Document Type
Article
Abstract
Lawful access—the legal regime that authorizes various methods used by law enforcement to intercept, search, or seize information for investigatory purposes—has been subject to much debate in Canada. However, those debates need a new solution space for the digital age. This must be able to incorporate new technological solutions for minimizing rights infringements and provide new forms of accountability and safeguards against misuse. This is not simply a matter of adopting the popular framework of “privacy by design,” or even a reworked “lawful access by design.” We argue that an appreciation of the challenges of the digital world requires us to rethink our basic constitutional framework. The Canadian constitutional framework for lawful access was set out by the Supreme Court of Canada in Hunter v Southam and was then refined in the subsequent jurisprudence. We argue that this framework is ill-suited to contemporary digital challenges to informational privacy and requires four fundamental shifts. First, this framework’s basic point-of-collection focus needs to shift to the broader life cycle of the data. Second, this framework needs to shift away from its categorical approach to informational privacy, where some categories of information are thought to be inherently more private than others, and instead approach informational privacy in terms of the use-context of the data. Third, this framework needs to shift away from its exclusive focus on procedural safeguards at the point of collection (e.g., the warrant requirement), and consider procedural, legislative, and technical safeguards throughout the life cycle of the data as well. Overall, this framework needs to shift away from a dominant focus on privacy and recognize a broader set of rights and interests at stake in lawful access practices, including the rule of law, equality, and other fundamental freedoms. Once we have a constitutional framework that is better able to address the digital era, then we can more precisely craft new techniques for protecting rights, ensuring accountability, and safeguarding against abuse within this framework. Indeed, we can then see why some of these techniques are constitutional requirements. The payoff for doing so, we argue, is a way of enabling specific justified uses of data by law enforcement, while safeguarding the data against non-justified uses over its life span.
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Citation Information
Austin, Lisa M. and Slane, Andrea.
"Digitally Rethinking Hunter v Southam."
Osgoode Hall Law Journal
60.2 (2023)
: 419-472.
DOI: https://doi.org/10.60082/2817-5069.3895
https://digitalcommons.osgoode.yorku.ca/ohlj/vol60/iss2/5
EPUB version (e-reader software required)
References
1. See Canada, Department of Justice, Lawful Access - Consultation Document (DOJ, 25 August 2002), online (pdf): www.justice.gc.ca/eng/cons/la-al/la-al.pdf [perma.cc/B6YP-6X5B].
2. See Canada, CyberCrime Working Group, Access to Basic Subscriber Information and the Impact of the Supreme Court of Canada's Decision in R. v. Spencer (Federal-Provincial- Territorial Coordinating Committee of Senior Officials (Criminal Justice), 16 December 2016) [on file with authors] [Access to Basic Subscriber Information]. This was originally a confidential document, but it was leaked before the stakeholder meetings and became a public document.
3. 2014 SCC 43 [Spencer].
4. Access to Basic Subscriber Information, supra note 2 at 3.
5. [1984] 2 SCR 145 [Hunter].
6. See Part I(A), below.
7. There is a substantial literature in the US context discussing the limits of traditional search and seizure doctrine in the face of new technologies. See generally Elizabeth Joh, "Policing by Numbers: Big Data and the Fourth Amendment" (2014) 89 Wash L Rev 35; Margaret Hu, "Orwell's 1984 and a Fourth Amendment Cybersurveillance Nonintrusion Test" (2018) 92 Wash L Rev 1819; Orin S Kerr, "The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution" (2004) 102 Mich L Rev 801 https://doi.org/10.2307/4141982; Daniel J Solove, "Digital Dossiers and the Dissipation of Fourth Amendment Privacy" (2002) 75 S Cal L Rev 1083. https://doi.org/10.2139/ssrn.313301
8. See Part I(B), below.
9. Part I of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (UK), 1982, c 11.
10. See Hunter, supra note 5 at 159.
11. Ibid at 167-68.
12. Ibid at 160-64.
13. The language of "totality of the circumstances" is from R v Edwards. See [1996] 1 SCR 128. However, these four questions were articulated in later cases. See R v Tessling, 2004 SCC 67 at para 32 [Tessling]; R v Patrick, 2009 SCC 7 at para 27; R v Cole, 2012 SCC 53 at para 40. https://doi.org/10.1080/09613218.2011.610608
14. See Tessling, supra note 13 at para 32.
15. See R v Kang-Brown, 2008 SCC 18 [Kang-Brown].
16. See Entick v Carrington (1765), 95 ER 807 (KB) [Entick]. Entick is the case to which the trespass roots of search and seizure are generally traced back. For a discussion of the mismatch between physical searches and digital searches, see Orin S Kerr, "Searches and Seizures in a Digital World" (2005) 119 Harv L Rev 531 [Kerr, "Searches"]. See also Christopher Slobogin, "Is the Fourth Amendment Relevant in a Technological Age?" in Jeffrey Rosen & Benjamin Wittes, eds, Constitution 3.0: Freedom and Technological Change (Brookings Institution Press, 2011) 11.
17. See Steven Penney, "The Digitization of Section 8 of the Charter: Reform or Revolution?" (2014) 67 SCLR (2d) 505 https://doi.org/10.60082/2563-8505.1298; Lee-Ann Conrod, "Smart Devices in Criminal Investigations: How Section 8 of the Canadian Charter of Rights and Freedoms Can Better Protect Privacy in the Search of Technology and Seizure of Information" (2019) 24 Appeal 115.
18. For different views on use restrictions in the US context, see Ric Simmons, "The Mirage of Use Restrictions" (2017) 96 NCL Rev 133. See also Orin S Kerr, "Use Restrictions and the Future of Surveillance Law" in Rosen & Wittes, eds, supra note 16, 37.
19. See Information and Privacy Commissioner of Ontario, De-identification Guidelines for Structured Data (IPC, June 2016), online (pdf): www.ipc.on.ca/wp-content/uploads/2016/08/Deidentification-Guidelines-for-Structured-Data.pdf [perma.cc/YT5E-H98C]; Information and Privacy Commissioner of Ontario, De-identification Protocols: Essential for Protecting Privacy, by Ann Cavoukian & Khaled El Emam, (IPC, 25 June 2014), online (pdf): www.ipc.on.ca/wp-content/uploads/resources/pbd-de-identifcation_essential.pdf [perma.cc/AJZ4-3WFX].
20. See Michael Geist, "Why Watching the Watchers Isn't Enough: Canadian Surveillance Law in the Post-Snowden Era" in Michael Geist, ed, Law, Privacy and Surveillance in Canada in the Post-Snowden Era (University of Ottawa Press, 2015) 225; Craig Forcese, "Law, Logarithms, and Liberties: Legal Issues Arising from CSE's Metadata Collection Initiatives" in ibid, 127. https://doi.org/10.2307/j.ctt15nmj3c.9
21. Note that there can be other forms of metadata than that associated with communications, including metadata collected from smart home devices. See Ana Qarri, "Bringing Section 8 Home: An Argument for Recognizing a Reasonable Expectation of Privacy in Metadata Collected from Smart Home Devices" (2022) 9 CJLT 457.
22. See e.g. Criminal Code, RSC 1985, c C-46, ss 487.016 (Production order-transmission data), 487.017 (Production order- tracking data), 492.1 (Warrant for tracking device), 492.2 (Warrant for transmission data recorder) [Criminal Code]. For a discussion of these provisions, see Daniel Ikonomov, "Warrants and Production Orders Based on Reasonable Suspicion" (2006) 37 CR (6th) 193. https://doi.org/10.1002/piuz.200690069
23. See Kang-Brown, supra note 15 at paras 75-79.
24. See Criminal Code, supra note 22, ss 487.016, 487.017.
25. See Spencer, supra note 3 at para 24; Access to Basic Subscriber Information, supra note 2 at 6; Michael Geist, "Canada's need for the Tories' snooping law is not proven," The Toronto Star (10 December 2011), online: www.thestar.com/business/2011/12/10/canadas_need_for_the_tories_snooping_law_is_not_proven.html [perma.cc/NM7L-ZKUV]. https://doi.org/10.12968/eyed.2011.12.12.10
26. See e.g. Bill C-30, An Act to enact the Investigating and Preventing Criminal Electronic Communications Act and to amend the Criminal Code and other Acts, 1st Sess, 41st Parl, 2011-2012 (introduction and first reading 14 February 2012); Bill C-52, An Act regulating telecommunications facilities to support investigations, 3rd Sess, 40th Parl, 2010; Bill C-46, An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act, 2nd Sess, 40th Parl, 2009; Bill C-74, An Act regulating telecommunications facilities to facilitate the lawful interception of information transmitted by means of those facilities and respecting the provision of telecommunications subscriber information, 1st Sess, 38th Parl, 2005.
27. See Steven M Bellovin et al, "It's Too Complicated: How the Internet Upends Katz, Smith, and Electronic Surveillance Law" (2016) 30 Harv JL & Tech 1.
28. Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act, 2nd Sess, 41st Parl, 2013-2014 (assented to 9 December 2014), SC 2014, c 31.
29. For a discussion of this, see Andrea Slane & Lisa M Austin, "What's in a Name? Privacy and Citizenship in the Voluntary Disclosure of Subscriber Information in Online Child Exploitation Investigations" (2011) 57 Crim LQ 486. For a more general account of the role of internet service providers in safeguarding consumer privacy, see Mike Zajko, "Internet Service Providers as Privacy Custodians" (2018) 33 CJLS 401. https://doi.org/10.1017/cls.2018.25
30. See Spencer, supra note 3 at para 74.
31. Ibid at para 66.
32. Ibid at para 32.
33. For an argument regarding why a statutory authorization for BSI on a suspicion standard would be constitutional, see Steven Penney, "Updating Canada's Communications Surveillance Laws: Privacy and Security in the Digital Age" (2008) 12 Can Crim L Rev 115. For a discussion of the ongoing uncertainties pertaining to warrantless access for BSI, see Matthew P Ponsford, "The Lawful Access Fallacy: Voluntary Warrantless Disclosures, Customer Privacy, and Government Requests for Subscriber Information" (2017) 15 CJLT 153.
34. Spencer's recognition that anonymity is protected under section 8 is an important development of privacy interests, but its protection against unauthorized unmasking of anonymity is still an exclusively point-of-collection approach, which we argue does not adequately address rule of law concerns about unfettered police discretion across the life cycle of the data. We therefore disagree with Chris Hunt and Micah Rankin's argument that Spencer's focus on protecting anonymity solves rule of law issues. See "R. v. Spencer: Anonymity, the Rule of Law, and the Shrivelling of the Biographical Core" (2015) 61 McGill LJ 193. https://doi.org/10.7202/1035388ar
35. See R v Boersma, [1994] 2 SCR 488.
36. See R v Patrick, 2009 SCC 17.
37. See R v Duarte, [1990] 1 SCR 30 [Duarte].
38. See R v Nguyen, 2017 ONSC 1341.
39. See R v Wise, [1992] 1 SCR 527 [Wise].
40. See R v Marakah, 2017 SCC 59 [Marakah].
41. See Canadian Security Intelligence Service Act, RSC 1985, c C-23, ss 11.07(1)(a), 11.11(1).
42. Communications Security Establishment Act, SC 2019, c 13, s 76, ss 22(1), 23(1).
43. For an overview of local ordinances that have purportedly banned use of facial recognition technology by police, see Nathan Sheard & Adam Schwartz, "The Movement to Ban Government Use of Face Recognition" (5 May 2022), online: Electronic Frontier Foundation www.eff.org/deeplinks/2022/05/movement-ban-government-use-face-recognition [perma.cc/BL7U-MWU6]. We note, however, that the ordinances named as "bans" actually more accurately impose strict oversight requirements on acquisition and use of surveillance technology. Such oversight mechanisms, with which we broadly agree, may well make acquisition and use of facial recognition technology by police impossible, at least with their current technological capabilities. The ordinances themselves are not straightforward "bans," however.
44. Privacy Act, RSC 1985, c P-21 [Privacy Act] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 2(1) [PIPEDA].
45. For an attempt to regulate de-identified personal information, see Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 2nd Sess, 43rd Parl, 2020.
46. See Lisa Austin & David Lie, "Bill C-11 and Exceptions to Consent for De-identified Personal Information," Legislative Comment on An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, (Schwartz Reisman Institute for Technology and Society, 11 January 2021), online: srinstitute.utoronto.ca/news/austin-lie-deidentified-personal-information-c11 [perma.cc/HN2B-TZFW].
47. The Charter Statement issued by the Minister of Justice regarding Bill C-11 does not identify any section 8 issues arising from the legislation. See House of Commons, "Bill C-11: An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make related and consequential amendments to other Acts," by David Lametti (Minister of Justice), Charter Statement, 43-2 (2 December 2020), online: www.justice.gc.ca/eng/csj-sjc/pl/charter-charte/c11.html [perma.cc/C83D-N7NY].
48. See Patrick Howell O'Neill, Tate Ryan-Mosley & Bobbie Johnson, "A flood of coronavirus apps are tracking us. Now it's time to keep track of them" (7 May 2020), online: MIT Technology Review www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker [perma.cc/8HN7-LF7C].
49. See Lisa M Austin et al, "Test, Trace, and Isolate: Covid-19 and the Canadian Constitution" (Osgoode Legal Studies Research Paper, 2020) at 7-8, online: SSRN ssrn.com/abstract=3608823 [perma.cc/WSQ3-3UQV] [Austin et al, "Test, Trace, and Isolate"].
50. Human Rights Watch, "Mobile Location Data and Covid-19: Q&A" (13 May 2020), online: www.hrw.org/news/2020/05/13/mobile-location-data-and-covid-19-qa [perma.cc/R3GA-TXDL].
51. See Ali Farzanehfar, Florimond Houssiau & Yves-Alexandre de Montjoye, "The Risk of Re-Identification Remains High Even in Country-Scale Location Datasets" (2021) 2:3 Patterns. https://doi.org/10.1016/j.patter.2021.100204
52. See Lisa M Austin, "Information Sharing and the 'Reasonable' Ambiguities of Section 8 of the Charter" (2007) 57 UTLJ 499. https://doi.org/10.1353/tlj.2007.0006
53. See B(R) v Children's Aid Society of Metropolitan Toronto, [1995] 1 SCR 315; Cheskes v Ontario (Attorney General), 2007 CarswellOnt 5849 (WL Can) (SC).
54. See R v Mills, [1999] 3 SCR 668 at para 88 [Mills]. Mills addresses the overlap between section 8 and the principles of fundamental justice.
55. See EC, Charter of Fundamental Rights of the European Union, [2012] OJ, C 326/391, art 52; Ernest J Weinrib, "Private Law and Public Right" (2011) 61 UTLJ 191 at 207. For a discussion of proportionality in relation to US Fourth Amendment jurisprudence, see Christopher Slobogin, "Let's Not Bury Terry: A Call for Rejuvenation of the Proportionality Principle" (1998) 72 St John's L Rev 1053. See also Christopher Slobogin, "Government Data Mining and the Fourth Amendment" (2008) 75 U Chicago L Rev 317.
56. Supra note 9, s 1.
57. See R v Oakes, [1986] 1 SCR 203. Because most section 8 cases arise in the context of section 24(2) arguments to deny the introduction of evidence obtained through an allegedly unconstitutional search, they do not proceed to a section 1 analysis-with the result that the relationship between section 8 balancing and section 1 justification is unclear. However, the courts have said that a reasonable search and seizure is one that is consistent with the principles of fundamental justice. See e.g. Mills, supra note 54 at para 88. See also Reference re B.C. Motor Vehicle Act, [1985] 2 SCR 486 at 501-502. We think that the difference between them is that section 1 understands proportionality within the context of an analysis of a "free and democratic society," whereas the ambit of section 8 is the (possibly) narrower "principles of fundamental justice." For a different argument for considering section 8 violations under section 1, see Graham Mayeda, "Privacy in the Age of the Internet: Lawful Access Provisions and Access to ISP and OSP Subscriber Information" (2016) 53 Alta L Rev 709. https://doi.org/10.29173/alr426
58. Hunter, supra note 5 at 167.
59. See Lisa M Austin, "Towards a Public Law of Privacy: Meeting the Big Data Challenge" (2015) 71 SCLR (2d) 541 [Austin, "Towards a Public Law of Privacy"]. https://doi.org/10.60082/2563-8505.1323
60. See Duarte, supra note 37; Wise, supra note 39; R v Wong, [1990] 3 SCR 36 [Wong]. Alternatively, for a discussion of Justice Cromwell's digital privacy trilogy, see Stephen Aylward, "Technological Neutrality or Novelty? Two Models of Privacy in the Digital Era" (2017) 80 SCLR (2d) 423.
61. See The Honourable M Blane Michael, "Reading the Fourth Amendment: Guidance from the Mischief that Gave it Birth" (2010) 85 NYUL Rev 905; Thomas Y Davies, "Recovering the Original Fourth Amendment" (1999) 98 Mich L Rev 547 https://doi.org/10.2307/1290314; Steve Coughlan, "Charter Protection Against Unlawful Police Action: Less Black and White Than It Seems" (2012) 57 SCLR (2d) 205. https://doi.org/10.60082/2563-8505.1237
62. See Lisa M Austin, "Technological Tattletales and Constitutional Black Holes: Communications Intermediaries and Constitutional Constraints" (2016) 17 Theor Inq L 451. https://doi.org/10.1515/til-2016-0017
63. See Andreas Liljegren et al, "The Police and 'the Balance'-Managing the Workload Within Swedish Investigation Units" (2021) 8 J Professions & Organization 70. https://doi.org/10.1093/jpo/joab002
64. See James Brown & Michael Doucet, "'Chief, I Think We Can Make this Work': Perceptions of Successes and Failures in Technology Implementation from Canadian Police Leaders" (2020) 5 J Community Safety & Well-Being 171. https://doi.org/10.35502/jcswb.157
65. Kerr, "Searches," supra note 16 at 534.
66. See Teresa Scassa, "A Human Rights-Based Approach to Data Protection in Canada" in Elizabeth Dubois & Florian Martin Bariteau, eds, Citizenship in a Connected Canada: A Research and Policy Agenda (University of Ottawa Press, 2020) 173 at 178. https://doi.org/10.2307/jj.17610838.13
67. See Andrea Slane, "There Is a There There: Forum Selection Clauses, Consumer Protection and the Quasi-Constitutional Right to Privacy in Douez v Facebook" (2019) 88 SCLR (2d) 87 at 94-99 [Slane, "There Is a There There"].
68. For a discussion of accountability reporting as a public policy instrument, see Christopher Parsons & Adam Molnar, "Government Surveillance Accountability: The Failures of Contemporary Canadian Interception Reports" (2018) 16 CJLT 143. See also Nicholas Koutros & Julien Demers, "Big Brother's Shadow: Decline in Reported Use of Electronic Surveillance by Canadian Federal Law Enforcement" (2013) 11 CJLT 79 (for a discussion of the lack of transparency for many forms of surveillance compared to the requirements for wiretapping).
69. See Elizabeth E Joh, "Policing the Smart City" (2019) 15 Intl JLC 177 https://doi.org/10.1017/S1744552319000107; Catherine Crump, "Surveillance Policy Making by Procurement" (2016) 91 Wash L Rev 1595. https://doi.org/10.2139/ssrn.2737006
70. See Part II(B), below.
71. See Statistics Act, RSC 1985, c S-19, ss 17, 30 [Statistics Act].
72. Ibid, s 17(2).
73. Ibid, s 18(1).
74. Supra note 3 at para 26.
75. In some ways, the Supreme Court of Canada's emphasis on use-context in defining the subject matter of the search mirrors the US Supreme Court's adoption of the "mosaic theory" that looks at a sequence of state actions in order to determine if there has been a search. See Orin S Kerr, "The Mosaic Theory of the Fourth Amendment" (2012) 111 Mich L Rev 311.
76. See Marakah, supra note 40 at paras 19-20.
77. 2017 FC 1047.
78. Ibid at paras 244-45.
79. Ibid at paras 141, 149.
80. Ibid at para 189.
81. Ibid at paras 244-45.
82. Ibid at paras 189, 198, 245.
83. See R v Fearon, 2014 SCC 77 at para 83 [Fearon].
84. See R v Rogers Communications Partnership, 2016 ONSC 70 at paras 41-42 [Rogers], citing Gerald Chan, "Morelli and Beyond: Thinking about Constitutional Standards for Computer Searches," Criminal Lawyers Association Newsletter 33:2 (28 April 2012).
85. See Fearon, supra note 83 at para 82.
86. 2014 SCC 72 [Wakeling]. Justice Moldaver did not think that additional safeguards were required, whereas Justice Karakatsanis would have required more: "[T]o render the scheme constitutional, Parliament must require the disclosing party to impose conditions on how foreign officials can use the information they receive, and must implement accountability measures to deter inappropriate disclosure and permit oversight" (ibid at para 105).
87. Supra note 86. For a discussion of the limits of relying upon criminal law legislation to respond to new technologies, see Colton Fehr, "Criminal Law and Digital Technologies: An Institutional Approach to Rule Creation in a Rapidly Advancing and Complex Setting" (2019) 65 McGill LJ 67 https://doi.org/10.7202/1074418ar ; Colton Fehr, "Criminal Law & Digital Technologies: Drawing Lessons from the Canadian and American Experience" (2021) 53 UBC L Rev 653.
88. See Chris Parsons, Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies (BC Civil Liberties Association, 2012).
89. See Austin, "Towards a Public Law of Privacy," supra note 59.
90. PIPEDA, supra note 44, sched 1, s 4.7.
91. Ibid, s 4.7.3.
92. The federal legislation does not include security obligations. See generally Privacy Act, supra note 44. Ontario's provincial legislation imposes security obligations through regulations. See Freedom of Information and Protection of Privacy Act, RRO 1990, Reg 460, ss 3-4; Municipal Freedom of Information and Protection of Privacy Act, RRO 1990, Reg 823, ss 2-3.
93. Security safeguard obligations are among the recommendations for reforming the Privacy Act. See Canada, House of Commons, Standing Committee on Access to Information, Privacy and Ethics, Protecting the Privacy of Canadians: Review of the Privacy Act, 42-1, No 4 (December 2016) (Chair: Blaine Calkins) at 16 (recommendations 7-8), online (pdf): www.ourcommons.ca/Content/Committee/421/ETHI/Reports/RP8587799/ethirp04/ethirp04-e.pdf [perma.cc/XY6N-DJXU].
94. Facebook, News Release, "Suspending Cambridge Analytica and SCL Group from Facebook" (16 March 2018), online: Facebook Newsroom about.fb.com/news/2018/03/suspending-cambridge-analytica [perma.cc/5P23-VK8C].
95. See Office of the Privacy Commissioner of Canada, Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, PIPEDA Report of Findings No 2019-002 (OPC, 25 April 2019) at paras 190-92, online: www.priv.gc.ca/en/opc-actions-and-decisions/investigations [perma.cc/BHE8-4VXN]; United Kingdom, Information Commissioner's Office, Investigation Into the Use of Data Analytics in Political Campaigns (ICO, 6 November 2018) at 27, online (pdf ): https://ico.org.uk/media [perma.cc/9397-DEGV].
96. See e.g. Privacy Act, supra note 44. For example, in relation to the federal Privacy Act, there are exceptions to the requirements that personal information to be collected directly from an individual and with notification (ibid, s 5(3)), accuracy obligations only apply to "administrative" purposes (ibid, s 6(2)), and there are many exceptions for uses and disclosures for secondary purposes that apply to law enforcement (ibid, ss 7(b) and 8(2)).
97. See Douez v Facebook, Inc, 2017 SCC 33 at paras 59, 76.
98. Slane, "There Is a There There," supra note 67 at 95-96.
99. The section 8, and to a lesser extent section 7, case law discusses the fundamental importance of privacy generally to democracy. See e.g. R v Dyment, [1988] 2 SCR 417 at 427-28. Although the parameters of Charter protection for information privacy have been confined to fairly limited, intimate biographical information in cases. See e.g. R v Plant [1993] 3 SCR 281; Tessling, supra note 13; R v AM, 2008 SCC 19.
100. For cases that progressed the recognition that personal data protection legislation protected related fundamental values, see Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 53 (regarding the federal Privacy Act); Eastmond v Canadian Pacific Railway, 2004 FC 852 (regarding the federal private sector data protection legislation, PIPEDA); Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 [Alberta IPC] (regarding Alberta's Personal Information Protection Act, SA 2003, c P6.5 [Alberta PIPA]). What the cross-pollination of protection against unreasonable search and seizure with personal data protection means going forward is an ongoing debate. See Austin, "Towards a Public Law of Privacy," supra note 59.
101. Slane, "There Is a There There," supra note 67 at 96-97.
102. Alberta IPC, supra note 100 at para 19. Alberta PIPA is "substantially similar" to provincial private sector privacy legislation, as set out via an order of the Governor in Council under PIPEDA. Alberta PIPA, supra note 100; PIPEDA, supra note 44, s. 26(2).
103. See Scassa, supra note 66 at 177.
104. See Eric H Reiter, "Privacy and the Charter: Protection of People of Places?" (2009) 88 Can Bar Rev 119 at 120-21.
105. Christopher S Yoo, "Toward a Closer Integration of Law and Computer Science" (2014) 57 Communications ACM 33. https://doi.org/10.1145/2542503
106. See generally Ann Cavoukian, "Privacy by Design: the 7 Foundational Principles" (IPC, August 2009), online (pdf ): Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf [perma.cc/Q9SV-23BJ].
107. Ibid. See EC, Commission Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), [2016] OJ, L 119/1, art 25 [GDPR].
108. See EC, European Data Protection Supervisor, Preliminary Opinion on privacy by design (Opinion 5/2018), [2018] OJ, C, s 1.1.
109. For an overview, see Office of the Privacy Commissioner of Canada, Privacy Enhancing Technologies - A Review of Tools and Techniques (OPC, November 2017) at no 6.
110. "Privacy Regulation Cannot Be Hardcoded. A Critical Comment on the 'Privacy by Design' Provision in Data-Protection Law" (2014) 28 Intl Rev L Comp & Tech 159. https://doi.org/10.1080/13600869.2013.801589
111. See Lyria Bennett Moses & Monika Zalnieriute, "Law and Technology in the Dimension of Time" in Sofia Ranchordás & Yaniv Roznai, eds, Time, Law and Change: An Interdisciplinary Study (Hart, 2020).
112. See e.g. Stanford Law School, "Computational Law," online: law.stanford.edu/projects/computational-law [perma.cc/EX3Y-KCLB] (the Computational Law project at Stanford Law School).
113. See Koops & Leenes, supra note 110. See also Ira S Rubinstein & Nathaniel Good, "The Trouble with Article 25 (and How to Fix It): The Future of Data Protection by Design and Default" (2020) 10 Intl Data Privacy L 37. https://doi.org/10.1093/idpl/ipz019
114. "Privacy by Design by Regulation: The Case Study of Ontario" (2018) 4 CJCCL 115 at 118.
115. See Cavoukian, supra note 106.
116. Ibid.
117. See Deirdre K Mulligan, Colin Koopman & Nick Doty, "Privacy is an Essentially Contested Concept: A Multi-Dimensional Analytic for Mapping Privacy" (2016) 374:2083 Philosophical Transactions of the Royal Society A: Mathematical Physical & Engineering Sciences. https://doi.org/10.1098/rsta.2016.0118
118. Lawrence Lessig, Code: Version 2.0, 2nd ed (Basic Books, 2006) at 5.
119. Ibid at 79.
120. See Michael Birnhack, "Reverse Engineering Informational Privacy Law" (2012) 15 Yale JL & Tech 24. https://doi.org/10.2139/ssrn.2002757
121. See Aylward, supra note 60.
122. See The Real World of Technology, revised ed (House of Anansi Press, 1992), ch 1.
123. See Access to Basic Subscriber Information, supra note 2 at 11-12.
124. R v Paterson, 2017 SCC 15 at para 32 [citations omitted].
125. For discussion of the history of warrantless searches, see R v Rao, [1984] OJ No 3180 (QL) (CA), cited in R v Grant, [1993] 3 SCR 223 at para 22.
126. The Federal-Provincial-Territorial Coordinating Committee of Senior Officials (Criminal Justice) Cybercrime Working Group proposed a new regime for warrantless access to subscriber information that would include exigent circumstances but be much broader. See Access to Basic Subscriber Information, supra note 2 at 10.
127. We thank Ian Goldberg for this insight and for outlining how this could work.
128. This is loosely modelled after the facts in Rogers. See supra note 84.
129. See Part I(B), above.
130. Tamir Israel & Christopher Parsons, Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada Ver. 2 (Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic & Telecom Transparency Project, 18 August 2016), online (pdf ): cippic.ca/uploads/20160818-Report-Gone_Opaque.pdf [perma.cc/R35M-5ZNL].
131. Aaron Segal, Bryan Ford & Joan Feigenbaum, "Catching Bandits and Only Bandits: Privacy-Preserving Intersection Warrants for Lawful Surveillance" (4th USENIX Workshop on Free and Open Communications on the Internet, 18 August 2014), online (pdf ): dedis.cs.yale.edu/dissent/papers/bandits-abs [perma.cc/D2CL-FMCW].
132. Cynthia Dwork et al, "Calibrating Noise to Sensitivity in Private Data Analysis" (Conference paper delivered at the Theory of Cryptography Conference, New York, March 2006), (2006) 3876 Lecture Notes in Computer Science 265. https://doi.org/10.1007/11681878_14
133. Lisa M Austin & David Lie, "Safe Sharing Sites" (2019) 94 NYU L Rev 581 at 612ff.
134. We would like to thank Ian Goldberg, David Lie, and Michael Vonn for their work on outlining this method for a privacy-preserving cell-tower dump.
135. See e.g. Dan Bogdanov et al, "High-Performance Secure Multi-Party Computation for Data Mining Applications" (2012) 11 Intl J Information Security 403. Google has introduced open-source tools to help organizations implement Secure Multiparty Computation. See Google Online Security Blog, "Helping Organizations Do More Without Collecting More Data" (19 June 2019), online: security.googleblog.com/2019/06/helping-organizations-domore-without-collecting-more-data.html [perma.cc/VF4H-GFNU]. https://doi.org/10.1007/s10207-012-0177-2
136. See e.g. Andrew G Ferguson, "Facial Recognition and the Fourth Amendment" (2021) 105 Minn L Rev 1105. See also R v Chief Constable of South Wales Police, [2020] EWCA Civ 1058.
137. See Kaleigh Rogers, "That Time the Super Bowl Secretly Used Facial Recognition Software on Fans" (7 February 2016), online: Vice www.vice.com/en/article/kb78de/that-time-the-super-bowl-secretly-used-facial-recognition-software-on-fans [perma.cc/SF8R-UAAB].
138. See Georgetown Law, News Release, "Center on Privacy & Technology: Making News, Impacting Policy on Facial Recognition Technology" (11 July 2019), online: Georgetown Law www.law.georgetown.edu/news/center-on-privacy-technology-making-news-impacting-policy-with-research-on-police-facial-recognition [perma.cc/2F9G-5ARE].
139. See Wong, supra note 60.
140. Andrea Slane, "Privacy Protective Roadblocks and Speedbumps Restraining Law Enforcement Use of Facial Recognition Software in Canada" (2021) 69 Crim LQ 216 at 217.
141. R v Jarvis, 2019 SCC 10 at para 29.
142. Canadian Civil Liberties Association, "Facial Recognition," online: ccla.org/our-work/privacy/surveillance-technology/facial-recognition [perma.cc/S8L3-6T9B].
143. See Office of the Privacy Commissioner of Canada, Joint investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia, PIPEDA Report of Findings No 2020-004 (OPC, 28 October 2020), online: www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2020/pipeda-2020-004 [perma.cc/4JYG-ND5Q]; "Reclaim Your Face," online: [perma.cc/FM2A-TQPZ].
144. Woodrow Hartzog & Frederic D Stutzman, "Obscurity by Design" (2013) 88 Wash L Rev 385.
145. See Office of the Privacy Commissioner of Canada, Joint investigation of Clearview AI, Inc Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta, PIPEDA Report of Findings No 2021-001 (OPC, 2 February 2021), online: www.priv.gc.ca/en/opc-actions-and-decisions/investigations [perma.cc/HW6W-HW2K].
146. Privacy Act, supra note 44, s 4.
147. See Office of the Privacy Commissioner of Canada, Special report to Parliament on the OPC's investigation into the RCMP's use of Clearview AI and draft joint guidance for law enforcement agencies considering the use of facial recognition technology (10 June 2021), online: www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/202021/sr_rcmp [perma.cc/UBZ6-67VT].
148. See Information and Privacy Commissioner of Ontario, Privacy Fact Sheet: Disclosure of Personal Information to Law Enforcement (IPC, November 2018), online (pdf): www.ipc.on.ca/wp-content/uploads/2018/11/fs-privacy-law-enforcement.pdf [perma.cc/L9R9-ELJC].
149. See Office of the Information & Privacy Commissioner for British Columbia, Investigation Report F12-01: Investigation Into the Use of Facial Recognition Technology By the Insurance Corporation of British Columbia, (OIPC BC, 16 February 2012) at 8, online (pdf): www.oipc.bc.ca/investigation-reports/1245 [perma.cc/5XJK-3WTU].
150. See e.g. Ferguson, supra note 136; Barry Friedman & Andrew Guthrie Ferguson, "Here's a Way Forward on Facial Recognition: The police should be able to use it, but in a very limited way," The New York Times (31 October 2019), online: www.nytimes.com/2019/10/31/opinion/facial-recognition-regulation.html [perma.cc/49D8-RLE7].
151. The Criminal Code sets out a similar necessity requirement for authorization to intercept private communications: "that other investigative procedures have been tried and have failed, other investigative procedures are unlikely to succeed or the urgency of the matter is such that it would be impractical to carry out the investigation of the offense using only other investigative procedures." Criminal Code, supra note 22, ss 185(1)(h), 186(1)(b).
152. See Joy Buolamwini & Timnit Gebru, "Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification" (Paper delivered at the Proceedings of the 1st Conference on Fairness, Accountability and Transparency, New York, 23-24 February 2018), (2018) 81 Proceedings Machine Learning Research 77.
153. Toronto police (among others) admit to using FRT this way. See Betsy Powell, "How Toronto police used controversial facial recognition technology to solve the senseless murder of an innocent man," The Toronto Star (13 April 2020), online: www.thestar.com/news/gta/2020/04/13/how-toronto-police-used-controversial-facial-recognition-technology-to-solve-the-senseless-murder-of-an-innocent-man.html [perma.cc/5LLC-LTAP].
154. See Aviv Gaon & Ian Stedman, "A Call to Action: Moving Forward with the Governance of Artificial Intelligence in Canada" (2019) 56 Alta L Rev 1137. https://doi.org/10.29173/alr2547
155. See United Kingdom, Home Office, Surveillance Camera Commissioner & Biometrics Commissioner, News Release, "The Home Secretary has appointed Fraser Sampson as the government's new independent Biometrics and Surveillance Camera Commissioner" (last modified 15 March 2021), online: UK Government www.gov.uk/government/news/new-biometrics-and-surveillance-camera-commissioner-appointed [perma.cc/YBR9-PU39].
156. Public Health Ontario, "COVID-19 Contact Tracing Initiative" (last modified 24 Feb 2021), online: www.publichealthontario.ca/en/diseases-and-conditions [perma.cc/77SF-F5WN]; Austin et al, "Test, Trace, and Isolate," supra note 49.
157. See generally Susan Landau, People Count: Contact-Tracing Apps and Public Health (MIT Press, 2021).
158. This was then to be extended to the operating system itself.
159. See Apple & Google, Exposure Notifications: Frequently Asked Questions: v1.2 (September 2020), online (pdf ): static.googleusercontent.com/media/www.google.com/en//covid19/exposurenotifications/pdfs/Exposure-Notification-FAQ-v1.2.pdf [perma.cc/JT7K-WJPN].
160. See GSM Association, "COVID-19: Digital Contact Tracing Applications" (June 2020), online (pdf): www.gsma.com/newsroom/wp-content/uploads/GSMA-Briefing-Paper-Contact-TracingApps.pdf [perma.cc/Y2VR-XSY6].
161. See Austin et al, "Test, Trace, and Isolate," supra note 49.
162. Australian Government Department of Health, "COVIDSafe app" (last modified 15 December 2020), online: www.health.gov.au/resources/apps-and-tools/covidsafe-app#about-the-app [perma.cc/V5A2EQFH].
163. See Emily Seto, Priyanka Challa & Patrick Ware, "Adoption of COVID-19 Contract Tracing Apps: A Balance Between Privacy and Effectiveness" (2021) 23:3 J Medical Internet Research. https://doi.org/10.2196/25726
164. "Blind-Sided by Privacy? Digital Contact Tracing, the Apple/Google API and Big Tech's Newfound Role as Global Health Policy Makers" (2021) 23 Ethics & Information Technology 45 at 51. https://doi.org/10.1007/s10676-020-09547-x
165. Pew Research Center, "Experts Say the 'New Normal' in 2025 Will Be More Tech-Driven, With More Big Challenges" (18 February 2021), online (pdf ): eloncdn.blob.core.windows.net/eu3/sites/964/2021/02/Elon-Pew-Digital-Life-2025-After-Covid-Outbreak.pdf [perma.cc/SN2E-NAR4]; Binoy Kampmark, "The Pandemic Surveillance State: An Enduring Legacy of COVID-19" (2020) 7 J Global Faultlines 59. https://doi.org/10.13169/jglobfaul.7.1.0059
166. See Criminal Code, supra note 22, ss 185-86.
167. See Statistics Act, supra note 71.