holder that was using a particular IP address at a specific date and time. These requests are
made in non-emergency situations and in the absence of a court order. While the current
template letter was slightly changed at the end of 2007 to reflect almost two years of use, no
changes have since been made as the process is working quite well. This very limited CNA
(customer name and address) disclosure initiative is being used at the pre-warrant stage of child
exploitation investigations only and is intended to strike the right balance between ensuring
fundamental freedoms and Internet principles, and contributing to eradicating a widely-condemned social evil.
Privacy Pages, November 2011
CBA National and Privacy Access Law Section Newsletter
Page 1
II. PIPEDA and exceptions for disclosure without consent
PIPEDA provides a regime that governs the collection, use and disclosure of personal
information in the private sector. Generally, it requires the knowledge and consent of the
individual. It also provides, however, for specific circumstances where personal information can
be disclosed without consent. The relevant provisions of PIPEDA can be found in s. 7(3).
The discussion surrounding the CNA initiative necessarily involves an analysis of which of the
various exceptions applies under differing circumstances. The following five provisions of
subsection 7(3) are intended to apply in very specific types of situations: (c) court order or
warrant; (c.1) government institution request for information relating to enforcement or
investigation of law of Canada; (d) organization’s own initiative; (e) emergency situation; and (i)
required by law.
The provisions pertaining to court orders, an organization’s own initiative and emergency
situations are well understood. Where the confusion arises is in understanding the difference
between a (c.1) disclosure in response to an LEA request at the pre-warrant stage of an
investigation and why a court order or warrant is not required in such cases and under (i) when
the disclosure is required by law.
III. Disclosure when required by law (s. 7(3)(i))
Disclosure required by law under s. 7(3)(i) of PIPEDA refers to disclosure required by orders or
directions of courts and tribunals of competent jurisdiction. It also refers to the various non-judicial authorities that exist in numerous pieces of legislation such as the Income Tax Act,
Employment Insurance Regulations, Statistics Canada Act, various support order enforcement
legislation, etc. that authorize government officials to demand certain disclosure and legally
compel organizations to provide the information requested. Non-compliance by an organization
in such circumstances would be akin to not responding to a court order or warrant, that is,
negative legal consequences would arise for non-compliance. Frequently, non-compliance with
such disclosure requests constitutes an offence pursuant to the statute in question.
Usually, organizations that are presented with requests or demands for the disclosure of certain
information will perform the required due diligence to ensure the request or demand is
consistent with the statutory power under which it is being exercised and that in fact they are
“required by law” to disclose the information. However, when it comes to police officers, one
would typically never verify a police officer’s lawful authority to investigate crime. Interestingly,
the former proposed bill to amend PIPEDA, Bill C-29, would have made it clear that
organizations were not required to verify the lawful authority identified by what would be
essentially police officers as their lawful authority would be “other than (i) a subpoena or warrant
issued, or an order made, by a court, person or body with jurisdiction to compel the production
of information, or (ii) rules of court relating to the production of records”.1
1 Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act, 3rd Sess., 40th
Parl., 2010, cl. 12. This bill died on the Order Paper when the 40th Parliament was dissolved on 26 March 2011.
Notably, over the last couple of years, there has been a general increase in the number of
government institutions that have tried to convince organizations that they can rely on the use of
the “lawful authority” provision rather than the “required by law” provision to disclose the
information at issue. In such cases, the government institution typically identifies in their request
the same statutory authority they would normally use to demand disclosure of the information as
their “lawful authority” under s. 7(3)(c.1) without going the next step of actually demanding the
information. This is done simply to speed up their administrative processes. Under such
circumstances, an organization may decide to voluntarily respond to such a request from a
government institution and still be compliant with their obligations under PIPEDA. Many
organizations, however, continue to insist on the actual invocation of that statutory power before
doing so such that they are “required” to disclose the information requested.
IV. Disclosure in response to LEA request (pre-warrant stage of investigation, s. 7(3)(c.1))
Essentially, three requirements must be met in order for an organization to disclose without
consent under s. 7(3)(c.1):
i) the disclosure must be made to a government institution that has made a request;
ii) the government institution must have identified its lawful authority to obtain the
information; and
iii) the government institution must have indicated that the disclosure is requested for the
purpose of law enforcement, national security or administration of a law.
The first and third requirements are fairly straightforward. While there is no definition of
“government institution” in PIPEDA and no regulations have been issued to define the term,
there nevertheless seems to be a general consensus that the RCMP and other provincial or city
police would be characterized as such.2 CNA requests made using the established protocol will
always be made in the context of the enforcement of a law of Canada or an investigation related
to such enforcement, e.g. the Criminal Code.
A. Purpose of Section 7(3)(c.1)
To avoid redundancy, s. 7(3)(c.1) must have a meaning such that the scope is different from
that of s. 7(3)(c) dealing specifically with warrants and court orders and s. 7(3)(i) dealing with
disclosure required by law. That interpretation would be consistent with the commentary on
PIPEDA by Heather Black and Stephanie Perrin (two architects of PIPEDA), who make the
following comment on s. 7(3)(c.1):
This paragraph is aimed at “pre-warrant” activities in which private sector organizations
cooperate with domestic law enforcement agencies who are collecting the information on a
“casual” or “routine” basis and for which no warrant is required. Only information that is of
relatively innocuous nature will be collected by these means, since the collection of information
in which the individual has a reasonable expectation of privacy would require the Charter
protection of a warrant.3
2 Furthermore, “government institution” under the federal public sector Privacy Act explicitly includes the RCMP.
3 Stephanie Perrin et al., The Personal Information and Electronic Documents Act: An Annotated Guide (Concord,
Ont.: Irwin Law, 2001).
It has long been accepted that the provision was originally introduced by Industry Canada in
response to representations made by law enforcement and national security agencies with the
intent to allow them to continue to be able to engage in pre-warrant intelligence gathering. This
view was confirmed by the Office of the Privacy Commissioner (“OPC”) when it stated in an
email exchange dated 10 April 2007 with the author during the PIPEDA Review Committee
hearings that it
“… is not opposed to language which would seek to clarify the intent of c.1 and remove
any confusion that may exist. … c.1 was introduced by Industry Canada as a result of
representations made by law enforcement and national security agencies. The intent as
explained to Parliament was to maintain the status quo for these agencies to allow them
to engage in pre-warrant intelligence gathering. Organizations have the discretion to
disclose information or not pursuant to any request. Organizations are encouraged to get
confirmation of lawful authority in writing.”
The fact that its application is not dependent on the existence of judicially mandated disclosure
is further confirmed by the Government of Canada in its 2007 Response to the statutory review
of PIPEDA:
The government wishes to confirm that the purpose of s. 7(3)(c.1) is to allow
organizations to collaborate with law enforcement and national security agencies without
a subpoena, warrant or court order.4
Meanwhile, the federal Privacy Commissioner in October 2007, in responding to the joint Public
Safety and Industry Canada CNA Information Consultation (no longer available on the
departmental websites), outlined in her comments the intent of section 7(3)(c.1):
Paragraph 7(3)(c.1), in contrast, is clearly intended to allow organizations to disclose
personal information without consent or notification to LE/NS agencies and other
government bodies in the absence of prior judicial authorization. However, the
organization requesting the information has to identify its legal authority and indicate that
it is collecting the information for one of the reasons listed in the paragraph, for example
to enforce a law of Canada, a province or a foreign jurisdiction.
When the legislation (Bill C-6) was being debated in the House of Commons, the
Minister of Industry clearly stated that 7(3)(c.1) was intended to maintain the status quo,
"These amendments do not grant new powers to government institutions, nor do they
create new obligations on business." Although 7(3)(c.1) was not intended to alter the
status quo we appreciate that it may have created some uncertainty on the part of
organizations being asked to disclose certain information.
This provision was the subject of a considerable amount of discussion during the
mandatory five year review of PIPEDA conducted by the House of Commons Standing
Committee on Access to Information Privacy and Ethics. In its report, tabled on May 2,
2007, the Committee recommended that consideration be given to clarifying what is
meant by “lawful authority” in section 7(3)(c.1).
4 Canada, Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy
and Ethics at p. 6.
…
The Privacy Commissioner has stated publicly that she would not object to adding
definitions for the terms "lawful authority" and "government institution" if the government
feels that such definitions would bring clarity to the legislation.
Although the consultation paper identifies the "absence of explicit legislation" as one of
the problems the consultation process seeks to address, PIPEDA is, in fact, an explicit
legislative code that permits lawful access by LE/NS agencies while "preserving and
protecting the privacy and other rights and freedoms of all people in Canada." [Emphasis
added]
This view is also clearly supported by the recent Ontario decision in Kwok (see below).
B. Meaning / sources of “lawful authority”
The term “lawful authority” is not defined in PIPEDA or in the federal Interpretation Act. It is,
therefore, necessary to apply the general rule of statutory interpretation to understand under
what circumstances disclosure of information under s. 7(3)(c.1) is allowed. In accordance with
the general principles of statutory interpretation,
[…] the words of an Act are to be read in their entire context and in their grammatical
and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and
the intention of Parliament.5
The grammatical and ordinary sense of “lawful authority” includes any authority conferred by
law. In Canada, there are two primary sources of law and, hence, lawful authority: statutory or
regulatory provisions and the common law. Each must be examined to determine the existence
of an LEA's authority to request specific information.
A survey of the Canadian Statute Book reveals that it is uncommon for a statutory provision to
specifically create the authority for an LEA to request (as opposed to demand) information.
Nevertheless, there are numerous legislative provisions that refer to the powers of a peace
officer or confer such powers on specific individuals.6 For example, s. 9 of the Royal Canadian
Mounted Police Act provides that:
[e]very officer and every person designated as a peace officer under subsection 7(1) is a
peace officer in every part of Canada and has all the powers, authority, protection and
privileges that a peace officer has by law […] [emphasis added].
5 Elmer Driedger, Construction of Statutes, 2nd ed. (Toronto: Butterworths Ltd., 1983) at p. 87.
6 See e.g. Child and Family Services Act, R.S.O. 1990, c. C.11, s. 90(3), Public Works Protection Act, R.S.O. 1990,
c. P.55, s. 2(2), Police Act, R.S.A. 2000, c. P-17, s. 38(1), Regulation respecting the application of the Act
respecting detective or security agencies, R.Q. c. A-8, r.1, s. 2, Parks Act, R.S.Q. c. P-9, s. 15.
The Province of Alberta has adopted a similar view as to what constitutes “lawful authority”. In
Service Alberta’s guidance document, "Requesting Personal Information from the Private
Sector: Forms and Guidelines for Law Enforcement Agencies", it is stated that when dealing
with the requirement to identify a government institution’s “lawful authority” (at p. 10):
[S]ome statutes provide an agency with specific investigative powers that may include
information-gathering powers, as in the case of investigations pursuant to the Alberta
Occupational Health and Safety Act, or as identified in the duties and powers provided to
police officers under section 38(1) of the Police Act.
Interestingly, s. 487.014(1) of the Criminal Code provides that:
[f]or greater certainty, no production order is necessary for a peace officer or public
officer enforcing or administering this or any other Act of Parliament to ask a person to
voluntarily provide to the officer documents, data or information that the person is not
prohibited by law from disclosing.
Notably, this section does not provide authority to ask for information but rather confirms that
such authority already belongs to peace officers and is included in their general investigative
powers. These powers are expounded in s. 25 of the Criminal Code, which provides as follows:
25. (1) Everyone who is required or authorized by law to do anything in the
administration or enforcement of the law
(a) as a private person,
(b) as a peace officer or public officer,
(c) in aid of a peace officer or public officer, or
(d) by virtue of his office, is, if he acts on reasonable grounds, justified in doing
what he is required or authorized to do […].
To the extent that a peace officer or member of a particular police force is required by law to
investigate crimes, they are, according to s. 25, justified in fulfilling such requirements as long
as they act reasonably.7 Therefore, a peace officer investigating a case of online child
exploitation is justified in requesting CNA from an ISP as long as the request is reasonable.8
Arguably, justification and authority may not be equivalent; however, the federal Interpretation
Act clearly provides that in interpreting powers, including the statutory powers to investigate
crime, it is deemed that any power necessary for the performance of the act is also given:
Where power is given to a person, officer or functionary to do or enforce the doing of any
act or thing, all such powers as are necessary to enable the person, officer or
functionary to do or enforce the doing of the act or thing are deemed to be also given.9
7 For example, s. 18 of the RCMP Act provides that “[i]t is the duty of members who are peace officers, [...] to
perform all duties that are assigned to peace officers in relation to the preservation of the peace, the prevention of
crime and of offences against the laws of Canada and the laws in force in any province in which they may be
employed, and the apprehension of criminals and offenders [...]”.
8 This section has both internal and external limits. The internal limit is the reasonableness of the action and the
external limit is the compliance of the action with the constitution – specifically, the Charter. Arguably, the
request would also not be reasonable if it conflicted with the Charter rights of the person to whom the request
pertained. This issue is examined in part V.E. of this article, below.
The Department of Justice and LEAs have advanced the view that their lawful authority to
request information also comes from the common law.10 In fact, the principle in relation to
ancillary powers (subsumed in the construction rule of the Interpretation Act) is more pointedly
articulated in the common law. As noted in R. v. Asante-Mensah (2001), 204 D.L.R. (4th) 5
(Ont. C.A.) at para. 44
[...] a statute conferring an investigative power on the police carries with it "ancillary
powers" that arise "by necessary implication and unavoidable inference": see Lyons v.
The Queen (1984), 15 C.C.C. (3d) 417 at p. 444 (S.C.C.); R. v. Simpson (1993), 79
C.C.C. (3d) 482 at p. 496 (Ont. C.A.).
As a result, to the extent that RCMP officers are endowed by statute with the powers and duties
of peace officers to apprehend criminals, they are “by necessary implication” also endowed with
the power to request information furthering such objectives.
However, it is interesting to note the submission filed by KINSA dated 14 January 2008 to the
Industry Canada Consultation on the Implementation Government Response in response to the
question of whether and how “lawful authority” might be clarified. In their submission, KINSA
proposes a very simple definition that essentially reflects our common understanding:
Further, with regards to the definition of “lawful authority” within section 7(3)(c.1), KINSA
supports the following definition: “a peace officer in the course of his/her duties”.
It has been argued that the existence of such a common law power must nevertheless be
determined on a case by case basis and cannot form the basis for the generalized type of
request contemplated by the CCAICE protocol. We would hold the contrary view. The CCAICE
initiative has indeed been set up so that the circumstances would, for all practical purposes, be
identical: the information provided is the same every time, the information requested is the same
every time, the lawful authority cited is generally the same every time (except for possible
changes for different police forces), the general crime being investigated is the same, the letter
of request used is essentially the same, and participating ISPs have already done their due
diligence when it comes to their own agreements and policies so any reasonable expectation of
privacy has already been considered.
Many believed that Bill C-29 would have provided much needed clarity to the definition of “lawful
authority”. Even Industry Canada’s own summary states that Bill C-29 would clarify that
PIPEDA permits organizations to collaborate with law enforcement agencies that have
requested the information without a warrant, subpoena or court order.11 Bill C-29 essentially
introduced what can be characterized as a negative definition of lawful authority given it is
defined as what is other than “a subpoena or warrant” or “rules of court”.12 This merely confirms
the general understanding (or not) already discussed, i.e. “lawful authority is lawful authority”.13
Whereas for many, the proposed language would be enough to tip the balance in favour of a
more “common” interpretation, there are those for whom “lawful authority” would remain
uncertain in the absence of additional legislative certainty or possibly an appellate court decision
on the matter.
9 Section 31(2) of the Interpretation Act, R.S.C. 1985, c. I-21.
10 Notably, the most common legal authorizations granted to peace officers at common law pertain to warrantless
arrests, search and seizure and entrance onto private property. These authorizations themselves derive, at common
law, from the legal authorizations granted to private citizens. As explained by Justice Binnie in R. v. Asante-Mensah, 2003 SCC 38, [2003] 2 S.C.R. 3, “[t]he development of modern police forces brought about a transfer of
law enforcement activities from private citizens to peace officers. But it is the peace officer's powers which are in a
sense derivative from that of the citizen, not the other way around.”
11 Industry Canada, “The Safeguarding Canadians' Personal Information Act: Bill Summary” (25 May 2010), online:
Industry Canada <http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00571.html>.
Nevertheless, both the statutory and common law powers discussed are necessarily limited by
the exigencies of the Charter, which exigencies are examined below to analyze whether they
limit the authority of a peace officer to request the kind of information under consideration here.
C. Interpretation and recommendations of the OPC
Since the enactment of PIPEDA, the Office of the Privacy Commissioner has made a number of
useful pronouncements in addition to those mentioned above on the purpose and scope of the
exceptions in s. 7 of PIPEDA.
For example, in a public statement at a meeting of Chief Privacy Officers at the end of 2005, in
response to a question about the differences between the various s. 7(3) provisions, the
Assistant Privacy Commissioner explained that each exception serves a different purpose: s.
7(3)(c) was intended for warrants and court orders; s. 7(3)(c.1)(ii) was meant to deal with pre-warrant stage, non-sensitive data with no Charter protection, and that organizations should get
the request in writing; s. 7(3)(d) deals with situations where the disclosure is made on the
initiative of the organization; and then, s. 7(3)(e) in an emergency situation.
This point was further explained before the PIPEDA Review Committee in 2007 and made its
way into the Committee’s Report issued in May 2007.14
As part of ongoing discussions, CCAICE members including industry, the OPC, Justice and
LEAs worked together to better understand the intent behind s. 7(3)(c.1) and how the CCAICE
protocol could be developed in such a way as to be privacy compliant. For example, some of
the considerations included: limiting the information disclosed to the customer’s name and
address with no other personal information such as service activation date, other IP addresses
used by account, etc.; ensuring a method of identifying the LEA making the request;15 using fax
back only to avoid possible online compromise unless an online secure method was used
(recently, some CCAICE members have been considering the use of secure electronic means
to further streamline and in some respects secure the process); and retention of records of the
requests for a sufficient period of time. It was further agreed that no notation would be made on
the customer’s account as no inference should be drawn from this request for CNA. In addition,
a customer would be denied access to the fact their CNA was disclosed as part of this process
otherwise the purpose would be defeated. This last point is made clearly in the CNA template
letter. Interestingly, Bill C-29 would have added a provision that expressly forbids an
organization from proactively notifying an individual that information has been requested or
obtained by a government institution under s. 7(3)(c.1).16
12 Supra note 1.
13 David TS Fraser, “Clarifying lawful authority in PIPEDA? Really?” (25 May 2010), online at: Canadian Privacy
Law Blog <http://blog.privacylawyer.ca/2010/05/clarifying-lawful-authority-in-pipeda.html>.
14 Fourth Report of the Standing Committee on Access to Information Privacy and Ethics (Statutory Review of the
Personal Information Protection and Electronic Documents Act (PIPEDA)) issued May 2007 at p. 25. See also
Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics
(Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)) supra note 4.
15 The initiative now requires the LEA to provide the name of supervisor, badge number, contact information, etc.
Naturally, there was a concern that this initiative could lead to LEA requests seeking information
pertaining to other offences. Although such disclosure would still be permissible under PIPEDA,
the CCAICE members indicated that they had no intention of extending the practice to other
offences and that any such further expansion would have to be dealt with under broader lawful
access discussions.
The OPC has continued to be part of ongoing CCAICE discussions and remains fully aware of
the CCAICE initiative and its evolution.
D. Expectation of privacy and Charter analysis
The compatibility of the CCAICE procedure with the Charter is relevant in three important ways:
(1) Charter considerations likely limit the lawful authority of LEAs to request too much
information under s. 7(3)(c.1); (2) both OPC and the leading commentary on PIPEDA state that
s. 7(3)(c.1) is not intended to be used in situations where a warrant would otherwise be
required; and (3) CCAICE members are not interested in participating in a process which could
lead to the exclusion of evidence.
Notably, the collection of information by LEAs at the pre-warrant stage allows for the
subsequent gathering of evidence as opposed to the warrant stage which is the actual gathering
of evidence. The pre-warrant CCAICE initiative, therefore, is akin to the offline pre-warrant
efforts of LEAs walking down the street and asking questions. In deciding whether to approach
an ISP at the pre-warrant stage, the LEA is required to consider the individual’s reasonable
expectation of privacy, including any regulatory or contractual obligations that may exist toward
the individual.
There is general comfort among the participating CCAICE members that a LEA request for CNA
as part of a child exploitation criminal investigation at the pre-warrant stage and the subsequent
disclosure of that information by an organization is unlikely to raise a Charter issue.
The following cases shed the most light on the relevant issues.
In R. v. Plant,17 the police accessed the computerized hydro consumption records of the
accused's residence and used the information revealed to obtain a search warrant for the
residence under the Narcotics Control Act. The majority of the Court found that the hydro
consumption records did not give rise to a reasonable expectation of privacy and therefore s. 8
of the Charter was not engaged. In deciding whether the state interest in law enforcement
outweighed the right of citizens to have a reasonable expectation of privacy in the records,
Sopinka J. explained:
Consideration of such factors as the nature of the information itself, the nature of the
relationship between the party releasing the information and the party claiming its
confidentiality, the place where the information was obtained, the manner in which it was
obtained and the seriousness of the crime being investigated allows for a balancing of
the societal interests in protecting individual dignity, integrity and autonomy with effective
law enforcement.
16 Supra note 1 at cl 13.
17 [1993] 3 S.C.R. 281.
In considering these factors, he further noted that:
[...] the information seized must be of a "personal and confidential" nature. In fostering
the underlying values of dignity, integrity and autonomy, it is fitting that s. 8 of the
Charter should seek to protect a biographical core of personal information which
individuals in a free and democratic society would wish to maintain and control from
dissemination to the state. This would include information which tends to reveal intimate
details of the lifestyle and personal choices of the individual. The computer records
investigated in the case at bar while revealing the pattern of electricity consumption in
the residence cannot reasonably be said to reveal intimate details of the appellant's life
[…] the transaction records which were maintained as a result of the commercial
relationship in the case at bar cannot be characterized as confidential communications.
[...] the seriousness of the offence militates in favour of the conclusion that the
requirements of law enforcement outweigh the privacy interest claimed by the appellant.
[...] while participation in the illicit trade of marihuana may not be as serious as the trade
in other narcotics such as cocaine, it remains an offence which is taken seriously by law
enforcement agents.
In R. v. Quinn,18 an investigator with the Insurance Corporation of British Columbia confirmed
with a bank official that specific bank account numbers belonged and were directly related to the
Appellant and that she had sole signing authority on the accounts. This information was later
used to obtain a search warrant for information pertaining to those accounts. One of the issues
in the appeal from the conviction of the Appellant was whether her right to be secure against unreasonable search
and seizure had been violated by the request for confirmation of account numbers by the
investigator prior to the issuing of a warrant. In applying the balancing test elaborated in Plant,
supra, Thackray J.A. noted:
In order to proceed with the investigation all that Corporal Shields sought from Mr.
Saunders was a confirmation of the name of the account holder. This was a fundamental
factor required to get the investigation underway. However, of more importance, it was a
necessary basic commodity for inclusion in the Information to Obtain.
He ultimately concluded that there was no unreasonable search as envisioned by the Charter.
He relied primarily on two points: (1) the serious nature of the crime under investigation - fraud;
and (2) the fact that the mere linking of a name to an account number has a limited connection
to a person’s biographical core of information.
18 2006 BCCA 255.
Most recently, the Supreme Court of Canada in R. v. Gomboc19 confirmed that the accused did
not have a reasonable expectation of privacy in information about the pattern of use of electricity
disclosed by the digital recording ammeter installed on his power line at the request of the
police. In so finding, Justice Deschamps was swayed by the “totality of the circumstances”.
A number of conclusions can be drawn from these cases. First, to determine whether a
reasonable expectation of privacy exists it will be necessary to consider a number of different
factors, including the nature of the information disclosed, the pre-existing relationships between
the parties and the seriousness of the offence under investigation. Second, the closer
information is to a person’s biographical core, the heavier it will weigh against disclosure. To
date we have seen that residential hydro consumption records and the confirmation of a link
between a name and an account number are not part of this biographical core of information.
The disclosure of a customer name and address linked to an IP address at a particular date and
time seems akin to the linking of a name to an account number. Both the IP address and the bank
account numbers are already known to the law enforcement authorities. Third, and even more
importantly, the necessity of the information to either get the investigation
underway or obtain a search warrant will be considered by the court. Where, as in many cases
dealing with online child exploitation, the link between an IP address and a customer name is
essential to get an investigation underway or to seek a warrant, it is less likely to give rise to an
expectation of privacy based on the reasoning in Quinn.
Now, it has been argued that the CCAICE initiative is a “wholesale” disclosure of subscriber
information. Nothing could be further from the truth as to do so would be contrary to PIPEDA
and to the subscriber’s Charter rights. LEAs would not have the lawful authority to request
information that would otherwise require a warrant. This is why the information disclosed as part
of the CCAICE initiative is currently limited to CNA. Whether or not other types of customer
information could be disclosed under s. 7(3)(c.1) without a warrant remains to be seen and
would be subject to any necessary s. 8 Charter analysis by the courts.
E. Early judicial treatment of CNA letters of request
When this article was first published in the summer of 2008 there was indeed little by way of
judicial interpretation of the CCAICE initiative and whether its use by LEAs gave rise to a breach
of an individual’s Charter rights. The following recounts the judicial treatment of the CCAICE
initiative at the time and includes an update of the growing body of jurisprudence as it existed at
the end of 2010.
R. v. Anderson20
In this case, customer name and address information was obtained without a warrant from
Shaw Communications Inc. for a particular IP address and the judge makes reference to
PIPEDA. This information was later used to obtain a warrant to search the accused’s home.
Ultimately, the accused pleaded guilty to the offence. The fact that the warrant was not
successfully challenged on the basis of the method by which the name and address information
was obtained supports the idea that such a method does not violate the customer’s Charter
rights.
19 [2010] 3 S.C.R. 211.
20 2005 ABPC 99.
R. v. Smith21
In R. v. Smith, the court considered the appropriateness of a telewarrant.22 Relevant to our
analysis is the court’s reference to the process used by the police officer to obtain the target
address:
[7] … This second IP address allowed Sergeant Mann (pursuant to s. 7(3) of the
Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5) to obtain
from Shaw Cable the billing address of the internet user through the use of a computer
“MAC number” [...]
[9] It is not disputed that, based on this information, Sergeant Mann had reasonable and
probable grounds to support the issuance of a search warrant to gain entry to the
appellant’s residence to search for evidence of the crimes in question. It is also common
ground that if the evidence produced in the search was admissible at trial, it was
sufficient to convict Mr. Smith of the offence of possession of child pornography for the
purpose of distribution or sale. (p. 4)
Neither the appellant, nor the trial judge, nor the Court of Appeal took any issue with how the
Sergeant had obtained the address information from Shaw Cable at the pre-warrant stage that
was then used to obtain the telewarrant and resulted in the disputed search.23
It is also interesting to note some of the findings referred to by the B.C. Court of Appeal that the
trial judge had made as part of his section 24(2) Charter analysis after he found that the search
was unreasonable given the procedural issues surrounding the request for a telewarrant and
other issues with the Information to Obtain:
The offence of child pornography is a serious one [...]
There was no reasonable expectation of privacy as it is related to the appellant’s IP
number. It was published on all of the communications that would have gone to the chat
room in Germany [emphasis added]
[...] It is a difficult question, but at the end of all of my considerations, I am not persuaded
that the administration of justice could be brought into disrepute if this evidence is
admitted. (pp. 13-14)
In deciding not to interfere with the trial judge’s decision to admit the evidence, the B.C. Court of
Appeal reaffirmed at p. 66 of its decision the Supreme Court of Canada’s position that
possession of child pornography for the purpose of distribution or sale is very serious because
of the personal and societal harm flowing from the sexual exploitation of children (see R. v.
Sharpe, [2001] 1 S.C.R. 45, at paras. 28-31 and 82-94).
21 2005 BCCA 334.
22 The use of a telewarrant per se is irrelevant to our analysis because it is at the “warrant” stage whereas the
CCAICE initiative is at the “pre-warrant” stage.
23 The appellant took issue with the procedure of obtaining the telewarrant afterwards for which the Criminal Code
has very specific requirements, none of which is relevant to this analysis.
Re S.C.24
In Re S.C., a search warrant sought on the basis of subscriber name and address information
that was obtained from an ISP was denied.
As per usual practice, a police officer had sought a search warrant after having obtained the
customer’s name and address from Bell Canada by virtue of a CCAICE letter of request. JP
Conacher found that the police officer was not in lawful possession of the target’s name and
address and there was therefore no nexus between the other evidence and the target individual
and residence. In particular, he explains:
[2] The issue that is fatal to this application at this time is the lack of sufficient authority
for obtaining the subscriber information and address from the Internet Service Provider
(ISP).
[3] In the Information to Obtain, Appendix C, at paragraph 42 the Informant states, “On
June 27th, 2006 I faxed Bell Canada a “Letter of Request for Account Information
Pursuant to a Child Sexual Exploitation Investigation” requesting the subscriber
information for the user of IP address [IP address deleted] on June 13th, 2006. This
request was done under the authority of P.I.P.E.D.A. (Personal Information Protection
and Electronic Documents Act).” Similar statements are then made at paragraphs 48
and 54.
[4] The Informant then states at paragraph 43, “On June 27th, 2006, under the authority
of P.I.P.E.D.A. (Personal Information Protection and Electronic Documents Act), I
received the following information from Bell Canada in regards to the subscriber of IP
address [IP address deleted]. [underlining added]
The CCAICE template letter clearly has a place for LEAs to insert their authority for requesting
the information, e.g. Royal Canadian Mounted Police Act and Royal Canadian Mounted Police
Regulations. What is indeed unfortunate about this decision is that the police officer in question
made a mistake and stated in his own Information to Obtain that PIPEDA was his authority for
obtaining the information. It is generally agreed that PIPEDA is not the authority for LEAs to
request or obtain such information, but rather is the authority that allows an organization to
disclose the requested information without consent or a warrant.
Having found that the police officer had not correctly identified in his Information to Obtain his
lawful authority for obtaining and possessing the information, JP Conacher simply concludes
that the CNA information is information in which a citizen “would have a reasonable expectation
of privacy”. This conclusion was made without conducting any Charter analysis whatsoever or
reviewing Bell’s internet service agreements with its customers.
It has since been confirmed that fairly soon following Conacher’s refusal, having provided all the
background information in a subsequent request for a search warrant to a judge, the LEA was
able to obtain the requested search warrant relying on the same underlying CNA information.
Unfortunately, this subsequent decision to grant the warrant has not been reported, as typically
such decisions are not reported. Also, the Conacher decision is that of a Justice of the Peace
regarding a request for a search warrant from a detective and has no precedential effect for the
courts.
24 2006 ONCJ 343.
The finding that PIPEDA does not provide authority for an LEA to request information is
relatively uncontroversial. In an article commenting on this case published in McCarthy
Tétrault’s Technology Law Quarterly, the author notes that “PIPEDA itself does not establish
authority […] to obtain information” and that the requesting institution should specify its lawful
authority to obtain personal information.”25
JP Conacher therefore concluded that the information in question was information in which the
citizen has a reasonable expectation of privacy. However, whether information is disclosed in
compliance with PIPEDA provisions or not is not necessarily determinative of whether s. 8
Charter rights have been breached by LEAs. It is still necessary to conduct some form of
Charter analysis which may include a review of applicable service agreements. Nevertheless, it
is arguable whether that would be sufficient to raise the level of privacy expectation to one
requiring a warrant prior to disclosure. To clarify, if the information did give rise to a “reasonable
expectation of privacy” under s. 8 of the Charter, then we would argue that no amount of
statutory or common law authority would authorize the collection of the information by LEAs
without the approval of the court.
While this decision of a JP was brought to the attention of the CCAICE members in the fall of
2006, neither Bell Canada nor other participating ISPs have chosen to amend their practices.
Since that time, Re S.C. was followed in R. v. Chehil26 for the proposition that
lawful authority is required for the police to obtain personal ticketing information because the
police in this case were found to have been on a “fishing expedition” to find drug couriers on a
WestJet flight from Vancouver. However, this lower court decision was reversed on appeal as it
was found that the judge had failed to consider the “totality of the circumstances” when
excluding the drug evidence.27
R. v. Kwok28
In this 2008 case, Gorewich J. of the Ontario Court of Justice considered an application under s.
24(2) of the Charter for the exclusion of two forms of evidence: conversations recorded in
Internet chat rooms and subscriber information provided to the police by Rogers. The
investigating officer testified to having logged onto an Internet chat room, being invited by a
pseudonymous user to a private conversation for the purpose of exchanging child pornography and
ultimately receiving such materials from that user. The initial contact in the chat room revealed
to the officer the I.P. address of the user, which was used for a request of customer name and
address from Rogers using a CNA letter of request. This name and address, combined with the
record of the private conversation, was used to obtain a search warrant for the user’s home.
After performing an analysis of the circumstances under which both the chat room and private
chat conversations were conducted, Gorewich J. concluded that an expectation of privacy
attached to the private conversation and that prior judicial authorization should have been
obtained for the “recording” of the conversation. Noting that such authorization could have been
easily obtained, he found that the admission of the recordings would bring the administration of
justice into disrepute and ordered the evidence excluded. Having made this finding, it was
unnecessary to rule on the question of whether judicial authorization had been required for
obtaining the subscriber information from Rogers.
25 “Disclosure of Information without Consent pursuant to Lawful Authority”, McCarthy
Tétrault Co-Counsel: Technology Law Quarterly, 3-2 at 18 (April-June 2007).
26 2008 NSSC 357 at paragraphs 29-30.
27 2009 NSCA 111.
28 [2008] O.J. No. 2414; 78 W.C.B. (2d) 21.
The judge does, however, undertake an analysis of the issue in obiter citing the possibility that
his finding on the private conversations might later be found to be in error. In this analysis, he
acknowledges that the request under s. 7(3)(c)29 is properly made and that the lawful authority
of the police officer is identified:
[32] ... It is reasonable in my view to find “lawful authority” can include, as the officer
testified, his authority as a police officer, identified to the entity, to obtain the information.
Given the stated purpose of the Act, and in particular s. 7(3)(c) [sic], to hold it means
only a warrant does not make any logical sense. This then takes the discussion to the
next consideration, that being whether subscriber information attracts Charter protection
and there can be an expectation of privacy. [emphasis added]
In deciding whether Charter protection attaches to the subscriber name and address
information, Gorewich J. refers to a number of findings in other cases. In BMG Canada Inc. v.
John Doe, [2004] 3 F.C.R. 241, the Federal Court found that “ISP account holders have an
expectation that their identity will be kept private and confidential. This expectation of privacy is
based on both the terms of their account agreements with their ISPs and sections 3 and 5 of the
PIPEDA.” In R. v. Stucky, [2006] O.J. No. 106 (S.C.J.), the Ontario court found that an
expectation of privacy does not attach to subscriber information for a postal box. In R. v. Plant,
supra, it was found that disclosure of electricity records does not attract s. 8 protection.
In applying some of this reasoning to the case, Gorewich J. notes that there “is no evidence
about the contractual agreement between the parties about keeping this information
confidential” and further observes that “in the years preceding the enactment of PIPEDA,
authorities sought a warrant first before acquiring such information”. He proceeds to distinguish
Plant and Stucky on the basis that a different kind of information was sought and finds that:
[35] ... personal information such as names and addresses of customers, held by
companies, in this case Rogers, would tend to disclose intimate details of lifestyle and
choices. The acquiring of such information [...] should be scrutinized by a neutral body, a
judicial authority... The subscriber [...] has an expectation of privacy in respect of this
personal information.
In finding that name and address information can disclose intimate details, he relies in part on
the finding in BMG Canada Inc., supra and, in part, on the argument of the appellant that name
and address is revealing by definition as it identifies socio-economic status, identities of friends
and neighbours, schedules of those using the address and vehicle information.
Noting that the circumstances under which the information was obtained from Rogers were not
exigent and the evidence could have been obtained without a breach of the applicant's Charter
rights, Gorewich J. chose to exclude the evidence.
From this case, two important points can be taken. First, it is reasonable that “lawful authority” to
request information would include the authority of a police officer. Second, the status of
subscriber name and address information continued to be controversial at the time. While
Gorewich J. found it to be subject to a reasonable expectation of privacy, he relied heavily on
the case of BMG Canada Inc. The decision in BMG Canada Inc. relied on the agreements
between users and ISPs. From the Kwok decision, there was no evidence that such agreements
were discussed or reviewed by Gorewich J. Furthermore, the interpretation advanced by
Gorewich J. seems in stark contrast with the views expressed above which condone this form of
disclosure while at the same time acknowledging that no disclosure ought to be made under s.
7(3)(c.1) where a warrant would otherwise be required.
29 More correctly, he is referring to s. 7(3)(c.1).
F. Post-Kwok Cases
Generally, s. 7(3)(c.1) cases after Kwok have not followed Gorewich J’s decision. One line of
cases has distinguished Kwok based on internet service agreements that contain
provisions permitting the ISP to disclose information to LEAs. These service agreements were
used to negate a customer’s reasonable expectation of privacy in CNA information. In addition,
another line of cases has gone even further, holding that a customer cannot have a reasonable
expectation of privacy in CNA information because it is not core biographical information.
In R. v. Ward,30 R. v. Verge,31 R. v. Vasic,32 and R. v. McGarvie33 the judges held that an
accused had no reasonable expectation of privacy in CNA information. They were highly persuaded by the
fact that the accuseds’ internet service agreements expressly permitted the ISPs to disclose
CNA information to LEAs. In Ward, Lalande J. lists at para. 69 the following factors that led to
his conclusion:
The gist of the contractual information with Bell Sympatico was that personal information
could, in certain circumstances, be shared with the police. Personal information within
the definition of the service agreement was information significantly more intrusive
because of its inclusion of such information as credit information, billing records, service
and equipment and recorded complaints.
…
Bell Sympatico had reserved the contractual right to disclose information especially in
situations involving investigations of child pornography. This did not exclude subscriber
information (name and address).
In Verge and Vasic, Keaney J. and Thorborne J., respectively, adopt Lalande J’s reasoning in
Ward since the relevant facts in both cases are identical. Notably, these judges mention internet
service agreements to explicitly distinguish Kwok. Furthermore, Halikowski J. in McGarvie
concludes at para. 37 that:
The Accused was aware that his more intimate financial information could be revealed to
others under certain circumstances. He was equally aware that Bell Canada had
reserved a contractual right to disclose information especially in situations involving
investigations of Child Pornography and this information did not exclude subscriber
information such as his name and address. And finally, as a matter of public policy - the
Accused(s) cannot claim a privacy interest in any illegal information he may have been
accessing at the subject website.
30 [2008] O.J. No. 3116 (C.J.).
31 2009 CarswellOnt 501 (C.J.).
32 2009 CarswellOnt 846 (S.C.J.).
33 2009 CarswellOnt 500 (S.C.J.).
Although Halikowski J. makes no mention of Kwok, he uses reasoning similar to that of Lalande J.
These cases show the importance judges put on internet service agreements in determining
whether a customer has a reasonable expectation of privacy in their personal information.
Another line of cases has gone even further and explicitly overrules Kwok. Specifically, R. v.
S.W.F.,34 R. v. Wilson35 and R. v. Trapp,36 relying on Plant, held that there is no reasonable
expectation of privacy in CNA information because it is not core biographical information
protected by the Charter. In S.W.F., Nadal J. held at para. 24 that:
[A]ccount information, per se, reveals very little about the personal lifestyle or private
decisions of the occupants of the defendant's residence other than they have chosen to
have some form of internet connection installed in that residence. Moreover, the
prevalence of wireless and hand-held technology makes a particular address an even
less significant fact so far as internet use is concerned, since that use is no longer tied to
a land line tied to a particular address.
In Wilson, Leitch R.S.J. approves of Nadal J’s above finding and further adds at para. 42 that:
In my view, the applicant had no reasonable expectation of privacy in the information
provided by Bell considering the nature of that information. One's name and address or
the name and address of your spouse are not "biographical information" one expects
would be kept private from the state. It is information available to anyone in a public
directory and it does not reveal, to use the words of Sopinka J in Plant, "intimate details
of the lifestyle and personal choices or decisions of the applicant".
Although Trapp deals with Sasktel and s. 29(2)(ii) of the Freedom of Information and Protection
of Privacy Act (which is modeled after s. 7(3)(c.1)), it is consistent with the
above cases because it relies on Plant to overrule Kwok.
Although the jurisprudence has overwhelmingly moved away from the reasoning in Kwok, it is
still worth mentioning that not all subsequent cases have been inconsistent with it.
In particular, in R. v. Cuttell37, Pringle J. concludes at para. 21 that:
I agree with Justice Gorewich that the information discloses intimate details of a
subscriber's lifestyle and choices. Once the police accessed Mr. Cuttell's name and
address, they were able to link his identity to a wealth of intensely personal information.
Linking his name to the shared folder under his IP address, police learned a great deal
about Douglas Cuttell and his lifestyle: namely in this case, his interest in adult
pornography, obscenity and child pornography, which were all revealed by his choice of
shared files.
Pringle J. does not analyze whether the accused’s reasonable expectation of privacy is negated
by his service agreement because in this case there was no evidence of the contract between
Bell and the accused. This decision appears to be anomalous. Nevertheless, if a contract had
been found, the judge would have likely followed the reasoning mentioned above in the first line
of cases and concluded that the accused’s reasonable expectation of privacy was negated.
34 2008 ONCJ 740 (aka Friers).
35 [2009] O.J. No. 1067.
36 2009 SKPC 5; argued in the Saskatchewan Court of Appeal November 2010.
37 [2009] O.J. No. 4053 (C.J.).
Two November 2010 decisions are worthy of mention. In R. v. McNeice,38 where
Northwestel was the service provider and the accused was bound by their terms of service, the
BC Supreme Court clearly distinguishes Kwok and Cuttell as they involved the absence of any
evidence of a contract affecting the reasonable expectation of privacy of the accused. Meiklem
J. goes on to conclude that:
absent a finding of state agency, s. 487.014(1) provides the police with lawful authority
to make a PIPEDA request for subscriber information, which an ISP is not prohibited by
law from disclosing if it falls within the provisions of s. 7(3)(c.1) of PIPEDA.39
Finally, R. v. Brousseau40 makes a similar finding regarding the absence of contractual
evidence in Kwok and Cuttell. Justice Croll also observes that Pringle J. in Cuttell noted that, had
such a contract existed, it might have altered privacy expectations. More importantly, the decision confirms
that PIPEDA does not require that police obtain judicial pre-authorization in every case.
Furthermore, reference is specifically made to the statement by the OPC that the Canadian
government’s clarification of the overall intent of section 7 of PIPEDA “is to allow organizations
to collaborate with law enforcement and national security agencies without a subpoena, warrant
or court order. Organizations who share information with government institutions, including law
enforcement and national security agencies, in accordance with the requirements of this
provision, are doing so in compliance with PIPEDA.”41
G. Contractual obligations to ISP Customers
As noted above, given that LEAs would be required to assess whether there might be a greater
expectation of privacy on the part of users for CNA information in this very specific context, a
review of the contractual obligations between ISPs and their users was necessary. Therefore,
each participating ISP was to satisfy itself that its privacy policies, end user agreements and
acceptable use policies did not otherwise preclude it from disclosing the CNA information.
Contractual language precluding disclosure could, though not necessarily, have the effect of
raising the expectation of privacy and hence may require a warrant for such disclosure,
notwithstanding the clear exceptions in PIPEDA.
By way of example, the Bell Internet Agreements42 have contained for quite some time
essentially the following language:
[…] and to disclose any information necessary to satisfy any laws, regulations or other
governmental request from any applicable jurisdiction, or as necessary to operate and
optimize the Service, or to protect itself or others.
38 [2010] B.C.J. No. 2131.
39 Ibid at paragraphs 43 and 46.
40 2010 ONSC 6753.
41 Ibid at paragraph 44. See also supra note 4.
42 See clause 17 of the Bell Internet Service Agreements available at
http://internet.bell.ca/index.cfm?method=content.view&category_id=550&content_id=11013.
Most large ISPs now have sufficient language to continue with this initiative and not infringe
upon their users’ privacy or Charter rights. Other sample language includes: “legal, regulatory or
other governmental requests” and “cooperate with law enforcement authorities in the
investigation of suspected criminal violations”. Therefore, these ISP contracts arguably cannot
raise the reasonable expectation of privacy. This conclusion is consistent with the case law
discussed above.
The review of ISP user agreements as part of the CNA initiative was meant to provide additional
comfort to participating ISPs and to address any possible argument regarding a greater
expectation of privacy that might arise if the CNA information were obtained at the pre-warrant
stage. It has therefore developed into a “belt & suspenders” approach as PIPEDA allows for
disclosure without consent under s. 7(3)(c.1). By agreeing to the terms and conditions in the
user agreement, the customer is in effect granting their explicit consent to such disclosures (see
OPC PIPEDA Case Summaries #2 and #319).
H. Privacy policies
Even though organizations have tended to include an approximation of the various key
exceptions to consent in PIPEDA in their privacy policies, in particular those related to
disclosure without consent, the list that is provided by the organization is usually a
representative list of the types of situations when the disclosure without consent may occur.
Typically, it does not reflect the entire PIPEDA list of exceptions – to do so would greatly
increase the length of a privacy policy unnecessarily. For example, rarely is there any reference
in privacy policies to the exception for disclosure to a notary or solicitor (s. 7(3)(a)) or made on
the initiative of the organization which has reasonable grounds to believe that the information
relates to a breach of an agreement or law (s. 7(3)(d)).
Clearly, an organization is allowed to disclose customer information under a warrant or when
required by law. This is true even if the organization has not included such a circumstance in its
privacy policy or user agreement – to think otherwise would be absurd. Providing an exhaustive
list of the PIPEDA exceptions has not been required under PIPEDA and does not represent
industry practice. Even then, amending one’s user agreement or privacy policy to further clarify
or reflect something that the organization is already permitted to do under PIPEDA is highly
unlikely to be considered a “fundamental” change.
Moreover, we are not aware of any privacy policy that specifically refers to all of the explicit
exceptions in PIPEDA, including s. 7(3)(c.1). The preferable approach is to mention the
well-known “required by law” and court order examples and, more recently, responding to a
“government request”.
V. Conclusion
The CCAICE initiative and related CNA letter of request protocol have been used by many
member ISPs for close to five years now. The privacy issues raised above have been coming to
the greater attention of the lower courts and now await the decision of at least the
Saskatchewan Court of Appeal. While the interpretation of PIPEDA and ISP customers’
reasonable privacy expectations in their CNA information have yet to be definitively settled
judicially, pronouncements of the OPC, persuasive Charter jurisprudence, the government’s
intent in former Bill C-29 and carefully drafted user agreements have been sufficient to assuage
the concerns of the participants. In hope of furthering important public interests, the participants
continue to invest significant resources in responding to a relatively large number of law
enforcement requests using the CCAICE protocol in the ongoing fight to combat online child
exploitation.