Our online privacy rights are coming under intense scrutiny this month, as two bills threaten to expand the ability of law enforcement agencies (and others!) to access our personal information without a warrant. The highly unpopular C-13 is currently making its way through the Senate, and facing fierce opposition. Meanwhile Bill S-4, the Digital Privacy Act which amends the federal private sector privacy law (PIPEDA), was referred to committee before its second reading, opening it to much more extensive amendments than is normally the case.
This is important because as it currently stands, there are some serious questions about the constitutionality of this bill. Its referral to the House of Commons Standing Committee on Industry, Science, and Technology provides a unique opportunity to fix these problems.
The question of whether S-4 is unconstitutional stems from a landmark Supreme Court of Canada ruling in R. v. Spencer in June of this year. Currently, section 7(3)(c.1)(ii) of PIPEDA allows Internet Service Providers to voluntarily disclose metadata to a government institution if it has “made the request for the purpose of law enforcement and has stated its “lawful authority” for the request.” So the question considered in the SCC case, and which makes S-4 of questionable constitutionality, is what constitutes “lawful authority” to obtain metadata?
The court ruled that, contrary to the statements by a number of government officials and lawyers, the collection of IP address information and other metadata does constitute a “search,” and a person does have a reasonable expectation of privacy online. This means that a “simple request” from law enforcement is not enough; a warrant is required in order to allow ISPs to give that information to the authorities.
And this is where Bill S-4 runs into trouble, because it includes a provision that “allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law” (emphasis added). This includes law enforcement and other state agencies, but it also allows non-government organizations (or even individuals) to take advantage of warrantless access. This flies in the face of the SCC ruling.
Professor Michael Geist has highlighted the huge range of uses this new exception might have; from copyright conflicts to defamation claims, commercial battles, and consumer disputes. Protections that have been developed by the courts to create oversight and approval procedures would be replaced by the provisions of S-4 , which give immunity to ISPs that hand over our personal information without being shown a warrant, and without us ever knowing what they did.
There are several good things about S-4 (particularly the breach notification requirements) but the expansion of private organizations’ ability to disclose our personal information is not one of them. We want to see the Committee take advantage of its expanded scope to amend the bill and make it into a real improvement to PIPEDA.