Jul 3, 2020

Notices to Produce under CASL: what about third parties?

3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103 (CanLII)

Ample commentary has discussed the Federal Court of Appeal’s finding, in 3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103, that Canada’s anti-spam legislation creates a constitutionally-valid regulatory scheme:

  • for interprovincial electronic commerce,
  • that is neither criminal nor penal in nature,
  • under which documents can readily be compelled, as opposed to more intrusive physical searches of premises,
  • falling within a reasonable range of options for curtailing commercial speech so as to maintain confidence in using electronic communications for commercial activities.

This commentary focuses on the third of those four propositions -- the testing, against section 8 of the Charter (unreasonable search and seizure), of CASL’s scheme for the Canadian Radio-television and Telecommunications Commission’s issuance of “notices to produce” in respect of what the case called “records and documents produced in the ordinary course of a business’s regulated activities”.

A. Holding of the Federal Court of Appeal

The Federal Court of Appeal held, in 2020 FCA 103, that notices to produce merely “attract a diminished expectation of privacy”. In particular, the Court relied on the pre-PIPEDA, although not pre-Privacy-Act, Thomson Newspapers Ltd. v. Canada (Director of Investigation and Research, Restrictive Trade Practices Commission) (1990) to find that only “limited privacy interests … can be said to reside in the records and documents that can be lawfully demanded”, the principal hurdle being the low bar that “[t]he material sought must be relevant to the inquiry in progress.”

The Thomson (1990) setting, and the more recent R. v. Jarvis decision which the Federal Court of Appeal cited as further authority on the same point, relate to what the Supreme Court referred to in Jarvis as “records and documents that he or she produces during the ordinary course of regulated activities”. These might include, for instance, “a taxpayer’s privacy interest in records that may be relevant to the filing of his or her tax return”.

But what happens when the records and documents in question are not those that a business has merely produced itself but, rather, are personal information collected from a third party, and for wholly different purposes? Shouldn't the bar be higher in this setting, in order to contend with the different privacy interests engaged in the kind of setting which civil courts, for instance, consider requires the exercise of equitable jurisdiction under the Norwich order framework?

B. Holding of the CRTC

A 2020 CRTC decision issued on the heels of the FCA's own, broader decision sheds some light on the matter -- and, not for the first time, answers that question in the negative.

The CRTC decision disposed of Hydro-Québec’s application, under a mechanism set out in CASL, to review a “notice to produce” ordering Hydro-Québec to produce personal information associated with 10 service addresses. Compliance and Enforcement Decision CRTC 2020-196 echoes a similar 2016 letter decision in RBC’s appeal of a third-party notice to produce, interpreting the CRTC’s CASL information-gathering authority largely in terms of whether the information compelled by the notice “may aid”, “could … help”, or “can be of assistance” in an investigation.

Placed alongside the 2016 RBC decision and a controversial 2018 information bulletin on indirect liability for intermediaries like telcos, ISPs, Web hosts, and payment processors, the decision firmly answers the questions posed above in the negative. In doing so it contributes to a growing Commission body of guidance on how it will address the role of intermediaries, including common carriers, under CASL.

C. Some Context

From the mid-1980s through to about a decade ago, the CRTC’s activities regulating unsolicited communications were mostly about phone calls and faxes. That changed in 2010, when CASL added “commercial electronic messages” and uninvited computer programs to the CRTC’s unsolicited communications portfolio. The Commission promulgated regulations and two sets of guidelines in 2012; began enforcement with CASL’s 2014 coming-into-force; and has since issued two more sets of guidelines; six formal decisions; 16 published notices of violations, undertakings and citations; and, at last check, nearly $1.3 million in fines.

The CRTC’s enforcement activity in this area is underwritten by information gathered using orders called “notices to produce”. CASL lets the CRTC issue these production notices, which may include personal information, for three purposes: to verify compliance; to identify a contravention; or to assist a foreign counterpart’s investigation of a similar contravention. (The international component is grounded by international agreements between the CRTC and its Five Eyes counterparts in the U.S., U.K., Australia, and New Zealand, as well as Japan.)

Someone receiving a notice to produce but who takes issue with its scope can apply for it to be reviewed. CASL unites within the CRTC the authority to issue these notices, enforce them, and decide on first-order applications to review them. An application to review must show that the production notice is unreasonable in the circumstances, requires disclosure of privileged information like legal advice, or lacks protections to prevent disclosure. The CRTC, in turn, typically includes little information in its notices as to the nature of the investigation.

That makes it hard to know what the circumstances are that would make a production notice “unreasonable”. CED 2020-196 reflects this difficulty. It finds that “Hydro-Québec’s representations on this issue reveal a potential misunderstanding … of the circumstances of the issuance of the NTP”, because they “appear to assume” that the notice to produce pertained to the behaviour of the Hydro-Québec ratepayers living at the 10 addresses the CRTC listed, whereas the information could also, for instance, help to “identify new addresses not yet known to Commission enforcement staff where … evidence may be found.”

D. Intermediary Responsibility

Recent years have seen an increasing emphasis – especially when intermediaries are involved – on designing enforcement in ways that meet at least the 1980 OECD Fair Information Practices Principles (FIPPs), like “limiting collection”, embedded into most privacy laws. Telcos have begun to publish transparency reports providing insight into what personal information they have been compelled to disclose, and law enforcement guides identifying under what conditions they will do so and will tell affected parties about it. In the civil setting, courts receiving applications for “Norwich orders”, which compel an innocent third party to provide information about a potential defendant, have applied a careful test, including whether the third party is the only practicable source of that information. In the more stringent criminal setting, the Supreme Court established, in its landmark 2014 Spencer decision, that personal information gathered from a telco not lawfully compelled to provide it may not be admissible where, for instance, the telco’s terms of service protect that information. In the same vein, telcos stewarding this kind of information have taken active steps to challenge orders that are over-broad, as Rogers and TELUS did in the tower dump case.

The CRTC’s production notice authority in respect of third parties under CASL is not subject to Norwich Order tests. It does not, as the Hydro-Québec decision underlines, engage criminal law. No explicit balancing test calling out privacy rights is written into CASL’s broad notice to produce authority. Neither the CRTC Act establishing the CRTC, nor CASL delegating this authority to the CRTC, requires the CRTC to exercise these powers in a manner that pursues the objective of “contribut[ing] to the protection of the privacy of persons”, as the Telecommunications Act does (and as the Yale Report recommended the Broadcasting Act do).

Intermediaries regarding themselves as having responsibilities stewarding the personal information of their customers have suggested the CRTC ought to exercise its discretion under CASL in ways that align with larger trends. The Commission’s 2016 letter decision gave little weight to RBC’s Norwich-like argument that “the [Notice to Produce] is overbroad and places a disproportionate burden on RBC, since information could be more appropriately obtained directly from the numbered company”. Nor was the Commission moved by RBC’s related argument that the Privacy Act requires it to limit the collection of personal information to what is related directly to an operating program or activity – as opposed, presumably, to information that “could be” useful.

CED 2020-196 confirms this approach. It did not consider whether the information could be more appropriately obtained directly from other parties. It did not consider whether reading section 17 of CASL in conjunction with section 4 of the Privacy Act underscores its responsibility to limit collection in ways that are narrower than Thomson (1990)’s “relevant to the inquiry in progress” standard. Perhaps most importantly, it did not consider whether the breadth of its scope to compel this information was narrowed by the setting in which the CRTC was applying these section 17 powers, i.e. to a third party.

E. Next Steps

The regulatory authority that CASL establishes in respect of both commercial electronic messages and uninvited computer programs plays an important role in safeguarding a safe, secure communications environment. The rapid increase in the CRTC’s issuance under CASL of notices to produce, which the Commission’s own semi-annual transparency reports show have risen from 18 to 57 to 71 to 131 over the last four reporting periods, is surely the result of an increased focus on complex, large-scale, cybersecurity-compromising activity.

In other domains the industry has been well-served by consulting widely on establishing guidance. Establishing a record that canvasses a broad set of views has helped the CRTC take both specialized expertise and a range of potential circumstances into account -- and helped regulated parties have confidence and increased predictability in the manner in which they are regulated. Absent legislative reform, CASL ties the Commission’s hands somewhat in being able to hear third-party representations on reviews of specific notices to produce within the unsolicited communications sector, as the Commission might in hearing an application in the telecom or broadcasting sectors. However, it is difficult to imagine that the Commission could not do so in respect of broader guidance. Particularly in view of the impact of the subject matter of Compliance and Enforcement Information Bulletin CRTC 2018-415 on intermediaries, including telecommunications service providers acting as common carriers, it is surprising that it was issued without such consultation, and that the Commission has not sought to consult on its approach to intermediaries more broadly.

The CRTC is an agency charged with overseeing sectors whose privacy responsibilities continue to grow in importance. Efforts to embed these responsibilities alongside safety and security, in designing and marketing services to the public in the specialized communications sectors, are proceeding apace. That context creates a powerful incentive for the CRTC to make use of the tools available to it to continue to review and codify its approach to intermediary liability and responsibility. For instance, consulting more broadly on the possibility of structuring the discretion the Commission exercises in these matters would allow stakeholders like the Office of the Privacy Commissioner to provide broad guidance, as it has usefully done in past proceedings. In the same way, breaking out its semi-annual reporting figures, on notices to inform, into first- and third-party figures, would provide for enhanced monitoring of one aspect of this topic.

The CRTC’s approach to its unsolicited communications responsibilities has tended to diverge from that taken to its telecommunications and broadcast responsibilities, starting with a focus on “compliance and enforcement” as the broad heading for such activities. The decision in CED 2020-196 is consistent with that divergence. Perhaps, in some matters, the Commission might find that embracing convergence is the better approach.