Last April, David Canton noted an Alberta Court of Appeal decision that Leon’s Furniture was justified in collecting licence plate information from people picking up furniture at the store. The AB CA held that the licence plate number was not personal information.
Recently the Supreme Court of Canada refused leave to appeal, a decision that disappointed some privacy authorities.
Are licence plate numbers like Internet Protocol addresses (at least in the eyes of the federal Minister of Justice), in that they point to a machine and not to a person, and a machine that may be used by more than one person? A licence number is also visible to anyone who looks at the car to which it is attached, so what expectation of privacy can one have about it?
Some debate is possible whether a licence plate number is personally identifiable information, in the term used by PIPEDA. Does it depend on how hard one must work at identification? While on the surface, in a one-step analysis, the number does not necessarily relate to a particular individual (though it might, if only the single owner ever drove the car), these days there are a lot of big data bases around, and it would not take too many analytic steps (or snooping) to find other references that might allow one to figure out the individual to whom the information relates.
Some people have figured out how to identify the real people behind even apparently anonymized data.
It may be helpful separating the question whether a licence number is personally identifiable information, on the one hand, from whether Leon’s was justified in asking for it, on the other. I don’t have a problem with the store’s asking for that kind of identification from someone picking up goods, especially on behalf of someone else. How does one explain to the real purchaser that one has delivered his or her goods to a fraudster without keeping any means of tracing that person?
For whatever reason, the SCC has declined to set the law right, for the moment. Or is it right already?