Section Eight, PIPEDA, and the problem of shifting norms: a case for a contract model of data privacy. (Personal Information Protection and Electronic Documents Act)

Published date: 22 September 2017
Author: Perry, John D.

INTRODUCTION

In recent years, governmental and private entities have engaged in unprecedented data-collection practices. (1) Edward Snowden's 2013 leak regarding the NSA's bulk telephony metadata program was only the "tip of the iceberg" when viewed alongside the burgeoning private marketplace for personal data. Today, "Big Data" firms comprise a multi-billion-dollar industry in which personal information is "bartered and sold" to the highest bidder. (3) Low access-costs of social media sites, blogs, and other forms of internet media ensure a constant flow of personal information that firms collect and analyze to create "full-scale psychological profile[s]" of consumers. (4) According to the International Data Corporation, the "global volume of data" will double every two years and, at its current trajectory, will balloon to over "40 trillion gigabytes" by 2020. (5)

Canada has struggled to adapt its privacy law to the Big Data paradigm. While the Personal Information Protection and Electronic Documents Act ("PIPEDA") (6) has enhanced data security among users and service providers, the act has done little to restrict or establish coherent parameters for information sharing among service providers and law enforcement agencies. (7) Judicial enforcement of Section Eight of the Charter of Canadian Rights and Freedoms ("Section Eight"), (8) moreover, has had limited effect in carving out expectations of privacy independent of existing legislative and regulatory frameworks. (9) Without this independence, the courts neglect their duty under Section Eight to judicially review statutes that intrude on reasonable expectations of privacy. (10)

The difficulty Canadian lawmakers and courts face when crafting data privacy protections stems not so much from identifying minimal privacy standards as it does from wide variations in data privacy norms. (11) Social media users, for example, vary significantly in the types of information they are willing to share online. (12) For those who broadcast personal (perhaps incriminating) details about their lives to large groups of individuals online, society's need to prosecute crime probably outweighs the need to recognize those individuals' privacy interests. (13) But the calculus becomes much less clear for individuals who use online technology to communicate with people they know and trust. (14) Even among those who share minimal personal information online, the trivial details they do share can become comprehensive biographies when aggregated by third-party service providers. (15) Law enforcement agents can then use these biographies to investigate and prosecute individuals for a wide array of criminal conduct. (16)

The Supreme Court of Canada has begun to develop a promising jurisprudence based on a contractual right of privacy. (17) Faced with the prospect of adapting normative constraints to increasingly complex and wide-scale data collection practices, the court has begun to utilize privacy policies a user assents to as an indication of the user's reasonable privacy expectations. (18) Contract law, which potentially allows parties to negotiate constraints on privacy, is well-suited to handle variations in the types of information people want to keep private. (19) So long as the law provides users opportunities to bargain over terms in their policies, a contract law framework can protect reasonable privacy expectations among users with diverse privacy preferences. (20)

This Note will proceed in two parts. In Part I, I will explain the current statutory and constitutional data privacy law in Canada. In Part II, I will set forth several recommendations about how courts and the legislature can create a framework in which terms of use and privacy policy terms can provide sufficient notice to users and allow them to have more meaningful bargaining power in negotiating privacy terms. Because Canadian and American search and seizure law both utilize the reasonable expectation of privacy test in determining whether a search or seizure is reasonable, this Note will often cite American cases that support similar principles in case and statutory law. However, the principal focus of this Note is Canadian privacy law.

PART I: EXISTING LEGAL PROTECTIONS FOR DATA PRIVACY

A. Personal Information Protection & Electronic Documents Act ("PIPEDA")

PIPEDA regulates the private sector's collection, use and disclosure of personal information in the course of commercial activities. (21) The Canadian Parliament passed PIPEDA primarily to ensure compliance with Article 25 of the European Union's Directive on Data Protection ("the Directive"), (22) which was necessary to preserve important trade relations with European Union (EU) members. (23) For this reason, the Directive can be viewed as a prototype of PIPEDA's core features. The Directive regulates data sharing among member and non-member states and establishes an array of privacy principles for the collection of personal data. (24) These include rules on the processing of data, as well as requirements that service providers limit data collection to legitimate purposes, (25) obtain consent for personal data collection, (26) and allow users access to the data that service providers have collected. (27) Additionally, the Directive prohibits member EU states from sharing information with nonmember countries whose data privacy laws do not provide users an "adequate level of protection." (28)

The Directive is significant in part for its limitations. (29) Since its primary focus is on the processing of information, the Directive's provisions relate to obligations imposed on data controllers and not to the protection of users' data ownership rights. (30) The Directive, moreover, allows member and complying non-member states to create a law enforcement exception to most of its data protections. (31) In crafting PIPEDA, the Canada national assembly incorporated the Directive's central provisions. (32) PIPEDA "recommends" that service providers explain the purpose for which they collect personal data, seek express consent when information is likely sensitive, develop a data retention policy, and account for third parties with whom they share information. (33) Like the Directive, PIPEDA also eschews recognition of a customer's ownership rights in his or her personal information, as service providers may collect, use, or disclose personal information according to an overarching reasonableness principle. (34) This reasonableness mandate, however, has not been interpreted as applying constraints on prospective uses of information. (35) PIPEDA, therefore, does not prohibit service providers from using novel technologies to generate more complete biographies of users based on data they previously disclosed. (36)

While the scope of PIPEDA's data protections is quite broad, it contains numerous collection, use and disclosure exceptions that constrain its privacy protections. First, PIPEDA's provisions are limited to commercial data collection. (37) In McKesson v. Teamsters, (38) the Ontario Arbitration court held that an employer who caught an employee's absence by "surreptitiously" making a video recording of him off-site did not violate PIPEDA because such monitoring was not made "in the course of commercial activities." (39) Second, while PIPEDA generally restricts service providers from collecting sensitive personal information from users, Section 7(1)(b) allows service providers to collect information without obtaining the subject's consent if they reasonably believe that: (1) obtaining consent would "compromise the availability...of the information" and (2) the information is of a type that could reasonably be expected to aid in investigating a "breach of an agreement or a contravention of the laws of Canada or a province." (40) Third, PIPEDA contains a broad voluntary disclosure provision. Under Section 7(3)(c.1)(ii), a service provider may disclose personal information to a government agent who has "lawful authority" and who requests information: (1) relating to national security, (2) necessary for investigating and enforcing any breach of federal or provincial law, or (3) necessary to administer any federal or provincial law.

In Spencer, the Court had an opportunity to assess the meaning of "lawful authority" under 7(3)(c.1). (41) Rather than interpreting the provision as enhancing law enforcement's investigatory capabilities, the Court held that the provision merely codified the police's traditional, investigatory powers, including the authority of police to conduct a search in exigent circumstances. (42) The scope of PIPEDA's disclosure provisions, however, remains unclear in the wake of Spencer. Unlike the United States' Stored Communications Act (SCA), PIPEDA does not distinguish between content and non-content data. (43) Under the SCA, service providers can only voluntarily disclose non-content subscriber information except in emergencies, with the suspect's consent or pursuant to a court order or warrant. (44) Since PIPEDA's provisions do not make this distinction, Canadian courts assume the onus of gauging a user's privacy interest in particular types of information in a particular context. (45)

B. Constitutional Privacy Protections under Section Eight

Section Eight protects individuals from unreasonable searches and seizures. (46) Like other Charter provisions, Section Eight is the supreme law of Canada that renders null and void any federal or provincial laws inconsistent with it. (47) In Canada v. Southam, Inc., the Supreme Court of Canada judicially interpreted Section Eight for the first time. (48) Taking into account the relatively mature American search and seizure law at the time, the Court elected to interpret Section Eight according to the "reasonable expectation of privacy" ("REP") test set forth in Katz v. United States. (49) In Katz, the United States Supreme Court held that a Fourth Amendment search occurs when law...
