Ontario court provides clear guidance on privacy and "tower dumps" in R v Rogers and Telus

It is becoming clear that internet companies and telcos are the guardians of personal privacy in this connected age. We surf the internet and walk through the streets in relative anonymity, but the telcos are able to make the connections and name you for the police. For that reason, we need clear rules so that this ability is only used where it is reasonable to do so, in accord with our Charter of Rights and Freedoms.

This morning, the Ontario Superior Court released its important decision in R. v. Rogers & Telus, 2016 ONSC 70 [PDF]. (Some previous discussion is here.)This is a very important decision, which finally provides police and prosecutors with clear guidance on when and how they can obtain telco customer information through "tower dumps". In a nutshell, tower dumps are the production of all the records of a cell phone tower at a particular time. Since your mobile phone is always communicating with at least one tower, tower dumps can tell the police who is in the vicinity of a particular location at a particular time. They are really troubling or problematic because the records overwhelmingly contain information about people who have nothing to do with the underlying investigation.

The production orders obtained by the Peel Regional Police at issue were breathtakingly broad. The police were investigating a string of robberies and went to at least Telus and Rogers, looking for the following information related to cellular towers operated by them:

• Names of all customers connected to the towers at the relevant times;
  
• Addresses of all those customers;
  
• Who all those customers were calling at the relevant times, including the names and addresses of those persons
  
• Who all those customers were texting at the relevant times, including the names and addresses of those persons
  
• Billing information, including credit card and bank information, of all those customers

Rogers asserted that complying with the order would result in the disclosure of information about 34,000 customers. Telus said their demand would involve 9,000 customers. Remember, there was probably only one suspect in all that data, so it would have given the police detailed information about approximately 43,000 people who had NOTHING TO DO WITH THE CRIME. Also note that a justice of the peace granted these orders.

Thankfully, Rogers and Telus pushed back and went to court to challenge the production orders. The police withdrew them, presumably having been caught with their hands in the proverbial cookie jar seeking a breathakingly broad order, and argued that the telcos' application was now moot and that Rogers and Telus didn't have standing to assert the privacy interests of their customers. The court disagreed and ordered a hearing, which leads us to this decision.

The court agreed with the police that tower dumps are a valuable investigative technique. A police detective described the two most common scenarios in which tower dumps are sought:

a. the police have reasonable grounds to believe that a series of crimes were committed by the same person in various locations. For example, a series of robberies with similar hallmarks. Cellular records can identify any subscribers who were in close proximity to more than one of the crime scenes.

b. the police are investigating a single incident, such as a robbery or murder, and have reasonable grounds to believe that the perpetrator used a cell phone at or near the crime scene. The names of persons accessing the cell tower(s) close to the crime scene can then be cross-referenced with other investigative leads. Other such leads might be a list of the owners of Ontario registered vehicles of the type observed leaving the crime scene or the name of a person whose DNA was found at the scene.

The court framed the issues under review as (a) whether there is a reasonable expectation of privacy in the records at issue, (b) do Rogers and Telus have standing to assert their customers' privacy interests, (c) were the production orders overly broad? Did they thus infringe s. 8 of the Charter and what's the appropriate declaration, and (d) what guidance to the police and justices of the peace are appropriate?

Do users have a reasonable expectation of privacy in the cell phone records (including banking information)?

With respect to "reasonable expectation of privacy", the Court said it's a matter of common sense:

[19] Common sense indicates that Canadians have a reasonable expectation of privacy in the records of their cellular telephone activity. Whether and when someone chooses to contact a divorce lawyer, a suicide prevention hot line, a business competitor or a rehabilitation clinic obviously implicates privacy concerns. The location of a person at a particular time also, raises privacy concerns. Was the person at the Blue Jays game instead of at work?

[20] Admittedly this type of information is in the vast majority of cases innocuous. It remains that in a number of cases it will be quite sensitive. It is also not tenable to reason that since only the police will be in possession of this information any sensitive information will never see the light of day. One needs only read a daily newspaper to be aware of the fact that governments and large corporations, presumably with state of the art computer systems, are frequently "hacked" resulting in confidential information being stolen and sometimes posted on-line.

[21] I appreciate that cell phone data is not right up there with Wikileaks and Ashley Madison in terms of information likely to be hacked and published. It remains that it is information Canadians certainly regard as private. The law supports this conclusion.

...

[23] The Criminal Code, s. 492.2, requires judicial authorization, on a "reasonable grounds to suspect" standard, to install transmission data recorders, which can capture the telephone numbers of persons sending and receiving communications. This supports the conclusion that there is a reasonable expectation of privacy in this information.

...

[31] In my opinion the statutes and caselaw align with common sense. Canadians have a reasonable expectation of privacy in their cell phone records.

Do Telus and Rogers have standing to assert their customers' privacy interests

Perhaps not surprisingly, the crown argued that Telus and Rogers have no standing to argue in favour of their customers. And given that the production order likely contained a gag order, the natural result of that would be that nobody can argue for the 43,000 people whose information was implicated. The Court disagreed and notably came to the conclusion that they may have a contractual obligation to stand up for their customers:

[37] The choice is stark. There is an issue concerning the privacy rights of hundreds of thousands of Canadians. If Rogers and Telus are correct, this legal issue can and will be addressed with opposing points of view put forward by counsel. A decision on point can provide guidance to the police and issuing justices. If the Respondent is correct, this legal issue will never be addressed and some justices of the peace will continue to grant similar production orders which, as I will later explain, are overly broad and unconstitutional.

[38] To my mind the choice is clear. Rogers and Telus have standing to assert the privacy interests of their subscribers and are contractually obligated to do so.

Breadth of the production orders

The Court had little trouble concluding that the production orders, described above, were too broad and thus violated s. 8 of the Charter:

[41] The "minimal intrusion" principle embodied in s. 8 was described by Mr. Chan in Morelli and Beyond: Thinking about Constitutional Standards for Computer Searches, the Criminal Lawyers Association Newsletter, vol. 33, No. 2, as follows:

The animating policy is that the state must always be alive to the privacy interests of the individual and must always infringe such interests as little as possible.

[42] The issuing justice did not have the benefit of the evidence before me and the legal submissions of counsel. With that benefit, I have no hesitation in finding that the Production Orders were overly broad and that they infringed s. 8 of the Charter. The disclosure of personal information the Production Orders required went far beyond what was reasonably necessary to gather evidence concerning the commission of the crimes under investigation. For example, the Production Orders:

a) required production of information relating not only to the cell phone subscriber proximate to the crime scene but also the personal information and location of the other party to the call who may have been hundreds or thousands of miles removed from the crime scene;

b) required production of bank and credit card information which, if it had any relevance at all in locating an individual, could have been sought in a follow-up application for a small number of actual suspects (i.e.) a person whose cell phone was proximate to multiple crime locations; and

c) required production of personal information pertaining to over 40,000 subscribers when all the police were really interested in was information, which could have been provided in a report, listing the few individuals, if any, utilizing a cell phone proximate to more than one robbery location.

[43] I, therefore, make the requested declaration that the Production Orders authorized unreasonable searches and so breached the s. 8 Charter rights of the Rogers and Telus subscribers. As the Production Orders have been revoked nothing would be gained by addressing the further issue of whether the Production Orders also violated the rights of Rogers and Telus.

Interestingly (and shockingly, in my view), the Crown argued that the cure for an overly broad order is for the police and the telco to negotiate it down. The Court had little regard for this and I agree. Telcos like Rogers and Telus should only be asked to respond to legal (meaning constitutionally valid) production orders. And having advised clients regarding broad production orders myself, the police will never give you information that substantiates the breadth of the request.

Guidance for police and justices of the peace

The heart of the decision and the portion that will hopefully have a far-reaching and lasting impact, are the guidelines produced by the Court to be followed by the police and justices of the peace. In my view, it hits just the right balance between the clear public interest in having the police investigate crimes with the appropriate tools while respecting the privacy of those whose information is implicated.

Guidelines for police

[65] The police should include in the information to obtain a production order:

a) One — a statement or explanation that demonstrates that the officer seeking the production order is aware of the principles of incrementalism and minimal intrusion and has tailored the requested order with that in mind. — An awareness of the Charter requirements is obviously essential to ensure that production orders are focused and Charter compliant.

b) Two — an explanation as to why all of the named locations or cell towers, and all of the requested dates and time parameters, are relevant to the investigation. — This obviously flows from what is now the s. 487.014(2)(b) Criminal Code requirement that there be reasonable grounds to believe that the documents or data requested will afford evidence respecting the commission of the offence.

c) Three — an explanation as to why all of the types of records sought are relevant. - For example, the Production Orders sought bank and credit card information, and information as to name and location of the party to the telephone call or text communication who was not proximate to the robbery location. This information was clearly irrelevant to the police investigation.

d) Four — any other details or parameters which might permit the target of the production order to conduct a narrower search and produce fewer records. — For example, if the evidence indicates that a robber made a series of calls lasting less than one minute this detail might permit the target of the order to narrow the search and reduce the number of records to be produced. If the evidence indicates that the robber only made telephone calls then there may be no grounds to request records of text messages. (Although the use of voice recognition software may make it difficult to distinguish between a person making a telephone call and a person dictating a text message.)

e) Five — a request for a report based on specified data instead of a request for the underlying data itself. — For example, in this case a report on which telephone numbers utilized towers proximate to multiple robbery locations would contain identifying information concerning only a small number of robbery suspects and not the personal information of more than 40,000 subscribers which the Production Orders sought. This would avoid the concern expressed by Mr. Hutchison that 99.9% of vast amounts of tower dump personal information relates to individuals who are not actually suspects.

f) Six — If there is a request for the underlying data there should be a justification for that request. — In other words, there should be an explanation why the underlying data is required and why a report based on that data will not suffice.

g) Seven — confirmation that the types and amounts of data that are requested can be meaningfully reviewed. — If the previous guidelines have been followed the production order should be focused which will minimize the possibility of an order to produce unmanageable amounts of data. This confirmation does, however, provide an additional assurance of Charter compliance.

Guidelines for Issuing Justices

[66] The guidelines for issuing justices flow from the guidelines for police. Issuing justices should generally insist upon the police providing the information, confirmations and explanations outlined in the Guidelines for Police. Doing so will focus the scope of the production order and ensure that production orders conform to both the requirements of the Criminal Code and the dictates of the Charter.

I think this is ultimately a very important decision that pulls tower dump production orders out of the shadows, shines the light on abusive and overly-broad orders and has led to very sensible, balanced rules to be followed by the police and justices of the peace.

Ontario court case suggests that PGP and Blackberry security have been cracked

A recent case from the Ontario courts suggests -- quite strongly -- that PGP (Pretty Good Privacy) and Blackberry security have been cracked by the Royal Canadian Mounted Police.

We rarely get much insight about police techniques from reported cases, but this seems to be a doozy in R v Tsekouras, 2015 ONSC 1470:

[10] The police were presented with a Blackberry cell-phone ….44505 that had been seized from the accused. Their objective was to read the information embedded in that cellphone. The BlackBerry has a reputation for being a very secure means of communication. There were three levels of security. Entry was protected by a password, the device was protected by encryption generally and e-mails processed by this particular device were protected by PGP, a form of e-mail encryption provided as an “add-on” by a third party after-market supplier. This encryption was previously thought to be undefeatable. The RCMP technological laboratory destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected. These materials are collected in Exhibit 8.

Of course, it could have been defeated by really bad OpSec, but who knows?

Nova Scotia's cyberbullying law declared to be unconstitutional and a "colossal failure"

Full disclosure: I was counsel to the applicant respondent in this case. (The party seeking to have the order set aside and to have the statute found to be unconstitutional.)

The Nova Scotia Supreme Court has just released its decision in Crouch v Snell, 2015 NSCC 340 (PDF).

In the decision, the Supreme Court of Nova Scotia has declared the province’s cyberbullying law to be unconstitutional, from start to finish. The law has been found to violate the Canadian Charter of Rights and Freedoms' guarantees of freedom of expression and “life, liberty and security of the person” rights, in a manner that cannot be upheld as a reasonable limit on those rights that can be justified in a free and democratic society. In short, the law is a dramatic failure.

The case related to two adults, former business partners, who had a falling out. Mr. Crouch sought and obtained an ex parte cybersafety protection order before a justice of the peace in December 2014. The respondent (I was his counsel) challenged the order and the legislation.

I have not been known as a fan of the Cyber-safety Act. I've blogged about it, written Op-Eds about it and I've called it a dumpster fire. It was passed unanimously by the Nova Scotia legislature in the immediate aftermath of the tragic death of Rehtaeh Parsons. In my view, it was created in haste in the immediate, emotional aftermath of the tragic death of a young woman who had been sexually assaulted and had photos of the assault circulated around the community. The government of the day -- which was heading for an election -- was not willing to throw the police and the prosecution service under the bus for no charges being laid, so instead created the appearance of doing something by creating and passing a very poorly executed law. In the process, they trampled on the Charter rights of all Nova Scotians and created a distraction from the important discussion about sexual assault and consent.

Among other things, the Act allows an alleged victim of cyberbullying to appear before a justice of the peace to obtain a cybersafety protection order. These orders can go so far as to result in the confiscation of electronic devices and being barred from using the internet. An alleged cyberbully never has any notice of this hearing and has no right to give his side before the order is made. In this case, the order of the justice of the peace even ordered the respondent to delete all of his social media postings that didn’t refer to anyone in particular, as they may have referred to the complainant.

The case mainly focused on two aspects: the definition of "cyberbullying" at the heart of the Act and the scheme that permits applications and orders without notice to the other side. The Court found the Act violates freedom of expression rights and cannot be saved. The definition is overbroad and encompasses a range of expression that is constitutionally protected:

[115] The Act restricts "any electronic communication through the use of technology ... that is intended or ought reasonably be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way". It is not difficult to come up with examples of expressive activity that falls within this definition, and at the same time promotes one of the core freedom of expression values. Moir J. did just that in Self, supra at para. 25:

A neighbour who calls to warn that smoke is coming from your upstairs windows causes fear. A lawyer who sends a demand letter by fax or e-mail causes intimidation. I expect Bob Dylan caused humiliation to P.F. Sloan when he released "Positively 4th Street", just as a local on-line newspaper causes humiliation when it reports that someone has been charged with a vile offence. Each is a cyberbully, according to the literal meaning of the definitions, no matter the good intentions of the neighbour, the just demand of the lawyer, or the truthfulness of Mr. Dylan or the newspaper.

[116] In conclusion, I find that the Act has both the purpose and effect of controlling or restricting freedom of expression.

Once any limitation on a Charter protected right is found, it can only be justified if (i) it is prescribed by law, (ii) it relates to a pressing and substantial objective, (iii) the impugned provision must be rationally connected to the objective, (iv) it must impair the Charter right "minimally" and (v) the effects must be proportional. In this case, remarkably, the Court found that it is not even "prescribed by law" as it is not sufficient intelligible:

[137] In this regard, I find that the Act provides no intelligible standard according to which Justices of the Peace and the judiciary must do their work. It does not provide sufficiently clear standards to avoid arbitrary and discriminatory applications. The Legislature has given a plenary discretion to do whatever seems best in a wide set of circumstances. There is no "limit prescribed by law" and the impugned provisions of the Act cannot be justified under s. 1. In the event I am wrong, I will perform the balance of the Oakes analysis.

The Court also found that the ex parte procedure is not rationally connected to the mischief to be addressed:

[156] ... Section 5(1) must be read as requiring protection order applications to be made without notice to the respondent. I also agree with the Respondent's submission that even if s. 5(1) did give applicants a choice in the matter, it would be a rare case indeed where an applicant would choose to give notice.

[157] Finally, with respect to the Attorney General's reliance on the various procedural safeguards set out in the Act, the reality is that while the respondent waits for the opportunity to be heard at a de novo hearing, his or her Charter-protected rights and freedoms will continue to be infringed upon. This will be on the basis of a proceeding that most likely occurred without notice to the respondent, and without the respondent having had an opportunity to be heard.

[158] I find the process set out in s. 5(1) of the Act is not rationally connected to the legislative objectives. The process does not specifically address a targeted mischief.

On "minimal impairment", the Court called the Act a "colossal failure":

[165] I need to consider all of the types of expression that may be caught in the net of the Cyber-safety Act, and determine whether the Act unnecessarily catches
material that has little or nothing to do with the prevention of cyberbullying: R. v. Sharpe, 2001 SCC 2, [2001] S.C.J. No. 3 at para. 95. In this regard, the Cyber-safety Act, and the definition of cyberbullying in particular, is a colossal failure. The Attorney General submits that the Act does not pertain to private communication between individuals, but rather, deals with "cyber messages or public communications". With respect, I find that the Act restricts both public and private communications. Furthermore, the Act provides no defences, and proof of harm is not required. These factors all culminate in a legislative scheme that infringes on s. 2(b) of the Charter much more than is necessary to meet the legislative objectives. The procedural safeguards, such as automatic review by this Court and the respondent's right to request a hearing, do nothing to address the fact that the definition of cyberbullying is far too broad, even if a requirement for malice was read in. Moir J.'s comments in Self supra at para. 25, are instructive:

The next thing to note is the absence of conditions or qualifications ordinarily part of the meaning of bullying. Truth does not appear to matter. Motive does not appear to matter. Repetition or continuation might ("repeated or with continuing effect") or might not ("typically") matter.

[166] In conclusion, the Cyber-safety Act fails the "minimum impairment" branch of the Oakes test.
Emphasis added

The Court also found that the Act fails on the final proportionality test:

[174] The Attorney General submits that the Act strikes an appropriate balance because it only restricts expression that is malicious, and therefore low-value. The
Respondent says this Court must instead balance an individual's right to express any sort of speech captured in the definition of "cyberbullying" against the objectives of the Act. The Respondent says the Act prevents an individual from telling the truth if it hurts another person's feelings or harms their self-esteem, and it does not provide any defences. The Act does not accommodate expression that relates to individual self-fulfillment, truth-finding or political discourse. The Respondent submits that the Act can therefore "limit speech that cuts to the core of Charter values". The Respondent distinguishes Lucas on the basis that the libel provisions in the Criminal Code were upheld because they prohibit only falsehoods that are known by the defendant to be false.

[175] It is clear that many types of expression that go to the core of freedom of expression values might be caught in the definition of cyberbullying. These deleterious effects have not been outweighed by the presumed salutary effects.

In the end, the Court found that the Cyber-safety Act offends sections 2(b) and 7 of the Charter and cannot be justified.

Interestingly, the Attorney General asked that if the Act were declared to be unconstitutional, the Court should suspend the declaration of invalidity so that the legislature could go back to the drawing board. In court, we agreed that it could be suspended with respect to anyone but my client. The Court declared the entire Act to be unconstitutional but refused to suspend the order:

[220] Both parties confined their submissions to the definition of cyberbullying and Part I of the Act. I have identified a number of problems with both components. The remaining parts of the Act cannot survive on their own. They are inextricably connected to the offending provisions, in particular the definition of cyberbullying. Severance would not be appropriate. The Act being over-inclusive rather than underinclusive, reading in also would not be an appropriate remedy. I have already explained why reading in a requirement for malice is not, in my view, appropriate or sufficient. The Act must be struck down in its entirety. The Attorney General has not persuaded me that a temporary suspension is warranted. To temporarily suspend the declaration of validity would be to condone further infringements of Charter protected rights and freedoms. Further, the fact that the Act was enacted to fill a "gap" in the legislation does not mean that victims of cyberbullying will be completely without redress in the time it takes to enact new cyberbullying legislation. They will have the usual albeit imperfect civil and criminal avenues available to them.
Emphasis added

So far, the government of Nova Scotia has not commented on the case and it remains to be seen whether they will appeal the case or go back to the drawing board, or both.

If they do go back to the drawing board, I really hope they will do it with very careful deliberation and full consultation with experts. But if nothing else, they have a good example of how not to do it.

Privacy Commissioner tables annual report on privacy in the federal government

The Privacy Commissioner of Canada has just tabled his Annual Report on the Privacy Act to Parliament for 2014-2015. The Privacy Act regulates how the federal government and its agencies can collect, use and disclose personal information. The full report is here: Annual Report to Parliament 2014-15 - Protecting personal information and public trust - Report on the Privacy Act.

The highlight of the Annual Report is an audit across government departments regarding the use of portable storage devices. Some might find it ironic, since the Office of the Privacy Commissioner recently lost a portable storage device containing personal information of its employees.

Here's the media release prepared by the Commissioner:

Federal government needs to do more to guard against breaches and privacy violations: Privacy Commissioner

2014-2015 Privacy Act Annual Report to Parliament highlights results of an audit of the government’s management of portable storage devices and reported data breaches

GATINEAU, QC, December 10, 2015 – The Privacy Commissioner of Canada is urging federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.

This call comes as the Commissioner’s 2014-15 Annual Report on the Privacy Act was tabled today in Parliament, highlighting a record-high number of federal government data breaches reported to his Office and the results of an audit of the government’s management of portable storage devices.

“Many institutions have made some strides to better protect personal information,” says Commissioner Daniel Therrien. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”

Federal institutions reported 256 data breaches in 2014-2015, up from 228 breaches reported the year before—which itself was double the number reported a year earlier. As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures.

Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.

“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”

The annual report includes details of a recently completed audit which found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.

The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.

Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable. But it is those attributes that also create significant privacy and security risks.

“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” says Commissioner Therrien.

The audit was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.

The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:

• More than two-thirds (70%) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
  
• More than 90% did not track all portable storage devices throughout their lifecycle.
  
• More than 85% did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
  
• One-quarter did not enforce the use of encrypted USB storage devices.
  
• Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned device) on their networks, and more than half (55%) had not assessed the risk to personal information resulting from the absence of such controls.

There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.

The audited institutions have accepted all recommendations made in the audit.

“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” says Commissioner Therrien. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong

The CBC and the Canadian Press are reporting on comments made by RCMP Commissioner Bob Paulson calling for warrantless access to internet service provider customer information. (Bob Paulson, RCMP boss, wants warrantless access to online subscriber info - Politics - CBC News)

Yes, this is a revival of the lawful access debates that have taken place intermittently over the past decade or so.

Lets take a close look at what he said and why he's wrong.

Police need warrantless access to Internet subscriber information to keep pace with child predators and other online criminals, says RCMP Commissioner Bob Paulson.

The top Mountie said Wednesday that a Supreme Court of Canada ruling curtailing the flow of basic data about customers — such as name and address — has "put a chill on our ability to initiate investigations."

I don't disagree with that. But having to get a warrant to search someone's house also puts a chill on investigations.

"I'm all for warrantless access to subscriber info," Paulson told a security conference in Ottawa, comparing the process to his beat-cop days of entering licence-plate data into a computer and coming up with a vehicle owner's name.

"If I had to get a judge on the phone every time I wanted to run a licence plate when I was doing my policing, there wouldn't have been much policing getting done."

Whoa! This is an absurd characterization. Commissioner Paulson is either ignorant or disingenuous. The courts have held that you don't have an expectation of privacy -- vis-a-vis the police -- in your license plate information and your car registration information that it is connected to. The Supreme Court of Canada, in R v. Spencer (the case that Paulson clearly doesn't like or agree with), said very clearly that you have an expectation of privacy in your online customer data. In fact, the Court said at paragraph 50 of that decision:

"I conclude therefore that the police request to Shaw for subscriber information corresponding to specifically observed, anonymous Internet activity engages a high level of informational privacy."

And as Paulson should know, where there is an expectation of privacy, the police must get a warrant. It's that simple.

Mounting public concern

In June last year, the Supreme Court of Canada ruled police must have a judge's authorization to obtain customer data linked to online activities.

The high court rejected the notion the federal privacy law governing companies allowed them to hand over subscriber identities voluntarily.

The Supreme Court of Canada was not at all ambiguous about it. You and I have a reasonable expectation of privacy (which includes anonymity). In the absence of a production order from the Court or exigent circumstances, they police can't have it. (For a summary of the case, you may want to read this blog post.)

The Charter is the supreme law of Canada and the Supreme Court gets to have the final word. No amount of wishful thinking by the police will change that. Since their job is to uphold and enforce Canada's laws, they should start with that.

Police say telecommunications companies and other service providers — such as banks and rental companies — now demand court approval for nearly all types of requests from authorities for basic identifying information.

The Supreme Court judgment came amid mounting public concern about authorities quietly gaining access to customer data with little oversight or independent scrutiny.

Paulson said after his speech that he advocates giving police ready access to basic subscriber information while respecting the Charter of Rights and Freedoms.

'We've been consistent'

"I think we've been consistent in recognizing that we are very respectful of the charter and people's charter rights and nobody is recommending that we go any further," he said. "But there needs to be some sort of administrative access to basic subscriber information."

No, they really haven't. Not at all. The Charter requires a warrant. Paulson wants a way around that fundamental legal fact that is rooted in the supreme law of our country.

The Canadian Association of Chiefs of Police revealed in August that government officials were mulling just such a scheme — though it's not clear exactly how it would square with the court ruling.

The chiefs said a discussion paper spearheaded by the Department of Justice was presented to the federal, provincial and territorial cybercrime working group of senior officials.

The paper outlined three legislative options for allowing access to basic subscriber information:

• An administrative scheme that would not involve court approval.
  
• A new judicial order process or a tweak to the existing regime.
  
• A judicial order process for subscriber information with a greater expectation of privacy and an administrative, non-judicial one for less sensitive subscriber data.

Paulson said while the Internet is a marvellous boon to communication, education and commerce, it is also a place where a vast array of crime takes place, including rampant sexual abuse of youngsters.

Time for a public conversation

Children are "being hurt at a pace and a frequency that is alarming," the commissioner said.

"Technology is fuelling that. So now these people can encrypt their communications and they can exploit children for sexual purposes and it's a little harder to get at them from a police point of view."

Many people want the Internet to be completely free, without rules, Paulson noted. "That's fine if we don't want justice there."

The as expected "think of the children!" appeal. I'm surprised that he didn't mention the terrorists. It is worth noting that the RCMP Commissioner and the Canadian Association of Chiefs of Police advocated for Bill C-30, which would have provided for warrantless access to customer data even for a parking ticket or even no crime had been committed.

Also, nice straw man there, Paulson. Please show me the people who are contributing to the debate who call for the Internet to be "completely free, without rules." You won't find them. Your opponents in this debate do not question that police need appropriate powers to investigate online crime.

It's time for a public conversation about how best to prevent all kinds of exploitation in cyberspace, he said.

Allies in the United States, Britain, Australia and New Zealand are confronting the same issues, Paulson added.

"We're all struggling with this. It's hard to keep people safe on the internet right now.

The RCMP and the lobbying agency for Canadian police are obviously trying to revive a debate that has been definitively settled. If they want to try to make the judicial authorization process more efficient or to tweak the thresholds for getting customer information in the event of serious crime, I can help them with that. But when the police state things that are simply wrong about a subject matter they really should know very well, I'm going to call them on it.

Presentation: Use of drones in journalism & media

I had the great pleasure of speaking at the annual conference of the Canadian Media Lawyers Association's annual meeting in Toronto on the topic of legal issues related to the use of drones by the media and in journalism in Canada.

For anyone who may be interested, here's the presentation:

Let's all avoid technopanic in the call for additional privacy regulation for drones

Full disclosure: I'm not a bystander to this discussion. I'm an avid drone user, having purchased a training drone and then DJI Phantom 3 Advanced in May of this year. I've been capturing, editing and proudly showing relatively unique perspectives of the beautiful province in which I live. Feel free to check my videos out: https://www.youtube.com/playlist?list=PLFgopbjgzsAGlZhNB_mRf3VCgXAUPoZgO.

---

Over the past few months, Transport Canada has been engaged in a consultation process to look at how to safely integrate unmanned aerial vehicles into Canadian airspace. This involved a call for comments regarding draft regulations or proposed regulatory approaches. Sensibly, Transport Canada was focused on their mandate under the Canadian Aviation Regulations, which is to enhance safety and competition in Canadian airspace.

The Office of the Privacy Commissioner of Canada submitted a response dated August 27, 2015. (Notably, this was posted on the OPC's website in October, well after the opportunity to respond.) There has been some reporting on this (Protect schools, homes from drones' prying eyes, privacy czar says | Toronto Star), but not much.

If you think there's some vacuum regarding privacy and the use of drones, think again. Federal agencies are subject to the Privacy Act and the Charter. Provincial agencies are subject to relevant Freedom of Information and Protection of Privacy Acts and the Charter. Private companies are regulated under the Personal Information Protection and Electronic Documents Act or the Alberta, Quebec and British Columbia equivalents. All of them -- and private citizens -- are subject to the Criminal Code for voyeurism and the torts of "invasion of privacy". There really is no gap. And in most of them, we consider whether there is a reasonable expectation of privacy in the totality of the circumstances.

With respect, I think at least part of the position articulated in their submission is wrongheaded and is an example of technopanic. The Commissioner's office calls for the creation of a completely new concept of "sensitive and protected areas". These are areas that " while perhaps public, carry with them some expectation of privacy when people use them". Here's the relevant sections of the submission:

Sensitive and protected areas

From a safety perspective, operation of UAVs in crowded areas, around aerodromes, airports and heliports has already been restricted, both in Canada and many other countries. Other jurisdictions, including many in the US, have placed outright bans on usage of UAVs in certain sensitive areas where people might congregate or other aircraft might be operating – certainly until such time as sense and avoid systems are better developed and more widely deployed.

We would encourage CARAC members to give thought to exploring a similar line of reasoning with regard to privacy concerns. Residential areas, schoolyards and shelters, hospitals and prisons, places of worship and memorial sites – all come to mind as spaces which, while perhaps public, carry with them some expectation of privacy when people use them.

As with identification methods noted above, we do not here have an exhaustive list of locations in mind, nor would we recommend an outright prohibition on usage in these areas, but would ask CARAC to consider developing a best practices approach to flag certain spaces like those mentioned as privacy sensitive (places where individuals’ sense of potential intrusion is generally heightened). Just as we would anticipate organizations concerned about their own security would be alarmed by sudden increases in the use of UAVs around their property, we would expect citizens could be similarly concerned if certain spaces were encroached upon.

For a recent specific example of regulation in this context, please see guidance issued this summer by Argentina’s Data Protection Authority, and where investigative use is contemplated, you might refer to our own Office’s Guidelines on the Use of Video surveillance by Public Authorities.

One of the great characteristics of Canadian law is that it is technologically neutral. We generally focus on the mischief, rather than the instrumentality. Fraud is fraud, regardless of whether it is done with a quill, a pen, a phone or a fax machine. While we may get excited about new technologies, we don't legislate about them specifically unless there really is a need to do so or a clear gap in the law.

With "sensitive and protected areas", we are still talking about public spaces. Is there any difference between taking a photo in a residential area with a DSLR or with a drone? I have a 300mm lens for my Nikon D90 and any law that said I couldn't use it to take photos in the park down the street would be unconstitutional. My drone has a 20mm wide angle. A military predator drone can do much better than anyone's civilian digital camera. If there is a problem with people taking photos in parks or residential areas, make a law that deals with photos in residential areas or parks. And any law would have to apply to me in the same what that it applies to a TV news crew. (And then see whether it survives a Charter challenge.) It should not matter what technology you use to do that. If the problem is the effect, focus on the effect. Not on the shiny new technology that you think may be creepy.

Everyone who uses these devices needs to follow all relevant laws, which include privacy laws. And that covers it.

---

If you want more about this, I just gave a presentation at the Unmanned Systems Canada 2015 conference on privacy law and drones and will be speaking at the Canadian Media Lawyers Association - Ad Idem conference on privacy and drones.

Presentation: Privacy and drones in Canada - the current state of the law

I had the pleasure of presenting at the Unmanned Systems 2015 conference this week, on the topic of privacy and drones (or unmanned aerial vehicles or unmanned aerial systems). I mostly spoke about what privacy laws apply to the different aerial activities in Canada, with a bit of discussion about what might be over the horizon.

For anyone who may be interested, here's the presentation I gave:

Supreme Court to hear important case about legal privilege and access to information/privacy laws

This morning, the Supreme Court granted leave to appeal the Alberta Court of Appeal decision in University of Calgary v JR, 2015 ABCA 118.

In a nutshell, this will be a revisiting of Blood Tribe, but in the context of the provincial access to information laws that govern public bodies and government agencies.

Here’s the summary of the issue in appeal from the SCC website:

36460
Information and Privacy Commissioner of Alberta v. Board of Governors of the University of Calgary

(Alberta) (Civil) (By Leave)

Keywords Privacy - Access to information.

Summary

Case summaries are prepared by the Office of the Registrar of the Supreme Court of Canada (Law Branch) for information purposes only.

Privacy — Access to information — What words must a statute employ to empower a tribunal to review records to determine whether a claim of privilege is valid?

In the course of a wrongful dismissal suit by an individual against the respondent University, the University asserted solicitor-client privilege over certain material. The individual made an access to information request under s. 7 of the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25, seeking certain records about her in the University’s possession. The University provided some disclosure, but claimed solicitor-client privilege over some of the requested material. The Commissioner’s delegate eventually directed the University to the Commissioner’s “Solicitor-Client Privilege Adjudication Protocol”. When the University did not comply, the delegate issued a “notice to produce records” under s. 56(3) of the Act. It reads, in part, “[t]he Commissioner may require any record to be produced to the Commissioner and may examine any information in a record… [d]espite any other enactment or any privilege of the law of evidence”. The delegate indicated in an accompanying letter that the purpose of the notice was to enable him to determine whether solicitor-client privilege had been properly asserted because the University had not provided sufficient evidence to allow him to make that determination. The University sought judicial review of the delegate’s decision to issue the notice to produce. The Law Society of Alberta was granted intervener status at the Court of Queen’s Bench and the Court of Appeal. The application for judicial review was dismissed, and the subsequent appeal was allowed.

In the same batch of leave applications, the Court dismissed leave to appeal from the Ontario decision of Hopkins v. Kay, 2015 ONCA 112. In that Case, the Ontario Court of Appeal declined to throw out a class action brought against a health authority which had argued that the provinces Personal Health Information Protection Act was a complete code which ousts claims for intrusion upon seclusion.

EU Court of Justice invalidates "Safe Harbour" framework for EU-US personal data transfers

The European Court of Justice has just declared that the European-American Safe Harbour framework to be invalid. The Safe Harbour Framework was a compromise solution to address the prohibition against transfers of European personal information to any jurisdiction without "adequate" privacy protections. The American government and the European Union arrived at a voluntary, opt-in framework by which US companies could submit to a form of regulation that would be considered adequate for European standards. Following a complaint by an Austrian Facebook user, the court essentially determined that -- in light of the Snowden revelations -- that personal data in the US is not afforded adequate protection.

The decision is here: Maximillian Schrems v Data Protection Commissioner.

Here's the Court's press release 117/15:

Court of Justice of the European Union

PRESS RELEASE No 117/15 Luxembourg, 6 October 2015

Press and Information

Judgment in Case C-362/14

Maximillian Schrems v Data Protection Commissioner

The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity

The Data Protection Directive1 provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the Commission considered that, under the ‘safe harbour’ scheme,3 the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications,4 according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic
communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

---

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery. Press contact: Christopher Fretwell  (+352) 4303 3355 Pictures of the delivery of the judgment are available from "Europe by Satellite"  (+32) 2 2964106