Saturday, February 18, 2012

Police "PIPEDA requests" for customer information

As a follow-up to my previous post 'Dealing with police "Letters of Request for Information"', I thought I'd discuss a particular species of request letters, commonly referred to as "PIPEDA Requests".

The names are a bit misleading, since in many cases the recipient is led to believe that the authority to obtain the information is found in PIPEDA (the Personal Information Protection and Electronic Documents Act).

Here is an example letter, taken from R. v. Ward, 2008 ONCJ 355:

I, Constable Jason Tree of the National Child Exploitation Coordination Centre, am a law enforcement officer with the Royal Canadian Mounted Police.

I am conducting an investigation in relation to child sexual exploitation offences under the Criminal Code and I am requesting account information pursuant only to that investigation.

I request this disclosure in accordance with s. 7(3)(c.1) of the Personal Information Protection Electronic Documents Act. My authority to request and obtain this information derives from the Royal Canadian Mounted Police Act and the Royal Canadian Mounted Police Regulations as well as common law.

I am requesting the last known customer name and address of the account holder associated with IP address [number] used [date and time].

Should you agree to this request, please provide the information in the section below and reply via e-mail to Jason.tree@rcmp-grc.gc.ca.

As I understand it, the form of letter was a result of the coordinated effort of law enforcement and a group of internet service providers who have agreed to provide warrantless access to customer account information in connection with child exploitation investigations. They are designed to satisfy the requirements of Section 7(3)(c.1)(ii) of PIPEDA which permits disclosures of personal information to the police where they have the "lawful authority" to obtain the information and the information relates to "enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law".

While I generally have a dim view of disclosing customer information without a warrant, I can certainly understand why internet service providers have worked with law enforcement to address these particularly grim crimes.

2 comments:

John said...

Shouldn't the letter state that the police officer has a reason to believe that the specific IP address in question has been used in the commission of the offense being investigated.

As worded, it seems to me, this letter could be used for a fishing expedition.

I'm not a lawyer, so I'm willing to be corrected.

Jonesy said...

See R v Spencer and R v Trapp, from the Sask. C.A. (2011), which essentially endorse the use of these letters by the police. The combination of this section of PIPEDA and 487.014 of the Code seem to have largely eviscerated meaningful privacy rights in their subscriber status information (including IP address) with their local ISP.