The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, October 08, 2006
In response to the most recent debate over the role of internet service providers as potential agents of law enforcement in Canada (see Bell warns customers about privacy loss with lawful access, et seq), OnlineRights.ca and CIPPIC are calling for all internet service providers to take the ISP Privacy Pledge:
ISP Privacy PledgeAs an Internet Service Provider, we pledge to:
1. Not respond to government/law enforcement requests for personal information about users unless the request is supported by a warrant or court order, or unless the request is being made explicitly under ss.184.4 or 487.11 of the Criminal Code.
2. Not collect personally identifying information about users or monitor user content for law enforcement, national security, or other state purposes except where required by law to do so. If we see evidence of illegal activity, we may notify law enforcement authorities for further action.
3. Notify the subscriber as soon as possible after we receive a legal request or court order for that subscriber's personal information, unless the order does not permit such notification.
Michael Geist writes about it on his blog and points to a debate between him and Marc Goldberg, responded to by Alec Saunders.
This issue has more recently come to the fore in an Ontario application for a search warrant (Canadian Privacy Law Blog: Ontario court considers "lawful authority" under PIPEDA) and I've blogged on a similar topic in Canadian Privacy Law Blog: It's not your job to police your customers.
Simply put, commercial entities such as internet service providers should not arrange their service offerings to act as agents or adjuncts to law enforcement. This does not mean that ISPs should turn a blind eye to criminal activity. If clearly illegal conduct comes to their attention, they can and should report it. I say "clearly" because most commercial entities do not have the nuanced understanding of the law to be able to identify many kinds of allegedly unlawful conduct. Many think that downloading copyright material, such as songs, is illegal but the debate about it rages on in Canada. Whether any content is obscene depends upon a very sophisticated legal analysis, which most ISPs probably don't know, don't understand and aren't trained to apply. Other conduct is more clearly illegal, such as a death threat or sexual depictions of pre-pubescent children. If we expect private companies to make these nuanced judgements, we are opening the door to many "false positives" that may have a chilling effect on the use of the Internet by individual Canadians. If I thought that my ISP was acting as a deputy of the law enforcement apparatus, I may hesitate to post academic debates on religious fundamentalism for fear I may be reported for inciting hatred.
There really isn't anything specifically "anti-law enforcement" in the privacy pledge. It only demarcates the boundary between law enforcement and commercial service providers, who have privileged access to personal information. This boundary already exists in our laws, which provide a balance between the interests of the individual and those of the state. Our Charter and privacy laws provide for specific procedures that must be followed and thresholds that must be met before law enforcement are given access to these troves of data. These are in place to allow individuals to be free from unwarranted intrusions except in specific circumstances. If law enforcement can meet these thresholds, the intrusion is warranted. Deputizing private service providers interferes with that critical balance.
Labels: breach notification, law enforcement, lawful access, lawful authority, privacy, warrants
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.