Since most information these days is generated, communicated and stored electronically, those who need access to a person’s information need access to the person’s information systems. That access may require a password and perhaps a means of decrypting the information. To what extent can the person with a legal right or even duty to access the information compel disclosure of these access methods?
In Ireland, a receiver is investigating the corporate and personal affairs of Sean Quinn in his dealings with the Bank of Ireland. The High Court of Ireland has ordered that several members of the Quinn family turn over to the receiver the passwords needed to access a number of their personal and business accounts. The court responded to concerns about privacy by limiting the number of people who can have access and the nature and date of the records to be accessed.
The US law firm Steptoe and Johnson has commented with respect to this case:
“Courts globally are just beginning to wrestle with whether they can order people to turn over encryption keys or passwords, or to produce unencrypted data, and what limits, if any, to put on searches for electronic evidence that might be buried in a sea of unrelated, private data. So nearly every decision in the area is breaking new ground.”
Would this happen in Canada? If not, why not? Does it matter whether it is a criminal case, a civil case or – as here – a regulatory investigation (in a bankruptcy proceeding)?