Recent debates about enhanced police and national security surveillance powers in Canada have drawn attention to the vulnerability of Canadians’ privacy rights in the absence of proper safeguards and oversight. This problem is particularly acute in our big data economy, where participation in the economy – simply by being consumers of products and services – leaves a detailed trail of data in the hands of private sector actors. The Criminal Code provides for extensive access by police to personal information in the hands of third parties through its warrant system. Laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) also allow private sector companies to provide law enforcement and other government entities with personal information, without the knowledge and consent of the individual. This is often done in response to a court order or search warrant; however, PIPEDA also permits voluntary sharing even without a warrant in some circumstances.
The courts have had to play an important role in placing limits on the extent of access by state authorities to Canadians’ personal information. Just this week, in another significant decision, Justice Sproat of the Ontario Superior Court, issued a long-awaited decision in R. v. Rogers Communication (2016 ONSC 70) on the constitutional limitations on “tower dump” warrants.
The original tower dump warrants in this case were issued to police who were investigating a jewellery store robbery in Toronto. The police believed that the unidentified suspects had used cell phones during or just after the robbery. They asked the court for an order requiring the relevant cell phone service providers (in this case Rogers and Telus) to provide a dump of all of the data from cell phone towers that might have picked up and transmitted these calls within a window of time surrounding the robbery. On Telus’ estimate, compliance with the original order would have required it to provide data relating to at least 9,000 customers. Rogers estimated that it would need to provide the records of 34,000 subscribers. In addition to the data regarding all of the customers who had placed calls through those towers, the police also sought their name and address information, the names and contact information of all of the individuals who these people called, and credit card and bank information on file for the callers. The police subsequently revised their request, seeking a much more limited amount of data. However, Rogers and Telus pursued their Charter case, arguing that a court ruling on the constitutional legitimacy of this type of data request was necessary to protect not just their own interests but those of their customers.
The Court agreed that the customers of telecommunications companies had a reasonable expectation of privacy in their cell phone data and that if Rogers and Telus could not proceed with the Charter claims, it would be difficult for these issues to be effectively litigated. It agreed to hear and rule on the Charter arguments notwithstanding that the police had withdrawn their initial request for the data and notwithstanding the fact that the Charter rights in question belonged to thousands of private citizens and not to the Telcos directly.
Justice Sproat did not hesitate in ruling that the original production orders sought in this case were overly broad and that they infringed the Charter rights of the individuals whose data would have been captured by them. He found that the orders “went far beyond what was reasonably necessary to gather evidence concerning the commission of the crimes under investigation” (at para 42). He then went on to formulate a set of guidelines for police seeking tower dump warrants. He premised his guidelines on the “fundamental principles of incrementalism and minimal intrusion” (at para 63). He emphasized as well the requirement for police who seek such a warrant to explain “clearly in the information to obtain how requested data relates or does not relate to the investigation.” (at para 64)
The guidelines and their more detailed articulation can be found at paragraph 63 of the decision. In summary though, they are that the police must provide:
1. A statement or explanation that demonstrates that the officer seeking the production order is aware of the principles of incrementalism and minimal intrusion and has tailored the requested order with that in mind;
2. An explanation as to why all of the named locations or cell towers, and all of the requested dates and time parameters are relevant to the investigation;
3. An explanation as to why all of the types of records sought are relevant;
4. Any other details or parameters which might permit the target of the production order to conduct a narrower search and produce fewer records;
5. A request for a report based on specified data instead of a request for the underlying data itself;
6. If there is a request for the underlying data there should be a justification for that request
7. Confirmation that the types and amounts of data that are requested can be meaningfully reviewed
These are important guidelines that seek to limit the reach of state authorities into the private lives of Canadians to only that information which is genuinely necessary to investigate criminal activity.
It is worth noting that Justice Sproat declined to consider post-seizure safeguards in relation to tower dump data. Where a production order legitimately allows police to seek tower dump data, nothing in the Criminal Code provides any guidance as to what safeguards should govern the security and retention of this data. These are important issues – we are all painfully aware of the rising number of public and private sector data security breaches, and of cases of excessive retention and careless destruction of no-longer useful personal information. According to Justice Sproat, issues regarding retention of this data are best left to the legislator. Given the vast amount of personal information now capable of collection from the private sector through the host of different production orders available under the Criminal Code, Parliament should be strongly encouraged to address this issue. In the meantime, it would be good to see police forces develop policies regarding the retention and destruction of personal information obtained under warrants that is no longer necessary for its original purpose.