In R v. Bykovets1, the Supreme Court of Canada ruled that a criminal accused’s Charter rights against unreasonable search and seizure were violated when law enforcement obtained his IP address without prior judicial authorization (i.e., a warrant) because the accused had a reasonable expectation of privacy in his IP address information.
The Bykovets case concerned a police investigation into fraudulent online purchases from a liquor store. During the course of the investigation, police obtained the IP address linked to the purchases from a private payment processing company, Moneris, used by the store. The accused, the appellant in this case, was convicted at trial, and his convictions were confirmed on appeal.
The appellant claimed both at trial and at appeal that his right against unreasonable search and seizure (protected by section 8 of the Charter) was violated when police obtained the IP addresses from Moneris. A violation of section 8 can only be found in this context if law enforcement interfered with the individual’s reasonable expectation of privacy in what was searched or seized. Here, both lower courts found that the appellant did not have a reasonable expectation of privacy in his IP address information, and so his section 8 rights were neither engaged nor violated.
In a 5-4 split, the Supreme Court deviated from the lower courts’ decisions and ruled that an individual’s IP address information does, in fact, have “deeply personal” characteristics when considered in context, and it should, therefore, be obtained by law enforcement from a private company only with prior judicial authorization. The Court allowed the appeal and ordered a new trial.
The Court found that the disclosure of IP addresses provides law enforcement with the means to draw immediate and direct inferences about the user based on their Internet activity, given that IP addresses link specific Internet activity to a specific location and/or device. Information about such activity can lead law enforcement directly to an individual user’s identity. Even before being linked to an identity, the Internet activity associated with an IP address itself can be “deeply personal” and “capable of revealing personal and core biographical information” about the user, as in this case with consumer transaction information2.
The Court noted that private companies are likely to voluntarily or proactively provide other information that they hold about an individual to law enforcement, in addition to their IP address, which can further increase the volume and sensitivity of the information that law enforcement can access about an individual. For instance, the Court observed that websites that track IP addresses also collect “massive amounts” of “extremely personal” information about an individual, like location data and search history3.
For the purposes of section 8 of the Charter, the Court’s decision suggests that any information that can provide the state with a “means” or “roadmap” to a trove of personal, potentially “intensely private” data should be accorded a reasonable expectation of privacy, even where an individual is not directly identifiable from the information itself. With respect to IP addresses, the public’s interest in being left alone by the state was held to outweigh the comparatively light burden on law enforcement necessary to obtain judicial pre-authorization4.
While private organizations are not directly affected by the ruling as they have no obligations under the Charter, they should note that this decision may increase the privacy risk associated with sharing IP addresses (and other Internet activity-related information) with law enforcement on a voluntary or proactive basis. For instance, an individual could allege that the police violated their section 8 rights and concurrently submit a complaint to a privacy regulator alleging that the voluntary disclosure of their IP address by a private business constituted a breach of its privacy obligations—a position which this decision could be used to provide some support for in certain contexts.
Private-sector privacy law (including PIPEDA) generally allows businesses to proactively share personal information with law enforcement to support a police investigation into a crime perpetrated against them, and this is not expected to change with this ruling. However, when receiving a request for information from law enforcement related to a separate investigation, businesses must ensure that they have done their due diligence in confirming that the law enforcement body has the lawful authority to obtain the information in the first place. This may now include confirming that judicial authorization has been granted prior to sharing IP addresses with law enforcement in order to mitigate this privacy risk.
In this decision, the Court emphasized that the sensitivity and personal nature of information is determined just as much by its own content as by its potential to reveal sensitive information about an individual. This is not a novel finding in either the Charter or the privacy law context, and Canadian privacy regulators have long recognized IP addresses as personal information where they can be associated with an identifiable individual.
That said, given the Court’s strong language asserting the “deeply” and “intensely” private nature of information that can be obtained directly from IP addresses, in some cases, even before a specific individual’s identity is linked to the IP address, privacy regulators in future investigations and reports may be influenced by this decision to take an even stronger position regarding the sensitivity of IP addresses and analogous data for contexts directly applicable to the private sector. Higher sensitivity can, in turn, mean heightened privacy obligations, including with respect to the type of consent required to handle the information and the protections that should be put in place.