Supreme Court broadens cyber-privacy to include IP addresses: 5 business takeaways from Bykovets

March 13th, 2024

Mere hours after it was issued on March 1, 2024, the Supreme Court of Canada’s decision in Bykovets was already making the rounds in the dailies and on social media, leaving no doubt that Internet privacy remains a hot topic. In a 5-4 majority decision, the Court ruled that requiring businesses to voluntarily disclose IP addresses without a production order, in the context of criminal and penal investigations, is a violation of the constitutional protection from unreasonable search and seizure under section 8 of the Canadian Charter of Rights and Freedoms.

The majority makes a compelling case: an IP address (i.e., the unique identifier assigned to each and every Internet-connected device) is the gateway to cyber-privacy. The issue isn’t the IP address’s numerical label per se, but rather the private data it can reveal about a user’s “cybernetic peregrinations” (para 69). The ruling is unequivocal: users’ right to “informational privacy” on the Internet is still very much alive even though the Internet “has exponentially increased both the quality and quantity of information stored about Internet users” (para 73).

There are 5 key points for businesses to remember:

  1. Bykovets is the Supreme Court’s umpteenth reminder that authorities must use their compulsory powers when collecting private personal information from businesses. For administrative audits, this normally takes the form of a letter (e.g., a requirement or subpoena) invoking the regulator’s administrative authority to compel disclosure of specific, regulation-related information. In criminal or penal investigations, this can be a judicial authorization (e.g., production order or search warrant) from a justice of the peace, in a form prescribed by the Criminal Code or penal legislation. The Court notes that “the burden imposed on the state [by forcing it to obtain prior judicial authorization in criminal or penal investigations] pales compared to the substantial privacy concerns implicated in this case”, especially given that such authorizations are quick and easy to obtain “in the age of telewarrants and around-the-clock access to justices of the peace” (para 86).
  2. The judgment considers, without naming it explicitly, the mosaic effect—where seemingly innocuous information, “correlated with other online information associated with that IP address”, can “reveal highly private information” or “a range of highly personal online activity” (para 9). In the majority opinion, “[t]he ubiquity of the Internet means we must increasingly consider ‘the ways in which different data sets in combination with other data sets affect privacy rights’” (para 74). The ruling encourages both authorities and corporations to avoid a “piecemeal” (para 6) approach to analyzing the privacy of personal information by looking beyond the information itself and considering “any inferences about associations and activities that can be drawn from that information” (para 38).
  3. Bykovets is particularly relevant for businesses operating in Quebec, as well as their directors and officers. The judgment refers to businesses as “third-party mediators […] that are not themselves subject to the [Canadian] Charter” (para 10). However, Bykovets stems from Alberta, where the abusive search prohibition in s. 8 of the Canadian Charter applies only to the state. The Quebec Charter of Human Rights and Freedoms, meanwhile, grants businesses rights and even obligations. One might reasonably ask if Quebec businesses would be more than “third-party mediators”, and if they in fact have a constitutional duty not to participate in abusive searches and seizures by the state.
  4. After Bykovets, it seems even less likely that private-sector privacy laws would allow for the voluntary exchange of private information with authorities that could reveal—on its own, by inference or by pairing it with other data—personal or intimate information, except perhaps when reporting offences. And even then, it’s still good practice to limit the information to what is strictly necessary for the authorities to start their investigation. Businesses should always take a cautious approach. If there is any doubt, they should require the authorities to produce a compulsory request or order before communicating any personal information.
  5. While Bykovets is front and centre, businesses would be well advised to:
    a) sensitize their employees about the importance of routing any type of information request, formal or informal, to those responsible for their organization’s compliance with privacy and personal information protection legislation;
    b) review and update internal privacy policies; and
    c) update training for employees assigned to the management of dawn raids and information requests from authorities.

We would be happy to talk to you about how Bykovets can impact your business. Our white-collar crime and privacy experts have represented and advised businesses on complex electronic information requests and dawn raids.