By Hasna Shireen
Bill S-4, the Digital Privacy Act, came into force on June 18, 2015 to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The Government of Canada Backgrounder stated that “Canada’s Digital Privacy Act provides important improvements to Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA)” and that it “will ensure that Canadians are safer and more secure when they surf the web or shop online”. However, experts and critics contend that it will open the floodgates to warrantless data-sharing and will become an extensive threat to the privacy rights it apparently aims to preserve. (Michael Geist, “Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure,” (Blog), 10 April 2014. Online: <http://www.michaelgeist.ca/2014/04/s-4-post/>).
I have two main issues with the latest amendments to the PIPEDA. First, Bill S-4 expands the possibility of personal information disclosure to anyone, not just law enforcement, without consent or court oversight. Secondly, broadly worded disclosure of personal information without consent and court oversight runs contrary to Canadians’ reasonable expectation of privacy.
A. Personal Information Disclosure – without consent or court oversight
Subsection 7(3)(d) of the PIPEDA is amended by clause 6(10) of Bill S-4. These new amendments permit organization-to-organization disclosures in several new ways:
- Disclosure without consent to another organization is allowed in order to investigate a breach of an agreement or a contravention (or anticipated contravention) of a federal or provincial law where it is reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the investigation (7(3)(d.1)); and
- Disclosure is allowed without consent to a government institution or to the individual’s next of kin or authorized representative if there are reasonable grounds to believe that the individual has been the victim of “financial abuse,” and where it is reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the ability to prevent or investigate the abuse (7(3)(d.2), (d.3)).
The new PIPEDA sub-sections 7(3)(d.1), (d.2) and (d.3) permit an organization to disclose personal information to another organization without its customers’ knowledge or consent where it is reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the investigation.
These sub-sections restricted the former concept of "investigative bodies" from the PIPEDA (under the investigative body scheme, the Governor in Council may approve (by regulation) specific bodies or categories of bodies to which organizations may disclose personal information under explicit circumstances).
Previously, under the PIPEDA, investigators who wanted to access personal information without consent were required to be listed as an investigative body by Industry Canada. To be listed, the investigator had to justify the need to access the information. Under the new regime, an organization can voluntarily share its customers’ personal information with another organization if it meets the following four criteria:
- The other organization is investigating;
- The information that is requested must be relevant to the investigation;
- The investigation must pertain to a contravention or anticipated contravention of the law or breach of a contract; and
- It must be reasonable to believe that seeking the consent of the individual to disclose the information would compromise the investigation.
It is concerning that the new provisions allow the organizations to share confidential customer information without any consent or court oversight. Moreover, these new guidelines apply to anticipated breaches of federal or provincial law in addition to actual breaches. The government has argued that the provisions are needed to combat the escalating sophisticated cybercrimes. Yet without any investigative bodies, the broadly worded provisions open the door to the massive expansion of warrantless non-notified voluntary disclosures. Moreover, without any knowledge of the disclosure, affected individuals will not be able to challenge the violation of their privacy.
B. Contrary to reasonable expectation of privacy
The new provisions run contrary to Canadian case law, which established clear limits and oversight on basic subscriber information disclosures. In the landmark privacy decision, R v Spencer, 2014 SCC 43, 2 SCR 212, the Supreme Court of Canada ruled that an individual has a reasonable expectation of privacy in basic subscriber information. Before obtaining an individual’s subscriber information from Internet service providers (ISPs), it is important to look beyond the “mundane” aspects of the subscriber information because the “potential of that information to reveal intimate details of the lifestyle and personal choices of the individual must also be considered” (see also R v Trapp, 2011 SKCA 143, 377 Sask R 246, at paras 33-37). In the Spencer decision, the Supreme Court of Canada emphasized the strong privacy interest individuals have in maintaining the anonymity of their online activities and noted that the “lawful authority” exemption in PIPEDA does not create a basis to turn subscriber information over to the police.
The leading cases on disclosure of customer information in private litigation stressed the need for protections before the disclosure, even as part of an investigation. (Warman v Fournier et al, 2010 ONSC 2126, BMG Canada Inc. v Doe, 2005 FCA 193, Voltage Pictures LLC v Jane Doe, 2011 FC 1024)
In its Feb. 12, 2015, Submission to the Standing Committee on Industry, Science and Technology, the Office of the Privacy Commissioner (OPC) provided comments in light of the Spencer decision and noted that carrying out a reasonable expectation of privacy analysis under PIPEDA is highly complex and contextual, leaving organizations in a state of uncertainty as to when they may or may not disclose personal information without a warrant. Based on Spencer, the OPC recommended that a legal framework be created to help organizations comply with the PIPEDA and ensure that state authorities respect the decision of the Supreme Court of Canada.
Stakeholders and experts on privacy legislation raised several concerns regarding Bill S-4’s effect on individual privacy. On April 10, 2014, law professor Michael Geist of the University of Ottawa commented that the bill would expand the possibility of warrantless disclosure to anyone, not just law enforcement organizations. (Michael Geist, “Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure,” (Blog), 10 April 2014. Online: <http://www.michaelgeist.ca/2014/04/s-4-post/>). Geist also appeared before the Industry Committee on March 10, 2015, noting that the broadly worded voluntary disclosure exception runs counter to the Canadian court decisions, including Spencer. Geist also noted that the bill lacks transparency and reporting requirements associated with personal information disclosure. (Michael Geist, “Fixing the Digital Privacy Act: My Bill S-4 Appearance Before the Industry Committee,” (Blog), March 11, 2015. Online: <http://www.michaelgeist.ca/2015/03/fixing-digital-privacy-act-bill-s-4-appearance-industry-committee/>).
In conclusion, the new provisions in the PIPEDA open the door to potentially massive warrantless, non-notified disclosure of personal information. Without individual consent or court oversight, the new amendments run contrary to the decisions of Canadian courts on privacy protection. Clearly, Bill S-4 does not effectively balance individual privacy rights and the public interest.