Tanya Dupuis and Christine Morris
Legal Affairs and Social Affairs Division
This HillNote is the second in a series of four. (Aussi disponsible en français : Mégadonnées et vue d’ensemble dans les enquêtes criminelles)
Given the ubiquity of communication technologies and the potential for the Internet to be used in criminal activities, telecommunications data are becoming increasingly important to domestic and international criminal investigations.
Bill C-13 (Protecting Canadians from Online Crime Act) proposes to allow peace officers and public officers engaged in investigations to issue demands or obtain court orders compelling telecommunications (telecom) companies to preserve computer data. Computer data are defined loosely in the bill to include all representations suitable for processing in a computer system.
Preservation demands and orders would be temporary in nature, requiring companies to “quick freeze” computer data pending a search warrant or production order being obtained by the law enforcement agency.
Such preservation demands and orders would be made on the basis of a reasonable possibility (that is, reasonable grounds to suspect), rather than a probability, that the targeted person or entity under investigation is engaged in criminal activity and that the computer data sought will assist law enforcement in investigations.
The data preservation measures in the bill are intended to expedite the preservation of stored data. To ensure that data are kept and are therefore available by the time that their preservation is sought, data retention measures set out in other legislation generally aim to require telecom companies to retain metadata generated through the use of network services. In this sense, data retention is a precursor to data preservation.
With respect to international obligations regarding the policing of Internet-based crime, Canada has signed, but not ratified, the Council of Europe Convention on Cybercrime. The Convention requires the adoption of legislative measures that will help authorities deal with new technologies and enable them to order or obtain the expeditious preservation of specified computer data.
Although the data preservation measures proposed in Bill C-13 target investigations and respond to international objectives, from a policy perspective their purpose and justification should also be assessed in light of their potential consequences, including the erosion of privacy rights. A fundamental part of this issue involves considering existing data retention obligations – that is, whether and how telecom companies are required to retain customer computer data.
The current domestic legislative framework governing Canadian private sector privacy legislation – more precisely, the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation – is not specifically aimed at data retention by telecom companies for the purpose of criminal investigations.
Rather, Principle 5 under Schedule 1 of PIPEDA imposes a legal obligation that “personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.” Pursuant to this general obligation, personal information should be retained “only as long as necessary for the fulfilment of those purposes.”
Under PIPEDA, a client’s personal data used for purposes such as transmitting communications, marketing and payments could possibly be retained indefinitely by telecom companies.
Some computer data that appear innocuous can actually reveal sensitive information; for example, telephone metadata can capture patterns of use, such as a series of communications with health services providers, lawyers, or religious or political organizations.
In June 2014, in R. v. Spencer, the Supreme Court of Canada drew limits on allowable warrantless requests by police for telecom company customer information by considering the potential for such information to reveal intimate details of the lifestyle and personal choices of the individual.
Privacy versus security: The European context
In April 2014, the Court of Justice of the European Union (EU) considered the validity of the European data retention directive. The directive required EU member states to enact laws mandating that telecom companies retain user data for up to two years. The Court found the directive to be invalid, mainly on the following grounds:
- the lack of limits on the authorities’ ability to access retained data;
- the wide-ranging scope of the data it would cause to be retained; and
- the failure to differentiate within the data to be retained in order to distinguish their usefulness and relevance to investigating serious crime and terrorism.
In its decision, the Court recognized that “the fight against international terrorism in order to maintain international peace and security constitutes an objective of general interest” and accepted that the retention of telecommunications data is a means of achieving this objective. With respect to the protection of privacy interests, the Court stated:
The EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data.
Security concerns in Canada
In Canada, current national security concerns are bringing the issue of state access to telecommunications data to the forefront. The threat to Canada’s national security resulting from the use of telecommunications technologies by certain groups or individuals was recently described to the Standing Committee on Public Safety and National Security by Michel Coulombe, Director of the Canadian Security Intelligence Service.
In reference to the nature of the threat, he stated:
[T]he threat today … [is] more diffused. It develops a lot more rapidly. With the use – and the sophisticated use – of social media, for example, radicalization can happen really quickly. The development of an attack actually can also happen really rapidly. There’s the movement of people.
“The threat is different. This phenomenon of what we call ‘foreign fighters,’ especially in the developments in Iraq and Syria … does pose a real threat,” he concluded.