PIPEDA, disclosure without consent and COVID-19 in Canada

On Saturday April 4, 2020, newspapers in Québec reported the geolocation of a person infected with COVID-19 through cell phone data by the Québec City Police Service (SPVQ). Lawful access was based on section 108 of the Québec Public Health Act, which provides for the issuance of an order by the public health director to “do everything reasonably possible to locate and apprehend the person whose name appears in the order.” As the COVID-19 crisis deepens, it is fair to expect the practice to expand. This article seeks to provide some guidance for an organization facing a request from law enforcement authorities to obtain geolocation data for public health purposes.

The starting point is the prohibition under the Personal Information Protection and Electronic Documents Act (PIPEDA) for an organization to disclose personal information without consent save in exceptional circumstances listed in section 7(3). The exception relevant to COVID-19 is subsection 7(3) (c.1) (ii), allowing an organization to disclose personal information without consent to a government institution that (i) has identified its lawful authority to obtain the information; and (ii) indicated that the disclosure is requested for the purpose of enforcing any law of Canada. Beyond legislative provisions, case law has recognized “exigent circumstances” as grounds for lawful authority. 

In 2016, the Ontario Superior Court went a step further in R. v Rogers Communications siding with Rogers and Telus, which had refused to grant the Peel Regional Police a “tower dump” of cell phone data to investigate a robbery. What is of most relevance here is that the court went beyond recognizing the reasonable expectation of privacy in cell phone data. It also found Rogers and Telus to have a contractual obligation towards their customers to challenge and refuse to comply with a warrant manifestly unconstitutional, as was the case for the requested indiscriminate “tower dump” for the purpose of investigating a robbery. 

The decision shed new light on the exceptions to the prohibition to disclose personal information without consent. It was also a bittersweet victory for the private sector, as the court recognized not only the right of an organization not to comply with a warrant it judges unconstitutional, but also its contractual duty to do so. Here are some parameters that may assist in decision-making in the face of a request for cell phone location data in relation to fighting the spread of COVID-19: 

  1. Don’t just look for warrants. In R. v Spencer, in 2014, the Supreme Court of Canada (SCC) clarified that the exception of 7(3) (c.1) (ii) did not only apply to warrants, but more broadly “to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law.” An access request for cell phone data under public health legislation may be based on other lawful authority than a warrant.
  2. Assess “exigent circumstances.” In 2017, in R. v Paterson, the SCC provided guidance in assessing “exigent circumstances.” The SCC insisted that the circumstances must make obtaining a warrant “impracticable,” they must create a situation of “urgency,” and they must call for immediate action to preserve public safety.
  3. Request identification of lawful authority. Public health legislation creates exceptional powers for government, including those to access personal information for public safety, executed by peace officers. An organization must request identification of lawful authority to obtain the information and specification of the legal provision to be enforced before disclosing without consent.
  4. Notify the customer. Once the information is provided, if notifying the customer would not defeat the purpose of the information request, the right to privacy of the individual calls for notification to ensure transparency and accountability to the customer.
  5. Issue Transparency Reports. As a matter of accountability to customers and openness regarding the protection of personal information, organizations are encouraged to provide Transparency Reports stating how often, and in what circumstances, they provide information about their customers to government authorities. For more information on these reports, the Government of Canada has issued Transparency Reporting Guidelines.

Of course, seeking legal counsel minimizes risk of violating PIPEDA in these unprecedented times. For more information, please contact Chantal BernierKirsten Thompson, or another member of Dentons’ Privacy, Cybersecurity and Data Protection group.