Police requests for information in a data-heavy world have thrust Canada’s telecommunications companies into the front line in the battle for their customers’ privacy rights, an expensive venture that is setting new guidelines for authorities and for the phone companies themselves.
For corporate legal teams, it’s a delicate balancing act. Do they challenge a production order, angering police or other authorities, or do they hand over the information that the police are seeking, risking consumer annoyance and a damaged reputation, and perhaps opening the door to even broader requests further down the road? What is the impact of any decision on public relations and how will customers react?
“We’ve moved beyond mere compliance with the law to a deeper trust relationship with our customers about how we manage and protect their privacy,” says Pam Snively, chief data and trust officer at Telus Communications. “We’ve done this out of recognition that in this more complex, data-driven world, the decisions around data have become more complex and we have to be a lot more thoughtful about how we use data, how we don’t use data, how we secure data, as well as how much data we collect and disclose.”
Snively’s job is a new one for Telus, and she says it was created to reflect the firm’s commitment to customer privacy. “We keep the core privacy principles top of mind as we look at all requests from the police or other decisions that we need to make,” she says, while stressing that Telus also recognizes its legal obligations to co-operate with the police.
The issue came to a head earlier this year (January), when Telus and Rogers Communications won their joint legal challenge of a far-reaching Peel Police production order that could have forced them to hand over data from perhaps 50,000 cellphone customers, including names and addresses and possibly also credit card information (R. v Rogers Communications). The order, which was withdrawn after initial complaints from the two companies, formed part of a police investigation into a string of jewelry store robberies in Mississauga.
Describing the production order as “particularly broad and onerous,” Ontario Superior Court Justice John Sproat ruled that the police requests breached the Canadian Charter of Rights and Freedoms and he issued a set of guidelines on how police and the courts should handle requests of this type in future, based on a principle of minimal intrusion.
“We went to court because we wanted to ensure our customers’ privacy rights are protected and that there are ground rules for the scope of what law enforcement is able to request and access,” Rogers’ chief privacy officer David Watt said in a statement released after the ruling. “At Rogers, we will only share customer information with law enforcement when required by law, or in emergencies after careful consideration of the request. For us, this request did not meet the test and we’re glad the court agreed.”
For Timothy Banks, Canadian leader of the global privacy and cybersecurity practice at Dentons, the case highlights the crucial role that telecommunications companies play in protecting their customers against excessively broad production orders like this “tower dump” order, where police ask for large volumes of information from a series of cellphone towers.
“The vast majority of people whose data would be taken through these tower dumps . . . have not done anything wrong, and yet in a fundamental way, their charter rights are being engaged,” he says. “They will never know, there is no natural forum for them to complain. And so it is very important that organizations like, in this case, Rogers and Telus, stand up on behalf of their customers when they see an over-broad production order, because there is no one else who can naturally stand up and say ‘this actually goes too far’.”
Banks says the fifth of Justice Sproat’s seven guidelines, a recommendation that the telecommunications companies provide a focused report based on the data that police request rather than handing over raw data, could effectively co-opt companies into doing police work. But it does not make the initial data request any less intrusive, and he, like others, is sure that further requests for legal clarification will follow as police seek information and companies and individuals fret about intrusion on privacy rights.
“With the Internet of Things and with other devices . . . transmitting data in nearly real time, if not real time, there is going to be a treasure trove of data out there that will be able to track the whereabouts and movements of Canadian citizens generally, and if there is data that can be useful for law enforcement investigation, you can bet that Canadian law enforcement is going to eventually seek access to it,” Banks says. “That’s not necessarily a bad thing, but it does mean that private sector businesses are being put in the position of doing investigative work for the police.”
Scott Hutchison, of Henein Hutchison LLP, who led the case on behalf of Rogers and Telus, says the initial police request was particularly troubling because police knew that most of the information they were asking for would relate to innocent people. He says the judge’s guidelines help clarify the roles for police and courts and for the companies, who have contractual and statutory obligations to protect their customers’ privacy. “The police should ask for less, the justices of the peace should be careful to make sure that they don’t grant more than they are supposed to grant, and companies presented with these orders should scrutinize them and not simply shovel everything out of the door without any kind of consideration as to whether or not the order is properly made,” he says.
“In all of these things, these companies are trying to balance their obligations as good corporate citizens with their obligations to their customers, and, candidly, protecting their customers’ privacy is part of being a good corporate citizen,” he adds. “In-house counsel has to be ready to have in mind in advance some sense of how your company is calibrated with respect to those issues.”
Readiness to challenge an order could depend on the urgency of the request, and of the scale of the issue that police are investigating, but the police must be able to explain why they need all the information they are looking for.
But Banks notes that legal challenges can be costly, especially for smaller phone or Internet providers. ”In many cases, it is going to be cheaper and there will be less friction with law enforcement to simply hand over whatever is being requested,” he says. “It is important that organizations that receive these requests frequently . . . actually do stand up and ensure that privacy laws and charter rights are respected.
Because if not them, who?”