What Cole says:
The Supreme Court of Canada’s decision in R. v. Cole addresses personal privacy rights in a computer. For the first time, the Court recognized that citizens can have a reasonable expectation of privacy on work-issued devices. For the first time, it stated that Internet use and web browsing history is “protected private information” even when that information is stored on a employer-issued computer. When an individual reasonably uses an Internet-connected device for personal purposes, the device is assumed to contain “extremely personal information” over which the user has a valid privacy interest.
Employers cannot eliminate this privacy interest simply by enacting policies declaring information on the device to be their property. An employer who discovers evidence of criminal activity on a work-issued device can tell the police what they found. They can turn the device over to the police for safekeeping if there is a concern about the potential loss of evidence. The employer cannot consent to a police search of the device.
What Cole does not say:
Cole does not establish that employees always have a protected privacy interest in personal information on employer-owned devices. The key is “reasonableness.” Whether personal information attracts a reasonable expectation of privacy depends on the facts of the case. An individual cannot claim a privacy interest in information that she could not have reasonably expected to keep private. Use of a shared device, or an organization’s express prohibition on personal use, for example, are factors to be considered in determining the scope of an individual’s reasonable expectation of privacy.
Although the Supreme Court admitted the evidence seized by the police from the computer, Cole does not establish that warrantless examination of work-issued devices is a permissible breach. The Court admitted the evidence because the law governing privacy expectations in work computers was still unsettled and thus the police did not act in bad faith in failing to get a warrant. In future, the police will be expected to know they need a warrant to search any Internet-connected device used for personal purposes. Breaches of this rule are not likely to attract the same judicial leniency.
The Cole decision will affect the way organizations view their employees’ use of workplace devices, the way police investigate crimes involving work-issued devices and the way in which defence counsel prepare for trials involving the seizure of such evidence.
An organization’s computer use policies should reflect the reality that most work-issued devices will contain protected information. Employers should consider the following rules and principles in regulating computer use by their employees:
- Use policies do not determine privacy rights. It is not enough to assert that data and messages generated on or handled by employer-owned equipment belong to the employer. If a policy permits an employee to use a device for personal purposes, courts will likely find that the employee has a protected privacy interest in at least some information stored on it.
- Ownership of the device does not confer the right to consent to a police examination of the device.
- Employers may inform the police of the discovery of contraband or criminal activity on a work-issued device.
- Where necessary, employers may turn a physical device over to the police – but only to safeguard potential evidence. Employers should inform the police that an employee has been using the device for personal purposes. This will trigger the need to obtain a warrant.
Defence counsel should consider the following questions in applying to exclude information seized from an employer-owned device:
- Is there a written administrative policy relating to the device?
- If so, does the policy expressly permit or prohibit personal use?
- Is there a convention or custom in the workplace that employees can use devices for personal use regardless of a contrary written policy?
- Regardless of written policies, was the employee able to use the work-issued computer for browsing the Web or sending personal e-mail?
- Who else had access to the information on the device, and to what extent?
- Was the device shared or did the client have exclusive use? Was the device password-protected?
- Did the employer have access to the device and, if so, how frequently and for what purpose?
- Did the client know that technicians, webmasters or other users had access to the device?
These factors will help counsel determine the strength of the argument that their client had a reasonable expectation of privacy in personal data on their work-issued devices.