Mere hours after it was issued on March 1, 2024, the Supreme Court of Canada's decision in Bykovets was already making rounds in the dailies and on social media, leaving no doubt that Internet privacy remains a hot topic. In a 5-4 majority decision, the Court ruled that requiring businesses to voluntarily disclose IP addresses without a production order, in the context of criminal and penal investigations, is a violation of the constitutional protection from unreasonable search and seizure under section 8 of the Canadian Charter of Rights and Freedoms.
The majority makes a compelling case: an IP address (i.e., the unique identifier assigned to each and every Internet-connected device) is the gateway to cyber-privacy. The issue isn't the the IP address' numerical label per se, but rather the private data it can reveal about a user's "cybernetic peregrinations" (para 69). The ruling is unequivocal: users' right to "informational privacy" on the Internet is still very much alive even though the Internet "has exponentially increased both the quality and quantity of information stored about Internet users" (para 73).
There are 5 key points for businesses to remember:
- Bykovets is the Supreme Court's
umpteenth reminder that authorities must use their compulsory
powers when collecting private personal information from
businesses. For administrative audits, this normally takes the form
of a letter (e.g., a requirement or subpoena) invoking the
regulator's administrative authority to compel disclosure of
specific, regulation-related information. In criminal or penal
investigations, this can be a judicial authorization (e.g.,
production order or search warrant) from a justice of the peace, in
a form prescribed by the Criminal Code or penal
legislation. The Court notes that "the burden imposed on the
state [by forcing it to obtain prior judicial authorization in
criminal or penal investigations] pales compared to the substantial
privacy concerns implicated in this case", especially given
that such authorizations are quick and easy to obtain "in the
age of telewarrants and around-the-clock access to justices of the
peace" (para 86).
- The judgment considers, without saying explicitly, the mosaic
effect—where seemingly innocuous information "correlated
with other online information associated with that IP
address", can "reveal highly private information" or
"a range of highly personal online activity". (para 9). In the majority opinion,
"[t]he ubiquity of the Internet means we must increasingly
consider 'the ways in which different data sets in
combination with other data sets affect privacy
rights'" (para 74). The ruling encourages both
authorities and corporations to avoid a "piecemeal"
(para 6) approach to analyzing the
privacy of personal information by looking beyond the information
itself and considering "any inferences about associations and
activities that can be drawn from that information" (para 38).
- Bykovets is particularly relevant for
businesses operating in Quebec, as well as their directors and
officers. The judgment refers to businesses as "third-party
mediators [...] that are not themselves subject to the
[Canadian] Charter" (para 10). However, Bykovets stems from Alberta, where
the abusive search prohibition in s. 8 of the Canadian
Charter applies only to the state. The Quebec Charter of
Human Rights and Freedoms, meanwhile, grants businesses rights
and even obligations. One might reasonably ask if Quebec businesses
would be more than "third-party mediators", and if they
in fact have a constitutional duty not to participate in abusive
searches and seizures by the state.
- After Bykovets, it seems even less likely
that private-sector privacy laws would allow for the voluntary
exchange of private information with authorities that could
reveal—on its own, by inference or by pairing it with other
data—personal or intimate information, except perhaps when
reporting offences. And even then, it's still good practice to
limit the information to what is strictly necessary for the
authorities to start their investigation. Businesses should always
take a cautious approach. If there is any doubt, they should
require the authorities to produce a compulsory request or order
before communicating any personal information.
- While Bykovets is front and centre,
businesses would be well advised to:
a) sensitize their employees about the importance of routing any type of information request, formal or informal, to those responsible for your organization's compliance with privacy and personal information protection legislation;
b) review and update internal privacy policies; and
c) update training for employees assigned to the management of dawn raids and information requests from authorities.
We would be happy to talk to you about how Bykovets can impact your business. Our white-collar crime and privacy experts have represented and advised businesses on complex electronic information requests and dawn raids.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.