Archive for the ‘pipeda’ Category
Case Report – RCMP allowed to access flight manifest without a warrant
On November 6th, the Nova Scotia Court of Appeal held that the RCMP did not conduct an unreasonable search by reviewing a WestJet passenger manifest without a warrant and without making a formal request.
The context and the background
The issue of law enforcement’s access to personal information held by business organizations has arisen in a number of recent criminal cases, and it is becoming common for courts to judge the reasonableness of a police search in light of standards set by PIPEDA. PIPEDA restricts regulated organizations from disclosing personal information without consent, but includes the following key exemption:
7(3) For the purposes of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge and consent of the individual only if the disclosure is…
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
(iii) the disclosure is requested for the purpose of administering any law of Canada or a province…
In this case, the RCMP reviewed a passenger manifest from a domestic flight, identified a passenger who had paid by cash shortly before the flight and who only had one piece of luggage and proceeded to search that passenger’s luggage. It found drugs and laid charges.
Trial judge finds Charter breach
In December of last year, Mr. Justice Simon MacDonald of the Nova Scotia Supreme Court held the RCMP breached PIPEDA because it did not make a “request” required by section 7(3)(c.1) given its “cozy” relationship with WestJet:
It might be a fair comment to say the officers had assumed they had permission to look at the manifest from their daily discussions and associations with the staff at Westjet. However, in my mind that is not a satisfactory answer to the problem. There were certain obligations upon the RCMP officers in reviewing the manifest which were legislated under PIPEDA and applied when they went to look at this manifest without a warrant. Mr. Plimmer said Westjet put a protocol on procedures in place for the police to follow in order to see manifests. The police were aware of the procedure they had to follow. I find they didn’t do so in this case, but rather cavalierly walked into Westjet and simply started looking at manifests.
In addition to signaling that the procedural requirements in section 7(3)(c.1) are likely to be read strictly, the trial judgement was notable for its close consideration of WestJet’s privacy policy. The policy said that WestJet might be “required by legal authorities” to disclose personal information without consent, but did not say that WestJet would voluntarily cooperate with law enforcement. MacDonald J. said the policy “seems to emphasize that WestJet would only collect and disclose what is required by law and nothing more.” This weighed in favour of finding the search to be unreasonable and therefore unconstitutional.
MacDonald J. then excluded the evidence based on an application of the Collins test.
Court of Appeal disagrees
The Court of Appeal held that MacDonald J. erred by finding that the RCMP did not have legal authority for the collection of information and by equating a breach of PIPEDA with a breach of the Charter right to be free from unreasonable search and seizure. It then conducted its own contextual expectation of privacy analysis and held that section 8 of the Charter was not engaged in the circumstances. It noted the following in its analysis:
- It could not infer a subjective expectation of privacy given the information used by the RCMP was not particularly private – that is, the defendant purchased a ticket from Vancouver to Halifax at the last minute with cash and checked a single bag all in public view.
- The place searched was a third party’s office, not a home or even a business premises.
- Westjet’s privacy policy, with its reference to being “required by authorities” to disclose certain information, was nonetheless a warning to passengers.
- Given the exception to the consent rule in section 7(3)(c.1)(ii), PIPEDA does not support an expectation of privacy.
- The police tactic was limited, in that the RCMP relied on a drug courier profile and sought only information that fit that profile.
- The information collected by the RCMP did not go to the defendant’s “biographical core” of information. The Court said it “amounted to no more than Westjet’s record of Mr. Chehil’s public activities in transacting business with the airline.”
- The fact that the passenger record had a space where more sensitive personal information could be entered (e.g. food preferences) did not support an expectation of privacy. The Court said this fact was too theoretical to count.
Thanks to David Fraser for the tip on this important case.
SCC dismisses application for leave in challenge to bank investigation
On June 4th, the Supreme Court of Canada denied an application for leave to appeal the Ontario Court of Appeal’s decision in Royal Bank of Canada v. Ren. This January, Ontario’s top court affirmed the dismissal of a Charter application that claimed RBC violated section 8 of the Charter in investigating a case of mortgage fraud. My summary of the Ontario Court of Appeal judgement is here.
Case Report – Court rejects complaint about intelligence gathering through corporate e-mail system
On February 18th, the Federal Court dismissed a PIPEDA application that alleged an executive had unlawfully collected personal information by sending an e-mail to members of his firm to inquire about the applicant.
The facts leading to the application are twisted. Martha McCarthy, a prominent family law lawyer in Ontario, had represented the applicant’s wife in a contentious family law dispute. The judgement reports that Ms. McCarthy told her brother, Peter McCarthy, that she had received two threatening phone calls from the applicant. Mr. McCarthy, a Vice-President at J.J. Barnicke, e-mailed the company’s sales force for information. His subject line stated “Mark Waxer” and his e-mail stated, “Does anyone know what firm Mark is with?” Mr. Waxer complained to the federal Privacy Commissioner and subsequently filed his application.
These facts raise a good issue about PIPEDA application, but the Privacy Commissioner took jurisdiction over the complaint and the court application did not address whether the collection at issue was made in the course of J.J. Barnicke’s commercial activity or for Mr. McCarthy’s personal purposes. (Query whether a finding of jurisdiction is consistent with the Federal Court’s recent Johnson v. Bell Canada ruling.)
The Court dismissed the unlawful collection complaint because the applicant had not proven that Mr. McCarthy had actually collected personal information as a result of his request. Notably, the Court gave no weight to the applicant’s argument that it should infer that Mr. McCarthy’s inquiry was fruitful from the respondent’s failure to adduce evidence of a thorough search of its computer system (including a search of e-mail archives and back-up tapes). It was satisfied with Mr. McCarthy’s sworn denial, which the applicant did not challenge in cross-examination.
The Court also declined to award damages for breach of PIPEDA’s accountability principle. The Privacy Commissioner had concluded that J.J. Barnicke did not have appropriate privacy policies in place nor did it have a designated privacy officer accountable for compliance as required by Principles 4.1 and 4.1.4 of Schedule 1 to PIPEDA. The company complied with the Commissioner’s recommendations, and she therefore deemed the complaint to be “well-founded and resolved.” Without re-visiting the question of breach, the Court held that it was not proper to award damages in the circumstances. It held the applicant could not claim damages for the stress of the proceedings themselves and held that he had not otherwise proven any other humiliation or embarrassment that would warrant a damages award. It noted that the applicant’s aggressive and assertive position throughout the litigation was inconsistent with his damages claim.
Twitter stream of Osgoode’s Cybercrime and Electronic Evidence Symposium
I attended Osgoode’s Symposium on Technology Crime and Electronic Evidence today. A great program, with dialogue on search and electronic evidence issues from keynote speaker Jennifer Granick of the EFF, Crown counsel Susheel Gupta, computer forensic professional Philip Fodchuck, Crown counsel Michel Fairburn, defence counsel Scott Fenton and defence counsel Alan Gold among others.
I didn’t plan on live blogging but had my computer open and kind of got into it. Here’s the stream, which includes some “nuggets” and cites to case law.
Thanks to the presenters and organizers. Inspiring.
Dan
Case Report – Ont. S.C.J. okays warrantless search of subscriber data
On February 10th, the Ontario Superior Court of Justice dismissed a Charter application that challenged a letter request made by the police to an internet service provider for the name and address of an account holder associated with a specific IP address at a specific point in time.
The Court held that the applicant had no expectation of privacy in the information disclosed, which the police used to obtain a warrant and lay child pornography charges. The Court narrowly construed the personal information collected in the search as one’s name and address (or the name and address of a cohabiting spouse) and held that this information is not “biographical information” that is protected by the Charter. It also relied on the service provider’s contract of service, which expressly permitted the transfer:
In addition, in this case the terms of the contract with the internet provider is one of the factors to be considered in assessing whether the asserted expectation of privacy is reasonable in the totality of the circumstances. That contract includes an agreement that the service provider could disclose any information necessary to satisfy any laws, regulations or other governmental request from any applicable jurisdiction. Further, the agreement contained a provision that by subscribing to the service, one consents to the collection, use and disclosure of personal information as described in the Bell Customer Privacy Policy and the Bell Code of Fair Information Practices. This privacy statement includes a provision that Bell Canada may also provide personal information to law enforcement agencies. Therefore by virtue of the contractual terms on which the internet service was provided an expectation of privacy is not reasonable
Thank you to David Fraser for digging up a copy of the decision!
Case Report – Court excludes evidence for unlawful police access to passenger manifest
On December 19, the Nova Scotia Supreme Court excluded evidence supporting drug trafficking charges after finding that the RCMP breached PIPEDA by reviewing a WestJet passenger manifest without making a formal request.
The issue of law enforcement’s access to personal information held by business organizations has arisen in a number of recent criminal cases, and it is becoming common for courts to judge the reasonableness of a police search in light of standards set by PIPEDA. PIPEDA restricts regulated organizations from disclosing personal information without consent, but includes the following key exemption:
7(2) For the purposes of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge and consent of the individual only if the disclosure is…
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
(iii) the disclosure is requested for the purpose of administering any law of Canada or a province…
In this case, the RCMP reviewed a passenger manifest from a domestic flight, identified a passenger who had paid by cash shortly before the flight and who only had one piece of luggage and proceeded to search that passenger’s luggage. It found drugs and laid charges.
The Court held the RCMP breached PIPEDA because it did not make a “request” required by section 7(3)(c.1) given its “cozy” relationship with WestJet:
It might be a fair comment to say the officers had assumed they had permission to look at the manifest from their daily discussions and associations with the staff at Westjet. However, in my mind that is not a satisfactory answer to the problem. There were certain obligations upon the RCMP officers in reviewing the manifest which were legislated under PIPEDA and applied when they went to look at this manifest without a warrant. Mr. Plimmer said Westjet put a protocol on procedures in place for the police to follow in order to see manifests. The police were aware of the procedure they had to follow. I find they didn’t do so in this case, but rather cavalierly walked into Westjet and simply started looking at manifests.
In addition to signaling that the procedural requirements in section 7(3)(c.1) are likely to be read strictly, the judgement is notable for its close consideration of WestJet’s privacy policy. The policy said that WestJet might be “required by legal authorities” to disclose personal information without consent, but did not say that WestJet would voluntarily cooperate with law enforcement. The Court said the policy “seems to emphasize that WestJet would only collect and disclose what is required by law and nothing more.” This weighed in favour of finding the search to be unreasonable and therefore unconstitutional.
The Court then excluded the evidence based on an application of the Collins test. In characterizing the breach as serious it said, “It is not the rights of a drug trafficker here that I am protecting. It is the rights of a member of society who chooses to give personal information to an airline ticket agent which is recorded on a flight manifest.”
OPC releases “Guidelines for Processing Personal Data Across Borders”
On January 27th, the federal Privacy Commissioner released a document entitled “Guidelines for Processing Personal Data Across Borders.” The guidelines reflect the OPC’s pragmatic approach to the issue, but seem to put slightly greater emphasis than in prior commentary on the need for organizations to examine local and political factors in their due diligence process:
In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.
The Guideline is available here.
Case Report – NBCA says Federal Court is proper forum for PIPEDA challenge
On January 22nd, the New Brunswick Court of Appeal held that the Federal Court is the proper forum for a broad challenge to the powers granted to the federal Privacy Commissioner by PIPEDA.
The Court held that the matter was essentially a request for judicial review of an OPC decision despite the applicant’s constitutional validity argument, which it had made in the alternative. Given this characterization, the Court held that the Federal Court was the proper forum.
This is not a privacy judgement, but it is nonetheless worth noting given the thrust of the applicant’s substantive objection. As a defendant’s insurer, it claimed the OPC had no jurisdiction to deal with its video surveillance of a plaintiff. The Court explained the argument as follows:
State Farm raises a core issue in its application: whether it engaged in “commercial activity” within the meaning of PIPEDA when it collected information about Mr. Gaudet in discharging its duty to defend Ms. Vetter. It contends that the only relationship that exists between Mr. Gaudet and Ms. Vetter stems from the accident, which is not a commercial activity. Section 4 of PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activities. “Commercial activity” is defined in PIPEDA as a transaction, act, or regular course of conduct that is of a “commercial character”. Whether State Farm’s actions amounted to “commercial activity” is the very question the Privacy Commissioner must investigate and report on in accordance with her mandate and expertise.
The resolution of this argument would have broad significance in defining the meaning of PIPEDA’s application provision, which triggers application where an organization collects, uses or discloses personal information “in the course of commercial activity.” The OPC considered a similar case in 2006 and held, perhaps surprisingly, that it had jurisdiction to investigate two lawyers who collected information on behalf of their “commercial” clients. Some would argue that Parliament did not intend a collection through a paid agent to trigger application. Others would argue that application based on this theory raises constitutional issues where it attracts PIPEDA application to information flows that are, in their essence, about matters within the exclusive jurisdiction of the provinces such as property and civil rights and employment.
State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2009 NBCA 5 (CanLII)
Case Report – Charter challenge to investigation allowed by PIPEDA rejected
On January 20th, the Ontario Court of Appeal affirmed the dismissal of a Charter application that claimed RBC violated section 8 of the Charter in investigating a case of mortgage fraud.
RBC had collected information from T-D Bank which allowed it to pursue an alleged fraud. Both banks are members of the Bank Crime Investigation Office of the Canadian Bankers Association, a designated “investigative body” under PIPEDA. They relied on sections 7(3)(d)(i) and (h.2) of PIPEDA in sharing the information. The Applicants took issue with these provisions and RBC’s actions taken in reliance on these provisions. They read:
(3)… an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is…
(d) made on the initiative of the organization to an investigative body… and the organization…
(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed…
(h.2) made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province…
In February, the Superior Court of Justice held this grant of discretion to make disclosures did not necessarily threaten Charter rights, so was not unlawful itself. It also held that RBC was not acting as a government agent in its investigation and therefore was not bound directly by the Charter.
The Court of Appeal affirmed the application judge’s reasoning and added that the “main protagonist” was in a solicitor-client relationship with RBC that stripped him of standing to make a section 8 claim: “In the circumstances, he cannot lay claim to a reasonable expectation of privacy in the records relating to the receipt and disbursement of funds received from his client concerning the suspect mortgage transactions.”
Case Report – Fed Ct. minimizes the consequences of the dreaded “all e-mails” access request
On September 26th, the Federal Court held that PIPEDA does not give employees of federally-regulated employers a right of access to e-mails concerning them that are sent between co-workers in their personal capacity and stored on the employer’s e-mail system.
The applicant, a former employee, filed a request for all e-mails “concerning” him. At the Federal Court, the primary issue in dispute was about whether “personal” (i.e. non-work related) e-mails about the applicant were subject to the right of access in PIPEDA.
PIPEDA does not include a traditional “custody or control” standard for access. Though the access principle refers to personal information “held” by an organization, the existence of a right of access turns on whether a request is for personal information that is collected, used or disclosed by an employer “in connection with the operation of a federal work or undertaking.” PIPEDA also expressly excludes information that an individual collects, uses or discloses for exclusively “personal or domestic purposes.”
Mr. Justice Russel Zinn held that the personal e-mails sought were not collected in connection with the operation of a federal work or undertaking and were also excluded as e-mails collected, used and disclosed for personal or domestic purposes. The core of his reasoning is captured in the following excerpt:
First, in my view, the information is not being “handled” by Bell Canada. Like the bycatch of the cod fisherman, personal e-mail is the bycatch of the commercially valuable information that is being handled by Bell Canada. Secondly, to be information collected in connection with the operation of the business, requires that there be a business purpose for the information. There is none with respect to personal e-mails. In fact, from the viewpoint of organizations like Bell Canada, personal e-mails are refuse that take up valuable space and time. It is for this reason, among others, that organizations discourage or limit employee utilization of their computer systems for personal reasons.
Zinn J. also appears to have been influenced by the rights of the co-workers who sent and received the impugned e-mails and their interest in what has otherwise been called “mixed personal information.” He suggests that these individuals would be deprived of the personal and domestic purposes exclusion if PIPEDA was held to apply to their e-mails, hence framing the exclusion as a form of right. Notably, Zinn J. did not expressly consider whether Bell reserved a right to monitor “personal” e-mails under its computer use policy.
There are other very significant aspects of the judgement that relate to the nature of an organization’s duty to clarify the scope of a request and its duty to conduct a reasonable search for responsive information.
On the duty to clarify the scope of broad requests, Zinn J. stated:
I am of the view that the position stated by Bell Canada that Mr. Johnson “had a responsibility to focus his request” overstates the responsibility of an applicant making an access request. In my view, and in keeping with the practicality of the application of PIPEDA to a request that may suggest an extensive, costly and time-consuming search, the organization receiving a broad request such as that made by Mr. Johnson has two options open to it: (1) it can inquire of the party making the request if he can be more specific as to the information he is requesting, in which case the requesting party does have an obligation to cooperate in defining his request, or (2) it can conduct a reasonable search of information that it can reasonably expect to be responsive to the request. In this case Bell Canada chose the latter course.
And on the duty to conduct a reasonable search, he stated:
The search [Bell Canada] was required to conduct was a search that could reasonably be expected to produce the personal information of Mr. Johnson that, in the ordinary course, would fall under PIPEDA.
…
It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a Herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information.

