On June 13, 2014 the Supreme Court of Canada decided that
Canadians have a reasonable expectation of privacy in their online
activities, and confirmed that a police investigation isn't
enough to give them the "lawful authority" to get
personal information from organizations without a warrant under
privacy laws – though it's not clear what is.

Police asked an Internet Service Provider (ISP) for the identity
of a subscriber associated with an "internet protocol"
(IP) address (a unique string of numbers) connected to online
activities during a criminal investigation – and the ISP gave
it. The police used the information to ultimately charge
Matthew David Spencer. Spencer said the police got his identity and
the evidence without a warrant, breaching his right to be free from
unreasonable search and seizure under the Charter of Rights and
Freedoms, and couldn't use any of it. The police said they
didn't need a warrant: PIPEDA (Personal Information Protection
and Electronic Documents Act) allows an organization to disclose
personal information without consent if a government institution
with "lawful authority" requests it – and an
investigation is enough to give them that "lawful

The SCC disagreed with the police. Its decision is in the
context of criminal proceedings, but PIPEDA and similarly worded
provincial privacy legislation apply across Canada to the
obligations of many organizations when they collect, use –
and disclose – personal information. The decision therefore
applies across Canada and to the disclosure of personal information
that any organization (not just an ISP) holds:

Expectation of Privacy in Online Activities.
Internet users understand privacy as anonymity. A person's
privacy interest in her Internet use goes beyond her inherent
privacy interest in the name, address and telephone number found in
her subscriber information: linking an IP address to subscriber
information effectively links a specific person to specific online
activities – activities that are usually intimate or
sensitive, are usually carried out on the understanding they would
be anonymous, and which engage significant privacy interests.
Internet users have a reasonable expectation of anonymity, and thus
privacy, in their online activities – and in the subscriber
information an ISP holds that links them to those activities.
Neither PIPEDA's section permitting disclosure based on
"lawful authority" nor the ISP's sections permitting
expectation of privacy.

Charter Applies. A police request to the ISP to
voluntarily disclose customer information is a "search"
under the Charter – but the considerations could be different
if an ISP detects illegal activity and reports it.

Lawful Authority. The police request had no
"lawful authority" under PIPEDA: they could ask but had
no authority to compel the ISP to produce the information, and the
ISP did not acquire the right to disclose it.

From a practical perspective, this decision confirms that if the
police come knocking, a business should not hand over any personal
information it holds based only on a police investigation.
It's now clear the "lawful authority" required to
compel disclosure of personal information means something more than
a mere police investigation – though since PIPEDA deals
specifically with search warrants, production orders and other
legal compulsions elsewhere, it's still not clear exactly what
more it means. The decision doesn't affect an organization's
ability to voluntarily report criminal activity.