Introduction
In R. v. Spencer, the Supreme Court of Canada definitively rejected the narrow protocol developed by the Canadian Coalition Against Internet Child Exploitation.[1] The protocol was a voluntary initiative whereby certain Canadian internet service providers voluntarily disclosed very limited basic subscriber information to police at the pre-warrant stage of child pornography investigations (i.e. an accountholder’s name and address that was linked to an IP address identified by police that was being used at a particular date and time). Though the protocol and CCAICE were not mentioned by the court in Spencer, which is unfortunate given the extensive background, they were referred to by lower courts such as the Ontario Court of Appeal in R. v. Ward, and referenced in the July 2013 submissions by the Ontario AG in their application to intervene in Spencer.
In rejecting the protocol in its current form, the SCC expanded on the “reasonable expectation of privacy” in the context of a s. 8 Canadian Charter of Rights and Freedoms analysis outlined in previous rulings, but left several open questions for law enforcement agencies and private companies alike when dealing with law enforcement investigations in the future.
The ISP practice at issue
ISPs together with law enforcement and other stakeholders worked collaboratively under the auspices of the CCAICE on a strategy for greater cooperation in addressing and preventing the harms of child pornography. Police had noted that crime occurring online usually could only be traced to an IP address, and only ISPs could connect that IP address to the name and street address of the accountholder of the internet service being used at the time. All parties recognized that the account holder was not necessarily the individual engaged in the online activity that was the target of the investigation, but it would bring the law enforcement agency one step closer in their investigation.
Therefore, in January 2006, coming from a sense of corporate responsibility to help combat the exploitation of children while at the same time wanting to protect the privacy of their subscribers, a new initiative was launched focused on the difficult-to-interpret section 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. Section 7(3)(c.1)(ii) reads in part:
(3) ... an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
...
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
...
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or ...
This section received little judicial attention until the long line of cases that eventually culminated in Spencer. But a basic read gave some comfort to the CCAICE that an Internet accountholder’s name and address could be disclosed, voluntarily, where police identified that an IP address being used at a particular date and time was involved in a criminal investigation. Reaching this conclusion required taking a position on several untested legal questions, which (in light of Spencer) might be summarized in the following two questions.
Did the police have “lawful authority to obtain” the information?
As I explained in earlier articles on the protocol, there was no question that a government institution was involved in an investigation. But did that government institution have the “lawful authority to obtain” the personal information? The CCAICE analysis concluded that the general police powers under common law to investigate crime, together with applicable police statutes, constituted the necessary lawful authority, provided the personal information requested was not protected by the Charter.
The CCAICE protocol ran into early complications, as some officers pointed to PIPEDA s. 7(3)(c.1)(ii) itself as the source of their “lawful authority to obtain.” After a couple of years of use, the template letter was changed to make it clear that the applicable police statute and the common law were identified as the lawful authority to make the request.
How could this interpretation of PIPEDA be reconciled with the reasonable expectation of privacy protected by the Charter?
The conclusion on this question was that a subscriber’s name and address was not the kind of core biographical information protected under the SCC’s prior Charter rulings, and R. v. Plant in particular. This was bolstered by the fact that the ISPs’ various terms of service made some effort to reiterate that ISPs would cooperate with police investigations, thereby putting subscribers on notice and influencing their reasonable expectation of privacy.
The CCAICE also saw the protocol as narrowly prescribed in order to best respect customer privacy. For example, it limited disclosure to only an accountholder’s name and address linked to the IP address identified by police that was being used at a particular date and time. It did not extend to sensitive aspects of account information such as the date the service was activated, payment information, etc., as the disclosure of such information would clearly require a warrant.
Leading up to Spencer, most courts agreed with aspects of this interpretation, and found no Charter violation in cases where the CCAICE protocol was used. Notably, however, judges who agreed with this conclusion followed different lines of reasoning – illustrating again the uncertainties in interpreting PIPEDA’s s. 7(3)(c.1)(ii) before Spencer and the interplay with an accused’s reasonable expectation of privacy under the Charter. It should be noted as well that not all ISPs agreed with the CCAICE interpretation, making it even harder to define a pre-Spencer consensus.
The decision in Spencer
Spencer was one of several cases involving the same basic facts. Following the CCAICE process, police obtained the subscriber information for an IP address involved in a child pornography offence. As it turned out, the internet service subscriber was not Spencer himself, but his sister. Spencer claimed unreasonable search and seizure, and the Saskatchewan Court of Appeal, with various lines of reasoning, rejected the Charter challenge. The SCC unanimously overturned the Court of Appeal on that point. In so doing, the court made several precedent-setting determinations.
First, they expanded their previous s. 8 Charter jurisprudence to recognize that the concept of privacy under the Charter includes an element of anonymity. They rejected the CCAICE interpretation that a subscriber’s name and address were innocuous, “tombstone” information, in favour of a more contextual and privacy-sensitive approach. They emphasized the fact that the subscriber’s name and address, when linked to the IP address at a particular date and time, also linked it to the targeted online activity, which the SCC found the accused was engaged in anonymously (even though the accused and the accountholder were not the same). The expectation of privacy lay not in the individual bits of information themselves, but in the fact that revealing them overthrew the subscriber’s expectation of online anonymity:
Thus, anonymity may, depending on the totality of the circumstances, be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure (Spencer at para. 48).
The court also gave its first definitive guidance on the interpretation of s. 7(3)(c.1)(ii) of PIPEDA, and particularly, on the meaning of “lawful authority to obtain.” The court recognized that the overall scheme of PIPEDA is to increase privacy protection and limit disclosure without consent to defined circumstances, and in so doing chose to interpret the section as increasing the subscriber’s expectation of privacy.
In defining “lawful authority to obtain,” the court made it clear that this authority could not be found in PIPEDA itself, or in the Criminal Code’s general provision in s.487.014 allowing police to request information on a voluntary basis. This is consistent with CCAICE’s interpretation as well, though it should be noted that the law enforcement request in Spencer’s case still cited these as “authority,” as they dated back to the original CCAICE template letter of request from 2006. It seems unlikely that the court would have come to a different conclusion on lawful authority to obtain, given the further analysis below, but it is interesting to note that the CCAICE anticipated this interpretation and believed that lawful authority resided elsewhere than PIPEDA – a conclusion agreed with by most pre-Spencer rulings.
More significantly, the court rejected the CCAICE interpretation that the police’s common-law power to investigate amounted to a lawful authority to obtain, since that common law power was limited to inquiry, and not searching or “obtaining.” The court therefore left open a quite limited scope for the phrase “lawful authority to obtain,” which might include exigent circumstances (though this scenario is already covered by s. 7(3)(e) of PIPEDA) or a “reasonable law” authorizing a search. It might even refer to the common-law authority to ask questions where there is no reasonable expectation of privacy at play (which is, in fact, how the CCAICE viewed the protocol). It does not, however, include a “bare request” by law enforcement (Spencer at para. 71). To be clear, though, the Supreme Court did not say that there is a reasonable expectation of privacy protected by the Charter in all activity performed online, only that activity where there was an expectation of anonymity. Also, it left open the possibility for an organization to provide limited subscriber information at the pre-warrant stage of an investigation when it comes to other activity performed either online or offline where there is no reasonable expectation of privacy – something the courts will have to continue to define based on the facts before them.
Questions post-Spencer
Many commentators have speculated on the impact Spencer will, or should, have on various privacy-impacting initiatives currently under consideration by Parliament. However, private industry also faces some uncertainties when it comes to cooperating with law enforcement investigations in a post-Spencer world. Many of these questions again come down to interpreting “lawful authority to obtain” (PIPEDA, s. 7(3)(c.1)(ii)):
What role will (or should) customer contracts play?
The SCC noted that the language of an ISP’s contract and privacy policy did not, in this case, clearly eliminate the subscriber’s expectation of privacy, as when read together they were confusing. Given that some of the lower courts’ pre-Spencer decisions had already found that certain other ISPs’ internet service contracts and privacy policies together could curb a customer’s reasonable expectation of privacy, it will be interesting to see whether post-Spencer these very same or other courts will continue to be predisposed to do the same (on the right facts, of course), or whether Spencer will lead them to a narrower result.
What are the limits of a customer’s reasonable expectation of privacy, especially online?
The court holds open that PIPEDA may allow voluntary disclosure where there is no reasonable expectation of privacy by the customer or an individual using another customer’s service. Most private companies will be ill-equipped to answer that question without further guidance, whether from the courts or even the Office of the Privacy Commissioner. Indeed, organizations in the private sector, broadly speaking, have for the most part circumscribed their practices in light of Spencer and the uncertainty it has created, and this is having an impact for sure in the investigations of other offences and when dealing with other industries.
What “exigent circumstances” will count?
Another infrequently-interpreted provision of PIPEDA allows disclosure in emergencies that “threaten the life, health, or security of an individual” – but requires the company to inform the individual of the disclosure without delay (s.7(3)(e)). To this, the court adds that s.7(3)(c.1) may also cover “exigent circumstances.” Will we see an increase in police requests citing such circumstances, and if so, how are companies to respond? What are organizations to make of these now potentially overlapping sections when faced with exigent circumstances?
What role does the Privacy Commissioner of Canada have in influencing the courts on how to interpret the reasonable expectation of privacy under the Charter?
There is no doubt that the arguments of the Privacy Commissioner carried weight before the court, notwithstanding their prior involvement and acknowledgement of the CCAICE protocol (unbeknownst to the court). However, it was curious from a procedural perspective how the court permitted into the record an OPC report on metadata that had never been tested or even cross-examined,
While Spencer may bring an end to a certain level of cooperation between police and ISPs (and other private sector organizations), the fact remains that crimes will occur, police will investigate, and private companies will have customer information relevant to those investigations. Companies may feel a moral obligation to cooperate voluntarily, or may fear the bad publicity of appearing non-cooperative. No matter the motivation, the legal parameters of appropriate cooperation, while clarified and narrowed somewhat in Spencer, remain to be tested in future cases. At a minimum, companies in all industries should ensure that the language of their contracts and terms of use is consistent with their privacy policy to avoid any potential customer confusion.
Lower courts are already interpreting (and distinguishing) Spencer
It has not taken very long, but the lower courts are doing their job and have already begun to interpret Spencer and its application to different fact situations, in particular as it relates to wireless telephone numbers – so more to come on that.
A final personal note
Some readers may have read my prior protocol articles, and understood the conviction with which I and other CCAICE members approached this particular initiative to assist in the fight against online child exploitation. The CCAICE’s desire from the beginning was to assist in a way that did not compromise the reasonable expectation of privacy of Canadian internet subscribers, knowing that, in the end, the SCC would decide – we were all in it for the long haul.
Among CCAICE members, we had our own debates on these interpretations, and some think that Spencer may have actually swung the privacy pendulum a little too far. In the end, regardless of where one stands on the reasonable expectation of privacy, we can all agree that the CCAICE members and the protocol, for better or for worse, had a significant role to play in the evolution of further defining the reasonable expectation of privacy protected by the Charter online – in a way it started with the SCC in Plant, inched forward in Spencer, and will continue to be refined by the SCC as our reasonable expectations of privacy continue to evolve.
About the Author
Suzanne Morin, former General Counsel, Regulatory & Privacy Chief, Bell Aliant. The views expressed in this article are those of the author and not those of Bell Aliant. Note: A special thanks to Kevin Kindred, respected former colleague and friend, for his thoughts on an earlier draft.
End note
[1] I explained the protocol in my articles titled: “Business Disclosure of Personal Information to Law Enforcement Agencies: PIPEDA and the CNA Letter of Request Protocol”, first published in July 2008 in Privacy Pages: CBA National Privacy and Access Law Section Newsletter (also in the Canadian Privacy Law Review, Volume 5, Number 10, p. 104) and an updated version in the same Privacy Pages Newsletter in November 2011.