The Changing Landscape of Privacy in the Digital Age: Supreme Court Rules Canadians’ IP Addresses Attract a Reasonable Expectation of Privacy

On March 1, 2024, the Supreme Court of Canada (SCC) issued its 5-4 decision in R. v. Bykovets (2024 SCC 6), ruling that IP addresses attract a reasonable expectation of privacy. While this is a Charter case that discusses whether section 8 was triggered in a criminal prosecution context, the Court's ruling highlights the critical role that private third parties play in the dissemination of information in the digital age. The decision effectively curbs the information that can be disseminated by third parties without a court order.

What does this decision mean for the private sector? The SCC provides guidance for technology and privacy lawyers who counsel private sector organizations (such as internet service providers, search engine companies, GenAI providers, retailers, advertising companies and other internet intermediaries like payment processors PayPal and Moneris) who are regularly requested by law enforcement authorities to disclose information about the cyber activities of their users and clients. Private sector organizations who collect internet users' information should approach the disclosure of internet users' information with caution—even when that information does not directly identify an individual. Private sector organizations should develop internal policies and procedures for responding to such requests before sharing IP addresses with law enforcement or other governmental authorities.

What is an IP address?

An IP address is a unique identification number which identifies internet activity and enables the transfer of information from one source to another. An IP address identifies the source of online activity and connects that activity to a specific location and internet user. This allows an internet service provider (ISP) to track a subscriber's information via an IP address.

Facts of the case

In September of 2017, the Calgary Police Service (CPS) launched an investigation relating to the online purchase of virtual gift cards using fraudulent credit card information. Payments for the gift cards were being processed by Moneris, a third-party payment processing company.
CPS contacted Moneris and requested the IP addresses associated with the purchases, which Moneris voluntarily provided. CPS then used a public website to determine the ISP of the IP addresses and applied to the court for an order requiring the ISP to provide the subscriber information – the name and address of the customer – associated with the IP addresses.

CPS used the subscriber information to obtain search warrants for two residences associated with the IP addresses. CPS found evidence related to fraud during the search. Mr. Bykovets (the Appellant) was arrested and ultimately convicted of 14 offences related to the possession and use of third parties' credit cards and personal identification documents, as well as the possession and storage of firearms. Before trial, the Appellant alleged that CPS's request to Moneris violated the Appellant's right against unreasonable search and seizure under section 8 of the Charter.

Lower court decisions

The trial judge held that CPS's request to Moneris was not a search under section 8 of the Charter, based on the trial judge's finding that the Appellant did not have a reasonable expectation of privacy in his IP address. The trial judge found that the Appellant’s expectation of privacy in his IP address was not reasonable because it did not disclose a "biographical core of personal information" without access to a third-party website.

The majority of the Alberta Court of Appeal dismissed the appeal on similar grounds. Justice Veldhuis dissented, stating that the trial judge did not consider a normative approach in their decision. Justice Veldhuis found that the subject matter of the search was not the IP address. Instead, the subject matter was the identity of the internet user that the IP address is linked to.

Summary of the SCC decision

Writing for the majority, Justice Karakatsanis stated that privacy considerations must be viewed in the context of the "new social, political and historical realities". She considered, for example, how the Internet has changed the "…human experience from physical spaces to the cyberspace" and has taken over as the dominant public forum of society. The SCC found that a broad, functional view of the subject matter of a search is therefore required.
Throughout the decision, the majority emphasized how an IP address can reveal deeply personal information about an internet user that an IP address is linked to. Notably, the majority found that the reasonable expectation of privacy analysis could not be limited to the privacy interests affected by what an IP address can reveal on its own. Instead, there must be consideration of what the IP address can reveal in combination with other available information, including the information held by third parties.

The majority correspondingly highlighted how Canadian courts have found heightened privacy interests in personal computer data flowing from the data's potential to expose "deeply revealing information". Using this context as a steppingstone, the majority assessed how IP addresses can be viewed in a similar way. In this case, the activity was a series of financial transactions through Moneris as the online intermediary. When linked to financial intermediaries such as Moneris or Paypal, an IP address can reveal all of a user’s transactions over the period that an IP address was assigned to them. These purchases can provide information about where a user eats, the places they go, their hobbies and other intimate biographical information, ultimately touching directly on the intimate details of the lifestyle and personal choices of a user. Obtaining such information without a court order was found to be an unacceptable intrusion into an individual's personal information, particularly given the importance of online anonymity.

The SCC also determined that the Alberta Court of Appeal decision adopted a narrow description of the subject matter of the search. A search under section 8 of the Charter occurs when the state invades a reasonable expectation of privacy. An expectation of privacy is reasonable where the public’s interest in being "left alone" by the state outweighs the state’s interest of intrusion on the privacy to advance its goals. The majority held that CPS was not interested in the IP address in and of itself, as it is simply a string of numbers. What CPS actually needed was the information that the IP address revealed about the user; specifically, their online activity and their identity. This information allowed CPS to draw direct inferences about the user behind the fraudulent internet activity.

Key takeaways

Although third parties (like Moneris in this case) are not themselves subject to section 8 of the Charter, the majority emphasized the critical role that private third parties play in the dissemination of personal information. The SCC went as far as to refer to private parties as "third parties to the constitutional ecosystem, and mediators to the relationship between an accused and law enforcement", which is directly governed by the Charter. When combined with an IP address, the information held by a third party is viewed as having the potential to expose deeply revealing information about a user at the discretion of the third party. The SCC found that this is an "informational power" that should not be left with private third parties to disseminate.

This decision largely curbs the discretion that private third parties previously had to provide a user's information to law enforcement. While third parties do not face any restrictions as to the information they can collect from users because of this decision, law enforcement can no longer legally request user information associated with an IP address without a court order. Third parties may not need to comply with requests for this type of information from law enforcement and should exercise caution when faced with such a request. Legal counsel should be consulted if a private third party is asked to disclose user information to avoid the risk of improperly disclosing personal information.

Private sector participants should also note that the approach adopted by the SCC differs in comparison to the approach taken in the United States. In the United States, the "third-party" doctrine negates a reasonable expectation of privacy if information is possessed or known by third parties. This approach was rejected by the SCC in 1988 in R. v. Dyment, [1988] 2 SCR 417. The majority again held that the approach taken in the United States does not apply, instead emphasizing the role of the Internet in the "new public square" and finding that "Canadians are not required to become digital recluses in order to maintain some semblance of privacy in their lives". As such, third parties with operations in the United States should note that the legal landscape surrounding the disclosure of user information to law enforcement varies substantially.

BD&P's team of experienced lawyers is here to assist you in navigating the legal landscape of technology.