Canada: Supreme Court Rules That Private Companies Cannot Disclose IP Addresses To Law Enforcement Without A Warrant Due To Their "Deeply Personal" Nature

In R v. Bykovets¹, the Supreme Court of Canada ruled that a criminal accused's Charter rights against unreasonable search and seizure were violated when law enforcement obtained his IP address without prior judicial authorization (i.e., a warrant) because the accused had a reasonable expectation of privacy in his IP address information.

What you need to know

• The Supreme Court held that IP addresses can easily reveal deeply personal information about individuals, which can include both their identity and a related trove of intensely private information contained in or inferable from their Internet activity.
• Due to this reasonable expectation of privacy, law enforcement collecting IP address information from private organizations without judicial pre-authorization constitutes a violation of section 8 of the Charter, which protects against unreasonable search and seizure.
• Private organizations should note that voluntarily disclosing IP addresses and other Internet activity-related information to law enforcement may result in increased privacy-related risk following this decision. The decision may also influence the views of privacy regulators regarding the sensitivity of IP addresses and analogous data, which could, in turn, heighten the privacy law requirements applicable to such information.

The decision

Background and ruling

The Bykovets case concerned a police investigation into fraudulent online purchases from a liquor store. During the course of the investigation, police obtained the IP address linked to the purchases from a private payment processing company, Moneris, used by the store. The accused, the appellant in this case, was convicted at trial, and his convictions were confirmed on appeal.

The appellant claimed both at trial and at appeal that his right against unreasonable search and seizure (protected by section 8 of the Charter) was violated when police obtained the IP addresses from Moneris. A violation of section 8 can only be found in this context if law enforcement interfered with the individual's reasonable expectation of privacy in what was searched or seized. Here, both lower courts found that the appellant did not have a reasonable expectation of privacy in his IP address information, and so his section 8 rights were neither engaged nor violated.

In a 5-4 split, the Supreme Court deviated from the lower courts' decisions and ruled that an individual's IP address information does, in fact, have "deeply personal" characteristics when considered in context, and it should, therefore, be obtained by law enforcement from a private company only with prior judicial authorization. The Court allowed the appeal and ordered a new trial.

The Supreme Court's analysis of IP addresses as personal information

The Court found that the disclosure of IP addresses provides law enforcement with the means to draw immediate and direct inferences about the user based on their Internet activity, given that IP addresses link specific Internet activity to a specific location and/or device. Information about such activity can lead law enforcement directly to an individual user's identity. Even before being linked to an identity, the Internet activity associated with an IP address itself can be "deeply personal" and "capable of revealing personal and core biographical information" about the user, as in this case with consumer transaction information².

The Court noted that private companies are likely to voluntarily or proactively provide other information that they hold about an individual to law enforcement, in addition to their IP address, which can further increase the volume and sensitivity of the information that law enforcement can access about an individual. For instance, the Court observed that websites that track IP addresses also collect "massive amounts" of "extremely personal" information about an individual, like location data and search history³.

For the purposes of section 8 of the Charter, the Court's decision suggests that any information that can provide the state with a "means" or "roadmap" to a trove of personal, potentially "intensely private" data should be accorded a reasonable expectation of privacy, even where an individual is not directly identifiable from the information itself. With respect to IP addresses, the public's interest in being left alone by the state was held to outweigh the comparatively light burden on law enforcement necessary to obtain judicial pre-authorization⁴.

Legal implications for businesses

While private organizations are not directly affected by the ruling as they have no obligations under the Charter, they should note that this decision may increase the privacy risk associated with sharing IP addresses (and other Internet activity-related information) with law enforcement on a voluntary or proactive basis. For instance, an individual could allege that the police violated their section 8 rights and concurrently submit a complaint to a privacy regulator alleging that the voluntary disclosure of their IP address by a private business constituted a breach of its privacy obligations—a position which this decision could be used to provide some support for in certain contexts.

Private-sector privacy law (including PIPEDA) generally allows businesses to proactively share personal information with law enforcement to support a police investigation into a crime perpetrated against them, and this is not expected to change with this ruling. However, when receiving a request for information from law enforcement related to a separate investigation, businesses must ensure that they have done their due diligence in confirming that the law enforcement body has the lawful authority to obtain the information in the first place. This may now include confirming that judicial authorization has been granted prior to sharing IP addresses with law enforcement in order to mitigate this privacy risk.

In this decision, the Court emphasized that the sensitivity and personal nature of information is determined just as much by its own content as by its potential to reveal sensitive information about an individual. This is not a novel finding in either the Charter or the privacy law context, and Canadian privacy regulators have long recognized IP addresses as personal information where they can be associated with an identifiable individual.

That said, given the Court's strong language asserting the "deeply" and "intensely" private nature of information that can be obtained directly from IP addresses, in some cases, even before a specific individual's identity is linked to the IP address, privacy regulators in future investigations and reports may be influenced by this decision to take an even stronger position regarding the sensitivity of IP addresses and analogous data for contexts directly applicable to the private sector. Higher sensitivity can, in turn, mean heightened privacy obligations, including with respect to the type of consent required to handle the information and the protections that should be put in place.

Key takeaways for businesses

• Businesses that regularly receive access requests from law enforcement or other governmental authorities should consider updating internal policies and procedures for responding to such requests to take into account the Court's approach to IP address and internet activity information, given the possibility of increased regulatory scrutiny on the issue. Specifically, internal procedures should provide guidance on confirming that law enforcement bodies have prior judicial authorization for requests involving IP addresses.
• Businesses that track, collect, or otherwise handle IP addresses or analogous data should review their policies and practices to confirm whether:
  • external privacy policies specifically identify relevant practices;
  • the appropriate type of consent is being obtained;
  • the appropriate safeguards are being used to protect the data in question; and
  • the appropriate data governance practices, such as those relating to data segregation, classification, retention, and permissions, are being applied to the data in question.
• Businesses should ensure that the potentially sensitive and personal nature of IP addresses is communicated to appropriate personnel. Unlike more obviously sensitive personal information (e.g., credit card information or medical records), IP addresses may not register to everyone as sensitive (or even personal) because the IP address itself is a collection of numbers that cannot identify anyone, so internal communication and education to ensure internal consistency on this point may be appropriate.

Footnotes

1. 2024 SCC 6.

2. Paras 41-42, 60-63.

3. Paras 65-66.

4. Paras 69-70, 80-81, 90.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.