What the Supreme Court’s Latest Privacy Ruling Means for Business

The Supreme Court of Canada’s decision in R v. Reeves, 2018 SCC 56 (Reeves) has broad privacy law implications, despite it being decided in the criminal law context. The majority of the Court ruled that when two people share a personal computer, one person can’t consent to its search or seizure on behalf of the other person.

What You Need To Know

• The Court’s ruling in Reeves has implications in the business context where organizations rely on an individual’s consent to collect, use or disclose personal information on behalf of their spouse or household. For example, where organizations rely on an employee’s or customer’s consent to provide benefits to their spouse or common law partner or to handle household information for statistical, data analytics or marketing purposes, they should consider whether the form of consent captures all individuals whose information may be processed.
• Organizations should ensure customers or employees understand they need to obtain meaningful consent from individual household members before consenting on their behalf.
• Organizations must document that customers or employees have the authority to consent on behalf of the household. This could mean including language such as “I have provided the [terms and conditions/privacy policy] to [the relevant individuals] and have the authority to consent on their behalf” prior to the collection of such information.
• While privacy jurisprudence arising from the criminal context engages somewhat different rights under the Charter than would apply in the private sector, the principles of a reasonable expectation of privacy and meaningful consent discussed in Reeves are increasingly relevant to the federal Privacy Commissioner’s interpretation of businesses’ obligations under PIPEDA.

Background

In Reeves, Mr. Reeves was not permitted to live in his family home after he was charged with domestic violence. Mr. Reeves’ wife alerted his probation officer to the fact she thought she’d seen child pornography on their shared computer. Subsequently, a police officer, who didn’t have a search warrant and didn’t have enough evidence to obtain one, came to the home and took the shared computer on Mr. Reeves’ spouse’s consent. When the police finally searched the computer—months later, with a faulty warrant—they found images and videos of child pornography.

Decision

Mr. Reeves argued, and the SCC agreed, that the initial seizure of the computer based on his wife’s consent was contrary to section 8 of the Charter. The majority of the Court ruled that although the computer was shared, Mr. Reeves maintained a reasonable expectation of privacy in it. Accordingly, the spouse’s consent did not nullify his reasonable expectation of privacy, or operate to waive his Charter privacy rights.

In coming to its decision, the majority of the Court noted that “waiver by one holder does not constitute waiver for all rights holders.” The Court reaffirmed that the doctrine of third-party consent should not be adopted in Canada, despite its acceptance in the U.S. Justice Karakatsanis, writing for the majority, found that “this doctrine would be ‘inconsistent with this Court’s jurisprudence on first party consent,’ which requires consent to be ‘voluntarily given by the rights holder’ and ‘based on sufficient information in his or her hands to make a meaningful choice’.” In light of the section 8 Charter violations, the majority of the Court found the evidence obtained from the shared computer inadmissible.

Considerations

In light of Reeves, organizations may need to revisit their reliance on indirect consent, such as a customer’s consent for a company to collect personal information of their spouse. The content and means of indirect consent will become increasingly important in the era of the internet of things and big data analytics, when the individual setting up a device may be asked to consent to the processing of data about entire households.