Disclosing Personal Information
It was interesting to hear the mini-flap in the media earlier this week over the Interim Privacy Commissioner’s revelation as to the number of times in 2011 internet service providers provided customer data in response to government agencies’ warrantless requests (over 700,000 times out of 1.1 million requests).
Some media outlets do not seem to understand the law.
Enacted in 2000, the Personal Information Protection and Electronic Documents Act (“PIPDEA”) permits law enforcement agencies to make warrantless requests to internet service providers (“ISPs”) and other personal information holders so long as:
1. the agency has identified its lawful authority to obtain the information; and,
2. it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; or,
3. the disclosure is requested for:
• the purpose of enforcing any federal, provincial or foreign law;
• carrying out an investigation relating to the enforcement of any such law;
• gathering intelligence for the purpose of enforcing any such law; or,
• the administration of any federal or provincial law.
Without the consent of the individual, an ISP may disclose the requested information if it reasonably believes that the information relates to 2 or 3, above, and, the individual has no reasonable expectation of privacy in the disclosed information.
Whether the individual has a reasonable expectation of privacy in the information turns entirely on the circumstances. In the contractual documents completed by the individual with the ISP, has the individual been forewarned that the ISP may monitor the service and that it cannot be used for any illegality? Is the request narrow in that the requested information is simply a name and address? Or is it broader in the sense that the information reveals details about the individual’s biographical core – details that one would reasonably expect would not be revealed to a third party?
So long as there is no reasonable expectation of privacy, there is no need for the requesting law enforcement agency to provide the ISP with a warrant or other court order requiring the production of the information. That is because the Charter of Rights and Freedoms only protects us from unreasonable search and seizure in relation to things (including information) in which we have a reasonable expectation of privacy.
There are very few cases that illustrate how the foregoing should work, but Doherty J.A. does an admirable job in R. v. Ward, 2012onca660.
The Commissioner’s real issue appears to be that there are large numbers of warrantless disclosures occurring with no oversight. That is a legitimate concern. Absent a disclosure being reviewed in a judicial proceeding like Ward, there is no effective method to discipline law enforcement for ill-conceived requests and ISPs for disclosing in circumstances where they should not.