Lawful Access and Privacy: The Legislative Framework

Dara Lithwick and Dominique Valiquet, Legal and Social Affairs Division This HillNote is the first in a series of four. (Aussi disponsible en français: Accès légal et vie privée : le cadre législatif) Lawful access is an investigation technique used by national security and law enforcement agencies. It entails the interception of private communications and the seizure of information where authorized by law. This document examines how the Canadian legislative framework strikes a balance between the need for lawful access and privacy protection.

The Primacy of the Canadian Charter of Rights and Freedoms

The main privacy and lawful access provisions in Canadian law are found in the Privacy Act, the Personal Information Protection and Electronic Documents Act, the Criminal Code, the Canadian Security Intelligence Service Act and the National Defence Act. However, all of these laws are subject to the application of sections 7 and 8 of the Canadian Charter of Rights and Freedoms. Section 7 of the Charter guarantees the “right to life, liberty and security of the person.” An emerging body of jurisprudence suggests that section 7 can be a source for the constitutional protection of privacy, based on the notion that this section provides citizens with a reasonable expectation of privacy from the state as an aspect of their liberty. Section 8, which states that “everyone has the right to be secure against unreasonable search or seizure,” provides a clearer expression of the reasonable expectation of privacy from the state.

The Privacy Act

Canada’s Privacy Act came into force in 1983, and it has not been substantially modified since. The purpose of the Act is to “protect the privacy of individuals with respect to personal information about themselves held by a government institution” and to “provide individuals with a right of access to that information” (section 2). “Personal information” is defined as “information about an identifiable individual that is recorded in any form” (section 3). The Act applies to the roughly 250 federal government departments and agencies set out in its schedule. Those departments and agencies must limit the collection, use and disclosure of personal information to purposes necessary for the operation of programs or activities. As far as possible, they must obtain the consent of individuals to collect the information (sections 4–9). The Privacy Act also gives individuals the right to access, and to request the correction of, personal information about themselves held by the listed federal departments and agencies. Finally, the Act created the position of the Privacy Commissioner of Canada, an independent ombudsperson tasked with overseeing compliance with the legislation.

The Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) generally applies to the collection, use and disclosure of personal information for commercial purposes. Personal information is defined broadly as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization” (section 2). The Act applies in every province, unless a province has a substantially similar law applying to information collected, used or disclosed entirely within the province. To date, Quebec, British Columbia, Alberta and, in matters relating to health care, Ontario, New Brunswick, and Newfoundland and Labrador have passed legislation deemed substantially similar to PIPEDA. The Act, which came into force in three stages between 2001 and 2004, is divided into two main parts. Part 1, which is of interest here, addresses the protection of personal information in the private sector, while Part 2 relates to electronic documents. PIPEDA is designed to recognize the relationship between the need to protect personal information and the need to use it in a world increasingly driven by information technology (section 3). PIPEDA is based on the Canadian Standards Association’s Model Code for the Protection of Personal Information, which is incorporated as Schedule 1 of the Act. The Code sets out 10 fair information principles, such as accountability, consent and accessibility, that were developed in concert by representatives of government, consumer and business groups. The Privacy Commissioner oversees compliance with PIPEDA. Bill S-4, The Digital Privacy Act, introduced in the Senate on 8 April 2014, would amend PIPEDA in a number of significant ways. Among others, it would:

  • allow the disclosure of personal information without consent in some additional circumstances;
  • require organizations to take various measures in cases of data security breaches;
  • create offences for failure to comply with obligations related to data security breaches; and
  • enable the Privacy Commissioner to enter into compliance agreements with organizations.

The Criminal Code

Part VI of the Criminal Code (“Invasion of Privacy,” sections 183 to 196) is the centrepiece of federal legislation concerning electronic surveillance by law enforcement agencies. It establishes stricter privacy protections for the issuance of judicial authorizations of surveillance than for the granting of conventional warrants. Since most of these provisions date back to the 1970s, the courts must often interpret them so as to apply them appropriately to new communications technologies. For example, in 2013, in the Telus case, the Supreme Court ruled that police officers must comply with the lawful access requirements in Part VI to obtain text messages stored by an Internet service provider. Recently, in R. v. Spencer, the Court held that there is a reasonable expectation of privacy for the names and addresses of Internet services subscribers. Bill C-13, the Protecting Canadians from Online Crime Act, aims to modernize the lawful access provisions in the Code. Part VI also contains two special accountability measures:

The Canadian Security Intelligence Service Act

Under the Canadian Security Intelligence Service Act, the Director of the Canadian Security Intelligence Service (CSIS) must, for the purpose of lawful access, make an application for a warrant from a judge of the Federal Court. The warrant must serve to investigate “a threat to the security of Canada” or provide assistance to the departments of National Defence or Foreign Affairs (section 21). The accountability measures set out in Part VI of the Code do not apply to electronic surveillance undertaken by CSIS. However, the Security Intelligence Review Committee examines all past CSIS operations, investigates complaints and makes recommendations to the Minister. The Committee took over some of the responsibilities of the Office of the Inspector General of CSIS in 2012, but is not tasked with overseeing CSIS’s operational activities in real time.

The National Defence Act

Enacted in 2001 by the Anti-terrorism Act, Part V.1 of the National Defence Act (“Communications Security Establishment,” sections 273.61 to 273.7) sets out a lawful access framework for the Communications Security Establishment (CSE). The CSE may intercept communications only for the purposes of collecting “foreign intelligence” or protecting Canadian infrastructure. It cannot target Canadians or any person in Canada, unless the goal is to assist agencies such as the Royal Canadian Mounted Police or CSIS. Unlike police officers and CSIS, the CSE does not need a judicial warrant to intercept communications. Instead, the Minister of Defence authorizes interceptions, provided they are directed at foreign entities located outside Canada and satisfactory measures are in place to protect the privacy of Canadians. The CSE Commissioner carries out an independent review of these activities and submits an annual report to the Minister. The British Columbia Civil Liberties Association is currently challenging the constitutional validity of Part V.1 before the courts in that province.