Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


II. Surveillance policies

Online privacy

In May 2005, the Federal Court of Appeal ruled on the Canadian Recording Industry Association's (CRIA's) request to have Internet Service Providers (ISPs) reveal the identities of subscribers who had allegedly infringed copyright law by sharing music online.1 In BMG Canada Inc. v. John Doe,2 the Court recognized the importance of online privacy, and set out a test that plaintiffs must meet in order to obtain court orders for the disclosure of subscriber identities.3

In January 2006, class actions were launched against SONY BMG in Ontario, Quebec and British Columbia for the use of DRM technologies, such as the notorious "rootkit," on some of its CDs. In September, SONY BMG reached settlements in each jurisdiction. Included in the settlement were several terms aimed at addressing DRM-related privacy issues, though mainly, requiring a guarantee that settlement class members will not have to provide any personal data in order to use the uninstaller software provided by SONY; that SONY BMG will take commercially reasonable steps to destroy the data it collects to provide enhanced CD functionality, including logs of IP addresses; and that privacy audits are to be performed by independent third parties in 2006 and 2007.4


  • 1. CRIA argued for documents to be disclosed but they were relying on a rule that did not compel the creation of documents that did not already exist. Several of the ISPs noted that it would be too costly for them to keep the type of records that CRIA sought. Furthermore, there was no foolproof way for CRIA to demonstrate that the filesharers' Kazaa usernames would not be linked to an innocent subscribers' identity.
  • 2.
  • 3. Noting that the need of plaintiffs to be able to sue those who are harming them through illegal activities must be balanced against the private rights of individuals, the court set out a test that requires a bona fide claim of illegal behavior, admissible and timely evidence linking the IP address in question to the impugned behavior, clear evidence that the information cannot be obtained from another source, and the collection of no more information than necessary for the purposes of the civil suit. In order to make out a bona fide claim, plaintiffs must show that they intend to bring an action for copyright protection based on the personal information that they obtain and that there is no other improper purpose for Seeking the identity of these persons. As well, the court stated that, "caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way". In particular, if a disclosure order is granted, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, courts should consider making a confidentiality order or identifying the defendant by initials only.
  • 4.