Industry Committee on April 17th, 2024

I certainly can't speak for the Privacy Commissioner, but as I read his submission on Bill C‑11, which was quoted earlier in the session, it is a test that has an “or” in it, so already it's not a cumulative test. I think the paragraph at the beginning does say “clarity is also required with respect to the impact of...R v. Spencer”.

There are two points there. One, they're asking for R. v. Spencer to be codified. Two, the three things that the Privacy Commissioner lists do have an “or” in them. To me, that's indicative that they're not cumulative, so I think the intent was to codify the Spencer decision, and that is what the motion proposes.

The way the GDPR works is a little bit different. There are six bases for processing data, consent being one of them. Legitimate interest is another, and lawful authority as well. I would assume that lawful authority would be defined nationally because, of course, the GDPR applies to all European member states and they would have their own jurisprudence and legislation that define lawful authority. I can't really speak to that.

This is something that's very specific to the Canadian law enforcement and criminal law context. I think a better reference would be the Supreme Court of Canada.

The way Spencer has been used is that it is the test that any disclosure from a private entity to law enforcement is subject to. Therefore, every organization right now, when they get a request from law enforcement, will look at these Spencer criteria to decide whether or not they will disclose. Again, it's permissive. It does not compel disclosure like a warrant would, for example. This is really the organization making the determination based on the three criteria in Spencer. It would apply to all information. Again, the criteria are “exigent”, “reasonable law” and “reasonable expectation of privacy”.

Therefore, if you're talking about very sensitive health data or genetic information, I think it would be hard to argue that. Unless it's exigent—something's going to explode—or there is a reasonable law that authorizes it specifically, it would be really hard to meet the third criterion, which is that it doesn't attract a reasonable expectation of privacy. It is quite a high bar to meet for lots of those types of information.

The only difference is in the third branch of the test. The Privacy Commissioner uses the words “prescribed circumstances where personal information would not attract a reasonable expectation of privacy”.

I don't have the motion in front of me, but I think it says “pursuant to common law authority”, which is the wording that's used in paragraph 71 of the Spencer decision. In this circumstance, I think that putting “prescribed” in CPPA would probably lead to more confusion because when we say “prescribed”, we typically mean regulation.

Again, assuming that the Privacy Commissioner wants Spencer codified, that's not what Spencer says. Spencer says “common law authority”; those are obviously authorities that are prescribed by the court, not through regulation.

What I'm going to do is take Spencer, because Supreme Court justices are smarter than I am.

What Spencer says is that common-law authority is the “authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy.”

Roughly.

There isn't a definition of “exigent circumstances” that I can see.

Yes.

The Supreme Court has defined “a reasonable law” as a law that balances a state purpose—whatever the purpose of that act may be—with the interest of privacy.