Bill C-12 and “Lawful Authority” Under PIPEDA
by Philippa Lawson*
Those following the development of Canadian privacy law have long awaited amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), some of which are proposed in Bill C-12. This rather long post addresses just one of these amendments: the proposed new definition of “lawful authority”.
Under PIPEDA, telecom service providers (“TSPs”) are permitted to disclose “personal information” (which includes name, address, and any other information about an identifiable individual) without the knowledge or consent of the individual only in certain specified circumstances. One of those circumstances is if the disclosure is “made to a government institution … that has made a request for the information, identified its lawful authority to obtain the information and indicated that … (ii) the disclosure is requested for the purpose of … carrying out an investigation related to the enforcement of any such law [of Canada, a province or a foreign jurisdiction] …” (emphasis added).
The meaning of “lawful authority”
In the absence of clear statutory authority for police to obtain subscriber information (and other personal information) without a warrant, the term “lawful authority” has been fraught with conflicting interpretations, with some TSPs taking the position that it means a warrant or court order, and with courts struggling to determine its scope.
As a result, the government has proposed to amend PIPEDA to include the following clarification:
s.7(3.1) For greater certainty, for the purpose of paragraph (3)(c.1):
(a) lawful authority refers to lawful authority other than
(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or
(ii) rules of court relating to the production of records; and
(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution. (clause 6(12) of Bill C-12)
While this amendment would certainly clarify that “lawful authority” does not mean a court order or warrant, it does nothing to specify what is required for “lawful authority” to exist. The proposed amendment therefore does little to assist courts and leaves TSPs uncertain as to when they can and cannot legally disclose customer information to the police.
One possible interpretation of “lawful authority” in the context of PIPEDA is that it simply means establishing one’s credentials as a legitimate law enforcement agent acting within the scope of one’s functions and duties. But this interpretation is unlikely as it is already implicit in the existing provision’s requirement that the request be made by a government agent for a law enforcement purpose. As noted by Justice of the Peace Conacher in his reasons for denying a search warrant request in S.C. (Re) 2006 ONCJ 343 para.9:
… s. 7(3) stipulates that the information can be provided without consent only if the body seeking the information has “identified its lawful authority to obtain the information” and has indicated that the disclosure is requested (in this case) for law enforcement purposes. The Act does not set out that the existence of a criminal investigation is, in and of itself, “lawful authority” within the meaning of the Act nor, therefore, does a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” establish such authority. Accordingly, there must still be some “legal authority” to obtain the information; in the view of this Court s. 7(3)(c.1)(ii) by itself does not establish what that “lawful authority” is.
Another interpretation is that “lawful authority” requires statutory authority, such as the proposed new law mandating warrantless access to subscriber data. But if by “lawful authority” the legislature meant only “statutory authority”, it could and would have used that term. It must be presumed that the legislature meant more than statutory authority when it used the broader term “lawful authority”.
If “lawful authority” has any meaning (other than subpoena, warrant or court order), there must be circumstances involving law enforcement when it is not present. Such circumstances could include statutory authority, common law authority and, superseding both of these, constitutional authority. Indeed, the senior policy advisor and legal advisor to the government in the drafting of PIPEDA (Stephanie Perrin and Heather Black) explained in a text entitled The Personal Information and Electronic Documents Act: An Annotated Guide, published in 2001 shortly after the Act came into force, that:
[Section 7(3)(c.1)(ii)] is aimed at ‘pre-warrant’ activities in which private sector organizations cooperate with domestic law enforcement agencies who are collecting the information on a ‘casual’ or ‘routine’ basis and for which no warrant is required. Only information that is of a relatively innocuous nature will be collected by these means, since the collection of information in which the individual has a reasonable expectation of privacy would require the Charter protection of a warrant. (p.75; emphasis added)
Effectively refuting the now common practice of police to treat s.7(3)(c.1) of PIPEDA as authority for obtaining subscriber information from TSPs without a warrant, they note that “When [s.7(3)(c.1)] was introduced, the government stated that the amendment did not give any new powers to law enforcement but that it merely reflects the status quo.” (p.74)
Later, in answer to the question “If the local police wish to obtain information about a customers, what must happen?”, Perrin and Black confirm the intended meaning of “lawful authority” in s.7(3)(c.1):
The organization can only comply with that request if the police can identify their lawful authority to get the information, which essentially means that it is information in which the individual does not have a reasonable expectation of privacy under section 8 of the Charter. (p.165; emphasis added)
This interpretation is buttressed by subsection 5(3) of PIPEDA which states that “an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. In other words, none of the exceptions in subs.7(3) permit collection, use or disclosure that would be considered inappropriate by reasonable persons. And surreptitious gathering by police of personal information in which the individual has a reasonable expectation of privacy would surely be considered inappropriate by reasonable people.
Hence, when a police request for information is not Charter compliant by reason, for example, of the lack of reasonable grounds to suspect that the information requested has anything to do with criminal wrongdoing, or because the information requested attracts a reasonable expectation of privacy, the TSP is not authorized under s.7(3)(c.1) to disclose the information. This statutory prohibition on the TSP’s right to disclose perfectly mirrors the police officer’s absence of constitutional authority to demand the information.
But whether a given request is Charter compliant is not always clear even to lawyers and judges. It is therefore unreasonable to expect TSPs to be able to conduct their own Charter analysis with respect to each request they receive from law enforcement. For this reason alone, s.7(3)(c.1) of PIPEDA needs to be amended. But the proposed amendment would not give TSPs the certainty they need (despite relieving the disclosing organization of the requirement to verify the validity of the asserted lawful authority). This is because it fails to state what “lawful authority” is – i.e., what it would look like to a TSP who is presented with a request. “Lawful authority” needs to be positively defined as something concrete that TSPs can easily assess without legal advice.
The simplest resolution to this problem that would both remove uncertainty for TSPs and ensure Charter compliance is to remove s.7(3)(c.1) entirely, thus prohibiting disclosures of customer information in response to requests from law enforcement without a subpoena, warrant or court order. This is the strongly favoured approach of those who value civil liberties.
Alternatively, the term “lawful authority” could be replaced by “statutory authority”. The government could then enact legislation such as proposed in this package of reforms permitting or requiring organizations to disclose certain kinds of personal information to law enforcement agencies upon request without a subpoena, warrant or court order. TSPs and others would then have the certainty they need regarding the legality of warrantless requests, and issues of constitutionality would focus on the statutory authority relied upon for such disclosures.
Failure to distinguish between different types of personal information
PIPEDA applies broadly to all forms of “personal information” while importing notions of “appropriateness”, “reasonableness” and flexibility so as to allow for differential treatment of different types of information depending on the privacy interest at stake. However, most of the exceptions to the general rule against disclosure without consent set out in s.7(3) do not distinguish among different types of data; they permit the disclosure of any personal information as long as the conditions in the exception are met. In particular, subs.7(3)(c.1) does not distinguish between content and other, non-content data – it allows organizations to disclose any and all personal information to law enforcement agencies upon request without warrant.
This “one size fits all” approach to voluntary disclosures permitted under PIPEDA is inappropriate insofar as it fails to recognize the generally very different privacy interests inherent in different types of data. Yet, as discussed above, such differences are the basis for application under the Criminal Code, common law and Charter of different standards for permitting law enforcement access to different kinds of personal information. The US Stored Communications Act (18 U.S.C. § 2702) also applies different disclosure rules depending on the type of data in question, with much more stringent limits applicable to e-mail messages and other communications content than to non-content records such as subscriber name and address and session logs.
Without detracting from the point that subscriber information and other non-content records can reveal a great deal about individuals and thus deserve to be protected by appropriate standards (for compelled as well as voluntary disclosure), the voluntary disclosure of personal information under s.7(3)(c.1) of PIPEDA in response to requests from law enforcement agencies, if maintained, should at least be limited to non-content information. Because they are responding to requests from law enforcement, private organizations are acting as agents of the state when providing this information. It has been clearly established that the Charter requires prior judicial authorization for the non-consensual interception of communications unless exigent circumstances exist, and this general rule logically extends to the surreptitious collection of data revealing the content of private communications. The exceptions set out in s.7(3) of PIPEDA that allow voluntary disclosure of personal information to police without the knowledge or consent of the individual should therefore be limited to non-content information in a manner consistent with the Charter.
* Philippa Lawson is legal counsel with the Yukon government and was formerly Executive Director of the Canadian Internet Policy & Public Interest Clinic (CIPPIC)
Pippa: excellent article. May I add one point that wasn’t addressed? The question of accuracy and ability to correct is not addressed.
Privacy comes with two safeguards, and they are: 1) you have an inherent “right” for your personal information to be correct, and 2) you have the “right” to correct the information when the information is incorrect.
Using the policy/legal framework argued above, neither of these rights can be addressed, given the personal information is accessed upon some authority without the knowledge of the person. There is no opportunity to know the information has been collected, distributed or used and no trigger for correctness. In other words, in the event the information is incorrect, because of the secrecy of the process to obtain the information, neither the ability to know the information is incorrect, nor the ability to correct the information will ever be triggered. Much harm can be done before the person will ever have the opportunity to correct.
An issue falling out of the above is the fact that IP addresses (and other technical forms of submissions to the courts) will appear as gibberish to most judges. Reading log reports, or understanding IP jargon or processes used to obtain IP addresses, etc., is not a skill expected of a judge.
These particular skills are present in administrative tribunals, or quasi-judicial bodies that address privacy on a daily basis. The chances of incorrectness increase with the risk of judges not understanding the IP process, and having to take the word of the applicant that the IP addresses are correct in the first place.
Perhaps the authority of obtaining personal information should better be placed with administrative tribunals who have the technical skills to make an informed decision, rather than the regular courts who lack the skill and where there is no expectation of having the skills to address accuracy and correctness.
It was really good to read your article… hope all is well in the great white north!