The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, September 02, 2006

It's not your job to police your customers 

We constantly hear about the balance between privacy and security or between privacy and law enforcement. It is a precarious balance, but service providers need to be mindful of their place in the balance.

The Canadian general privacy law that is often the focus of this blog, the Personal Information Protection and Electronic Documents Act, addresses the role that the private sector can and should play in striking this balance. The short answer, if there is one, is that you are not a cop. The police have their job and are required to operate within the contraints of the law, including the Canadian Charter of Rights and Freedoms. The private sector gets to define its job, and it generally isn't law enforcement.

The hubub over the change to Sympatico's terms of service is evidence that customers don't expect their service providers to act as agents of law enforcement (see: Canadian Privacy Law Blog: More fallout from Sympatico privacy upset). Actors in the private sector, such as internet service providers, often collect and retain information that may be useful for law enforcement or as part of private litigation.

So what are service providers to do? Here's a short guide (and comments are welcome):

  1. Don't collect personal information that you don't need just because it could be useful, particularly if it could be useful to law enforcement or to private litigants. Even if you think you may be required to collect it later, that's no justification to collect it now.
  2. Don't keep personal information around any longer than you actually need it. If you are asked for personal information by law enforcement or private litigants, it is much easier to say you don't have it than to go to court to resist providing it (see below).
  3. Don't offer law enforcement unsolicited access to personal information just because you see something suspicious. Unless you come across evidence of fraud against your organization or compelling evidence of a serious crime, it is not your job to hand over reams of information to law enforcement.

    PIPEDA does allow you to disclose personal information to law enforcement on your own initiative under section 7(3) of the law:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

    (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

  4. If asked by law enforcement for personal information that is in your custody, don't hand it over without a warrant. This is the diciest situation and PIPEDA offers a bit of guidance. Under section 7(3), you are permitted to disclose personal information without consent in the following circumstances:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

    (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

    (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

    (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

    (iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

    It must be noted that these provisions are permissive, meaning that they allow you to disclose the information in these circumstances without offending PIPEDA. Nothing in the above require you to disclose the information. Any compulsion has to come from another statute or rule of law. So, if asked, preserve the information and ask that they return with a warrant. If they have probable cause and a reasonable basis to compel the information, they'll be back.

  5. If you are served with a subpoena for personal information, you should resist the disclosure. A subpoena is not a search warrant. In most jurisdictions, any lawyer representing any litigant can print out a subpoena and go to the court to get a fancy looking stamp on it. All a subpoena means is that you are required to attend at court with the information to have a judge make the final call. There may be no basis for the demand for information and your organization should avoid any situation where it has provided personal information that it was not legally required to hand over. When the internet service providers in the recent file sharing case resisted disclosure and took the matter to court, they emerged as staunch defenders of their users' privacy. That's certainly better than the alternatives.

Credit to the [non]billable hour for the photo.

Labels: , , , ,

Monday, July 17, 2006

Can you record telephone calls without consent? 

During the last week, the Supreme Court of California overturned a lower court and held that it is unlawful to record phone conversations of Californians, even if one party to the call is in a jurisdiction that permits such recording. (See: State Supreme Court Says Out-of-State Firms Can't Secretly Record Californians' Calls - Los Angeles Times.)

If often get e-mail from readers of this blog and the most common question is whether you can record phone calls (to which you are a party) without the other party's knowledge or consent. The answer to this question is a bit complicated, particularly because of rulings like that of the California Supreme Court.

What follows is a general discussion of the laws in Canada that need to be consulted to determine if recording is lawful. Circumstances vary widely and this is not a full review of all the laws that may be relevant, so this should not be considered to be legal advice. I also note this is not about recording for law enforcement purposes, where different rules will apply.

For calls originating and terminating in Canada, the first place to look (but not the last!) is the Criminal Code of Canada. Part VI of the Code is entitled "Invasion of Privacy" and addresses the issue of the interception of private communications. In short, it makes it illegal to intercept a private communications unless authorized by the Code (e.g. with a warrant or as part of maintaining the communications system) or unless the consent of one of the parties is obtained. The same holds true for radio-based communications, under both the Code and the Radiocommunications Act, which also prohibits divulging a radio-based communication without the consent of a party to that communication.

For private actors (as opposed to agents of the state), we have to also look at general privacy legislation, including the Personal Information Protection and Electronic Documents Act (Canada) aka PIPEDA, the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and an Act Respecting the Protection of Personal Information in the Private Sector (Quebec). None of these statues apply to purely personal endeavours. For example, PIPEDA says:

[3](2) This Part does not apply to ...
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Alberta's PIPA similarly reads:

[3](3) This Act does not apply to the following:
(a) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for personal or domestic purposes of the individual and for no other purpose;

(b) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for artistic or literary purposes and for no other purpose;

However, if the recording is for commercial purposes, such as the recording of customer service calls, the knowledge and consent of the individual is required. (Some consent exceptions may apply, but should not be relied upon unless you have specific legal advice.)

But that's not the end of the inquiry. Before you hit "record", you also have to consider whether the recording may be an invasion of privacy under the common law or those statutes which have created an express tort of invasion of privacy. For example, Newfoundland's Privacy Act creates a private right of action for an unreasonable invasion of privacy, but specifically excludes listening to or recording a conversation by a lawful party to a phone conversation. (Though the recording is not an invasion of privacy per se, the specific use of that call might be an invasion of privacy.)

So what is the conclusion? A lawful party to a call that starts and ends in Canada can record that call if they are doing so for a personal or journalistic reason and not a commercial purpose. If recording is to be carried out in connection with a commercial activity, check out "Focus on Privacy - Call Monitoring".

Labels: , , , ,

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs