Do you collect IP addresses? Here are three things you must do

In a landmark ruling, the Supreme Court of Canada in R. v. Bykovets, 2024 SCC 6, confirmed that Canadians’ IP addresses are private. The decision requires law enforcement to obtain a search warrant for access and sets a precedent with profound implications for privacy and data management.

In a recent blog post, MLT Aikins lawyers discussed the Supreme Court’s decision in R. v. Bykovets from a criminal law perspective. However, beyond the regulatory and criminal offense implications, this case has important privacy considerations, since it confirmed that Canadians have a reasonable expectation of privacy in their IP addresses. This decision impacts not only Canadian law enforcement, who now need prior judicial approval to request IP addresses, but also the organizations that collect and use IP addresses in their services.

The Supreme Court’s comments on privacy

In the majority decision, Justice Karakatsanis provided the following comments concerning the privacy of IP addresses:

  • An IP address is the critical link between an internet user and their online activity. It is the key for unlocking a user’s internet activity and, by extension, their identity. Therefore, an IP address warrants a reasonable expectation of privacy.
  • As the link that connects specific internet activity to a specific location, an IP address can reveal deeply personal information, even before law enforcement attempts to connect the address to the user’s identity. Furthermore, activity associated with the IP address can be correlated with other online activity tied to the same address.
  • Private corporations can volunteer detailed profiles of an individual’s internet activity over days, weeks or months. This information can eventually be traced back to a user’s identity. This can be a deeply intrusive invasion of privacy.

Key practical takeaways

One – For organizations that collect or use IP addresses, it is important to review privacy practices to confirm that they align with the privacy principles (for example, collect only what you need, confirm that appropriate consent or an exemption is in place, disclose and retain information only as necessary for the purpose for which it was collected and protect information with appropriate safeguards).

Two – Review policies and communications to ensure that IP information is treated as personal information when it is collected, used or disclosed, and that appropriate communications are provided to users.

Three – Review each request for IP information on a case-by-case basis to confirm that your organization has the appropriate authority to share this information and then share the minimal amount of information possible with appropriate safeguards and documentation in place.

Our Privacy, Data Protection & Cybersecurity group has the practical experience to assist your organization in all aspects of privacy planning. Whether you need assistance in drafting agreements that protect your customers’ privacy interests, responding to requests to disclose personal information or navigating new privacy laws, our privacy team is here to assist. Contact us to learn more.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.