In a landmark privacy decision, R. v. Spencer, (2014 SCC 43), the Supreme Court of Canada has ruled that individuals have a reasonable expectation of privacy in Internet usage information, and that law enforcement authorities who wish to obtain subscriber information from ISPs must, in most circumstances, do so pursuant to a warrant.
The court rejected the argument that Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) allowed ISPs to provide subscriber information to authorities in response to a simple request. Subject to certain exemptions, one of which was at issue in this case, PIPEDA generally requires consent for private-sector organizations to disclose personal information.
In Spencer, police investigators in Saskatoon, Canada identified the IP address of a computer that was being used to access and store child pornography through an Internet file-sharing program. Without obtaining a warrant or production order, investigators made a “law enforcement request” to the ISP for subscriber information connected with that IP address, including the name, address and telephone number of the customer. The request was made pursuant to section 7(3)(c.1)(ii) of PIPEDA, which permits an organization to disclose personal information without consent to a government institution which has made a request for the information, identified its “lawful authority” to obtain the information, and indicated that the disclosure is requested for the purpose of enforcing a law, carrying out an investigation or gathering intelligence to enforce a law.
The ISP complied with the request and provided the name, address and telephone number of Matthew Spencer’s sister, the ISP’s customer and with whom he was living. With this information, the police obtained a warrant to search Mr. Spencer’s home and seize his computer, which resulted in a search that revealed extensive child pornography on Mr. Spencer’s computer.
At trial, Mr. Spencer tried to exclude the evidence found on his computer on the basis that the police actions in obtaining his address from the ISP without prior judicial authorization amounted to an unreasonable search contrary to section 8 of the Canadian Charter of Rights and Freedoms. The trial judge rejected this argument and convicted Mr. Spencer on possession of child pornography. The Saskatchewan Court of Appeal upheld the trial judge’s decision with respect to the search issue.
The Supreme Court held in a unanimous decision that the police action in obtaining the subscriber information matching the IP address without a warrant constituted a search that was not authorized by law. In the circumstances, Mr. Spencer had a reasonable expectation of privacy in the information provided to the police and PIPEDA did not provide a “lawful authority” to obtain the information.
With respect to the question of whether there was a reasonable expectation of privacy, the court first considered the subject matter of the search and rejected the argument that what was sought and obtained (name, address, telephone number) was simply “generic information.” Rather, it was information that had the potential to reveal intimate details of the lifestyle and personal choices of the individual in question.
The court described three general types of privacy interests – territorial, personal and informational – and noted the descriptions were analytical tools, not strict or mutually-excusive categories. The court also provided a framework for analyzing the “informational” privacy interest that had been compromised in this case. Informational privacy includes privacy as secrecy or confidentiality, privacy as control (over when, how and to what extent information about a person is communicated to others), and privacy as anonymity.
On the last point, the court accepted that “maintaining anonymity can be integral to ensuring privacy”. It also elaborated on the notion of privacy as anonymity, stating that anonymity “permits individuals to act in public places but to preserve freedom from identification and surveillance.” As an example, the court referred to a previous decision in which it had found that monitoring of a vehicle’s whereabouts on public highways amounted to a violation of a suspect’s reasonable expectation of privacy. However, the court stopped short of recognizing a general right to anonymity.
The court found that, in this case, a high level of informational privacy was engaged when the police requested subscriber information corresponding to specifically observed, anonymous Internet activity.
In considering whether Mr. Spencer had a reasonable expectation of privacy, the court also examined the ISP’s terms of service agreement – though it was Mr. Spencer’s sister, not he, who had been the customer – and relevant user and privacy policies. The court concluded these were of little assistance as they ultimately referred back to PIPEDA but that, if anything, the contractual provisions supported the existence of a reasonable expectation of privacy since they narrowly circumscribed the ISP’s right to disclose subscriber information.
The court went on to conclude that a simple request to ISPs to disclose subscriber information without power to compel compliance with the request is not a “lawful authority to obtain the information”, as required by section 7(3)(c.1)(ii) of PIPEDA. The reference to “lawful authority” must mean something other than a warrant, since providing information pursuant to a warrant has its own exemption under PIPEDA. The court noted the term could refer to the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy – for example, the content of conversations between a suspect and a potential witness – and could also refer to the authority of police to conduct warrantless searches under exigent circumstances, such as imminent harm, or where authorized by a reasonable law.
Ultimately, the court held that while the police conduct was a serious infringement of Mr. Spencer’s Charter rights and emphasized that anonymity is “an important safeguard for privacy interests online,” society’s interest in seeing this case adjudicated on its merits meant that the evidence should not be excluded. The court affirmed the conviction on the possession of child pornography count.
The Spencer decision has implications for Canadian ISPs and other private sector entities subject to PIPEDA, as well as law enforcement authorities. The need to obtain a warrant for Internet usage information could change law enforcement practices in everything from investigations of online frauds to national security issues. Information provided to the Privacy Commissioner of Canada in 2011 showed that nine Canadian ISPs collectively reported receiving just short of 1.2 million data requests from government authorities annually, on average. The Supreme Court, however, made the point that the effectiveness of law enforcement for online offences was not at risk, noting that the police had ample information to obtain a warrant in Spencer.
It is important to note that ISPs and other private-sector organizations remain free to use a separate, broader exemption in PIPEDA where the ISP itself detects illegal activity and on its own initiative wishes to report it to the police. Such a disclosure by a non-governmental body that is not acting as an agent of the police is not subject to the Charter restrictions that apply to government actions.
The decision in Spencer also raises questions about two pieces of proposed legislation currently before the Canadian Parliament. First, the government has introduced a “cyberbullying bill” (Bill C-13), which purports to expand the Canada Criminal Code provision on voluntary assistance to police without prior judicial authorization, and include an immunity provision protecting organizations that preserve personal information or disclose it without a warrant from criminal or civil liability.
Questions are also being raised in the media about the PIPEDA reform bill (Bill S-4), which includes a provision to extend disclosure of subscriber information without a warrant to private-sector organizations investigating a contractual breach or possible violation of any law; however, the lack of any governmental involvement makes such a disclosure different from the Charter-restricted police seizure at issue in Spencer. It remains to be seen whether the federal government will move forward with the bills in their current form or propose amendments.