Canada’s highest court issued its strongest statement in support of privacy and the Internet on June 13, in R v Spencer, 2014 SCC 43. In doing so, the court recognized that individuals may have an interest in anonymity on the Internet that should be taken into account in determining whether law enforcement should have warrantless access to subscriber information associated with Internet Protocol (IP) addresses. The court also ended debate regarding a provision in Canada’s federal private sector privacy legislation that organizations and law enforcement commonly relied on to obtain pre-warrant information.

Organizations in Canada must now rethink how they handle police requests for personal information of customers and employees. Organizations must consider whether there is a reasonable expectation of privacy in the information requested, whether there are exigent circumstances and whether there are other laws that might require or authorize disclosure. If there is a reasonable expectation of privacy, police should obtain a production order or warrant unless there are exigent circumstances or another law requires or authorizes the disclosure.

Search and Seizure

In Canada, section 8 of the Charter of Rights and Freedoms protects individuals against unreasonable search and seizure. A warrantless search and seizure in circumstances where an individual has a reasonable expectation of privacy is a violation of the Charter. The mere fact that information is held by a third party does not mean that the person to whom the information relates has no expectation of privacy in that information (see: R v Ward, 2012 ONCA 660 at para. 77).

In order to determine whether an individual has a reasonable expectation of privacy, it is necessary to determine the subject matter of the search. A person will have an expectation of privacy if the search was of core biographical data revealing intimate and private information. In the case of R v Spencer, the court had to decide whether the subscriber information was simply generic subscriber information or whether it touched the biographical core of Mr. Spencer. The court then had to determine whether the expectation of privacy in the subscriber data was objectively reasonable.

It Isn’t “Just” Subscriber Information

When considering the subject matter of the search, the court concluded that it must take into account more than just the narrow information that is collected, in this case, the subscriber information. The court must consider “the tendency of [the] information sought to support inferences in relation to other personal information” when characterizing the subject matter of the search (R v Spencer, para. 31).

Viewed from that angle, the court held that subscriber information isn’t just a name and address of someone in a contractual relationship with the Internet Service Provider (ISP). Narrowly defining the subject matter of the search obfuscated the significance of that information. The subscriber information was capable of revealing a great deal about an individual’s online activities when connected with the IP address (at para. 32). Therefore, the court accepted that the search indirectly involved information that touched on broader informational interests of Mr. Spencer.

A Privacy Interest in Anonymity

The court then analyzed the privacy interest that was at stake in relation to this information to determine whether it was worthy of protection under the Charter. The court affirmed that the nature of a privacy interest does not depend on whether privacy shelters a legitimate activity (R v Spencer, para. 36).  

In this case, the issue was informational privacy. In analyzing the content of the right to informational privacy, the Supreme Court identified three conceptually distinct but overlapping concepts of informational privacy: privacy as secrecy, privacy as control and privacy as anonymity (R v Spencer, para. 38).

The court concluded that the conception of privacy as anonymity is protected from unreasonable state search and seizure under section 8 of Canada’s Charter of Rights and Freedoms. In one of the key passages of the decision, the court held: “Internet users do not expect their online anonymity to cease when they access the Internet outside their homes, via smartphones, or portable devices” (R v Spencer, para. 37). The court was careful to say that the recognition that informational privacy includes an interest in anonymity does not mean that there is a right to anonymity (at para. 49). Rather, the court recognized that there may be a value in practical anonymity when using the Internet. The court noted that individuals leave a rich digital trail of their activities on the Internet and that the maintenance of anonymity is one way to exercise informational privacy (R v Spencer, para. 46):

[46] [...]  the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns. “Cookies” may be used to track consumer habits and may provide information about the options selected within a website, which web pages were visited before and after the visit to the host website and any other personal information provided: [...] . The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous — by guarding the link between the information and the identity of the person to whom it relates — the user can in large measure be assured that the activity remains private: [...]

[47] In my view, the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. [...] subscriber information, by tending to link particular kinds of information to identifiable individuals, may implicate privacy interests relating not simply to the person’s name or address but to his or her identity as the source, possessor or user of that information.

The court concluded that the police request for subscriber information corresponding to anonymous Internet activity engages a high level of informational privacy (R v Spencer, para. 51).

Reasonable Expectation of Privacy

The fact that a person has a privacy interest does not necessarily mean that the person will have a reasonable expectation of privacy in the factual circumstances of the case. However, an objectively reasonable expectation of privacy is necessary in order to be protected under the Charter.

Although not always consistent, prevailing judicial opinion prior to R v Spencer appeared to suggest that an expectation of privacy in subscriber data was not reasonable given the ISP’s contractual terms of service, the ISP’s interests in ensuring its services were not used for criminal activity, the power of police to seek information from the ISP and particular terms of the Personal Information Protection and Electronic Documents Act (PIPEDA) regarding disclosure in response to “lawful access” requests.

In order to understand the issues, some background is required regarding how pre-warrant requests for information were handled in Canada until last Friday. In the absence of clear legislation or judicial guidance, ISPs had worked out a system of letters of request, in which a police officer would make a written request for limited subscriber information (see: R v Ward, para. 36). The trial judge in R v Ward, 2008 ONCJ 355, quoted a sample of such a letter:

I, Constable [...] of the National Child Exploitation Coordination Centre, am a law enforcement officer with the Royal Canadian Mounted Police. I am conducting an investigation in relation to child sexual exploitation offences under the Criminal Code and I am requesting account information pursuant only to that investigation.

I request this disclosure in accordance with s. 7(3)(c.1) of the Personal Information Protection Electronic Documents Act.  My authority to request and obtain this information derives from the Royal Canadian Mounted Police Act and the Royal Canadian Mounted Police Regulations as well as common law.

I am requesting the last known customer name and address of the account holder associated with IP address [number] used [date and time].

Should you agree to this request, please provide the information in the section below and reply via e-mail to [...].

This form of letter was created to address the exception in clause 7(3)(c.1)(ii) of PIPEDA, which provides that personal information may be disclosed by an organization to police without the knowledge or consent of the individual if (a) a police officer makes a request for the information, (b) the police officer identifies his or her lawful authority to make the request and (c) the disclosure is requested for the purposes of, among other things, carrying out an investigation relating to the enforcement of a law:

7(3) [...] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

Although there were inconsistent judicial decisions, until the Supreme Court’s pronouncement, it appeared that the majority of cases tended to the view that an Internet user’s expectation of privacy in subscriber information was not reasonable.

For example, in R v Spencer, 2011 SKCA 144, the majority of the Saskatchewan Court of Appeal concluded that the search was not unreasonable. The ISP’s terms of service, the powers of the police to request information from third parties, and the provisions of PIPEDA all undermined any reasonable expectation of privacy. In particular, the majority of the court held (at para. 41 and note 2, per Caldwell JA and para. 99 per Cameron JA) that there was common law lawful authority to ask organizations to divulge information in the course of an investigation and specific authority under section 487.014 of the Criminal Code, which states:

487.014 no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

Furthermore, the majority of the Saskatchewan Court of Appeal concluded that the purpose of clause 7(3)(c.1)(ii) of PIPEDA was to permit an organization to disclose information in response to a police request and that this is a factor that is relevant to considering whether there is a reasonable expectation of privacy in information held by a third party (R v Spencer, para. 41 per Caldwell JA).

Other courts, such as the Ontario Court of Appeal in its decision in R v Ward, cited earlier, have taken a more restrictive approach but ultimately arrived at similar conclusions. In R v Ward, the court concluded that police officers have the authority to make requests of organizations to provide information and organizations have the right to respond voluntarily. The court held that a reasonable expectation of privacy in subscriber information must take into account the ISP’s “legitimate interests in voluntarily disclosing that information to the police when that disclosure would assist in an investigation of the alleged criminal misuse of [the ISP’s] services, assuming the disclosure was not prohibited and would not violate any laws or the terms of applicable customer agreement” (R v Ward, para. 50).

Lawful Authority Does Not Mean the Power to Investigate

The Supreme Court corrected the logical fallacies of earlier decisions. The court accepted that the ISP’s terms of service and PIPEDA were relevant to the analysis but concluded that they did not affect the analysis in the way previous courts had suggested. The ISP could only disclose information (irrespective of its terms of service) if it were lawful to do so. In examining paragraph 7(3)(c.1) of PIPEDA, the court unanimously rejected the proposition that this provision could diminish an otherwise reasonable expectation of privacy. In particular, the court rejected the idea that PIPEDA permits an organization to respond to a police request that would otherwise violate an individual’s reasonable expectation of privacy.

Although clause 7(3)(c.1)(ii) of PIPEDA permits an organization to disclose personal information in response to a police request where the police officer has identified his or her lawful authority, the reference to “lawful authority” did not mean merely the power of a police officer to investigate a crime. “Lawful authority” may include “the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy” (R v Spencer, para. 71). The court observed that the concept may also “refer to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law” (at para. 71). However, a police officer has no “lawful authority” to conduct a search for which a warrant is required. Therefore, clause 7(3)(c.1)(ii) will not apply if there is a reasonable expectation of privacy in the personal information held by the organization. In those cases, the organization must ask the police to obtain a production order or warrant.

Given that neither the ISP terms of service, nor PIPEDA, diminished Spencer’s reasonable expectation of privacy, the court concluded that Spencer’s rights had been infringed by the police obtaining disclosure of the subscriber information. Notwithstanding the Charter breach, however, the evidence was not excluded, as the court concluded that excluding it would bring the administration of justice into disrepute. The police had acted in good faith at a time when the law was not clear and the crimes were extremely serious.


This unanimous decision of the Supreme Court demonstrates that the court is developing a rich understanding of how technical data associated with an individual, such as an IP address, can ultimately be used to reveal significant biographical information about that individual. The court’s approach sets the stage for consideration of other data such as metadata in communications over the Internet.

Furthermore, even though the case involved access to subscriber records based on an IP address, the court’s ruling has broad implications for any organization that receives a police request for information that is not accompanied by a production order or warrant. Whether Parliament may attempt to intervene is uncertain.

Written By

Timothy M. Banks, CIPM, CIPP/C

