The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, September 15, 2007

Some necessary background to the fuss over warrantless access to Canadian personal information 

Over the last week, there's been a huge fuss in the media and among bloggers about the consultation that was initiated by the Department of Public Safety over an apparent revival of "lawful access" in Canada. Two things really seemed to catch the attention of commentators: first, the suggestion that the government is again contemplating a system of warrantless access to personal information and, second, that the consultation was taking place in secret. I first heard about it from Michael Geist, who deserves a lot of credit for making it well-known (Public Safety Canada Quietly Launches Lawful Access Consultation). Since then it has been widely reported on in the media and among bloggers.

So what is the fuss about? I hope I can provide some background and context for some of the discussion that is taking place.

Canadian law enforcement and national security agencies are looking for a quick and easy way to obtain access to the names, phone numbers, IP addresses, etc of customers of Canadian telecommunications service providers. (Quick and easy, in this context, means without the delay and paperwork involved in applying to a judge for a search warrant.) This information is sought in a number of contexts, including in the very beginning of investigations or as part of "intelligence gathering." It is also sought, at times, when there is insufficient evidence to connect an individual to a crime so that a judge would not issue a warrant. (Which raises the question: Why should the police be able to require the information without oversight in circumstances where a judge says that the Charter of Rights and Freedoms doesn't permit them to require the information?)

So why shouldn't telecommunications service providers, being good citizens, hand over this information when asked by the police or by national security agents? Simply put, because it is illegal for them to do so. Since 2001, Canadian telecommunications service providers have been subject to the Personal Information Protection and Electronic Documents Act (aka "PIPEDA"). PIPEDA requires the consent of the individual for all collection, use and disclosure of personal information, subject to a number of exceptions. "Personal information" includes any information about an identifiable individual. If it is information and it's about an identifiable individual (either alone or in combination with information that it accompanies), it's "personal information". This would include my name, my address, my phone number, the IP address of my computer, etc.

Some might say that's public information, because my name and phone number may be in a phone book. Interesting point, but that doesn't remove the protections to the information if it is in the hands of my TSP. If the police get it from the phone book, then they can do what they want with it. But if they want to get it from my TSP, then it is personal information and the TSP can't disclose it unless a "consent exception" applies. (See s. 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA and, very importantly, the Regulations Specifying Publicly Available Information (SOR/2001-7)).

The police (who are not bound by PIPEDA) may be within their rights to ask for the information, but TSPs (who are bound by PIPEDA are not able to hand it over without consent unless a PIPEDA consent exception applies. Section 7 contains many consent exceptions, some of which might apply in the circumstances described in the consultation document put out by Public Safety Canada:

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

Under PIPEDA, TSPs can likely disclose information about a customer in an emergency. Section 7(3)(e) permits a disclosure without consent if the disclosure is:

(e) made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;

What it doesn't permit is disclosures to law enforcement unless they have a warrant. In this context, s. 7(3)(c.1) is the subject of a bit of debate. This reads:

7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

It must be noted that these provisions are permissive, meaning that they allow the TSP to disclose the information in these circumstances without offending PIPEDA. Nothing in the above requires a TSP to disclose the information. Any compulsion has to come from another statute or rule of law. Section 7(3)(c) says if they have a warrant, the TSP can hand it over. (The obligation comes from the warrant, not PIPEDA.) There is authority from the Ontario Courts that an investigation does not create the "lawful authority" to obtain the information. "Lawful access" is an effort to change the law to have an investigation constitute "lawful authority". Or just remove the "lawful authority" requirement altogether.

What is also very interesting from the consultation document is that many TSPs currently hand over the information when asked by law enforcement (worth quoting again):

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

I have it on reliable authority from within the industry that most internet service providers will provide a customer's full name and billing address when given an IP address. It doesn't seem to be because they think they legally can, but because they have succumbed to pressure from law enforcement who take a position that not providing the information puts them in league with child molesters and terrorists.

The fact remains, and must be borne in mind, that if a person's life or safety is in jeopardy, the TSP can disclose information without consent. This would include the ticking bomb scenario, a child being abused, etc. In exigent circumstances, the police always have access to the expedited telewarrant procedures in the Criminal Code. There isn't an exception in PIPEDA, the Criminal Code or the Charter for compelled disclosures of personal information absent lawful authority.

Labels: , , , , , , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs