Establishing the Parameters of Privacy and Trust in the Sharing Economy
TheCourt.ca has published commentary on R v Reeves from when it was heard at the Ontario Court of Appeal and most recently at the Supreme Court of Canada. This post is a forward-thinking piece on the impact of R v Reeves on the sharing economy.
2019 has arrived with a slew of upcoming Initial Public Offerings of technology companies featuring peer-to-peer services. As ride-sharing (Uber & Lyft) and hospitality-sharing (Airbnb) services go public this year, they stabilize the future of the sharing economy worldwide. The sharing economy is an umbrella term that describes economic activities made possible by technology. What was once thought to be an odd and unprofitable idea—sharing a ride or an apartment with a stranger—has more than tripled in value since its inception. As this phenomenon continues to expand across the country, legal issues emerge in relation to the Canadian Charter of Rights and Freedoms [Charter].
The federal government has acknowledged the sharing economy by creating a new Cabinet position entitled the “Minister of Digital Government.” Yet little direction has emerged from Ottawa. This has created an opportunity for the judiciary to position Canada on a trajectory of legal stability and economic growth in the sharing economy. Recent decisions by the Supreme Court of Canada (“SCC”), such as R v Reeves, 2018 SCC 56 [Reeves], have defined the parameters of trust and privacy in the sharing economy.
At first read, Reeves is not a case regarding the sharing economy, but rather a case that turns on evidence law in a spousal context. Yet upon greater inspection, Reeves delineates the privacy rights of all Canadians who use shared devices. In Reeves, the device is a home computer shared between spouses. The shared computer is comparable to other devices in the sharing economy, such as cars, scooters, apartments, and professional photography equipment. All devices in the sharing economy are connected through the Internet of Things, and as such, collect information from their users. The information collected and stored within these devices is not prima facie nefarious, but it is vulnerable to breaches of confidentiality between multiple users. Reeves is a vanguard case for dealing with an increasingly common problem in the sharing economy: how may confidential information be used by co-users of a device?
Facts, Issues, and Judicial History of the Case
Thomas Reeves and his common-law spouse, Nicole Gravelle, shared a home computer. Ms. Gravelle reported to the police that she had discovered child pornography on the shared computer. Following up on her tip, a police officer came to the family home and Ms. Gravelle allowed the officer to enter. The police officer did not have a warrant, but Ms. Gravelle signed a consent form authorizing him to take the shared computer. The police then held the computer for over four months without a warrant. Additionally, the police failed to report the seizure of the computer to a justice, contrary to section 489.1 of the Criminal Code, RSC 1985, c C-45.
Once the police obtained a warrant to search the shared computer, they discovered child pornography. Mr. Reeves was charged with possessing and accessing child pornography. At trial, Mr. Reeves applied to exclude the evidence originating from the shared computer. He cited section 8 of the Charter and contended that his right to be secure against unreasonable search or seizure was infringed. The application judge agreed and excluded the computer evidence under section 24(2) of the Charter, and Mr. Reeves was acquitted at trial. The Ontario Court of Appeal (“ONCA”) set aside the exclusionary order and ordered a new trial. On appeal, the SCC held that the computer evidence should be excluded and restored the acquittal.
Justice Karakatsanis outlined the key issue in this case: whether the police could rely on the consent provided by Ms. Gravelle to take the shared computer from Mr. Reeves’ and Ms. Gravelle’s home. The question then is not whether Mr. Reeves broke the law by possessing and accessing child pornography, but rather whether the police “exceeded the limits of the state’s authority” by accessing the shared computer without a warrant or Mr. Reeves’ consent (Reeves, para 2). This issue explores whether one co-user of the shared computer has the rights to the other user’s data on the device. This issue and others have been analyzed in detail by my colleague in a previous post.
The Right to Data Security
The Charter and the Canada Evidence Act, RSC 1985, c C-5 police the state’s interaction with Canadians’ right to privacy and data security. While neither affords individuals the right to delete incriminating personal data, section 8 of the Charter affords everybody the “right to be secure against unreasonable search or seizure.” The SCC identified the purpose of section 8 as protecting individuals from “unjustified state intrusions upon their privacy” (Reeves, para 11, quoting Hunter v Southam Inc, 2 SCR 145). In Reeves, the SCC conducted a section 8 Charter analysis to assess whether the police’s search and seizure of the shared computer exceeded the limits of the state’s authority.
Section 8 of the Charter is only engaged if Mr. Reeves has a reasonable expectation of privacy in the shared computer. In the case at hand, Mr. Reeves did not have exclusive control over the shared computer, but Justice Karakatsanis clarified that “control does not need to be exclusive to support a reasonable expectation of privacy” (Reeves, para 16). Thus, Mr. Reeves had not assumed the risk that the police could seize the shared computer at the sole discretion of the computer’s co-user. Since Mr. Reeves had not waived his Charter rights, he had a reasonable expectation of privacy in the shared computer. Despite Ms. Gravelle’s consent, the warrantless seizure of the shared computer and the search of it without a valid warrant were both unreasonable actions by the police. Not only did they constitute a breach of Mr. Reeves’ fundamental rights under section 8 of the Charter, but the admission of this evidence would also bring the administration of justice into disrepute. Consequently, the SCC held that the evidence must be excluded under section 24(2) of the Charter.
Privacy in the Sharing Economy
If Mr. Reeves had a reasonable expectation of privacy in the shared computer, then consumers are similarly entitled to privacy while participating in peer-to-peer services. The Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA] attempts to protect consumer confidentiality. Any business organization—including a peer-to-peer service provider—must report a breach involving personal information of its customers if it creates “a real risk of significant harm to an individual” (PIPEDA, s.10.1(1)). PIPEDA is the reason Canadian consumers are informed when their confidential information is hacked. Reputable organizations are often the target of data privacy breaches, and many consumers participate in the sharing economy with the working assumption that any information they provide may at some point be hacked.
Yet the breach of confidential information on a peer-to-peer service feels more personal than the standard breach of credit card details while online shopping. The SCC recognizes that consumers have a heightened expectation of privacy in the context of using a device, like a computer, even if it is also part of the sharing economy (Reeves, paras 4, 70). This expectation of privacy continues even after the consumer has finished using the device and no longer has control over it. The majority of the SCC finds that limited control over the shared devices is “not necessarily fatal to a reasonable expectation of privacy,” but Justice Côté suggests in her concurring opinion that “[c]ontrol of access is central to the privacy concept” (Reeves, para 130 quoting R v Belnavis, 3 SCR 341). Justice Côté implies that a consumer who no longer exercises any physical control over the shared device may be giving up on their right to their confidential information still stored on said device. While not binding, this obiter identifies the significance of entrusting confidential information to a shared device.
Trust in the Sharing Economy
Although the word “trust” does not appear once in the SCC’s decision in Reeves, greater trust in peer-to-peer services is arguably the outcome of the case. Trust is embedded in the business model of the sharing economy and is an essential multi-level element required for consumers to utilize a peer-to-peer service. For example, consumers need to trust that their Uber driver has a valid license; they also need to trust that the app reflects accurate waiting times, and on top of that they need to trust that the technology will calculate the correct fare. Remove trust at even one of these levels and consumers would not use the service. As such, trust is the single most important element consumers require to participate in the sharing economy.
Canadian consumers will be pleased with the SCC’s decision in Reeves as it inadvertently establishes trust in the sharing economy. Because the SCC concluded that co-users of an electronic device cannot unilaterally consent to its search or seizure, consumers can rest assured that they will not relinquish their right to data security or privacy simply by participating in the sharing economy. I believe that Justice Karakatsanis’ firm statement that “shared control does not mean no control” will result in greater consumer consumption of peer-to-peer services (Reeves, para 37). With the sharing economy still in its infancy, Reeves may have made a significant contribution to its enduring success in Canada.