Landmark Canadian Privacy Cases

Supreme Court of Canada decisions, appellate rulings, and Privacy Commissioner investigations that shape how privacy law is applied across the country.

Case summaries are for general information and are not legal advice. Always read the decision in full and consult a lawyer for anything relying on its outcome.

Supreme Court of Canada 1984 Charter section 8 and the reasonable expectation of privacy

Hunter v. Southam

Hunter v. Southam Inc., [1984] 2 SCR 145

Facts: Federal investigators entered newspaper offices under the Combines Investigation Act without prior judicial authorization. Southam challenged the search as unreasonable.

Holding: Section 8 of the Charter protects a reasonable expectation of privacy. A warrantless search is presumptively unreasonable. Prior authorization by a neutral arbiter, on reasonable and probable grounds, is the default constitutional standard for searches.

Why it matters: This is the foundational Charter privacy decision. Every subsequent Canadian search and seizure case traces back to the reasonable expectation of privacy framework established here.

Read the full decision

Supreme Court of Canada 2014 Anonymity and subscriber information from internet service providers

R v. Spencer

R v. Spencer, 2014 SCC 43

Facts: Police obtained Spencer's name and address from his ISP without a warrant by matching an IP address to his subscriber account. The question was whether Canadians have a reasonable expectation of privacy in subscriber information tied to online activity.

Holding: Yes. There is a reasonable expectation of privacy in the identity of an internet subscriber when it is linked to their anonymous online activity. Warrantless disclosure by the ISP to police was a search under section 8.

Why it matters: Spencer recognized anonymity as a privacy interest protected by the Charter and is the leading case on ISP subscriber disclosure and online privacy in Canada.

Read the full decision

Supreme Court of Canada 2017 Privacy in text messages after they are received

R v. Marakah

R v. Marakah, 2017 SCC 59

Facts: Police seized an accomplice's phone containing text messages Marakah had sent. The Crown argued he lost any privacy interest once the messages were delivered.

Holding: A sender can have a reasonable expectation of privacy in text messages even after they are received by the recipient. The totality of the circumstances test still governs and control of the device is only one factor.

Why it matters: Marakah is the leading case on privacy in digital communications and is cited in nearly every challenge to cell phone or messaging evidence.

Read the full decision

Supreme Court of Canada 2019 Reasonable expectation of privacy under the voyeurism offence

R v. Jarvis

R v. Jarvis, 2019 SCC 10

Facts: A high school teacher used a pen camera to record female students in hallways and classrooms. The defence argued students had no privacy expectation in semi-public school spaces.

Holding: The reasonable expectation of privacy for voyeurism is contextual. Students in a school setting retain a privacy interest in not being surreptitiously recorded for a sexual purpose, even in locations visible to others.

Why it matters: Jarvis established that privacy is not lost simply because a person is in public view. The decision now shapes analysis of surveillance in workplaces, schools, and public spaces.

Read the full decision

Supreme Court of Canada 2024 Reasonable expectation of privacy in IP addresses

R v. Bykovets

R v. Bykovets, 2024 SCC 6

Facts: Police asked a payment processor for the IP addresses associated with suspicious transactions, then used those IPs to request subscriber information. The question was whether police needed judicial authorization for the IPs themselves.

Holding: Yes. Canadians have a reasonable expectation of privacy in IP addresses. Obtaining an IP address from a third party without a warrant engages section 8 and is a search.

Why it matters: Bykovets extends Spencer from subscriber identity to the IP address itself. It is the most recent SCC statement on internet privacy and is already changing law enforcement practice.

Read the full decision

Ontario Court of Appeal 2012 Recognition of the tort of intrusion upon seclusion

Jones v. Tsige

Jones v. Tsige, 2012 ONCA 32

Facts: A bank employee accessed the banking records of her partner's ex-wife at least 174 times over four years. The plaintiff sued for breach of privacy.

Holding: Ontario recognized the common law tort of intrusion upon seclusion. Elements: intentional or reckless conduct, intrusion into private affairs, and a reasonable person would regard the intrusion as highly offensive. Damages are capped around CAD 20,000 where no pecuniary loss is shown.

Why it matters: Jones created a private law remedy for privacy breaches in Ontario and influenced tort recognition across several provinces. It is the foundation of most civil privacy claims in Canada.

Read the full decision

Ontario Superior Court of Justice 2016 Public disclosure of private facts and non-consensual intimate images

Jane Doe 464533 v. N.D.

Jane Doe 464533 v. N.D., 2016 ONSC 541

Facts: An ex-boyfriend posted an intimate video of the plaintiff online without her consent. She sued for privacy torts.

Holding: The court recognized a new tort of public disclosure of embarrassing private facts, grounded in the same policy as Jones v. Tsige. Significant damages were awarded.

Why it matters: This decision opened a civil avenue for victims of non-consensual intimate image distribution, complementing Criminal Code section 162.1 and provincial image-based abuse statutes.

Read the full decision

Office of the Privacy Commissioner of Canada 2021 Mass scraping of facial images to build a biometric database

Clearview AI Joint Investigation

PIPEDA Findings # 2021-001 (joint investigation with AB, BC, QC)

Facts: Clearview AI scraped over three billion images from the public internet, extracted biometric identifiers, and sold access to law enforcement. Four Canadian privacy regulators investigated jointly.

Holding: Clearview AI's practices were mass surveillance and clearly contrary to PIPEDA and provincial private-sector privacy laws. The company was ordered to stop collecting images of Canadians and delete existing ones.

Why it matters: This is the leading Canadian regulatory statement on facial recognition and shaped subsequent guidance on biometric processing, AI training data, and consent.

Read the full decision

Office of the Privacy Commissioner of Canada 2020 Covert facial recognition in shopping malls

Cadillac Fairview

PIPEDA Findings # 2020-004 (joint investigation with AB, BC)

Facts: Cadillac Fairview used cameras with facial analysis technology in wayfinding directories at Canadian malls, collecting biometric information from roughly five million shoppers without meaningful consent.

Holding: The collection was unlawful. Notice was inadequate and consent was not meaningful. The company was required to cease the practice and delete the biometric data.

Why it matters: A high-profile reminder that brick-and-mortar businesses using video analytics must meet the same consent and transparency standards as online services.

Read the full decision

Office of the Privacy Commissioner of Canada 2020 Breach of sensitive health information of millions of Canadians

LifeLabs Data Breach

PIPEDA Findings # 2020-005 (joint investigation with ON and BC)

Facts: A cyberattack exposed personal and health information of approximately 15 million LifeLabs customers, including test results. The company paid a ransom but the data was compromised.

Holding: LifeLabs failed to meet its duties to safeguard personal information and to deploy adequate information technology security. Orders required remediation, notification, and improved controls.

Why it matters: A benchmark Canadian health-sector breach case. The investigation shaped expectations on ransomware response, encryption, and vulnerability management for custodians of sensitive data.

Read the full decision

Office of the Privacy Commissioner of Canada 2020 Insider data theft affecting millions of members

Desjardins Breach

PIPEDA Findings # 2020-002

Facts: A Desjardins employee exfiltrated the personal information of about 9.7 million members and shared it outside the organization over several years before detection.

Holding: Desjardins did not have adequate safeguards against insider threats. Extensive remediation and long term monitoring commitments were required.

Why it matters: Treated as the modern Canadian baseline for insider threat controls, access governance, and breach notification expectations.

Read the full decision

Supreme Court of Canada 2017 Global de-indexing order against a non-party search engine

Google v. Equustek

Google Inc. v. Equustek Solutions Inc., 2017 SCC 34

Facts: A British Columbia court ordered Google to de-index a defendant's websites worldwide. Google argued a Canadian court could not impose global internet orders on a non-party.

Holding: The Supreme Court upheld the global injunction. Canadian courts can order a worldwide de-indexing remedy where it is the only effective way to prevent ongoing harm.

Why it matters: An important Canadian decision on jurisdiction over online intermediaries and a reference point in later debates about right to be forgotten and takedown orders.

Read the full decision

Supreme Court of Canada 2019 Privacy expectations in online conversations with a stranger police officer

R v. Mills

R v. Mills, 2019 SCC 22

Facts: Police posed as a 14 year old child online. Mills engaged in sexual conversations and was charged with child luring. He argued his communications were private.

Holding: There was no reasonable expectation of privacy in communications with a stranger who turned out to be an undercover officer, on the specific facts. The decision is narrow and does not displace Marakah.

Why it matters: Mills clarifies that Marakah is not absolute. Courts still apply the totality of the circumstances test and the identity of the recipient can matter.

Read the full decision

Supreme Court of Canada 2018 Third party consent to seize a shared home computer

R v. Reeves

R v. Reeves, 2018 SCC 56

Facts: Reeves's spouse consented to police seizing a shared home computer. Police later found child pornography. The question was whether the spouse could waive Reeves's privacy interest.

Holding: A co-user's consent cannot waive another co-user's reasonable expectation of privacy in a shared personal computer. Police needed prior judicial authorization.

Why it matters: Reeves is the leading case on shared device privacy and restricts when police can rely on third party consent for electronic devices in the home.

Read the full decision

How to read a Canadian privacy case

Canadian privacy law pulls from three streams: constitutional protection under Charter section 8, statutory protection under federal and provincial privacy acts, and common law torts like intrusion upon seclusion. When reviewing a decision, identify which stream is in play, the specific legal test applied, and the factual context. A holding in a criminal case may not carry over directly to a private-sector dispute.

Start with our Learn the law primers