Corporate Activism In the Protection of Privacy
Just how far is business supposed to go in protecting privacy? In the United States, one can starkly see an example with Apple and the retrieval of encrypted iPhone data. But a recent Canadian case also shines a spotlight on the role of the private sector in proactively protecting privacy interests.
The decision is R v. Rogers. The police sometimes seek “tower dump” production orders – essentially orders for all mobile phone traffic through a specific cell tower for an identified period. The volume of records sought can be very high and involve personal information such as location; call duration and, sometimes, credit card information.
A cynic might suggest that Rogers and TELUS were serving their own corporate interests in trying to get out from under a practice of responding to broad and onerous production orders. The U.S. government is already arguing that Apple is more interesting in product protection and marketing than privacy. Whatever self-interest may be present, however, does not make the privacy point less compelling.
Production Orders are issued pursuant to s. 487.012(3) of the Criminal Code. For the issuance of such an order, a justice (or judge) has to be satisfied that an offence has been or is suspected to have been committed; the information provides evidence concerning the offence and the person to be subject to the order has custody or control of the information.
It is not surprising that Mr. Justice Sproat found a reasonable expectation of privacy in tower data. In following the Ontario Court of Appeal decision in R. v. Mahmood, he noted that there was a reduced expectation of privacy because the customer name and location information was far removed from being part of the “biographical core of personal information”, for example intimate details of an individual’s lifestyle and personal choices.
Rogers and TELUS proactively applied for a court order that concerned the privacy interests of their subscribers. And because it was the privacy interests of those subscribers, the Crown argued that Rogers and TELUS had no standing to claim any relief. Barring a subsequent appeal opinion on the matter, the argument that they didn’t have standing has been removed.
The court held that each subscriber has a reasonable expectation of privacy in the information sought and each subscriber has contracted with Rogers and TELUS for an assurance that the subscribers’ personal information was, within certain (not described) limits, to be confidential. The court noted that, as a practical matter, that no individual subscriber would have an interest in litigating these issues. Therefore:
“To my mind the choice is clear. Rogers and Telus have standing to assert the privacy interests of their subscribers and are contractually obligated to do so.”
If you will allow me to reverse the order of words — “contractually obligated…to assert the privacy interests of their subscribers”.
What I find intriguing are the implications of those words. Does this now mean that corporations now have a duty to proactively protect the privacy interests of their customers? If there is one, just what makes up that duty? And what if the customer’s privacy interests are adverse to those of the corporation? How would this affect the overall relationship between business and law enforcement agencies? Is an individual to look to the business to actively protect his/her privacy interests? And if the business doesn’t?
One might be tempted to think that Mr. Justice Sproat wanted to get at the issue of guidelines for seeking production orders and he wasn’t going to let legal technical issues get in his way. Because it offers justices/judges that guidance the decision is commendable. But just what this decision means for business in the long run may be a more significant result.
Time will tell if this one decision makes a precedent but it does open the door to some rather interesting arguments about the role of business in protecting the privacy interests of their customers.