Wednesday, July 16, 2025

Bill C-2 "Strong Borders Act" - New demands and orders for customer information (Part 14)

On June 3, the new Canadian government tabled Bill C-2 in Parliament, called “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures” but with a short title of “Strong Borders Act”. 

As the name implies, it’s mostly about border measures, customs stuff, fentanyl and immigration. But once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. The Bill contains a number of search, seizure and surveillance measures that have nothing to do with the border or fentanyl. In the past, governments have tried to introduce similar measures under the guise of fighting terrorism, child abusers and cyberbullies. Now it’s apparently border security.


I’m really getting tired of these sorts of bills and for a brief moment, I was hopeful that this new government would take a different route. Apparently not. I am completely confident that the lawful access provisions of this bill have been sitting in a drawer at the Department of Public Safety, desperately waiting for an opportunity to put them in a slightly relevant bill. Sigh.


For now, I’m going to focus on Part 14 of Bill C-2 which amends the Criminal Code in a bunch of ways. Part 15 creates a whole new law called the “Supporting Authorized Access to Information Act”, which I’ll have to cover in another episode. 


Part 14 creates a new police order or “information demand”, without judicial oversight or control, to require service providers to hand over basic information about customers.  It dramatically truncates the response time for production orders and unrealistically gives service providers only five days to challenge a production order. It amends the law to clarify that cops can just ask for information and service providers can just hand it over. It may also permit the cops to use illegally hacked and leaked data in their investigations. 


It creates a new production order for subscriber information that police can get with only “reasonable grounds to suspect” an offence has taken place, not the usual “reasonable grounds to believe” an offence has taken place. And it’s broader than most general production orders I’ve seen for “basic subscriber information”.


The Bill creates a puzzling new warrant that allows a judge to authorize a peace officer or public officer to obtain tracking data or transmission data that relates to any thing that is similar to a thing in relation to which data is authorized to be obtained under the warrant and that is unknown at the time the warrant is issued. So if the cops get a warrant to track a certain thing, and then discover it's related to another thing that can also track the person, they can get data from the second thing. Hmm.


Finally, Part 14 includes a weird judicial authorization to make a request for data from a foreign entity.


The new “information demands”. 


This new section 487.0121 of the Criminal Code authorizes a “peace officer or public officer”, without judicial authorization, to make a demand of any person who “provides service to the public” requiring them to provide any of the following information.


Information demand


487.0121 (1) A peace officer or public officer may make a demand in Form 5.0011 to a person who provides services to the public requiring the person to provide, in the form, manner and time specified in the demand, the following information:

(a) whether the person provides or has provided services to any subscriber or client, or to any account or identifier, specified in the form;

(b) if the person provides or has provided services to that subscriber, client, account or identifier,

(i) whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,

(ii) in the case of services provided in Canada, the province and municipality in which they are or were provided, and

(iii) in the case of services provided outside Canada, the country and municipality in which they are or were provided;

(c) if the person provides services to that subscriber, client, account or identifier, the date on which the person began providing the services;

(d) if the person provided services to that subscriber, client, account or identifier but no longer does so, the period during which the person provided the services;

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

(f) if the person is unable to provide any information referred to in paragraphs (a) to (e), a statement to that effect.


Paragraphs (a) and (b) are clearly intended to deal with the situation where the police have a phone number, and want to go to Rogers or Bell and ask “is this number serviced by you?” And if so, where the service is provided and whether they have customer records. That gives them enough information to refer the case to the local police where the customer is. Regularly, the RCMP in Ottawa receive information from a foreign police agency that’s just associated with an IP address. They may know it’s a Rogers IP address, but they don’t know where the potential suspect is. Now Rogers will have to tell them, without a warrant or court order, “yes, that’s our customer and they live in Montreal.” No directly identifying information is supposed to be shared.


I don’t have a big problem with this. I am concerned about paragraph (e), however. 


(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and


So if the service provider knows that the customer in question gets services from anyone else, that also has to be disclosed. So if the Eastlink customer has a Hotmail address on file, I think they have to disclose that the person is also a Microsoft customer. What could be more problematic is a company that supports OAuth logins (like using your Microsoft account to log into other services): this may require disclosing where those logins take place.


The threshold for making such a demand is that they have “reasonable grounds to suspect” (a very low threshold) that (a) an offence has been or will be committed under any Act of Parliament and (b) the information demanded will assist with the investigation of the offence. The peace officer or public officer can impose a non-disclosure order. 


The person receiving the order has only 5 days to seek to have the demand varied or revoked, and has to give notice to the peace officer or public officer of its intent to have the demand varied or revoked. Five days is not much, in my view. The threshold for varying or revoking a demand is if “(a) it is unreasonable in the circumstances to require the applicant to provide the information; or (b) provision of the information would disclose information that is privileged or otherwise protected from disclosure by law.” Demands like these seem unlikely to disclose privileged information.


The next significant thing in Part 14 of Bill C-2 is a “production order for subscriber information”. Unlike in previous “lawful access” attempts, this does require judicial authorization, but the threshold is very, very low. It’s just above the police having a “hunch”.

We have a new section 487.0142, which creates a new production order for subscriber information with a very low threshold of simply “reasonable grounds to suspect” that (a) an offence has been or will be committed under the Criminal Code or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.


487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.


Unlike a General Production Order, this order requires the production of “all the subscriber information” in the recipient’s possession. The General Production Orders that I see on a regular basis name the specific data being sought. These orders are for “all subscriber information”, which is broadly defined:


subscriber information means, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person,


(a) information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services. (renseignements relatifs à l’abonné)


Look at (a): it likely also includes billing information. If it’s a paid service, like a cell phone, bank account or credit card information would have been provided when the account was set up. I do not regularly see this in general production orders for subscriber information. 


It is worth pointing out that these orders can be obtained to investigate any “offence” in any Act of Parliament. This is not limited to the Criminal Code or the Controlled Drugs and Substances Act or the Customs Act. This includes the Canada National Parks Act. 


And I really must emphasise that “reasonable grounds to suspect” is a very low threshold. It is the lowest in our legal system, since our system doesn’t recognize “hunches” or “spidey senses”. 


This is in direct response to the Supreme Court of Canada’s decision in R. v. Spencer where the court said that the police can’t just ask for subscriber information, but it must be on the basis of exigent circumstances or in accord with a “reasonable law”. The government clearly thinks this is a “reasonable law” that gets them there. 


Next up are Applications for requests of transmission data or subscriber information from a foreign entity.


The new s. 487.0181 is a bit unusual, as it creates a power to authorize a “request” (not an order) directed at a “foreign entity that provides telecommunications service to the public.” The request is approved by a judge on an application by a peace officer or a public officer. 


487.0181 (1) On ex parte application made by a peace officer or public officer, a justice or judge may authorize a peace officer or public officer to make a request to a foreign entity that provides telecommunications services to the public to prepare and produce a document containing transmission data or subscriber information that is in the foreign entity’s possession or control when it receives the request.


The request is limited to transmission data or subscriber information. 


The threshold for issuing such a request is again “reasonable grounds to suspect that (a) an offence has been or will be committed under this or any other Act of Parliament; and (b) the transmission data or the subscriber information is in the foreign entity’s possession or control and will assist in the investigation of the offence.”


It is really weird. So the police go to a judge to get an authorization to make a non-compulsory request to a foreign entity. Essentially all this does is make sure that the cop swears in front of a judge that they have reasonable grounds to suspect, and the judge concurs with this. But it’s not compulsory.


I expect that this is in response to the controversy surrounding the Brecknell case from British Columbia that questioned whether production orders can be issued naming entities physically outside of Canada.


This may also be intended to take account of arrangements like a CLOUD Act agreement, contemplating the inclusion of information that may be necessary under the laws of a foreign state:


Form


(4) The production request is to be in Form 5.00803 and may include any information that is required by the foreign entity, by the foreign state in which the foreign entity is located or under an international agreement or arrangement to which Canada and the foreign state are parties.


Again, these are not court orders, but are issued like a court order. What the cop sends to the foreign service provider is the request, and a copy of the authorization. 


I think this will cause a lot of confusion. A large number of non-Canadian service providers will respond to general production orders, particularly where the investigation relates to a person they identify as being in Canada. For some such entities, their privacy policies say they’ll only disclose information where “required by law”, and if they are following PIPEDA with respect to Canadian customer data – as they should –  “required by law” is one of the exceptions that allows a disclosure to police. These requests don’t trigger the “required by law” exception in our privacy law. Also, some US service providers require that the thresholds largely align with the American “probable cause” standard. Reasonable grounds to suspect does not meet that threshold.


So cops may think they just have to send a request and the foreign service provider may say that’s not sufficient, we want a production order. So back to the judge.


I note these can be combined with an order of non-disclosure, which is binding at least under Canadian law. Whether it can really bind a foreign company is not clear. 


What’s also puzzling is that officials from the government, during the technical briefing on the Bill, said none of our “five eyes partners” (meaning the US, UK, Australia and New Zealand) require an order for police to get subscriber information. That’s not my experience.


Now onto “exigent circumstances”...


Clause 167 of the Bill codifies what I understand to be the common law related to “exigent circumstances.” Just so we’re on the same page: “Exigent circumstances” exist where (a) there is imminent threat to the public or public safety; or (b) a risk of loss or destruction of evidence.


The Code has generally permitted peace officers to search and seize in “exigent circumstances” if the conditions for obtaining a warrant exist, but exigent circumstances mean it would be impracticable to obtain a warrant. The provision, s. 487.11 of the Code, is being replaced to scope in powers that are available under certain production orders. The underlined portions are what have been added to the existing s. 487.11.


Essentially, this means that a peace officer or public officer may make a demand that has the force of law without a court order where exigent circumstances make seeking the order impracticable. 


It is unclear to me whether a demand under (b) would have the same force and effect as a production order for the same data, and whether non-compliance could result in the same penalties. 


Bill C-2 amends section 487.0193 to dramatically and problematically truncate the window of time to commence a review to revoke or vary a production order issued under sections 487.014 to 487.018 of the Criminal Code. The new timeframe is FIVE DAYS after the date of the Order. It was previously prior to the deadline referred to in the order, which is generally 30 days. 


This is unworkable in my view. I regularly see production orders that were delivered to the service provider days after they were issued. I sometimes interact with cops who already have an order and want to know where to send it. After this amendment, the clock is ticking rather loudly. If a cop gets an order on a Thursday before a long weekend and delivers it on a Friday, it may not come to anyone’s attention until Tuesday. And the decision to challenge a production order isn’t usually made by the person in corporate security who first reviews it. It’ll have to go up a chain of command. By the time a decision-maker gets their eyes on it, the window will have closed. And they can’t even make an application unless they get ahold of the cop to tell them that it will be challenged.


In my experience, this will be completely unworkable for most service providers. 


For some time, s. 487.0195 of the Code has contained provisions that say a police officer can always ask for information that would otherwise be subject to a production order, and can obtain that information where the person is not prohibited by law from disclosing it. Clause 164 of Bill C-2 amends this section to add subsections that clarify that this includes data that could be the subject of an information demand under the new section 487.0121.


The section appears intended to provide immunity to a service provider who voluntarily provides information that would otherwise be subject to a production order. So a cop asks a bank or a telco to “voluntarily” provide customer data, and the bank or telco says “sorry, we can’t because privacy laws prohibit it and we’ve agreed with our customers that we’ll only provide data where required by law.” The cop can point to this section and say “so what? They can’t successfully sue you and you have no civil or criminal liability for providing the data”. I’d respond saying that our privacy laws are not about criminal or civil liability, come back with a warrant.


And paragraph (4) says that cops can always use information that is “available to the public.” I’ve heard some raise concerns that this would include data that is publicly leaked via hacking or other nefarious means. So they can go trolling through the Ashley Madison leaks, I guess. 


I’ll have to save the deeply Supporting Authorized Access to Information Act for another episode, so stay tuned for that.


Overall, I really hope that the government gets a lot of shaming for putting this trojan horse in the border bill. These expanded law enforcement powers are consequential and deserve to be appropriately discussed and debated. I think that’s why the government decided to go this route, to avoid the huge outcry we’ve seen in the past related to prior lawful access attempts. 


Thursday, June 26, 2025

Past Canadian "lawful access" attempts, both by Liberal and Conservative governments

2005 (Lib - Paul Martin - Minister Anne McLellan) - C-74 (38-1) - LEGISinfo - Parliament of Canada - Short title: Modernization of Investigative Techniques Act (Did not pass)


Library of Parliament Legislative Summary for Bill C-74


2009 (Con - Stephen Harper - Minister Peter Van Loan) - C-47 (40-2) - LEGISinfo - Parliament of Canada - Short title: Technical Assistance for Law Enforcement in the 21st Century Act (Did not pass)


Library of Parliament Legislative Summary for Bill C-47 


2011 (Con - Stephen Harper / Minister Vic Toews) - C-52 (40-3) - LEGISinfo - Parliament of Canada - Short title: Investigating and Preventing Criminal Electronic Communications Act (Did not pass)


Library of Parliament Legislative Summary for Bill C-52


2012 (Con - Stephen Harper / Minister Vic Toews) - C-30 (41-1) - LEGISinfo - Parliament of Canada - Short title: Protecting Children from Internet Predators Act (Did not pass)


Library of Parliament Legislative Summary for Bill C-30


2013 (Con - Stephen Harper / Minister Peter MacKay) - C-13 (41-2) - LEGISinfo - Parliament of Canada - Short title: Protecting Canadians from Online Crime Act (Passed)


Library of Parliament Legislative Summary for Bill C-13


Monday, June 23, 2025

Materially misleading statements in the Charter Statement for Bill C-2's Lawful Access provisions

The government of Canada – specifically the Minister of Justice – just released its “Charter Statement” regarding Bill C-2, the Strong Borders Act. I’m particularly focused on the “lawful access” provisions in the Bill, and I read it with interest to see how the government thinks the expanded government access to data is compatible with Section 8 of the Charter. Section 8 prohibits unreasonable searches and seizures.

In the Charter Statement, the Minister significantly mischaracterizes his own bill in a manner that makes it appear more Charter-compliant. It could be a handful of honest mistakes, but I’m getting more cynical as my hair gets more grey. (The two may be connected, now that I think about it.)

Anyways, it’s not a huge “GOTCHA!”, but they should acknowledge the mistakes and fix them.

Some background on what Charter Statements are about can be found in the Charter Statement itself:

Section 4.2 of the Department of Justice Act requires the Minister of Justice to prepare a Charter Statement for every government bill to help inform public and Parliamentary debate on government bills. One of the Minister of Justice’s most important responsibilities is to examine legislation for inconsistency with the Canadian Charter of Rights and Freedoms. By tabling a Charter Statement, the Minister is sharing some of the key considerations that informed the review of a bill for inconsistency with the Charter. A Statement identifies Charter rights and freedoms that may potentially be engaged by a bill and provides a brief explanation of the nature of any engagement, in light of the measures being proposed.

So in this particular Charter Statement, there are a couple of troubling and significant mis-statements about the Lawful Access provisions which – surprise! surprise! – make it appear more Charter-compliant.

When discussing the new production order for Subscriber Information, it says:

The judge would have to be satisfied that an offence has or will be committed and that there are reasonable grounds to suspect that the information will assist in the investigation of an offence.

This is not true. Not even close. The conditions for issuing an order are set out in the new, proposed subsection 487.0142(2), which says:

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.004 that there are reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

The judge only has to be satisfied based on a cop’s sworn say-so that there are reasonable grounds to suspect an offence has been or will be committed, and they have reasonable grounds to suspect the subscriber information will assist in the investigation. This is far from the judge having to be “satisfied” that an offence has been committed. The cop swearing the application doesn’t even have to be satisfied that an offence has been or will be committed. It’s enough that the judge believes that there are reasonable grounds to justify the cop’s tingling “Spidey sense”.

In the next paragraph about the production order for subscriber information, the Charter Statement says that this power will be used to “generate leads”, which sounds like a fishing expedition to me. I don’t think that’s a mistake.

We’ve been told that this power is to be used if the police have an IP address associated with someone they suspect is victimizing children, so they can identify THAT person, do an investigation and then get a search warrant. That’s not “generating leads”, as far as I understand that terminology.

The next material misstatement is in the last sentence of that paragraph, which says “if [the judge] chooses to issue an order, the judge would have discretion as to what information is specified in it.” I’m pretty sure that’s incorrect.

The new order power says it is for

ALL the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

ALL the subscriber information that relates to the identifier that is specified in the order. The form of the order, which is prescribed in the Act, does exactly that. The order is for ALL subscriber information, which is horribly broadly defined. I’m not seeing any discretion here.

I have some issues with the way certain things are characterized, like saying that information that can be subject to a warrantless demand by a cop is not sensitive information.

The way this provision is drafted, it can include going to a family doctor and saying “Do you provide services to David Fraser? What specialists (like psychiatrists) also provide him with services?” I would say I have a high expectation of privacy in that information. They can go to your bank and the definition of subscriber information can compel them to provide a list of all companies you do business with. That merely identifies the client and the services the client receives. But that’s sensitive information and goes well beyond going to a telco and asking “Do you provide service to this number, and what city does the customer live in?”

This is either sloppy or intended to be deceptive. If the government thinks this is defensible, they should defend it on its own actual, honest merits. In just about every lawful access provision in the Bill, they are lowering the bar to make it easier to get information, while widening the net to capture more information than they say they need.

I’ve said it before and I’ll say it again: Parts 14 and 15 need to be taken out of the Bill, put in their own Bill so we can discuss them. I want to have an honest debate with someone who is interested in an HONEST debate. Think about this …. Bill C-2 is the FIRST substantial bill that Mark Carney’s new government introduced in the House of Commons after getting elected. Correct me if I’m wrong – but I’m pretty sure I’m not – no liberal candidate or the present Prime Minister campaigned on any of the new police and national security powers mentioned in Parts 14 and 15 of Bill C-2.

Saturday, May 17, 2025

Alberta's privacy law unconstitutionally violates freedom of expression -- again -- in a decision that has implications for all Canadian privacy laws

You may have seen some headlines that said that Alberta’s privacy law has been declared unconstitutional. Yup, it’s true that at least part of it was and here’s why …..

This case involves Clearview AI Inc. ("Clearview"), a U.S.-based facial recognition company, challenging an order issued by Alberta’s Information and Privacy Commissioner. The order, based on findings from a joint investigation by Canadian federal and provincial privacy regulators, required Clearview to cease offering services in Alberta, stop collecting, using, and disclosing images and biometric data of Albertans, and delete the relevant data already in its possession.

Clearview sought judicial review of the order on a number of grounds, including that it is not subject to the jurisdiction of Alberta and that the Personal Information Protection Act (aka “PIPA”) does not apply to it, the Commissioner adopted an unreasonable interpretation of the words “publicly available” in PIPA and the Personal Information Protection Act Regulation (the “PIPA Regulation”), and the Commissioner’s finding that Clearview did not have a reasonable purpose for collecting, using, and disclosing personal information is unreasonable. Clearview further asserted that the Commissioner’s interpretation of PIPA and the PIPA Regulation is unconstitutional contrary to Charter s 2(b) which guarantees freedom of expression. That last argument is the one we’re going to focus on.

One thing that is really interesting about the case is that the Court did not really have to address the Charter issues. The Commissioner found that Clearview’s purposes were not reasonable, which is necessary for a company to even collect, use or disclose personal information. The Court agreed, and could have just said “not reasonable!” – don’t have to decide the Charter question – just go follow the Commissioner’s order. But the Court delved into the Charter question as well.

It’s also notable that this is the second time that the Alberta statute has been declared to violate the Charter based on “publicly available information” in the Act and the Regulations as being too narrow. That was done by the Supreme Court of Canada in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, when the Act was being applied to video recording by a union at a picket line.

The company at issue in this case, Clearview AI, has been the subject of many privacy investigations around the world. They collect facial images from publicly accessible websites, including social media, and use them to create a biometric facial recognition database, marketed primarily to law enforcement. In 2020, privacy commissioners from Alberta, B.C., Quebec, and Canada investigated Clearview’s operations and concluded in a joint report that its practices violated privacy laws.

In December 2021, Alberta’s Commissioner issued an order directing Clearview to cease operations in Alberta, based on violations of PIPA. The Commissioner essentially said that Clearview must do for Alberta what they agreed to do in settling a lawsuit in Illinois (which is notorious for its biometric laws).

Clearview AI then brought an application for judicial review in the Court of King’s Bench, contesting:

  • Jurisdiction of Alberta’s Commissioner,
  • The reasonableness of the Commissioner's interpretation of "publicly available" under PIPA,
  • The constitutionality of PIPA's consent-based restrictions on the collection, use, and disclosure of personal information.

It should be noted that the British Columbia Commissioner issued a similar order, which was upheld by the Supreme Court of British Columbia last year.

In Alberta, as far as the jurisdiction argument went, the Court upheld the Commissioner’s jurisdiction, finding a "real and substantial connection" between Clearview’s activities and Alberta. Clearview had marketed its services in Alberta and its database included images of Albertans. The bar for jurisdiction in Canada is pretty low.

On the statutory interpretation issue, the Court accepted as reasonable the Commissioner’s interpretation that images scraped from the internet, including social media, are not "publicly available" within the meaning of the PIPA Regulation. The Commissioner employed a purposive approach, interpreting the relevant provisions narrowly in light of the quasi-constitutional status of privacy rights.

PIPA, like other privacy regulatory regimes in Canada, provides that consent must be obtained to collect and use “personal information” unless certain exceptions apply. One of the exceptions provided for in PIPA is that the information is “publicly available.” PIPA uses the term “publicly available,” but the definition for those words is found in PIPA Regulation section 7(e). PIPA Regulation s 7(e) provides:

7 ... personal information does not come within the meaning of ... “the information is publicly available” except in the following circumstances: ... (e) the personal information is contained in a publication, including, but not limited to, a magazine, book or newspaper, whether in printed or electronic form, but only if (i) the publication is available to the public, and (ii) it is reasonable to assume that the individual that the information is about provided that information.

The private sector privacy laws of Alberta, British Columbia and the federal government have similar, but not identical, definitions of what is “publicly available” information that does not require consent for its collection and use. There are other categories, but this decision turned on information in a publication. Here are the three different definitions:

In Alberta, it says:

the personal information is contained in a publication, including … but not limited to … a magazine, book or newspaper, whether in printed or electronic form, but only if (i) the publication is available to the public, and (ii) it is reasonable to assume that the individual that the information is about provided that information;

In British Columbia, it does not use “including but not limited to”:

personal information that appears in a printed or electronic publication that is available to the public, including a magazine, book or newspaper in printed or electronic form.

Under PIPEDA’s regulation, the analogous provision reads:

personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

Canadian privacy regulators have interpreted “publication” to exclude social media sites like Facebook and LinkedIn, where Clearview harvests much of its information.

Clearview argued that this narrow interpretation under the Alberta statute and regulation violated its freedom of expression rights under section 2(b) of the Charter of Rights and Freedoms, and could not be saved as a reasonable limitation under section 1 of the Charter.

The Court agreed that:

Clearview’s activities (compiling and using data to deliver a service) were expressive. The consent requirement effectively operated as a prohibition on expression where obtaining consent was impractical.

This amounted to a prima facie infringement of s. 2(b) of the Charter.

I should note that the Alberta Commissioner – ridiculously in my view – argued that the Charter wasn’t even engaged. Here’s what the Court said.

[107] The Commissioner submits that if Clearview’s activity is expressive, it should be excluded from constitutional protection because “the method – mass surveillance – conflicts with the underlying s 2(b) values.” Clearview’s activity, according to the Commissioner, conflicts with the purposes of Charter s 2(b) including the pursuit of truth, participation in the community, self-fulfillment, and human flourishing. The Commissioner offered no authority to support the position that expressive activity could be excluded from protection based on a conflict with underlying constitutional values. Short of violence, all expressive activity is protected by Charter s 2(b).

It’s just a dumb argument to make, in my view.

So once a prima facie infringement is made out, the burden shifts to the government to justify it as a reasonable limitation, prescribed by law that can be justified in a free and democratic society. This follows something called the Oakes test:

The test involves a two-stage analysis: first, the objective of the law must be pressing and substantial; second, the means used to achieve that objective must be proportionate, which requires

  1. a rational connection between the law and its objective,
  2. minimal impairment of the right or freedom, and
  3. a proportionality between the law’s benefits and its negative effects on rights.

In this case, the Court found that there was a Pressing and Substantial Objective: Protecting personal privacy is valid and important. The Court also found that the requirement of consent is logically connected to privacy protection, and thus rationally connected.

The law failed on the “minimal impairment” part of the analysis. The dual requirement of consent and a reasonable purpose, without an exception for publicly available internet data, was overly broad.

In a nutshell, the court has to consider what expressive activities are captured – how broadly the net is cast – and whether everything that is caught in that net is necessary or rationally connected to the pressing and substantial objective.

The Court summarized Clearview’s argument at paragraph 129:

“Clearview asserts that people who put their personal information on the internet without protection do not have a reasonable expectation of privacy. Where there is no reasonable expectation of privacy, the protection of privacy is not a pressing and substantial state objective.”

The Court noted that the net cast by the Act and the regulations captures not only Clearview’s web-scraping, but also legitimate indexing by beneficial search engines. The Commissioner’s interpretation would exclude search engines from the exception, meaning that they would have to get consent for all collection, use and disclosure of personal information obtained from websites.

Here’s what the Court said at paragraph 132 of the decision:

[132] A difficulty with the PIPA consent requirement for personal information publicly available on the internet is that it applies equally to Clearview’s search technology used to create a facial recognition database and regular search engines that individuals use to access information on the internet. … For the most part, people consider Google’s indexing of images and information to be beneficial. And certainly, Albertans use Google and similar search engines for expressive purposes. But according to my interpretation of PIPA and the PIPA Regulation and the Commissioner’s interpretation of those same instruments, Google and similar search engines cannot scrape the internet in Alberta for the purpose of building and maintaining an index of images of people without consent from every individual whose personal information is collected.

The Court then went on to say at paragraphs 136 and 137:

[136] PIPA and the PIPA Regulation are overbroad because they limit valuable expressive activity like the operation of regular search engines. There is no justification for limiting use of publicly available personal information by regular search engines just as there was no justification to limit use of publicly available personal information for reasonable purposes by the union in UFCW Local 401.
[137] Alberta has a pressing and substantial interest in protecting personal information where individuals post images and information to websites and social media platforms subject to terms of service that preserve a reasonable expectation of limited use. This pressing and substantial interest, however, does not extend to the operation of regular search engines. A reasonable person posting images and information to a website or social media platform subject to terms of service but without using privacy settings expects that such images and information will be indexed and retrieved by internet search engines; indeed, that is sometimes the point of posting images and information to the internet without using privacy settings.

Then, at paragraph 138, the court concluded that the “publicly available” exception was too narrow because it specifically would capture general search engines, which do not engage the “pressing and substantial limitation”:

[138] The public availability exception to the consent requirement in PIPA and the PIPA Regulation is source-based, not purpose-based. Because it is source-based, it applies to regular internet search engines that scrape images and information from the internet like Clearview even if they use images and information for a different purpose. I find that PIPA and the PIPA Regulation are overbroad because the definition of “publication” in PIPA Regulation s 7(e) is confined to magazines, books, newspapers, and like media. Without a reasonable exception to the consent requirement for personal information made publicly available on the internet without use of privacy settings, internet search service providers are subject to a mandatory consent requirement when they collect, use, and disclose such personal information by indexing and delivering search results. There is no pressing and substantial justification for imposing a consent requirement on regular search engines from collecting, using, and disclosing unprotected personal information on the internet as part of their normal function of providing the valuable service of indexing the internet and providing search results.

The court essentially concluded that it was OK to limit what Clearview is doing, but it is NOT OK to limit what search engines are doing. The law, as written, does not distinguish between the “bad” and the “good”, and as a result, the law did not “minimally impair” this important Charter right.

On the final balancing, the Court concluded that the harm to freedom of expression was not outweighed by the benefit to privacy.

The Court declared that PIPA ss. 12, 17, and 20 and PIPA Regulation s. 7 unjustifiably infringed s. 2(b) of the Charter and could not be saved under s. 1 of the Charter, to the extent that they prohibited the use of publicly available internet data for reasonable purposes.

The Court upheld the Commissioner’s jurisdiction and found her statutory interpretation reasonable. However, the impugned provisions of PIPA and the Regulation were declared unconstitutional insofar as they infringed freedom of expression by unduly restricting the use of publicly available information online.

I fully expect that this decision will be appealed, and I don’t know if the British Columbia decision has been appealed.

In the big picture, though this decision is not binding on the Federal Commissioner, it pretty strongly stands for the proposition that PIPEDA’s publicly available information exception is also unconstitutional. This has implications for “the right to be forgotten” and for collecting data for training AI models, both of which are currently before the federal commissioner.

Sunday, December 01, 2024

Drones and trespass law in Canada: You don't own your airspace over your property



A legal question that sometimes comes up for drone pilots is whether you can legally fly over private property and whether a property owner has any recourse against a drone pilot. It comes up on a daily basis for folks like DJAudits in the UK on his YouTube channel, where he educates property owners and security guards on this issue, whether they want to know or not.

I’m a recreational drone operator. I’ve advised other operators and have experience with investigations by Transport Canada related to RPV/UAV activities. I’ve been an invited speaker on this topic at various drone expos and to media lawyers. I would not call myself a drone lawyer, but I think I know more about this than most lawyers. I have another YouTube channel where I post my drone videos, mostly of Beautiful Nova Scotia. I’ll put a link below. 


And I should note what I’m about to talk about is applicable to Canada only. The law may be similar in other places, but I only practice Canadian law.  


Any legal claims like this would be governed by the common law, which is the body of law applied and interpreted by judges. There are no statutes passed by parliament or provincial legislatures that we can look to for the answer. And we really don’t have any reported cases in Canada that deal with trespass claims involving drones. 


The one case that comes the closest is Reynolds v Deep Water Recovery Ltd from the Supreme Court of British Columbia. In that case a drone operator and environmental activist was sued by a ship breaking company for trespass and nuisance, among other claims. It started when she sued the company alleging that they stole her drone and returned it damaged. She also alleged assault and harassment. The company filed a counterclaim alleging trespass, nuisance, invasion of privacy and the illegal operation of a drone. 


She then applied to have the company’s claims thrown out as a “strategic lawsuit against public participation.” The Court didn’t address whether flying the drone over her property was actually trespassing. Assuming this goes to trial, we’ll have to wait and see for this first of a kind decision.


But that doesn’t mean that the courts haven’t considered whether a property owner “owns” the airspace over the property. There’s a case called Didow v. Alberta Power Limited, which was between a property owner and a power company. The power company constructed a power line on the municipal road allowance along the side of the plaintiff’s land. The poles themselves were two feet outside the property line, but the cross-arms conductors and attaching wires at the top of each pole protruded six feet into the airspace above the plaintiff’s land. It went to the Alberta Court of Appeal, where the only question was whether that intrusion above the plaintiff’s property was a trespass. 


If you’re interested in geeking out about this question, the Court of Appeal decision is FOR YOU! Justice Haddad had to go through all the old authorities and started with this really old “legal maxim”. I won’t try to pronounce the Latin, but it means “whoever's is the soil, it is theirs all the way to Heaven and all the way to Hell”. Essentially, if you own the land, you own the skies above it and the dirt below it.


It has been traced back to the 13th century, long before there was any kind of aircraft. Since then, there has been much litigation that has ultimately scaled back the principle from the Latin maxim.


The Alberta Court of Appeal favourably quoted from a 1977 English case called Bernstein v Skyviews. Though it’s from decades ago, it dealt with a defendant who flew over the plaintiff’s country house for the explicit purpose of taking photos of the property. In that case, the English Court of Queen's Bench said:


“… The problem is to balance the rights of an owner to enjoy the use of his land against the rights of the general public to take advantage of all that science now offers in the use of air space. This balance is in my judgment best struck in our present society by restricting the rights of an owner in the air space above his land to such height as is necessary for the ordinary use and enjoyment of his land and the structures on it, and declaring that above that height he has no greater rights in the air space than any other member of the public.”


So your exclusive rights to the airspace over your property only extend as high as is necessary for your usual enjoyment of your land and whatever’s built on it. 


If you currently have bare land and then build a five storey structure and put up a windmill, then the airspace that you exclusively control goes up. 


The Alberta Court of Appeal also quoted from a 1946 decision of the Supreme Court of the United States called United States v Causby. In this case, a farmer's farm was located close to an airport and the planes flying over the farm were hurting – even killing – his chickens. Here’s what the Supreme Court of the United States said:


“The landowner owns at least as much of the space above the ground as he can occupy or use in connection with the land. … The fact that he does not occupy it in any physical sense - by the erection of buildings and the like - is not material. … While the owner does not in physical manner occupy that stratum of airspace or make use of it in the conventional sense, he does use it in somewhat the same sense that space left between buildings for the purpose of light and air is used. The superadjacent airspace at this low altitude is so close to the land that continuous invasions of it affect the use of the surface of the land itself. We think that the landowner, as an incident to his ownership, has a claim to it and that invasions of it are in the same category as invasions of the surface.”


The court concluded that if you permanently erect something above someone’s property at a height they might use the space, then that IS trespassing. “In any event, they serve to make clear that intrusion by an artificial or permanent structure into the airspace of another is forbidden as a trespass.”


The part that matters for drone operators is that transient use of airspace at a height unlikely to affect the landowner is NOT a trespass. The door is still open for consideration of intrusions at lower altitudes. I think the cases would lead to the conclusion that flying a drone above someone’s property at a low level – like below the roofline – would be a trespass.


But it can be something called a “nuisance”. A nuisance is interfering with someone’s enjoyment of their property. The interference has to be substantial, and I think it would have to be pretty outrageous or regularly repeated. 


I can imagine a scenario in which someone has a backyard pool with a privacy fence around it. If someone hovered a drone over the pool while people are sunning themselves, the presence of the drone could interfere with the usual enjoyment of the pool. 


And the nuisance can be more than just the mere presence there; a court could take into account the noise made by the drone. I’m pretty sure if I installed a dozen of these drone hangars in my back yard and ran drone sorties from them 24/7, my neighbour would have a case that I’ve created a nuisance. 


It should also be noted that serious interference with someone’s lawful enjoyment of their property can also be a Criminal Code offence of mischief. I think it would have to be pretty serious and I can’t find any cases that have considered drones as causing the mischief.


Tuesday, May 07, 2024

Important new Ontario court decision on privilege in incident response documentation


The Ontario Divisional Court has just released a decision, LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194, that should grab the attention of Canadian lawyers who work in cyber incident response. I don’t know whether it will be appealed, but the logic of the decision is pretty sound. But I expect this isn’t over.

In a nutshell, after a significant ransomware incident, LifeLabs was assisted by well-known cybersecurity and forensic consultants for the investigation, remediation and negotiation with the ransomware bad guys. As required by the relevant privacy laws of those provinces, they notified the privacy commissioners of British Columbia and Ontario, and the commissioners started a joint investigation. In connection with their investigation, the commissioners demanded to see the consultants’ reports and LifeLabs claimed they were privileged. 

Not surprisingly, the ransomware incident was followed by a number of class action lawsuits that were still pending at all material times. 

In June 2020, the Commissioners issued a joint decision finding that LifeLabs had provided insufficient evidence to back up the privilege claim. LifeLabs was also ordered to hand over the consultants’ reports. So LifeLabs sought judicial review of the order in the Ontario Divisional Court. The Court just released its decision, upholding the IPC’s order. I’m not sure why it took so long to get to a hearing.

According to the IPC’s decision, there were five categories of records at issue:

i. The investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred.

ii. The email correspondence between the cyber intelligence firm and the cyber-attackers after the discovery of the attack by LifeLabs.

iii. An internal data analysis prepared by LifeLabs on April 28, 2020 to describe which individual health information had been affected by the breach and to notify those affected pursuant to ss. 12(1) and 12(2) of the PHIPA.

iv. A submission from LifeLabs to the Commissioners dated May 15, 2020 in response to certain specific questions, communicated through legal counsel.

v. The report of Kevvie Fowler, Deloitte LLP dated June 9, 2020 prepared as part of the representations by LifeLabs and submitted to the Commissioners for that purpose.

Other than the internal LifeLabs assessments, the records were created by consultants retained by LifeLabs’ lawyers. The cybersecurity firm was already engaged by LifeLabs to assess the company’s security, and it was actually them who discovered the incident. They were instructed to provide their reports on the incident to legal counsel.  

The court reviewed the IPC’s privilege decision on a standard of correctness and found that it was correct. 

Before getting into the decision, it should be noted that LifeLabs claimed “solicitor client privilege” and “litigation privilege”. They are related and similar, but not the same. 

Solicitor client privilege protects communications that are made in confidence between a lawyer and their client (or third party acting on behalf of their client). In order to be privileged, the communication must be made for the purpose of seeking or giving legal advice, and the parties must have intended the communication to be confidential. Just because there’s a lawyer in the mix doesn’t make it privileged, and a third party’s involvement, like a consultant retained by the client or the lawyer, doesn’t waive that privilege.

Litigation privilege is intended to create a “zone of privacy” within which counsel can prepare draft questions, arguments, strategies or legal theories, in anticipation of litigation and for the purpose of preparing for that litigation. Documents created by others, to assist counsel, in preparing for litigation can also fit into this category. Notably, the privilege only exists while the litigation is anticipated or ongoing.

If you read the IPC’s decision, you’ll see that not much information was provided by LifeLabs (or at least not to the IPC’s satisfaction) to demonstrate that the five categories of records fit into either solicitor client privilege or litigation privilege.  In large measure, the IPC decided that LifeLabs HAD to investigate the incident and HAD an obligation to provide factual information to the IPC. It doesn’t look like the IPC was looking for actual advice given by counsel or anything related to LifeLabs’ trial strategy for their ongoing litigation. 

Ultimately, the decision turned on LifeLabs not providing evidence to the IPC’s satisfaction to back up their privilege claims.

The main conclusions, simplified a bit, are that: 

1. Facts are not privileged, even if they were collected or compiled by a lawyer.

2. If you have a statutory obligation to investigate and provide information to the regulator, the facts that are discovered in that investigation are not privileged.

3. Solicitor client privilege only protects communications that are made for the purpose of seeking or obtaining legal advice.

4. Litigation privilege only protects communications and records that are created for the dominant purpose of preparing for litigation.

This is not earth shattering, but it’s a reminder of how the law of privilege works in Canada. 

The court emphasized that even if certain communications or documents are privileged, the facts referred to or reflected in those communications may not be privileged if they exist independently, outside of the privileged context. Facts that have an independent existence outside of solicitor-client privileged communications are not automatically privileged.

The court quoted and agreed with paragraph 49 of the IPC’s decision:

Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.

The court further clarified that simply depositing a document or providing counsel with a copy of a document does not automatically extend privilege to the original document. The protection of privilege is intended to safeguard the communication between lawyer and client and the adversarial preparation for litigation, not the underlying facts themselves.

Therefore, the court concluded that facts concerning the investigation or remediation, even if communicated within a privileged context, may not be privileged if they have an independent existence outside of privileged documents. 

If an organization has a legal obligation to investigate, remediate and report to the privacy commissioner, interjecting lawyers into the process does not relieve the organization of its obligation to report to the commissioner. This obligation includes cooperating with the commissioner's inquiries and providing information necessary for investigations.

The Court wrote:

[76] Health information custodians, such as LifeLabs, cannot defeat these responsibilities by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC’s duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC’s statutory mandate, but also from how litigation privilege and solicitor client privilege function.

[79] Thus, the IPC’s statutory duty to inquire, and LifeLabs’ duty to respond, does not permit a claim of litigation privilege over facts obtained through its lawyers, even where those facts might also play a role in defending against parallel civil litigation. As Nordheimer, J. wrote in R. v. Assessment Direct, at para. 10, “the privilege does not protect information that would otherwise have to be disclosed”. LifeLabs did not identify any litigation strategy that would be disclosed in the Investigation Report because of the Privilege Decision.

On this point, the Court agreed with the findings of the IPC:

[80] Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated at para. 49:

“… Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. … While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.”

Furthermore, the court emphasized that organizations cannot use claims of privilege to shield facts about privacy breaches from the commissioner. Even if privilege is claimed over certain documents or information, it does not absolve the organization from its duty to cooperate with the commissioner's investigation and provide relevant facts. The court noted that placing unpalatable facts within privileged documents to avoid investigative orders would undermine the purpose of regulatory oversight and accountability.

Just saying something is privileged does not make it privileged. Including a lawyer in a conversation does not make it privileged. Having the lawyer hire the consultant does not automatically make it privileged. 

The IPC and the Court noted that the cybersecurity consulting firm had a prior retainer with LifeLabs related to what it was doing before the incident, during the incident and afterwards. Simply having the report related to the incident addressed to counsel didn’t make that report privileged. The IPC referred to a US case called In re Capital One, which LifeLabs said was an error. The court disagreed with LifeLabs, and reached the same conclusion as the IPC: 

[90] I disagree. The In re Capital One case affords persuasive authority to support a finding that where a company has a prior retainer with a cybersecurity firm to provide essentially the same services before and after a breach, inserting counsel’s name into the contract and stating that the deliverables would be made to counsel on behalf of the client, does not render any report prepared subject to the U.S. work product doctrine, which is akin to Canada’s litigation privilege.

Interestingly, the IPC in their March 2020 decision on privilege left the door open for LifeLabs to prove that portions of the records may include information that is subject to solicitor client or litigation privilege. 

I would have liked to have seen a bit more analysis of what is reasonably contemplated litigation and dominant purpose, in the context of the discussion of litigation privilege. The reality is that in the aftermath of an incident like this, litigation is almost certain to follow. Much of the response or even the approach to the incident response is informed by that likelihood. Many records are created in anticipation of defending litigation, but those records are also useful for (or maybe necessary for) dealing with the commissioner’s investigation. Is 50/50 dominant enough? And some of these records would be created because that’s what’s expected of a reasonably prudent company. Is 33/33/33 dominant enough? Should we create different tracks in incident response, assigning certain investigators to the litigation track and others to the commissioner reporting track?

Maybe we should consider amending our privacy laws (or Evidence Acts more generally) to say that the provision of information to a regulator pursuant to a statutory duty does not amount to a waiver of privilege as far as third parties are concerned.

I think lawyers who work in this area will have some interesting discussions about this decision.

It will be interesting to consider how this affects certain activities that take place outside of the context of dealing with an active incident. For example, I may be retained by a client to provide them with my assessment of whether they are complying with their safeguarding obligations under privacy laws. Often, an engagement like that involves working with expert consultants who examine the network security, do penetration testing and benchmark against best practices. New facts are uncovered that will be included in my opinion and advice to the client, and at that stage there is no obligation to assist any privacy regulator in that endeavour. The new facts were “uncovered” or discovered only for the purpose of providing legal advice. I think there are arguments that can be made in both directions regarding whether those new facts can be privileged. That’s a discussion for another day …

I should add that this decision doesn’t create any new law about privilege. Nor does it put a dizzying spin on privilege law, but it serves as a reminder that you can’t throw a blanket of privilege over everything associated with incident response. I also don’t think it does away with privilege in connection with incident response. I have provided a lot of advice to a lot of organizations, and I’ve worked with a lot of outside consultants in that context. I remain confident that my communications with my clients, in the context of them seeking my legal advice, are untouched by this decision.