My name is Micheal Vonn and I am the Policy Director of the British Columbia Civil Liberties Association. The BCCLA is a non-partisan, non-profit society and one of the oldest and most active civil liberties and human rights organizations in Canada. Privacy is a key portfolio for our association and we thank you for the invitation to appear on Bill S-4.
Our Association would support and echo many of the concerns and recommendations that have already been made by civil society and academic witnesses appearing on this bill. For example, we strongly support the position of BC FIPA that there is a need–indeed, an urgent need–to bring federal political parties under PIPEDA.
We also endorse the position of PIAC that compliance agreements are of limited assistance in protecting Canadians’ privacy and that the time is long overdue for the federal Commissioner to have order-making powers, like provincial counterparts. It is unacceptable that statutory privacy rights, which the courts characterise as “quasi-constitutional,” are regulated federally largely on the basis of moral suasion, without effective enforcement. In our view, S-4 falls far short of addressing this critical and long-standing problem.
However, time being limited, I will devote my prepared remarks to the issue of the Supreme Court of Canada’s decision in R. v. Spencer, and the implications for S-4.
The Spencer Decision
The Spencer decision dealt with the provision of PIPEDA (s. 7(3)(c.1)(ii)) that allows for disclosure without consent to a government institution where the institution has identified its lawful authority to obtain the information. The issue in the case was whether the police seeking access to subscriber information without a warrant from an Internet Service Provider (ISP) had the requisite authority. The answer to that question depends on whether there is a reasonable expectation of privacy in customers’ subscriber information. The Supreme Court of Canada resolved this issue – on which lower courts had been divided – and found that there is a reasonable expectation of privacy in customer’s subscriber information and that it is reasonable for Internet users to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.
For the purposes of our s. 8 Charter rights to be secure against unreasonable search seizure, a request by a police officer that an ISP voluntarily disclose subscriber information amounts to a search (Spencer, para. 66). A warrantless search is presumptively unreasonable. (R. v. Collins,  1 S.C.R. 265). The Crown bears the burden of rebutting this presumption by showing that the search was (a) authorized by law, (b) the law itself was reasonable, and (c) the search was carried out in a reasonable manner.
The question in Spencer was whether the provision in PIPEDA allowing for disclosures without consent was a law authorizing the disclosure. It was not. If it were, said the court (at para 70): “PIPEDA’s protections become virtually meaningless in the face of a police request for personal information.” The police, the Court said, do have “lawful authority” to “ask questions relating to matters that are not subject to a reasonable expectation of privacy” and they have “lawful authority” to conduct warrantless searches in exigent circumstances. But “lawful authority” in PIPEDA as it stands, requires more than a bare request.
This we know from Spencer.
Need to Repeal s.7 (c.1)
Thus, there is a need for Bill S-4 to amend the provision at issue in Spencer. A provision so confusing, that we had to go all the way to the Supreme Court of Canada to have it definitely interpreted. Some very limited and very narrow voluntary disclosures may still be viable, post-Spencer, but outside of exigent circumstances, such disclosures would require legal advice.
It is patently unreasonable to maintain a provision that cannot be understood on its face and requires a Charter analysis to be used appropriately. As we argued in our lawful access report of 2012, the best approach is to remove s. 7(3)(c.1) in its entirety.
Alternatively, the term “lawful authority” could be replaced by “statutory authority” and then organizations would at least have some clarity, although the constitutionality of the statutory authority may still ultimately be in question.
The BC and Alberta Acts – Not a Model
This further question of the constitutionality of express statutory authority for disclosure in light of the court’s privacy analysis in Spencer has lead the Special Legislative Committee Reviewing PIPA in British Columbia to call for a narrowing of the voluntary disclosure provisions under that Act. There are at least two reasons why we cannot look to Alberta and BC’s private sector privacy legislation for assurance that proposed expansions of voluntary disclosures found in S-4 are likely to go well. One, there is a clear concern that the PIPA provisions may not be constitutional in light of Spencer. And two, however little historical challenge there has been in relation to those provisions, the same will certainly not be the case in relation to the arenas governed by PIPEDA – most especially telecommunications.
We share, like many other witnesses, a concern with the breadth of the proposed change to allow for voluntary disclosures to organizations for the purposes of investigating a breach of an agreement or a contravention of a provincial or federal law. We do appreciate that there is a limitation in the requirement that such disclosures only occur where “it is reasonable that disclosure with the knowledge or consent of the individual would compromise the investigation.” However, we question how the disclosing organizing is to make such a determination. The concern, naturally, is that due diligence in this regard will prove resource intensive and costly, will not be routinely done and statutorily impermissible disclosures will occur largely unchecked because there is no notice. This provision is supposed to apply to only a very narrow set of disclosures, and addresses a very narrow problem. Too narrow in our view, to justify the clear risk of unauthorized disclosures, especially given there is a specific third-party discovery process for lawsuits that seeks to balance disclosure and privacy interests.