The Supreme Court of Canada (SCC) has recognized Canadians’ right to Internet privacy in a recent decision involving Internet Protocol (IP) address information provided to police by an Internet Service Provider (ISP). In R. v. Spencer (Spencer),1 the SCC unanimously held that (i) there is a reasonable expectation of privacy in IP account information; and (ii) a violation of this reasonable expectation is not authorized by the Criminal Code or the Personal Information Protection and Electronic Documents Act (PIPEDA).
In Spencer, police monitored an online public peer-to-peer file-sharing site for shared folders used for storing and sharing child pornography. Police identified the IP address—the number corresponding to the particular Internet connection through which a computer accesses the Internet—associated with the accused’s shared folder on the file-sharing site. This enabled police to use publicly available information to find the computer’s approximate location and ISP. Police then made a "law enforcement request" to the ISP for the subscriber information (i.e., the name and address of the person using that computer), citing PIPEDA, and indicating they were investigating an offence under the Criminal Code. The ISP responded to the request by providing the subscriber information.
Using the information provided by the ISP, police obtained a warrant to search the accused’s residence; after police seized a computer containing child pornography, the accused was charged with several child pornography-related offences. At his trial, the accused argued that the "law enforcement request" that was made infringed the prohibition against unreasonable search and seizure under Section 8 of the Canadian Charter of Rights and Freedoms, and that police should be required to obtain a warrant before ISPs provide subscriber information.
Reasonable expectation of privacy
In assessing whether Section 8 was engaged, the Supreme Court first assessed whether the law enforcement request constituted a search. The Court applied the traditional Section 8 analysis and found that it would if the accused had a reasonable expectation of privacy in the information provided to the police. The Court conducted this analysis by considering the "totality of the circumstances," including the subject matter of the alleged search, the claimant’s interest in the subject matter, the claimant’s subjective expectation of privacy in the subject matter, and whether the claimant’s subjective expectation was objectively reasonable.
In this case, the Court defined the accused’s privacy interest broadly "to account for the role that anonymity plays in protecting privacy interests online." The Court inferred a subjective expectation of privacy based on the accused’s "use of the network connection to transmit sensitive information," and found that, objectively, a reasonable and informed person concerned about the protection of privacy would expect that one’s activities on one’s own computer used in one’s own home would be private, engaging a direct and personal informational privacy interest. In light of the ISP’s terms of service and PIPEDA, the Court concluded that an Internet user would not reasonably expect that a simple request by police would trigger an obligation to disclose personal information or defeat the general PIPEDA prohibition against the disclosure of personal information without consent.
Violation of privacy not authorized by law
The Court held that because the accused had a reasonable expectation of privacy, his Section 8 rights were engaged. It then found that the accused’s rights were infringed because the search was not authorized by law. The Court noted that the Criminal Code did not create search and seizure powers, as the relevant provision requires a production order for a search unless disclosure of the information is not prohibited by law. The Court also found that PIPEDA similarly prohibits disclosure of information unless the requesting government institution has "lawful authority" to compel disclosure of the information, and so did not create a new police search power.
Because the warrant to search the residence was obtained based on subscriber information that was unconstitutionally obtained, there were not adequate grounds to sustain the warrant, and the search of the residence was therefore unlawful (though the Court went on to find the evidence admissible as its exclusion would bring the administration of justice into disrepute).
The decision in Spencer has implications beyond IP address information for third-party individuals or companies possessing customer or user personal information. In particular, the Supreme Court has made it clear that the threshold for engaging constitutional protection of privacy rights over Internet-accessible personal information is low, and the threshold for justifying disclosure of this personal information is high.
When is there a reasonable expectation of privacy?
When should personal information be disclosed?
The Court emphasized that third parties holding personal information are not required to, and in many instances should not, disclose personal information in response to a simple request for information without a warrant, even where the request is from police. The Court recognized that a third party may detect illegal activity and "of its own motion" report it to the police. However, third parties should have clear and consistent disclosure procedures or policies for dealing with requests for this information to properly inform and comply with the reasonable expectations of privacy of customers or users.
Potential legislative impact
It remains to be seen whether Spencer will impact currently proposed legislation that trends toward lowering protection of Internet users. The more controversial provisions of Bill C-13 (the Protecting Canadians from Online Crime Act or the "cyberbullying bill") and Bill S-4 (the Digital Privacy Act) lower the threshold for police to obtain a warrant (requiring only "reasonable grounds for suspicion"), grant immunity for ISPs who voluntarily provide information that they are not prohibited from disclosing, and extend disclosure of subscriber information without a warrant by allowing organizations to disclose personal information without consent to any organization that is investigating a contractual breach or possible violation of any law. These bills were preceded by the withdrawn Bill C-30 (the Protecting Children from Internet Predators Act), which proposed warrantless mandatory disclosure of basic subscriber information (including name, address, telephone number, email address and IP address) and required ISPs to maintain systems that allowed police to intercept and track online communications.
1 2014 SCC 43
© 2019 by Torys LLP.