When I heard about the Supreme Court of Canada’s decision in the Federation of Law Societies’ challenge of Ottawa’s Terrorist Financing Act, I saw it as a win — and one that reiterated Canadian values of freedom and liberty. The ruling sanctified solicitor-client privilege and confirmed the right, albeit for lawyers and law firms only, to be secure against unreasonable search or seizure as stated in section eight of the Charter of Rights and Freedoms.
The decision stresses that “lawyers must keep their clients’ confidences and act with commitment to serving and protecting their clients’ legitimate interests” and concludes that “some provisions of Canada’s anti-money laundering and anti-terrorist financing legislation are repugnant to these duties [because] they require lawyers, on pain of imprisonment, to obtain and retain information that is not necessary for ethical legal representation and provide inadequate protection for the client’s confidences subject to solicitor-client privilege.” Also, “they unjustifiably limit the right to be free of unreasonable searches and seizures …”
These statements support the importance of solicitor-client privilege and the protection of information exchanged under that privilege. On further deliberation, however, I remembered that the original legislation dated back to 2000. Pre-9/11, pre-Edward Snowden and before cyber-security took centre stage.
As a lawyer, I’ve been trying to find a way to comply with my ethical and legal obligations in light of constant technological evolution and what we learn on an ongoing basis about electronic surveillance, industrial spying and criminal hacking. While being relatively tech-savvy (for a jurist that is), I must confess to my failure to find proper solutions. In fact, it feels as though every time we find a solution, we hear it’s been compromised shortly thereafter.
In a world where some governments collect much of the information that flows through the Internet and criminals actively seek to steal sensitive information, what relevance does this decision have? We must remember that the Internet is not a jurisdictional matter, in that the collection of privileged information by any nation or organization constitutes a breach of solicitor-client privilege.
It would be unfair to suggest this decision is useless. It does seem to protect documents that were brought to lawyers by their clients or documents generated by the lawyers but not communicated to anyone on a public network. This amounts to an invitation for increased in-person meetings and secured internal networks to prevent any external communication and access. The second of these points, investment in security, is equally relevant in the broader context of today’s information-security landscape. Any legal organization that is not taking active steps to secure their communications and information does so at their own potential peril.
As stated by the court in this ruling, “the reasonable expectation of privacy in relation to communications subject to solicitor-client privilege is invariably high, regardless of the context. The main driver of that elevated expectation of privacy is the specially protected nature of the solicitor-client relationship, not the context in which the state seeks to intrude into that specially protected zone.”
Quoting Justice Arbour in Lavallee, the court explicitly recognizes protection from state intrusion: “It is critical to emphasize here that all information protected by the solicitor-client privilege is out of reach for the state. [A]ny privileged information acquired by the state without the consent of the privilege holder is information that the state is not entitled to as a rule of fundamental justice.”
However, this statement, while strong in principle, may lack strength in terms of enforcement. Without specific oversight and active defence, governments, criminals and others are able to sift through clients’ privileged communications without much control, and then, in the case of governments, use ex post facto legal means to present the information in evidence.
The court notes “that the scheme wrongly transferred the burden of protecting the privilege from the state to the lawyer … [because] the initial claim of privilege may only be made by legal counsel … there is no requirement for notice to the client, who is the holder of the privilege, and no protocol for independent legal intervention where it is not feasible to notify the client.”
With this in mind, we must consider not only what the ruling states, but whether or not the burden for the protection of privileged information has transferred almost exclusively to the legal firms and lawyers involved. One thing is for sure, there is likely to be more conversation and perhaps litigation on this subject. In the meantime, law firms and lawyers would be well-advised to study their cyber-protection posture and invest in the securing of this privileged information.
Dominic Jaar is the National Practice Leader in the information management services group at KMPG Canada.
