Privacy Law

Police can search smartphone without a warrant on arrest

Smartphones today hold our entire digital lives. Not only do they hold our intimate emails and text messages, but, much more importantly, they also contain apps such as Dropbox and OneDrive which are already logged in and allow access to a treasure trove of our most personal files in the cloud. What happens when the police get a hold of our smartphone?

The good news is that the courts realize our smartphones are used to do more than just make phone calls, and recognize that a search of a smartphone is much more intrusive than, for example, a simple search of a bag. In R. v. Fearon, 2014 SCC 77, the Supreme Court wrote at para 51:

[…] the search of cell phones, like the search of computers, implicates important privacy interests which are different in both nature and extent from the search of other “places” […]. It is unrealistic to equate a cell phone with a briefcase or document found in someone’s possession at the time of arrest. As outlined in Vu, computers — and I would add cell phones — may have immense storage capacity, may generate information about intimate details of the user’s interests, habits and identity without the knowledge or intent of the user, may retain information even after the user thinks that it has been destroyed, and may provide access to information that is in no meaningful sense “at” the location of the search […]

Moreover, the Supreme Court at para 53 recognizes that the law should not treat a smartphone differently whether it is password protected or not:

An individual’s decision not to password protect his or her cell phone does not indicate any sort of abandonment of the significant privacy interests one generally will have in the contents of the phone.

But the good news ends there. In a ruling released today, the Supreme Court held in R. v. Fearon, 2014 SCC 77 at paras 64 and 83 that the police can search a smartphone without a warrant when arresting a suspect, and that this does not infringe on our constitutional rights against unreasonable search and seizure (which is what s. 8 of the Charter is all about):

I therefore reject the idea that s. 8 of the Charter categorically precludes any search of a cell phone seized incidental to a lawful arrest.

[…]

To summarize, police officers will not be justified in searching a cell phone or similar device incidental to every arrest. Rather, such a search will comply with s. 8 where:

(1) The arrest was lawful;

(2) The search is truly incidental to the arrest in that the police have a reason based on a valid law enforcement purpose to conduct the search, and that reason is objectively reasonable. The valid law enforcement purposes in this context are:

(a) Protecting the police, the accused, or the public;

(b) Preserving evidence; or

(c) Discovering evidence, including locating additional suspects, in situations in which the investigation will be stymied or significantly hampered absent the ability to promptly search the cell phone incident to arrest;

(3) The nature and the extent of the search are tailored to the purpose of the search; and

(4) The police take detailed notes of what they have examined on the device and how it was searched.

This is in contrast to a series of rulings by the Supreme Court recently in R. v. Spencer, 2014 SCC 43, R. v. Vu, 2013 SCC 60, and R. v. Telus, 2013 SCC 16, where the court concluded that searches of a computer in a residence required a separate warrant for computer data, and searches of records at a telecommunications provider also required a warrant.

Fearon was a narrow 4-3 decision with a strong dissent, and in time it may be overturned. However, given the state of the law at the moment, it would be prudent to lock your phone with a strong password (instead of a biometric feature like a fingerprint or a weak 4-digit passcode), and to enable strong data protection/encryption. Finally, keep in mind that if questioned by the police, you are under no obligation to answer any questions, incriminate yourself, or disclose your password to the authorities.

Telus records all your texts

Yesterday, the Supreme Court in R. v. Telus, 2013 SCC 16 made an interesting ruling on what types of warrants are applicable to text messages under the Criminal Code. What’s interesting isn’t the ruling – as expected, the Court decided that text messages are “private communications” and require a more specific warrant authorizing the interception of private communications rather than a general warrant order.

What’s really interesting is that this case provides a glimpse into the internal workings of Telus as it processes text messages from its mobile subscribers.

It starts off quite normally, just like any other service provider:

When Telus subscribers send a text message, the transmission of that message takes place in the following sequence.  It is first transmitted to the nearest cell tower, then to Telus’ transmission infrastructure, then to the cell tower nearest to the recipient, and finally to the recipient’s phone.  If the recipient’s phone is turned off or is out of range of a cell tower, the text message will temporarily pause in Telus’ transmission infrastructure for up to five days.  After five days, Telus stops trying to deliver the message and deletes it without notifying the sender.

But then things get interesting:

Unlike most telecommunications service providers, Telus routinely makes electronic copies of all the text messages sent or received by its subscribers and stores them on a computer database for a period of 30 days. Text messages that are sent by a Telus subscriber are copied to the computer database during the transmission process at the point in time when the text message enters Telus’ transmission infrastructure. Text messages received by a Telus subscriber are copied to the computer database when the Telus subscriber’s phone receives the message. In many instances, this system results in text messages being copied to the computer database before the recipient’s phone has received the text message and/or before the intended recipient has read the text message.

This is interesting for a few reasons:

  1. If the sender or recipient of a text message is on Telus, then the text message will be stored for at least 30 days, and
  2. In light of this SCC ruling, Telus will give up the contents of all your text messages for the last 30 days when given a specific warrant under Part VI of the Criminal Code that authorizes the interception of private communications. However, other mobile providers which, unlike Telus, don’t routinely store text messages will be unable to supply the police with the contents of your previous text messages, even when given such a specific warrant for the interception of private communications, because no record of them exists.

Ontario court confirms new privacy tort

Earlier this year, the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32 confirmed the existence of a new tort of privacy, a cause of action for “intrusion upon seclusion”:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

The key features of this cause of action are:

  • the defendant’s conduct must be intentional, which includes reckless conduct;
  • the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns;
  • a reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.

Proof of harm to a recognized economic interest is not required. However, given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be modest.

The court also emphasized that the types of intrusions covered are to be decided objectively:

Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

This new development in tort law is welcome, as previous cases were unclear on whether a tort of privacy actually exists in Ontario. Businesses which keep financial or health records should make their employees aware that such a tort of privacy exists and should take steps to further protect their customers’ information.

A Canadian’s right to access information held by the government

Under Canada’s Access to Information Act, in general, any Canadian citizen or permanent resident may request and be given access to any record under the control of a government institution.

The Act includes a list of all such “government institutions”, which includes for example the Department of National Defence, the Department of Health, the Department of Justice, and the Royal Canadian Mounted Police, but does not include ministerial offices for any of the listed Departments.

However, records located within ministerial offices for any of the listed Departments may nonetheless be subject to disclosure if the record relates to a departmental matter, and if a senior official of the government institution could reasonably expect to obtain a copy upon request (Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25).

Journalists, lawyers, and Canadians from all walks of life have relied on Access to Information requests to obtain enlightening information from a sometimes reluctant government. If you need help with enforcing an Access to Information request, a lawyer may be able to help.

Federal Privacy Commissioner outlines proposed changes to PIPEDA

In a previous post I outlined some of the priorities of Federal Privacy Commissioner Jennifer Stoddart as she enters her new three-year term.

One of her priorities is to strengthen PIPEDA, the Personal Information Protection and Electronic Documents Act, when it faces a mandatory review by Parliament later this year.

The main items that Stoddart has hinted she’ll push for include increased enforcement powers for the Federal Privacy Commissioner and tougher penalties for companies found to have failed to comply with PIPEDA, including publicly naming violators.

With regard to enforcement and penalties, Commissioner Stoddart notes that Canada has “become one of the few major countries where the data protection regulator lacks the ability to issue orders and impose fines.” In contrast, “the CRTC has the power to impose fines for violations of the do-not-call rules (and recently slapped Bell Canada with a record-setting $1.3-million penalty).” In addition, “there are significant fines – $10 million for businesses – provided for in the new anti-spam law.” Furthermore, privacy regulators like the UK Information Commissioner and the Spanish Data Protection Agency both use their enforcement powers to successfully signal that privacy violations will be met with financial penalties.

Finally, Commissioner Stoddart candidly admitted that there is a growing discomfort with the secretive nature of privacy investigations under PIPEDA:

It seems to me that not naming names is robbing the Canadian public of much of the educational value of our investigative findings.

Privacy law up for review this year

Parliament recently approved Federal Privacy Commissioner Jennifer Stoddart’s re-appointment for an additional three-year term. In a speech at the University of Ottawa, she outlined some of her priorities for her new term: 1) ensuring social networking and online dating sites respect privacy, 2) educating Canadians to better understand their privacy rights and to make well-informed choices, and 3) ensuring privacy complaints made to her office are dealt with in a timely manner.

Stoddart also indicated that she wants to strengthen PIPEDA, the Personal Information Protection and Electronic Documents Act. With PIPEDA facing a mandatory review by Parliament this year, it is likely that at least some legislative change will take place. In a future post I’ll explore some of the possible changes to PIPEDA.