Updated: Business Disclosure of personal information to law enforcement agencies:
Transcription
Updated: Business Disclosure of personal information to law enforcement agencies:
Updated: Business Disclosure of personal information to law enforcement agencies: PIPEDA and the CNA letter of request protocol By Suzanne Morin, Assistant General Counsel, Privacy, Research In Motion Limited (formerly Assistant General Counsel & Privacy Chief, Legal & Regulatory, Bell Canada), with the assistance of Amy Awad as part of her University of Ottawa Technology Law Internship in 2008 and the subsequent assistance of Dee Pham in 2010 as part of the same program Updated as of May 2011 As originally explained in 2008 when this article was first published, Canadian Internet Service Providers (“ISPs”) continue to receive a large number of requests for customer information from law enforcement agencies. The best approach to handling these requests remains controversial and the issue will continue to be dealt with in political circles in the context of ongoing “lawful access” discussions. In the meantime, a number of Canadian ISPs have stayed the course with their strategy to deal with a subset of these requests of particular concern to them – those pertaining to online child exploitation investigations. The initiative, where participating ISPs voluntarily disclose customer name and address linked to an IP address at a particular date and time to law enforcement at the pre-warrant stage of child exploitation investigations, remains interesting at a number of levels. It touches on privacy issues pertaining to the proper interpretation of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the reasonable privacy expectations of ISPs’ customers. It also provides an ongoing example of a relatively successful voluntary collaboration between private business, law enforcement and privacy regulators aimed at tackling legal uncertainties where they may most negatively affect the public good. In this article, we hope to provide an updated overview of the initiative as well as the evolving body of jurisprudence regarding the relevant legal issues pertaining to the interpretation of PIPEDA and s. 8 of the Canadian Charter of Rights and Freedoms (the “Charter”). I. CNA letter of request initiative / protocol Under the auspices of the Canadian Coalition Against Internet Child Exploitation (“CCAICE”), certain Canadian ISPs, including Bell Canada, developed in conjunction with certain Canadian law enforcement agencies (“LEAs”), in particular the RCMP’s National Child Exploitation Coordination Centre (“NCECC”), a process to handle law enforcement requests of certain limited customer information. A participating ISP, in response to an agreed upon template letter of request, will disclose to the requesting LEA the last known name and address of the account holder that was using a particular IP address at a specific date and time. These requests are made in non-emergency situations and in the absence of a court order. While the current template letter was slightly changed at the end of 2007 to reflect almost two years of use, no changes have since been made as the process is working quite well. This very limited CNA (customer name and address) disclosure initiative is being used at the pre-warrant stage of child exploitation investigations only and is intended to strike the right balance between ensuring fundamental freedoms and Internet principles, and contributing to eradicating a widelycondemned social evil. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 1 II. PIPEDA and exceptions for disclosure without consent PIPEDA provides a regime that governs the collection, use and disclosure of personal information in the private sector. Generally, it requires the knowledge and consent of the individual. It also provides, however, for specific circumstances where personal information can be disclosed without consent. The relevant provisions of PIPEDA can be found in s. 7(3). The discussion surrounding the CNA initiative necessarily involves an analysis of which of the various exceptions applies under differing circumstances. The following five provisions of subsection 7(3) are intended to apply in very specific types of situations: (c) court order or warrant; (c.1) government institution request for information relating to enforcement or investigation of law of Canada; (d) organization’s own initiative; (e) emergency situation; and (i) required by law. The provisions pertaining to court orders, an organization’s own initiative and emergency situations are well understood. Where the confusion arises is in understanding the difference between a (c.1) disclosure in response to an LEA request at the pre-warrant stage of an investigation and why a court order or warrant is not required in such cases and under (i) when the disclosure is required by law. III. Disclosure when required by law (s. 7(3)(i)) Disclosure required by law under s. 7(3)(i) of PIPEDA refers to disclosure required by orders or directions of courts and tribunals of competent jurisdiction. It also refers to the various nonjudicial authorities that exist in numerous pieces of legislation such as the Income Tax Act, Employment Insurance Regulations, Statistics Canada Act, various support order enforcement legislation, etc. that authorize government officials to demand certain disclosure and legally compels organizations to provide the information requested. Non-compliance by an organization in such circumstances would be akin to not responding to a court order or warrant, that is, negative legal consequences would arise for non-compliance. Frequently, non-compliance with such disclosure requests constitutes an offence pursuant to the statute in question. Usually, organizations that are presented with requests or demands for the disclosure of certain information will perform the required due diligence to ensure the request or demand is consistent with the statutory power under which it is being exercised and that in fact they are “required by law” to disclose the information. However, when it comes to police officers, one would typically never verify a police officer’s lawful authority to investigate crime. Interestingly, the former proposed bill to amend PIPEDA, Bill C-29, would have made it clear that organizations were not required to verify the lawful authority identified by what would be essentially police officers as their lawful authority would be “other than (i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or (ii) rules of court relating to the production of records”.1 Notably, over the last couple of years, there has been a general increase in the number of government institutions that have tried to convince organizations that they can rely on the use of the “lawful authority” provision rather than the “required by law” provision to disclose the 1 Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act, 3rd Sess., 40th Parl., 2010, cl. 12. This bill died on the Order Paper when the 40th Parliament was dissolved on 26 March 2011. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 2 information at issue. In such cases, the government institution typically identifies in their request the same statutory authority they would normally use to demand disclosure of the information as their “lawful authority” under s. 7(3)(c.1) without going the next step of actually demanding the information. This is done simply to speed up their administrative processes. Under such circumstances, an organization may decide to voluntarily respond to such a request from a government institution and still be compliant with their obligations under PIPEDA. Many organizations, however, continue to insist on the actual invocation of that statutory power before doing so such that they are “required” to disclose the information requested. IV. Disclosure in response to lea request (pre-warrant stage of investigation, S. 7(3)(C.1)) Essentially, three requirements must be met in order for an organization to disclose without consent under s. 7(3)(c.1): i) the disclosure must be made to a government institution that has made a request; ii) the government institution must have identified its lawful authority to obtain the information; and iii) the government institution must have indicated that the disclosure is requested for the purpose of law enforcement, national security or administration of a law. The first and third requirements are fairly straightforward. While there is no definition of “government institution” in PIPEDA and no regulations have been issued to define the term, there nevertheless seems to be a general consensus that the RCMP and other provincial or city police would be characterized as such.2 CNA requests made using the established protocol will always be made in the context of the enforcement of a law of Canada or an investigation related to such enforcement, e.g. the Criminal Code. A. Purpose of Section 7(3)(c.1) To avoid redundancy, s. 7(3)(c.1) must have a meaning such that the scope is different from that of s. 7(3)(c) dealing specifically with warrants and court orders and s. 7(3)(i) dealing with disclosure required by law. That interpretation would be consistent with the commentary on PIPEDA by Heather Black and Stephanie Perrin (two architects of PIPEDA), who make the following comment on s. 7(3)(c.1): This paragraph is aimed at “pre-warrant” activities in which private sector organizations cooperate with domestic law enforcement agencies who are collecting the information on a “casual” or “routine” basis and for which no warrant is required. Only information that is of relatively innocuous nature will be collected by these means, since the collection of information in which the individual has a reasonable expectation of privacy would require the Charter protection of a warrant.3 2 Furthermore, “government institution” under the federal public sector Privacy Act explicitly includes the RCMP. 3 Stephanie Perrin et al., The Personal Information and Electronic Documents Act: An Annotated Guide (Concord, Ont.: Irwin Law, 2001). Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 3 It has long been accepted that the provision was originally introduced by Industry Canada in response to representations made by law enforcement and national security agencies with the intent to allow them to continue to be able to engage in pre-warrant intelligence gathering. This view was confirmed by the Office of the Privacy Commissioner (“OPC”) when it stated in an email exchange dated 10 April 2007 with the author during the PIPEDA Review Committee hearings that it “… is not opposed to language which would seek to clarify the intent of c.1 and remove any confusion that may exist. … c.1 was introduced by Industry Canada as a result of representations made by law enforcement and national security agencies. The intent as explained to Parliament was to maintain the status quo for these agencies to allow them to engage in pre-warrant intelligence gathering. Organizations have the discretion to disclose information or not pursuant to any request. Organizations are encouraged to get confirmation of lawful authority in writing.” The fact that its application is not dependent on the existence of judicially mandated disclosure is further confirmed by the Government of Canada in its 2007 Response to the statutory review of PIPEDA: The government wishes to confirm that the purpose of s. 7(3)(c.1) is to allow organizations to collaborate with law enforcement and national security agencies without a subpoena, warrant or court order.4 Meanwhile, the federal Privacy Commissioner in October 2007, in responding to the joint Public Safety and Industry Canada CNA Information Consultation (no longer available on the departmental websites), outlined in her comments the intent of section 7(3)(c.1): Paragraph 7(3)(c.1), in contrast, is clearly intended to allow organizations to disclose personal information without consent or notification to LE/NS agencies and other government bodies in the absence of prior judicial authorization. However, the organization requesting the information has to identify its legal authority and indicate that it is collecting the information for one of the reasons listed in the paragraph, for example to enforce a law of Canada, a province or a foreign jurisdiction. When the legislation (Bill C-6) was being debated in the House of Commons, the Minister of Industry clearly stated that 7(3)(c.1) was intended to maintain the status quo, "These amendments do not grant new powers to government institutions, nor do they create new obligations on business." Although 7(3)(c.1) was not intended to alter the status quo we appreciate that it may have created some uncertainty on the part of organizations being asked to disclose certain information. This provision was the subject of a considerable amount of discussion during the mandatory five year review of PIPEDA conducted by the House of Commons Standing Committee on Access to Information Privacy and Ethics. In its report, tabled on May 2, 2007, the Committee recommended that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1). 4 Canada, Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics at p. 6. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 4 … The Privacy Commissioner has stated publicly that she would not object to adding definitions for the terms "lawful authority" and "government institution" if the government feels that such definitions would bring clarity to the legislation. Although the consultation paper identifies the "absence of explicit legislation" as one of the problems the consultation process seeks to address, PIPEDA is, in fact, an explicit legislative code that permits lawful access by LE/NS agencies while "preserving and protecting the privacy and other rights and freedoms of all people in Canada." [Emphasis added] This view is also clearly supported by the recent Ontario decision in Kwok (see below). B. Meaning / sources of “lawful authority” The term “lawful authority” is not defined in PIPEDA or in the federal Interpretation Act. It is, therefore, necessary to apply the general rule of statutory interpretation to understand under what circumstances disclosure of information under s. 7(3)(c.1) is allowed. In accordance with the general principles of statutory interpretation, […] the words of an Act are to be read in their entire context and in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament.5 The grammatical and ordinary sense of “lawful authority” includes any authority conferred by law. In Canada, there are two primary sources of law and, hence, lawful authority: statutory or regulatory provisions and the common law. Each must be examined to determine the existence of an LEA's authority to request specific information. A survey of the Canadian Statute Book reveals that it is uncommon for a statutory provision to specifically create the authority for a LEA to request (as oppose to demand) information. Nevertheless, there are numerous legislative provisions that refer to the powers of a peace officer or confer such powers on specific individuals.6 For example, s. 9 of the Royal Canadian Mounted Police Act provides that: [e]very officer and every person designated as a peace officer under subsection 7(1) is a peace officer in every part of Canada and has all the powers, authority, protection and privileges that a peace officer has by law […] [emphasis added]. 5 Elmer Driedger, Construction of Statutes, 2nd ed. (Toronto: Butterworths Ltd., 1983) at p. 87. See e.g. Child and Family Services Act, R.S.O. 1990, c. C.11, s. 90(3), Public Works Protection Act, R.S.O. 1990, c. P.55, s. 2(2), Police Act, R.S.A. 2000, c. P-17, s. 38(1), Regulation respecting the application of the Act respecting detective or security agencies, R.Q. c. A-8, r.1, s. 2, Parks Act, R.S.Q. c. P-9, s. 15. 6 Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 5 The Province of Alberta has adopted a similar view as to what constitutes “lawful authority”. In Service Alberta’s guidance document, "Requesting Personal Information from the Private Sector: Forms and Guidelines for Law Enforcement Agencies", it is stated that when dealing with the requirement to identify a government institution’s “lawful authority” (at p. 10): [S]ome statutes provide an agency with specific investigative powers that may include information-gathering powers, as in the case of investigations pursuant to the Alberta Occupational Health and Safety Act, or as identified in the duties and powers provided to police officers under section 38(1) of the Police Act. Interestingly, s. 487.014(1) of the Criminal Code provides that: [f]or greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing. Notably, this section does not provide authority to ask for information but rather confirms that such authority already belongs to peace officers and is included in their general investigative powers. These powers are expounded in s. 25 of the Criminal Code, which provides as follows: 25. (1) Everyone who is required or authorized by law to do anything in the administration or enforcement of the law (a) as a private person, (b) as a peace officer or public officer, (c) in aid of a peace officer or public officer, or (d) by virtue of his office, is, if he acts on reasonable grounds, justified in doing what he is required or authorized to do […]. To the extent that a peace officer or member of a particular police force is required by law to investigate crimes, they are, according to s. 25, justified in fulfilling such requirements as long as they act reasonably.7 Therefore, a peace officer investigating a case of online child exploitation is justified in requesting CNA from an ISP as long as the request is reasonable.8 Arguably, justification and authority may not be equivalent, however, the federal Interpretation Act, clearly provides that in interpreting powers, including the statutory powers to investigate crime, it is deemed that any power necessary for the performance of the act is also given: 7 For example, s. 18 of the RCMP Act provides that “[i]t is the duty of members who are peace officers, [...] to perform all duties that are assigned to peace officers in relation to the preservation of the peace, the prevention of crime and of offences against the laws of Canada and the laws in force in any province in which they may be employed, and the apprehension of criminals and offenders [...]”. 8 This section has both internal and external limits. The internal limits is the reasonableness of the action and the external limits are the compliance of the action with the constitution – specifically, the Charter. Arguably, the request would also not be reasonable if it conflicted with the Charter rights of the person to whom the request pertained. This issue is examined in part V.E. of this article, below. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 6 Where power is given to a person, officer or functionary to do or enforce the doing of any act or thing, all such powers as are necessary to enable the person, officer or functionary to do or enforce the doing of the act or thing are deemed to be also given.9 The Department of Justice and LEAs have advanced the view that their lawful authority to request information also comes from the common law.10 In fact, the principle in relation to ancillary powers (subsumed in the construction rule of the Interpretation Act) is more pointedly articulated in the common law. As noted in R. v. Asante-Mensah (2001), 204 D.L.R. (4th) 5 (Ont. C.A.) at para. 44 [...] a statute conferring an investigative power on the police carries with it "ancillary powers" that arise "by necessary implication and unavoidable inference": see Lyons v. The Queen (1984), 15 C.C.C. (3d) 417 at p. 444 (S.C.C.); R. v. Simpson (1993), 79 C.C.C. (3d) 482 at p. 496 (Ont. C.A.). As a result, to the extent that RCMP officers are endowed by statute with the powers and duties of peace officers to apprehend criminals, they are “by necessary implication” also endowed with the power to request information furthering such objectives. However, it is interesting to note the submission filed by KINSA dated 14 January 2008 to the Industry Canada Consultation on the Implementation Government Response in response to the question of whether and how “lawful authority” might be clarified. In their submission, KINSA proposes a very simple definition that essentially reflects our common understanding: Further, with regards to the definition of “lawful authority” within section 7(3)(c.1), KINSA supports the following definition: “a peace office in the course of his/her duties”. It has been argued that the existence of such a common law power must nevertheless be determined on a case by case basis and cannot form the basis for the generalized type of request contemplated by the CCAICE protocol. We would hold the contrary view. The CCAICE initiative has indeed been set up so that the circumstances would, for all practical purposes, be identical: the information provided is the same every time, the information requested is the same every time, the lawful authority cited is generally the same every time (except for possible changes for different police forces), the general crime being investigated is the same, the letter of request used is essentially the same, and participating ISPs have already done their due diligence when it comes to their own agreements and policies so any reasonable expectation of privacy has already been considered. Many believed that Bill C-29 would have provided much needed clarity to the definition of “lawful authority”. Even Industry Canada’s own summary states that Bill C-29 would clarify that PIPEDA permits organizations to collaborate with law enforcement agencies that have requested the information without a warrant, subpoena or court order.11 Bill C-29 essentially introduced what can be characterized as a negative definition of lawful authority given it is 9 Section 31(2) of the Interpretation Act, R.S.C, 1985, c. I-21. Notably, the most common legal authorizations granted to peace officers at common law pertain to warrantless arrests, search and seizure and entrance onto private property. These authorizations themselves derive, at common law, from the legal authorizations granted to private citizens. As explained by Justice Binnie in R. v. AssanteMensah, 2003 SCC 38, [2003] 2 S.C.R. 3, “[t]he development of modern police forces brought about a transfer of law enforcement activities from private citizens to peace officers. But it is the peace officer's powers which are in a sense derivative from that of the citizen, not the other way around.” 11 Industry Canada, “The Safeguarding Canadians' Personal Information Act: Bill Summary” (25 May 2010), online: Industry Canada < http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00571.html>. 10 Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 7 defined as what is other than “a subpoena or warrant” or “rules of court”.12 This merely confirms the general understanding (or not) already discussed, i.e. “lawful authority is lawful authority”.13 Whereas for many, the proposed language would be enough to tip the balance in favour of a more “common” interpretation, there are those for whom “lawful authority” would remain uncertain in the absence of additional legislative certainty or possibly an appellate court decision on the matter. Nevertheless, both the statutory and common law powers discussed are necessarily limited by the exigencies of the Charter, which exigencies are examined below to analyze whether they limit the authority of a peace officer to request the kind of information under consideration here. C. Interpretation and recommendations of the OPC Since the enactment of PIPEDA, the Office of the Privacy Commissioner has made a number of useful pronouncements in addition to those mentioned above on the purpose and scope of the exceptions in s. 7 of PIPEDA. For example, in a public statement at a meeting of Chief Privacy Officers at the end of 2005, in response to a question about the differences between the various s. 7(3) provisions, the Assistant Privacy Commissioner explained that each exception serves a different purpose: s. 7(3)(c) was intended for warrants and court orders; s. 7(3)(c.1)(ii) was meant to deal with prewarrant stage, non-sensitive data with no Charter protection, and that organizations should get the request in writing; s. 7(3)(d) deals with situations where the disclosure is made on the initiative of the organization; and then, s. 7(3)(e) in an emergency situation. This point was further explained before the PIPEDA Review Committee in 2007 and made its way into the Committee’s Report issued in May 2007.14 As part of ongoing discussions, CCAICE members including industry, the OPC, Justice and LEAs worked together to better understand the intent behind s. 7(3)(c.1) and how the CCAICE protocol could be developed in such a way as to be privacy compliant. For example, some of the considerations included: limiting the information disclosed to the customer’s name and address with no other personal information such as service activation date, other IP addresses used by account, etc.; ensuring a method of identifying the LEA making the request;15 using fax back only to avoid possible online compromise unless an online secure method was used (recently, some CCAICE members have been considering the use of secure electronic means to further streamline and in some respects secure the process); and retention of records of the requests for a sufficient period of time. It was further agreed that no notation would be made on the customer’s account as no inference should be drawn from this request for CNA. In addition, a customer would be denied access to the fact their CNA was disclosed as part of this process otherwise the purpose would be defeated. This last point is made clearly in the CNA template letter. Interestingly, Bill C-29 would have added a provision that expressly forbids an 12 Supra note 1. David TS Fraser, “Clarifying lawful authority in PIPEDA? Really?” (25 May 2010), online at: Canadian Privacy Law Blog <http://blog.privacylawyer.ca/2010/05/clarifying-lawful-authority-in-pipeda.html>. 14 Fourth Report of the Standing Committee on Access to Information Privacy and Ethics (Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)) issued May 2007 at p. 25. See also Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics (Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)) supra note 4. 15 The initiative now requires the LEA to provide the name of supervisor, badge number, contact information, etc. 13 Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 8 organization from proactively notifying an individual that information has been requested or obtained by a government institution under s. 7(3)(c.1).16 Naturally, there was a concern that this initiative could lead to LEA requests seeking information pertaining to other offences. Although such disclosure would still be permissible under PIPEDA, the CCAICE members indicated that they had no intention of extending the practice to other offences and that any such further expansion would have to be dealt with under broader lawful access discussions. The OPC has continued to be part of ongoing CCAICE discussions and remains fully aware of the CCAICE initiative and its evolution. D. Expectation of privacy and charter analysis The compatibility of the CCAICE procedure with the Charter is relevant in three important ways: (1) Charter considerations likely limit the lawful authority of LEAs to request too much information under s. 7(3)(c.1); (2) both OPC and the leading commentary on PIPEDA state that s. 7(3)(c.1) is not intended to be used in situations where a warrant would otherwise be required; and (3) CCAICE members are not interested in participating in a process which could lead to the exclusion of evidence. Notably, the collection of information by LEAs at the pre-warrant stage allows for the subsequent gathering of evidence as opposed to the warrant stage which is the actual gathering of evidence. The pre-warrant CCAICE initiative, therefore, is akin to the offline pre-warrant efforts of LEAs walking down the street and asking questions. In deciding whether to approach an ISP at the pre-warrant stage, the LEA is required to consider the individual’s reasonable expectation of privacy, including any regulatory or contractual obligations that may exist toward the individual. There is general comfort among the participating CCAICE members that a LEA request for CNA as part of a child exploitation criminal investigation at the pre-warrant stage and the subsequent disclosure of that information by an organization is unlikely to raise a Charter issue. The following cases shed the most light on the relevant issues. In R. v. Plant,17 the police accessed the computerized hydro consumption records of the accused's residence and used the information revealed to obtain a search warrant for the residence under the Narcotics Control Act. The majority of the Court found that the hydro consumption records did not give rise to a reasonable expectation of privacy and therefore s. 8 of the Charter was not engaged. In deciding whether the state interest in law enforcement outweighed the right of citizens to have a reasonable expectation of privacy in the records, Sopinka J. explained: Consideration of such factors as the nature of the information itself, the nature of the relationship between the party releasing the information and the party claiming its confidentiality, the place where the information was obtained, the manner in which it was 16 17 Supra note 1 at cl 13. [1993] 3 S.C.R. 281. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 9 obtained and the seriousness of the crime being investigated allows for a balancing of the societal interests in protecting individual dignity, integrity and autonomy with effective law enforcement. In considering these factors, he further noted that: [...] the information seized must be of a "personal and confidential" nature. In fostering the underlying values of dignity, integrity and autonomy, it is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual. The computer records investigated in the case at bar while revealing the pattern of electricity consumption in the residence cannot reasonably be said to reveal intimate details of the appellant's life […] the transaction records which were maintained as a result of the commercial relationship in the case at bar cannot be characterized as confidential communications. [...] the seriousness of the offence militates in favour of the conclusion that the requirements of law enforcement outweigh the privacy interest claimed by the appellant. [...] while participation in the illicit trade of marihuana may not be as serious as the trade in other narcotics such as cocaine, it remains an offence which is taken seriously by law enforcement agents. In R. v. Quinn,18 an investigator with the Insurance Corporation of British Columbia confirmed with a bank official that specific bank account numbers belonged and were directly related to the Appellant and that she had sole signing authority on the accounts. This information was later used to obtain a search warrant for information pertaining to those accounts. One of the issues in the appeal from the conviction of the Appellant was whether her right to unreasonable search and seizure had been violated by the request for confirmation of account numbers by the investigator prior to the issuing of a warrant. In applying the balancing test elaborated in Plant, supra, Thackray J.A. noted: In order to proceed with the investigation all that Corporal Shields sought from Mr. Saunders was a confirmation of the name of the account holder. This was a fundamental factor required to get the investigation underway. However, of more importance, it was a necessary basic commodity for inclusion in the Information to Obtain. He ultimately concluded that there was no unreasonable search as envisioned by the Charter. He relied primarily on two points: (1) the serious nature of the crime under investigation - fraud; and (2) the fact that the mere linking of a name to an account number has a limited connection to a person’s biographical core of information. 18 2006 BCCA 255. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 10 Most recently, the Supreme Court of Canada in R. v. Gomboc19 confirmed that the accused did not have a reasonable expectation of privacy in information about the pattern of use of electricity disclosed by the digital recording ammeter installed on his power line at the request of the police. In so finding, Justice Deschamps was swayed by the “totality of the circumstances”. A number of conclusions can be drawn from these cases. First, to determine whether a reasonable expectation of privacy exists it will be necessary to consider a number of different factors, including the nature of the information disclosed, the pre-existing relationships between the parties and the seriousness of the offence under investigation. Second, the closer information is to a person’s biographical core, the heavier it will weigh against disclosure. To date we have seen that residential hydro consumption records and the confirmation of a link between a name and an account number are not part of this biographical core of information. The disclosure of a customer name and address linked to an IP address at a particular date and time seems akin to the linking of a name to an account number. Both the IP address or bank account numbers are already known to the law enforcement authorities. Third, and even more importantly, is the fact that the necessity of the information to either get the investigation underway or obtain a search warrant will be considered by the court. Where, as in many cases dealing with online child exploitation, the link between an IP address and a customer name is essential to get an investigation underway or to seek a warrant, it is less likely to give rise to an expectation of privacy based on the reasoning in Quinn. Now, it has been argued that the CCAICE initiative is a “wholesale” disclosure of subscriber information. Nothing could be further from the truth as to do so would be contrary to PIPEDA and to the subscriber’s Charter rights. LEAs would not have the lawful authority to request information that would otherwise require a warrant. This is why the information disclosed as part of the CCAICE initiative is currently limited to CNA. Whether or not other types of customer information could be disclosed under s. 7(3)(c.1) without a warrant remains to be seen and would be subject to any necessary s. 8 Charter analysis by the courts. E. Early judicial treatment of CNA letters of requests When this article was first published in the summer of 2008 there was indeed little by way of judicial interpretation of the CCAICE initiative and whether its use by LEAs gave rise to a breach of an individual’s Charter rights. The following recounts the judicial treatment of the CCAICE initiative at the time and includes an update of the growing body of jurisprudence as it existed at the end of 2010. R. v. Anderson20 In this case, customer name and address information was obtained without a warrant from Shaw Communications Inc. for a particular IP address and the judge makes reference to PIPEDA. This information was later used to obtain a warrant to search the accused’s home. Ultimately, the accused plead guilty to the offence. The fact that the warrant was not successfully challenged on the basis of the method by which the name and address information 19 20 [2010] 3 S.C.R. 211. 2005 ABPC 99. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 11 was obtained supports the idea that such a method does not violate the customer’s Charter rights. R. v. Smith21 In R. v. Smith, the court considered the appropriateness of a telewarrant.22 Relevant to our analysis is the court’s reference to the process used by the police officer to obtain the target address: [7] … This second IP address allowed Sergeant Mann (pursuant to s. 7(3) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5) to obtain from Shaw Cable the billing address of the internet user through the use of a computer “MAC number” [...] [9] It is not disputed that, based on this information, Sergeant Mann had reasonable and probable grounds to support the issuance of a search warrant to gain entry to the appellant’s residence to search for evidence of the crimes in question. It is also common ground that if the evidence produced in the search was admissible at trial, it was sufficient to convict Mr. Smith of the offence of possession of child pornography for the purpose of distribution or sale. (p. 4) Neither the appellant, nor the trial judge, nor the Court of Appeal took any issue with how the Sergeant had obtained the address information from Shaw Cable at the pre-warrant stage that was then used to obtain the telewarrant and resulted in the disputed search.23 It is also interesting to note some of the findings referred to by the B.C. Court of Appeal that the trial judge had made as part of his section 24(2) Charter analysis after he found that the search was unreasonable given the procedural issues surrounding the request for a telewarrant and other issues with the Information to Obtain: The offence of child pornography is a serious one [...] There was no reasonable expectation of privacy as it is related to the appellant’s IP number. It was published on all of the communications that would have gone to the chat room in Germany [emphasis added] [...] It is a difficult question, but at the end of all of my considerations, I am not persuaded that the administration of justice could be brought into disrepute if this evidence is admitted. (pp. 13-14) In deciding not to interfere with the trial judge’s decision to admit the evidence, the B.C. Court of Appeal reaffirmed at p. 66 of its decision the Supreme Court of Canada’s position that possession of child pornography for the purpose of distribution or sale is very serious because of the personal and societal harm flowing from the sexual exploitation of children (see R. v. Sharpe, [2001] 1 S.C.R. 45, at paras. 28-31 and 82-94. 21 2005 BCCA 334. The use of a telewarrant per se is irrelevant to our analysis because it is at the “warrant” stage whereas the CCAICE initiative is at the “pre-warrant” stage. 23 The appellant took issue with the procedure of obtaining the telewarrant afterwards for which the Criminal Code has very specific requirements, none of which is relevant to this analysis. 22 Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 12 Re S.C.24 In Re S.C., a search warrant sought on the basis of subscriber name and address information that was obtained from an ISP was denied. As per usual practice, a police officer had sought a search warrant after having obtained the customer’s name and address from Bell Canada by virtue of a CCAICE letter of request. JP Conacher found that the police officer was not in lawful possession of the target’s name and address and there was therefore no nexus between the other evidence and the target individual and residence. In particular, he explains [2] The issue that is fatal to this application at this time is the lack of sufficient authority for obtaining the subscriber information and address from the Internet Service Provider (ISP). [3] In the Information to Obtain, Appendix C, at paragraph 42 the Informant states, “On June 27th, 2006 I faxed Bell Canada a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” requesting the subscriber information for the user of IP address [IP address deleted] on June 13th, 2006. This request was done under the authority of P.I.P.E.D.A. (Personal Information Protection and Electronic Documents Act).” Similar statements are then made at paragraphs 48 and 54. [4] The Informant then states at paragraph 43, “On June 27th, 2006, under the authority of P.I.P.E.D.A. (Personal Information Protection and Electronic Documents Act), I received the following information from Bell Canada in regards to the subscriber of IP address [IP address deleted]. [underlining added] The CCAICE template letter clearly has a place for LEAs to insert their authority for requesting the information, e.g. Royal Canadian Mountain Police Act and Royal Canadian Mountain Police Regulations. What is indeed unfortunate about this decision is that the police officer in question made a mistake and stated in his own Information to Obtain that PIPEDA was his authority for obtaining the information. It is generally agreed that PIPEDA is not the authority for LEAs to request or obtain such information, but rather is the authority that allows an organization to disclose the requested information without consent or a warrant. Having found that the police officer had not correctly identified in his Information to Obtain his lawful authority for obtaining and possessing the information, JP Conacher simply concludes that the CNA information is information in which a citizen “would have a reasonable expectation of privacy”. This conclusion was made without conducting any Charter analysis whatsoever or reviewing Bell’s internet service agreements with its customers. It has since been confirmed that fairly soon following Conacher’s refusal, having provided all the background information in a subsequent request for a search warrant to a judge, the LEA was able to obtain the requested search warrant relying on the same underlying CNA information. Unfortunately, this subsequent decision to grant the warrant has not been reported as typically such decisions are not reported. Also, the Conacher decision is that of a Justice of the Peace regarding a request for a search warrant from a detective and has no precedent effect for the courts. 24 2006 ONCJ 343. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 13 The finding that PIPEDA does not provide authority for an LEA to request information is relatively uncontroversial. In an article commenting on this case published in McCarthy Tétrault’s Technology Law Quarterly, the author notes that “PIPEDA itself does not establish authority […] to obtain information” and that the requesting institution should specify its lawful authority to obtain personal information.”25 JP Conacher therefore concluded that the information in question was information in which the citizen has a reasonable expectation of privacy. However, whether information is disclosed in compliance with PIPEDA provisions or not is not necessarily determinative of whether s. 8 Charter rights have been breached by LEAs. It is still necessary to conduct some form of Charter analysis which may include a review of applicable service agreements. Nevertheless, it is arguable whether that would be sufficient to raise the level of privacy expectation to one requiring a warrant prior to disclosure. To clarify, if the information did give rise to a “reasonable expectation of privacy” under s. 8 of the Charter, then we would argue that no amount of statutory or common law authority would authorize the collection of the information by LEAs without the approval of the court. While this decision of a JP was brought to the attention of the CCAICE members in the fall of 2006, neither Bell Canada nor other participating ISPs have chosen to amend their practices. Since that time, Re: S.C. was subsequently followed in R. v. Chehil26for the proposition that lawful authority is required for the police to obtain personal ticketing information because the police in this case were found to have been on a “fishing expedition” to find drug couriers on a WestJet flight from Vancouver. However, this lower court decision was reversed on appeal as it was found that the judge had failed to consider the “totality of the circumstances” when it excluded the drug evidence.27 R. v. Kwok28 In this 2008 case, Gorewich J. of the Ontario Court of Justice considered an application under s. 24(2) of the Charter for the exclusion of two forms of evidence: conversations recorded in Internet chat rooms and subscriber information provided to the police by Rogers. The investigating officer testified to having logged onto an Internet chat room, being invited by a pseudonym user to a private conversation for the purpose of exchanging child pornography and ultimately receiving such materials from that user. The initial contact in the chat room revealed to the officer the I.P. address of the user, which was used for a request of customer name and address from Rogers using a CNA letter of request. This name and address, combined with the record of the private conversation, was used to obtain a search warrant for the user’s home. After performing an analysis of the circumstances under which both the chat room and private chat conversations were conducted, Gorewich J. concluded that an expectation of privacy attached to the private conversation and that prior judicial authorization should have been obtained for the “recording” of the conversation. Noting that such authorization could have been easily obtained, he finds the admission of the recordings would bring the administration of justice into disrepute and orders the evidence excluded. Having made this finding, it was 25 “Disclosure of Information without Consent pursuant to Lawful Authority”, McCarthy Tétrault Co-Counsel: Technology Law Quarterly, 3-2 at 18 (April-June 2007). 26 2008 NSSC 357 at paragraphs 29-30. 27 2009 NSCA 111. 28 [2008] O.J. No. 2414; 78 W.C.B. (2d) 21. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 14 unnecessary to rule on the question of whether judicial authorization had been required for obtaining the subscriber information from Rogers. The judge does, however, undertake an analysis of the issue in obiter citing the possibility that his finding on the private conversations might later be found to be in error. In this analysis, he acknowledges that the request under s. 7(3)(c)29 is properly made and that the lawful authority of the police officer is identified: [32] ... It is reasonable in my view to find “lawful authority” can include, as the officer testified, his authority as a police officer, identified to the entity, to obtain the information. Given the stated purpose of the Act, and in particular s. 7(3)(c) [sic], to hold it means only a warrant does not make any logical sense. This then takes the discussion to the next consideration, that being whether subscriber information attracts Charter protection and there can be an expectation of privacy. [emphasis added] In deciding whether Charter protection attaches to the subscriber name and address information, Gorewich J. refers to a number of findings in other cases. In BMG Canada Inc. v. John Doe, [2004] 3 F.C.R. 241, the Federal Court found that “ISP account holders have an expectation that their identity will be kept private and confidential. This expectation of privacy is based on both the terms of their account agreements with their ISPs and sections 3 and 5 of the PIPEDA.” In R. v. Stucky, [2006] O.J. No. 106 (S.C.J.), the Ontario court found that an expectation of privacy does not attach to subscriber information for a postal box. In R. v. Plant, supra, it was found that disclosure of electricity records does not attract s. 8 protection. In applying some of this reasoning to the case, Gorewich J. notes that there “is no evidence about the contractual agreement between the parties about keeping this information confidential” and further observes that “in the years preceding the enactment of PIPEDA, authorities sought a warrant first before acquiring such information”. He proceeds to distinguish Plant and Stucky on the basis that different kind of information was sought and finds that [35] ... personal information such as names and addresses of customers, held by companies, in this case Rogers, would tend to disclose intimate details of lifestyle and choices. The acquiring of such information [...] should be scrutinized by a neutral body, a judicial authority... The subscriber [...] has an expectation of privacy in respect of this personal information. In finding that name and address information can disclose intimate details, he relies in part on the finding in BMG Canada Inc., supra and, in part, on the argument of the appellant that name and address is revealing by definition as it identifies socio-economic status, identities of friends and neighbours, schedules of those using the address and vehicle information. Noting that the circumstances under which the information was obtained from Rogers were not exigent and the evidence could have been obtained without a breach of the applicant's Charter rights, Gorewich J. chose to exclude the evidence. From this case, two important points can be taken. First, it is reasonable that “lawful authority” to request information would include the authority of a police officer. Second, the status of subscriber name and address information continued to be controversial at the time. While Gorewich J. found it to be subject to a reasonable expectation of privacy, he relied heavily on the case of BMG Canada Inc. The decision in BMG Canada Inc. relied on the agreements 29 More correctly, he is referring to s. 7(3)(c.1). Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 15 between users and ISPs. From the Kwok decision, there was no evidence that such agreements were discussed or reviewed by Gorewich J. Furthermore, the interpretation advanced by Gorewich J. seems in stark contrast with the views expressed above which condone this form of disclosure while at the same time acknowledging that no disclosure ought to be made under s. 7(3)(c.1) where a warrant would otherwise be required. F. Post-Kwok Cases Generally, s. 7(3)(c.1) cases after Kwok have not followed Gorewich J’s decision. A line of cases that have distinguished Kwok based on internet service agreements, which have provisions permitting the ISP to disclose information to LEAs. These service agreements were used to negate a customer’s reasonable expectation of privacy in CNA information. In addition, a line of cases have gone even further, holding that a customer cannot have a reasonable expectation of privacy in CNA information because it is not core biographical information. In R. v. Ward,30 R. v. Verge,31 R. v. Vasic,32 and R. v. McGarvie33 the judges held that that an accused had no reasonable expectation in CNA information. They were highly persuaded by the fact that the accuseds’ internet service agreements expressly permitted the ISPs to disclose CNA information to LEAs. In Ward, Lalande J. lists at para. 69 the following factors that led to his conclusion: The gist of the contractual information with Bell Sympatico was that personal information could, in certain circumstances, be shared with the police. Personal information within the definition of the service agreement was information significantly more intrusive because of its inclusion of such information as credit information, billing records, service and equipment and recorded complaints. … Bell Sympatico had reserved the contractual right to disclose information especially in situations involving investigations of child pornography. This did not exclude subscriber information (name and address). In Verge and Vasic, Keaney J. and Thorborne J., respectively, adopt Lalande J’s reasoning in Ward since the relevant facts in both cases are identical. Notably, these judges mention internet service agreements to explicitly distinguish Kwok. Furthermore, Halikowski J. in McGarvie concludes at para. 37 that: The Accused was aware that his more intimate financial information could be revealed to others under certain circumstances. He was equally aware that Bell Canada had reserved a contractual right to disclose information especially in situations involving investigations of Child Pornography and this information did not exclude subscriber information such as his name and address. And finally, as a matter of public policy - the 30 [2008] O.J. No. 3116 (C.J.). 2009 CarswellOnt 501 (C.J.). 32 2009 CarswellOnt 846 (S.C.J.). 33 2009 CarswellOnt 500 (S.C.J.). 31 Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 16 Accused(s) cannot claim a privacy interest in any illegal information he may have been accessing at the subject website. Although Halikowski makes no mention of Kwok, he utilizes similar reasoning as Lalande J. These cases show the importance judges put on internet service agreements in determining whether a customer has a reasonable expectation of privacy in their personal information. Another line of cases have gone even further and explicitly overrule Kwok. Specifically, R. v. S.W.F. 34, R. v. Wilson35 and R. v. Trapp36, relying on Plant, held that there is no reasonable expectation of privacy in CNA information because it is not core biographical information protected by the Charter. In S.W.F. Nadal J. held at para. 24 that: [A]ccount information, per se, reveals very little about the personal lifestyle or private decisions of the occupants of the defendant's residence other than they have chosen to have some form of internet connection installed in that residence. Moreover, the prevalence of wireless and hand-held technology makes a particular address an even less significant fact so far as internet use is concerned, since that use is no longer tied to a land line tied to a particular address. In Wilson, Leitch R.S.J. approves of Nadal J’s above finding and further adds at para. 42 that: In my view, the applicant had no reasonable expectation of privacy in the information provided by Bell considering the nature of that information. One's name and address or the name and address of your spouse are not "biographical information" one expects would be kept private from the state. It is information available to anyone in a public directory and it does not reveal, to use the words of Sopinka J in Plant, "intimate details of the lifestyle and personal choices or decisions of the applicant". Although Trapp deals with Sasktel and s. 29(2)(ii) of the Freedom of Information and Protection of Privacy Act (which is modeled after s. 7(3)(c.1)), nevertheless, it is still consistent with the above cases because it relies on Plant to overrule Kwok. Despite the overwhelming jurisprudence clearly moving away from the reasoning in Kwok, it is nevertheless still worth mentioning that not all subsequent cases have been inconsistent with it. In particular, in R. v. Cuttell37, Pringle J. concludes at para. 21 that: I agree with Justice Gorewich that the information discloses intimate details of a subscriber's lifestyle and choices. Once the police accessed Mr. Cuttell's name and address, they were able to link his identity to a wealth of intensely personal information. Linking his name to the shared folder under his IP address, police learned a great deal about Douglas Cuttell and his lifestyle: namely in this case, his interest in adult pornography, obscenity and child pornography, which were all revealed by his choice of shared files. Pringle J. does not analyze whether the accused’s reasonable expectation of privacy is negated by his service agreement because in this case there was no evidence of the contract between Bell and the accused. This decision appears to be anomalous. Nevertheless, if a contract had 34 2008 ONCJ 740 (aka Friers). [2009] O.J. No. 1067. 36 2009 SKPC 5; argued in the Saskatchewan Court of Appeal November 2010. 37 [2009] O.J. No. 4053 (C.J.). 35 Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 17 been found, the judge would have likely followed the reasoning mentioned above in the first line of cases and concluded that the accused’s reasonable expectation of privacy was negated. There were two November 2010 decisions that are worthy of mention. In R. v. McNeice38 where Northwestel was the service provider and the accused was bound by their terms of service, the BC Supreme Court clearly distinguishes Kwok and Cuttell as they involved the absence of any evidence of a contract affecting the reasonable expectation of privacy of the accused. Meiklem J. goes on to conclude that: absent a finding of state agency, s. 487.014(1) provides the police with lawful authority to make a PIPEDA request for subscriber information, which an ISP is not prohibited by law from disclosing if it falls within the provisions of s. 7(3)(c.1) of PIPEDA.39 Finally, R. v. Brousseau 40 makes a similar finding regarding the absence of contractual evidence in Kwok and Cuttell. Justice Croll also states how Pringle J. in Cuttell noted that had such a contract existed, it might have altered privacy expectations. More importantly, it confirms that PIPEDA does not require that police obtain judicial pre-authorization in every case. Furthermore, reference is specifically made to the statement by the OPC that the Canadian government’s clarification of the overall intent of section 7 of PIPEDA “is to allow organizations to collaborate with law enforcement and national security agencies without a subpoena, warrant or court order. Organizations who share information with government institutions, including law enforcement and national security agencies, in accordance with the requirements of this provision, are doing so in compliance with PIPEDA.”41 G. Contractual obligations to ISP Customers As noted above, given that LEAs would be required to assess whether there might be a greater expectation of privacy on the part of users for CNA information in this very specific context, a review of the contractual obligations between ISPs and their users was necessary. Therefore, each participating ISP was to satisfy itself that their privacy policies, end user agreements and acceptable use policies did not otherwise preclude them from disclosing the CNA information. This could, though not necessarily, have the effect of raising the expectation of privacy and hence may require a warrant for such disclosure, notwithstanding the clear exceptions in PIPEDA. By way of example, the Bell Internet Agreements42 have contained for quite some time essentially the following language: […] and to disclose any information necessary to satisfy any laws, regulations or other governmental request from any applicable jurisdiction, or as necessary to operate and optimize the Service, or to protect itself or others. 38 [2010] B.C.J. No. 2131. Ibid at paragraphs 43 and 46. 40 2010 ONSC 6753. 41 Ibid at paragraph 44. See also supra note 4. 42 See clause 17 of the Bell Internet Service Agreements available at http://internet.bell.ca/index.cfm?method=content.view&category_id=550&content_id=11013. 39 Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 18 Most large ISPs now have sufficient language to continue with this initiative and not infringe upon their user’s privacy or Charter rights. Other sample language includes: “legal, regulatory or other governmental requests” and “cooperate with law enforcement authorities in the investigation of suspected criminal violations”. Therefore, these ISP contracts cannot arguably raise the reasonable expectation of privacy. This conclusion is consistent with the case law discussed above. The review of ISP user agreements as part of the CNA initiative was meant to provide additional comfort to participating ISPs and to address any possible argument regarding a greater expectation of privacy that might arise if the CNA information were obtained at the pre-warrant stage. It has therefore developed into a “belt & suspenders” approach as PIPEDA allows for disclosure without consent under s. 7(3)(c.1). By agreeing to the terms and conditions in the user agreement, the customer is in effect granting their explicit consent to such disclosures (see OPC PIPEDA Case Summaries #2 and #319). H. Privacy policies Even though organizations have tended to include an approximation of the various key exceptions to consent in PIPEDA in their privacy policies, in particular those related to disclosure without consent, the list that is provided by the organization is usually a representative list of the types of situations when the disclosure without consent may occur. Typically, it does not reflect the entire PIPEDA list of exceptions – to do so would greatly increase the length of a privacy policy unnecessarily. For example, rarely is there any reference in privacy policies to the exception for disclosure to a notary or solicitor (s. 7(3)(a)) or made on the initiative of the organization which has reasonable grounds to believe that the information relates to a breach of an agreement or law (s. 7(3)(d)). Clearly, an organization is allowed to disclose customer information under a warrant or when required by law. This is true even if the organization has not included such a circumstance in its privacy policy or user agreement – to think otherwise would be absurd. Providing an exhaustive list of the PIPEDA exceptions has not been required under PIPEDA and does not represent industry practice. Even then, amending one’s user agreement or privacy policy to further clarify or reflect something that the organization is already permitted to do under PIPEDA is highly unlikely to be considered a “fundamental” change. Moreover, we are not aware of any privacy policy that specifically refers to all of the explicit exceptions in PIPEDA, including s. 7(3)(c.1). The preferable approach is to mention the well known required by law and court order examples and more recently responding to a “government request”. V. Conclusion The CCAICE initiative and related CNA letter of request protocol has been used by many member ISPs for close to five years now. The privacy issues raised above have been coming to the greater attention of the lower courts and now await the decision of at least the Saskatchewan Court of Appeal. While the interpretation of PIPEDA and ISP customers’ reasonable privacy expectations in their CNA information have yet to be definitively settled judicially, pronouncements of the OPC, persuasive Charter jurisprudence, the government’s intent in former Bill C-29 and carefully drafted user agreements have been sufficient to assuage Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 19 the concerns of the participants. In hope of furthering important public interests, the participants continue to invest significant resources in responding to a relatively large number of law enforcement requests using the CCAICE protocol in the ongoing fight to combat online child exploitation. Privacy Pages, November 2011 CBA National and Privacy Access Law Section Newsletter Page 20