Saturday, April 03, 2004

Privacy aspects of THE MATTER OF BMG Canada Inc. et al v. Jane Doe et al

The Canadian and US media have been abuzz with reports that "file sharing is legal in Canada!" (see Google News coverage). The actual decision doesn't, in my view, go that far (much of it seemed to turn on a deficient affidavit and the difficulty of connecting an IP address and a Kazaa screen name), but that's a bit ultra vires my blog. Here we deal with privacy. But fear not, there is some privacy-related analysis in the decision rendered by von Finckenstein J (2004 FCT 488).

Part of the argument advanced by the internet service providers was that they were prohibited from revealing personal information of their subscribers, absent a court order. The parties agreed in advance that the subscribers have an expectation of privacy regarding their identities, pursuant to their subscriber agreements and sections 3 and 5 of PIPEDA. They also agreed that this personal information can be released without the consent of individuals if the court so orders under section 7(3)(c) of PIPEDA.

[13] I read the Norwich and Glaxco Wellcome cases as establishing that the test for granting an equitable bill of discovery involves the following five criteria: ...

Criterion e: the public interests in favour of disclosure must outweigh the legitimate privacy concerns

[36] It is unquestionable but that the protection of privacy is of utmost importance to Canadian society. In the words of Lamer J. in R. v. Dyment, [1988] 2 S.C.R. 417 (S.C.C.): Grounded in man's physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection, but it also has profound significance for the public order.

[37] In respect of the internet specifically, Wilkins J. in Irwin Toy v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. S.C.J.) stated at paras. 10-11: Implicit in the passage of information through the internet by utilization of an alias or pseudonym is the mutual understanding that, to some degree, the identity of the source will be concealed. Some internet service providers inform the users of their services that they will safeguard their privacy and/or conceal their identity and, apparently, they even go so far as to have their privacy policies reviewed and audited for compliance. Generally speaking, it is understood that a person's internet protocol address will not be disclosed. Apparently, some internet service providers require their customers to agree that they will not transmit messages that are defamatory or libellous in exchange for the internet service to take reasonable measures to protect the privacy of the originator of the information. In keeping with the protocol or etiquette developed in the usage of the internet, some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value and is in keeping with what should be perceived as being good public policy. As far as I am aware, there is no duty or obligation upon the internet service provider to voluntarily disclose the identity of an internet protocol address, or to provide that information upon request.

[38] Parliament has also recognized the need to protect privacy by enacting PIPEDA, which has as one of its primary purposes the protection of an individual’s right to control the collection, use and disclosure of personal information by private organizations (section 3).

[39] However while the law protects an individual’s right to privacy, privacy cannot be used to protect a person from the application of either civil or criminal liability. Accordingly, there is no limitation in PIPEDA restricting the ability of the Court to order production of documents related to their identity. Section 7(3)(c) allows disclosure without consent if such disclosure is: c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records. (emphasis added).

[40] Thus, both PIPEDA as well as the test set out in Norwich/Glaxco, require the Court to balance privacy rights against the rights of other individuals and the public interest.

[41] This motion is not a novel proceeding. In the past, third parties have been compelled to disclose documents identifying the name and address of a defendant previously identified solely by an Internet Protocol address. In no case have privacy or other concerns weighing against disclosure outweighed the interest in obtaining documents and information necessary to identify the defendants. See: Irwin Toy v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. S.C.J.); Ontario First Nations Limited Partnership v. John Doe (3 June 2002) (Ont.S.C.J.); Canadian Blood Services/Société Canadienne du Sang v. John Doe (June 17, 2002) (Ont. S.C.J.); Wa’el Chehab v. John Doe (October 3, 2003) (Ont. S.C.J.); Kibale v. Canada, [1991] F.C.J. No. 634 (QL) (FC); Loblaw Companies Ltd. v. Aliant Telecom Inc. and Yahoo [2003] N.B.J. No.208 (N.B.Q.B.), online: QL (NBJ).

One thing that surprises me is that there is no obligation on the part of the ISPs to inform the "owners" of the IP addresses that their information is the subject of an application for an equitable bill of discovery, affording them the opportunity to retain counsel and -- anonymously - resiting the application. To do otherwise seems to put too much discretion in the hands of the ISPs. Afterall, they choose whether to resit the discovery request.

No comments: