Data Privacy: How Much Consent is Enough Consent?

In Canada, everyone has a right to expect a certain amount of data privacy. Data privacy includes control over, access to and use of personal information and data, whether generated intentionally or created through connection to the "Internet of Things". The courts have recognized that an individual's computer data is particularly sensitive because it comprises highly private information, such as medical information, banking information, and information that can reveal specific interests, likes and propensities.

Last Thursday, in R. v. Reeves, the Supreme Court of Canada clarified the law around an individual's right to privacy in relation to shared devices, such as personal computers (Justices Côté and Moldaver wrote separate, concurring reasons). In holding that a third party cannot waive an individual's rights under s. 8 of the Charter of Rights and Freedoms, Reeves marks the Court's first pronouncement on whether a third party with a property interest in an electronic device can unilaterally consent to state seizure of the device and the data within it.

Section 8 of the Charter of Rights and Freedoms protects individuals from unjustified state intrusions upon their privacy, including intrusions upon data privacy. The objective of s. 8 is to protect a core of personal information, which an individual in a free and democratic society would wish to maintain and control, from dissemination to the state. The essence of s. 8 of the Charter is protection from the taking of an item by a public authority without a warrant, unless the claimant has no reasonable expectation of privacy in the item or the claimant has given consent to the taking: valid consent acts as a waiver of the claimant's s. 8 rights.

In Reeves, the Court affirmed that the test for whether an individual has a reasonable expectation of privacy in an item is a consideration of the "totality of the circumstances" taking into account:

  1. the subject matter of the alleged seizure;
  2. whether the individual had a direct interest in the subject matter;
  3. whether the individual had a subjective expectation of privacy in the subject matter; and
  4. whether this subjective expectation of privacy was objectively reasonable.

The majority of the Court held that when dealing with computing devices, the subject matter of the seizure includes the data within. Further, the majority held that informational privacy interests are engaged by the mere seizure of the data, since the seizure deprives the individual of control over the stored data and ensures that the data remains preserved, and thus subject to further state inspection.

The majority also confirmed that control over or ownership of the computing device, while relevant, is not determinative of whether a subjective expectation of privacy is objectively reasonable. Justice Karakatsanis, writing for the majority, ruled that joint ownership of a computing device does not render a subjective expectation of privacy objectively unreasonable:

"I cannot accept that, by choosing to share our computers with friends and family, we are required to give up our Charter protection from state interference in our private lives. We are not required to accept that our friends and family can unilaterally authorize police to take things that we share. The decision to share with others does not come at such a high price in a free and democratic society."

In Reeves, the focus of the Court's analysis was on personal computers. However, the majority's reasoning – that the legitimate interests of third parties can only attenuate, not eliminate, a person's reasonable expectation of privacy – suggests a broader application of s. 8's protection against data seizure by a public authority. As the law in Canada and internationally continues to move further toward the view that individuals own their personal information, rather than those who have collected and hold it on their computers, this case may lead to further evolutions and changes in the law. In combination with recently updated guidance on valid consent from the Federal Privacy Commissioners, financial institutions may wish to review their privacy policies and form of consent to ensure that their right to investigate and disclose to law enforcement does not run contrary to client expectations. Alternatively, financial institutions may wish to invite production orders in challenging cases to ensure they produce documents under a court order.

  • By: Jennifer Choi