This morning, the Supreme Court of Canada released its decision in R v Spencer, 2014 SCC 43.
The case, on appeal from the Saskatchewan Court of Appeal, has finally provided some certainty regarding the expectation of privacy that all Canadians enjoy in their online activities. All internet users expose their IP addresses to the sites they visit and the computers they connect to, but generally it is only the internet service provider who can connect that innocuous string of digits to a real identity.
In this case, the police had obtained information about an internet user from his internet service provider without a warrant. The police asked for it using a "PIPEDA request" and the ISP simply provided it, relying on a broad provision in PIPEDA which -- in its view -- permits certain disclosures to law enforcement.
I am still digesting the decision, but some very important conclusions from the case:
- Internet users have a reasonable expectation of anonymity in their online activities
Contrary to the views of most police agencies and the government of Canada, this information is not innocuous "phone book information" but "Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage."
- A police request to the ISP for customer information amounts to a "search" for Charter purposes
- The fact that an ISP may be able to disclose information pursuant to s. 7(3)(c.1) of PIPEDA or the terms of use is relevant to the expectation of privacy, but not determinative of it
- The request by the police had no "lawful authority" since they had no authority to compel the production of the information
There has been much controversy surrounding the term "lawful authority" in PIPEDA, which permits an organization to disclose personal information without consent in connection with an investigation where the police have identified their "lawful authority" to obtain the information. The police have generally argued that an investigation is sufficient to satisfy that. The Court disagreed:
[62] Section 7(3)(c.1)(ii) allows for disclosure without consent to a government institution where that institution has identified its lawful authority to obtain the information. But the issue is whether there was such lawful authority which in turn depends in part on whether there was a reasonable expectation of privacy with respect to the subscriber information. PIPEDA thus cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.[63] I am aware that I have reached a different result from that reached in similar circumstances by the Ontario Court of Appeal in Ward, where the court held that the provisions of PIPEDA were a factor which weighed against finding a reasonable expectation of privacy in subscriber information. This conclusion was based on two main considerations. The first was that an ISP has a legitimate interest in assisting in law enforcement relating to crimes committed using its services: para. 99. The second was the grave nature of child pornography offences, which made it reasonable to expect that an ISP would cooperate with a police investigation: paras. 102-3. While these considerations are certainly relevant from a policy perspective, they cannot override the clear statutory language of s. 7(3)(c.1)(ii) of PIPEDA, which permits disclosure only if a request is made by a government institution with “lawful authority” to request the disclosure. It is reasonable to expect that an organization bound by PIPEDA will respect its statutory obligations with respect to personal information. The Court of Appeal in Ward held that s. 7(3)(c.1)(ii) must be read in light of s. 5(3), which states that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. This rule of “reasonable disclosure” was used as a basis to invoke considerations such as allowing ISPs to cooperate with the police and preventing serious crimes in the interpretation of PIPEDA. Section 5(3) is a guiding principle that underpins the interpretation of the various provisions of PIPEDA. It does not allow for a departure from the clear requirement that a requesting government institution possess “lawful authority” and so does not resolve the essential circularity of using s. 7(3)(c.1)(ii) as a factor in determining whether a reasonable expectation of privacy exists.
[64] I also note with respect to an ISP’s legitimate interest in preventing crimes committed through its services that entirely different considerations may apply where an ISP itself detects illegal activity and of its own motion wishes to report this activity to the police. Such a situation falls under a separate, broader exemption in PIPEDA, namely s. 7(3)(d). The investigation in this case was begun as a police investigation and the disclosure of the subscriber information arose out of the request letter sent by the police to Shaw.
[65] The overall impression created by these terms is that disclosure at the request of the police would be made only where required or permitted by law. Such disclosure is only permitted by PIPEDA in accordance with the exception in s. 7, which in this case would require the requesting police to have “lawful authority” to request the disclosure. For reasons that I will set out in the next section, this request had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. I conclude that, if anything, the contractual provisions in this case support the existence of a reasonable expectation of privacy, since the Privacy Policy narrowly circumscribes Shaw’s right to disclose the personal information of subscribers.
[66] In my view, in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.
Here is the headnote summary of the decision:
Constitutional law — Charter of Rights — Search and seizure — Privacy — Police having information that IP address used to access or download child pornography — Police asking Internet service provider to voluntarily provide name and address of subscriber assigned to IP address — Police using information to obtain search warrant for accused’s residence — Whether police conducted unconstitutional search by obtaining subscriber information matching IP address — Whether evidence obtained as a result should be excluded — Whether fault element of making child pornography available requires proof of positive facilitation — Criminal Code, R.S.C. 1985, c. C‑46, ss. 163.1(3), 163.1(4), 487.014(1) — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 7(3)(c.1)(ii) — Charter of Rights and Freedoms, s. 8.The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store child pornography through an Internet file sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. The request was purportedly made pursuant to s. 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act (PIPEDA). This led them to the accused. He had downloaded child pornography into a folder that was accessible to other Internet users using the same file sharing program. He was charged and convicted at trial of possession of child pornography and acquitted on a charge of making it available. The Court of Appeal upheld the conviction, however set aside the acquittal on the making available charge and ordered a new trial.
Held: The appeal should be dismissed.
Whether there is a reasonable expectation of privacy in the totality of the circumstances is assessed by considering and weighing a large number of interrelated factors. The main dispute in this case turns on the subject matter of the search and whether the accused’s subjective expectation of privacy was reasonable. The two circumstances relevant to determining the reasonableness of his expectation of privacy in this case are the nature of the privacy interest at stake and the statutory and contractual framework governing the ISP’s disclosure of subscriber information.
When defining the subject matter of a search, courts have looked not only at the nature of the precise information sought, but also at the nature of the information that it reveals. In this case, the subject matter of the search was not simply a name and address of someone in a contractual relationship with the ISP. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage.
The nature of the privacy interest engaged by the state conduct turns on the privacy of the area or the thing being searched and the impact of the search on its target, not the legal or illegal nature of the items sought. In this case, the primary concern is with informational privacy. Informational privacy is often equated with secrecy or confidentiality, and also includes the related but wider notion of control over, access to and use of information. However, particularly important in the context of Internet usage is the understanding of privacy as anonymity. The identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. Subscriber information, by tending to link particular kinds of information to identifiable individuals may implicate privacy interests relating to an individual’s identity as the source, possessor or user of that information. Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure. In this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized in other circumstances as engaging significant privacy interests.
There is no doubt that the contractual and statutory framework may be relevant to, but not necessarily determinative of whether there is a reasonable expectation of privacy. In this case, the contractual and regulatory frameworks overlap and the relevant provisions provide little assistance in evaluating the reasonableness of the accused’s expectation of privacy. Section 7(3)(c.1)(ii) of PIPEDA cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. It would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent. The contractual provisions in this case support the existence of a reasonable expectation of privacy. The request by the police had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. In the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. Therefore, the request by the police that the ISP voluntarily disclose such information amounts to a search.
Whether the search in this case was lawful will be dependent on whether the search was authorized by law. Neither s. 487.014(1) of the Criminal Code, nor PIPEDA creates any police search and seizure powers. Section 487.014(1) is a declaratory provision that confirms the existing common law powers of police officers to make enquiries. PIPEDA is a statute whose purpose is to increase the protection of personal information. Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, the police do not gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information. The conduct of the search in this case therefore violated the Charter. Without the subscriber information obtained by the police, the warrant could not have been obtained. It follows that if that information is excluded from consideration as it must be because it was unconstitutionally obtained, there were not adequate grounds to sustain the issuance of the warrant and the search of the residence was therefore unlawful and violated the Charter.
The police, however, were acting by what they reasonably thought were lawful means to pursue an important law enforcement purpose. The nature of the police conduct in this case would not tend to bring the administration of justice into disrepute. While the impact of the Charter‑infringing conduct on the Charter protected interests of the accused weighs in favour of excluding the evidence, the offences here are serious. Society has a strong interest in the adjudication of the case and also in ensuring the justice system remains above reproach in its treatment of those charged with these serious offences. Balancing the three factors, the exclusion of the evidence rather than its admission would bring the administration of justice into disrepute. The admission of the evidence is therefore upheld.
There is no dispute that the accused in a prosecution under s. 163.1(3) of the Criminal Code must be proved to have had knowledge that the pornographic material was being made available. This does not require however, that the accused must knowingly, by some positive act, facilitate the availability of the material. The offence is complete once the accused knowingly makes pornography available to others. Given that wilful blindness was a live issue and that the trial judge’s error in holding that a positive act was required to meet the mens rea component of the making available offence resulted in his not considering the wilful blindness issue, the error could reasonably be thought to have had a bearing on the trial judge’s decision to acquit. The order for a new trial is affirmed.
For some background on "PIPEDA requests", check out the blog posts tagged with "PIPEDA requests".
No comments:
Post a Comment