Supreme Court of Canada rules access to IP addresses protected by the Charter
March 8, 2024
The Supreme Court of Canada ruled, in a 5-4 decision, that law enforcement must have a warrant to obtain an IP address. [1] While this case was decided in the context of criminal law and the Charter, it is important to understand the implications for private businesses that collect IP address information.
Background on the case and ruling
The court's decision stemmed from a criminal case involving a man in Alberta who was convicted of numerous fraud offences for online purchases he made with stolen credit cards at a liquor store. Calgary Police — investigating the alleged crime — contacted the liquor store's third-party payment processing company, Moneris. The police asked for the IP address associated with the purchases without providing a court order or warrant, which Moneris gave.
Calgary Police then went to the internet service provider with a court order to get the name and address associated with the IP address. [2] Police used this information to identify and search the man's residence. They subsequently charged him with the related offences.
The Supreme Court's majority decision concluded that the request to Moneris by Calgary Police for the man's IP address constituted a search within the meaning of section 8 of the Charter. This meant that a judicial authorization was required by the police to get his IP address from Moneris.
The court reasoned that an individual's privacy interests cannot be limited to what the IP address can reveal on its own, but rather must be considered in the context of what it can reveal in combination with other available information, particularly from other third parties. It further added that if the Charter was “to meaningfully protect the online privacy of Canadians in today's overwhelmingly digital world, it must protect their IP addresses”. [3] An IP address is the crucial link between an Internet user and their online activity and “it is the key to unlocking a user's Internet activity and, ultimately, their identity, such that it attracts a reasonable expectation of privacy”. [4]
What does this mean for private organizations and businesses?
Prior to this decision, IP addresses were not explicitly considered personal information under PIPEDA. An IP address “could be considered personal information if it can be associated with an identifiable individual”. [5] As such, the context of why and how a business collects IP addresses is important.
For instance, if an App developer collects an IP address from a bug report, but nothing else that can be used to identify the individual, then it is likely not considered personal information. However, if a website automatically collects IP addresses combined with other data such as the page or pages visited, dates and times, etc. to create a profile of an individual, than that could be considered personal information.
It is important to note that this Supreme Court decision is not saying that an IP address is always personal information, as the court opined a reasonable expectation of privacy only exists as it relates to the search and seizure provisions of the Charter. The Charter does not apply to private businesses. Nevertheless there are still spillover implications that private organizations should be aware of.
We must acknowledge the complex role that private organizations now play when police investigate crimes in the digital landscape. The court states that the internet “has fundamentally altered the topography of informational privacy under the Charter by introducing third party mediators between the individual and the state". [6] Private organizations are often met with requests for internet-related information from authorities. This latest decision supports the view that it would be prudent for organizations to withhold IP information and treat it as personal information unless it is accompanied with a valid court order. [7]
Looking beyond, the ruling makes it clear that a reasonable expectation of privacy may even go beyond IP addresses and to other “digital breadcrumbs” such as user profiles, location and network data, shopping histories, etc. This could possibly even apply to anonymized information. Any digital information, when combined with other available information, which could reveal personal information may also be subject to Charter protection. Therefore, this latest ruling could also be interpreted to mean any type of internet-related information could be personal information.
[1] R. v. Bykovets, 2024 SCC 6
[2] See R. v. Spencer, 2014 SCC 43, a request for internet subscriber
information from an ISP must be accompanied by judicial authorization.
[3] See note 1 at para 28
[4] See note 1 at para 28
[5] Office of the Privacy Commissioner of Canada -
Interpretation Bulletin: Personal Information, Oct. 2013
[6] Supra note 1 at para 10
[7] Under s.7(3)(c) of PIPEDA, disclosure of personal information without consent
is permitted where there is a subpoena or warrant issued or an order made by a court.