The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, September 02, 2006

It's not your job to police your customers 

We constantly hear about the balance between privacy and security or between privacy and law enforcement. It is a precarious balance, but service providers need to be mindful of their place in the balance.

The Canadian general privacy law that is often the focus of this blog, the Personal Information Protection and Electronic Documents Act, addresses the role that the private sector can and should play in striking this balance. The short answer, if there is one, is that you are not a cop. The police have their job and are required to operate within the contraints of the law, including the Canadian Charter of Rights and Freedoms. The private sector gets to define its job, and it generally isn't law enforcement.

The hubub over the change to Sympatico's terms of service is evidence that customers don't expect their service providers to act as agents of law enforcement (see: Canadian Privacy Law Blog: More fallout from Sympatico privacy upset). Actors in the private sector, such as internet service providers, often collect and retain information that may be useful for law enforcement or as part of private litigation.

So what are service providers to do? Here's a short guide (and comments are welcome):

  1. Don't collect personal information that you don't need just because it could be useful, particularly if it could be useful to law enforcement or to private litigants. Even if you think you may be required to collect it later, that's no justification to collect it now.
  2. Don't keep personal information around any longer than you actually need it. If you are asked for personal information by law enforcement or private litigants, it is much easier to say you don't have it than to go to court to resist providing it (see below).
  3. Don't offer law enforcement unsolicited access to personal information just because you see something suspicious. Unless you come across evidence of fraud against your organization or compelling evidence of a serious crime, it is not your job to hand over reams of information to law enforcement.

    PIPEDA does allow you to disclose personal information to law enforcement on your own initiative under section 7(3) of the law:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

    (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

  4. If asked by law enforcement for personal information that is in your custody, don't hand it over without a warrant. This is the diciest situation and PIPEDA offers a bit of guidance. Under section 7(3), you are permitted to disclose personal information without consent in the following circumstances:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

    (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

    (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

    (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

    (iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

    It must be noted that these provisions are permissive, meaning that they allow you to disclose the information in these circumstances without offending PIPEDA. Nothing in the above require you to disclose the information. Any compulsion has to come from another statute or rule of law. So, if asked, preserve the information and ask that they return with a warrant. If they have probable cause and a reasonable basis to compel the information, they'll be back.

  5. If you are served with a subpoena for personal information, you should resist the disclosure. A subpoena is not a search warrant. In most jurisdictions, any lawyer representing any litigant can print out a subpoena and go to the court to get a fancy looking stamp on it. All a subpoena means is that you are required to attend at court with the information to have a judge make the final call. There may be no basis for the demand for information and your organization should avoid any situation where it has provided personal information that it was not legally required to hand over. When the internet service providers in the recent file sharing case resisted disclosure and took the matter to court, they emerged as staunch defenders of their users' privacy. That's certainly better than the alternatives.

Credit to the [non]billable hour for the photo.

Labels: , , , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs