The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, April 03, 2004

Privacy aspects of THE MATTER OF BMG Canada Inc. et al v. Jane Doe et al 

The Canadian and US media have been abuzz with reports that "file sharing is legal in Canada!" (see Google News coverage). The actual decision doesn't, in my view, go that far (much of it seemed to turn on a deficient affidavit and the difficulty of connecting an IP address and a Kazaa screen name), but that's a bit ultra vires my blog. Here we deal with privacy. But fear not, there is some privacy-related analysis in the decision rendered by von Finckenstein J (2004 FCT 488).

Part of the argument advanced by the internet service providers was that they were prohibited from revealing personal information of their subscribers, absent a court order. The parties agreed in advance that the subscribers have an expectation of privacy regarding their identities, pursuant to their subscriber agreements and sections 3 and 5 of PIPEDA. They also agreed that this personal information can be released without the consent of individuals if the court so orders under section 7(3)(c) of PIPEDA.

[13] I read the Norwich and Glaxco Wellcome cases as establishing that the test for granting an equitable bill of discovery involves the following five criteria: ...

Criterion e: the public interests in favour of disclosure must outweigh the legitimate privacy concerns

[36] It is unquestionable but that the protection of privacy is of utmost importance to Canadian society. In the words of Lamer J. in R. v. Dyment, [1988] 2 S.C.R. 417 (S.C.C.): Grounded in man's physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection, but it also has profound significance for the public order.

[37] In respect of the internet specifically, Wilkins J. in Irwin Toy v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. S.C.J.) stated at paras. 10-11: Implicit in the passage of information through the internet by utilization of an alias or pseudonym is the mutual understanding that, to some degree, the identity of the source will be concealed. Some internet service providers inform the users of their services that they will safeguard their privacy and/or conceal their identity and, apparently, they even go so far as to have their privacy policies reviewed and audited for compliance. Generally speaking, it is understood that a person's internet protocol address will not be disclosed. Apparently, some internet service providers require their customers to agree that they will not transmit messages that are defamatory or libellous in exchange for the internet service to take reasonable measures to protect the privacy of the originator of the information. In keeping with the protocol or etiquette developed in the usage of the internet, some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value and is in keeping with what should be perceived as being good public policy. As far as I am aware, there is no duty or obligation upon the internet service provider to voluntarily disclose the identity of an internet protocol address, or to provide that information upon request.

[38] Parliament has also recognized the need to protect privacy by enacting PIPEDA, which has as one of its primary purposes the protection of an individual’s right to control the collection, use and disclosure of personal information by private organizations (section 3).

[39] However while the law protects an individual’s right to privacy, privacy cannot be used to protect a person from the application of either civil or criminal liability. Accordingly, there is no limitation in PIPEDA restricting the ability of the Court to order production of documents related to their identity. Section 7(3)(c) allows disclosure without consent if such disclosure is: c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records. (emphasis added).

[40] Thus, both PIPEDA as well as the test set out in Norwich/Glaxco, require the Court to balance privacy rights against the rights of other individuals and the public interest.

[41] This motion is not a novel proceeding. In the past, third parties have been compelled to disclose documents identifying the name and address of a defendant previously identified solely by an Internet Protocol address. In no case have privacy or other concerns weighing against disclosure outweighed the interest in obtaining documents and information necessary to identify the defendants. See: Irwin Toy v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. S.C.J.); Ontario First Nations Limited Partnership v. John Doe (3 June 2002) (Ont.S.C.J.); Canadian Blood Services/Société Canadienne du Sang v. John Doe (June 17, 2002) (Ont. S.C.J.); Wa’el Chehab v. John Doe (October 3, 2003) (Ont. S.C.J.); Kibale v. Canada, [1991] F.C.J. No. 634 (QL) (FC); Loblaw Companies Ltd. v. Aliant Telecom Inc. and Yahoo [2003] N.B.J. No.208 (N.B.Q.B.), online: QL (NBJ).

One thing that surprises me is that there is no obligation on the part of the ISPs to inform the "owners" of the IP addresses that their information is the subject of an application for an equitable bill of discovery, affording them the opportunity to retain counsel and -- anonymously - resiting the application. To do otherwise seems to put too much discretion in the hands of the ISPs. Afterall, they choose whether to resit the discovery request.

Labels: , , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs