Ontario Court of Appeal Clarifies Privacy Obligations for Utilities


On August 10, the Ontario Court of Appeal released its decision in R v Orlandis-Habsburgo (Orlandis).1 The Court held that a utility sharing residents’ energy consumption data with police, which led to a search and criminal charges, violated the residents’ reasonable expectation of privacy.

While Orlandis arose in a criminal context, the Court’s decision will have two major implications for utilities. First, Orlandis contributes to a trend of increasing judicial recognition of the privacy concerns that arise from the collection, use, and disclosure of energy consumption data. While consumption data is seemingly of low sensitivity, courts have begun to recognize that sensitive inferences can be made from the otherwise potentially non-sensitive information. Second, Orlandis establishes new and additional obligations for private sector and public sector organizations that disclose energy consumption data to police or other third parties.

The Facts and the Decision

In Orlandis, the tenants of a home in Ontario operated a marijuana grow-op. Their energy provider, noting a pattern of electricity use consistent with the operation of a grow-op, forwarded information about the electricity consumption to police. Using the information provided by the utility, the police obtained a search warrant for the residence, found marijuana plants and charged the residents with various criminal offences. At trial, the defendants argued that the police violated their right under section 8 of the Charter to be free from unreasonable search and seizure when they acquired energy consumption data from the energy provider without their consent or prior judicial authorization.

The trial judge rejected the defendants’ argument that they had a reasonable expectation of privacy in their energy consumption data, holding that the data “did not go to the biographical core of personal, intimate details of the lifestyle and personal choices of the Applicants.”

On appeal, the Court held that the defendants did have a reasonable expectation of privacy, and that the examination and use of the data by the police was not authorized by law. However, the Court ultimately refused to exclude the evidence obtained in the search, based on the state of the law at the time of the search.


The Orlandis decision is notable for two reasons: the explicit recognition of a privacy interest in energy consumption data; and the Court’s comments on acceptable information-sharing relationships with authorities.

A Reasonable Expectation of Privacy

The Court of Appeal held that there is a reasonable expectation of privacy in energy consumption data for two reasons. First, energy consumption data is information capable of supporting inferences that certain activities are occurring inside a home. Second, the contractual relationship between the utility and the consumer was not inconsistent with a reasonable expectation of privacy.

Energy consumption data can yield sensitive personal information

The Court’s conclusion that energy consumption data supports a privacy expectation is not a significant departure from the reasoning of previous courts.2 However, the Orlandis Court’s unequivocal acknowledgement of a privacy interest is a sign of the increasing jurisprudential recognition of the privacy implications of collecting, using, and disclosing energy consumption data.

While the trial judge in Orlandis found that electricity consumption information does not yield any meaningful biographical data, the Court of Appeal found that “the energy consumption data had a sufficient capacity to reveal personal activities within the home, particularly the existence of a marijuana grow-up, to potentially support the existence of a reasonable expectation of privacy.”3 Ultimately, since the information disclosed included both the raw usage data and the inferences that can be drawn from that data, the Court held that the accused had a reasonable expectation of privacy in the energy consumption information.

Contractual relationships may support an expectation of privacy

In R v Gomboc, the Supreme Court held that the nature of the relationship between customer and utility did not support a reasonable expectation of privacy. In that case, the regulation governing the utility put the onus on the customer to prohibit the energy provider from sharing information with police. Accordingly, the Supreme Court held that the customer could not have had a reasonable expectation of privacy.

In contrast, the Court of Appeal in Orlandis noted that the documents governing the relationship between the utility and the customer did not point away from a reasonable expectation of privacy. While the Court did not conclude that an expectation of privacy existed on the strength of the documents alone, utilities should take note of the Court’s reasoning that the contractual relationship between the customer and the provider and the regulatory framework governing the services will aid in determining the conditions of collection, use, and disclosure.

In Orlandis, the utility’s privacy policy referred to the use and disclosure of personal information only “for the purpose of providing the services,”4 with six exceptions for disclosure to third parties. Further, the utility’s distribution license stated that the “Licensee shall not use information regarding a consumer…obtained for one purpose for any other purpose without the written consent of the consumer.”5 The Court also found that Paragraph 4.3.1 of the Ontario Energy Board’s Distribution System Code allowed disclosure of “possible unauthorized energy use” to Measurement Canada, the Electrical Safety Authority, police officials, and “retailers that service consumers affected by the unauthorized energy use, or other entities.”6

Appropriate Information-Sharing Relationships with Police

The Orlandis Court focused in detail on the relationship between the utility and the police, and commented on the acceptable forms of information-sharing relationships between utilities and third parties.

In Orlandis, a revenue protection specialist employed by the utility monitored consumption data for patterns of “high” and “low” usage, and routinely shared that data with police when he became suspicious that the patterns indicated the presence of a marijuana grow-op. The utility and police ultimately developed a “usual practice” whereby the police would sometimes request information (often without a production order), and the utility would at other times volunteer the information without an initial request from police. These initial communications often led to more detailed requests for information, with which the utility always complied.

The Court assessed this information-sharing relationship in light of the utility’s obligations under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA),7 and the federal Personal Information Protection and Electronic Documents Act (PIPEDA).8 Both acts prohibit disclosure of personal information without consent, but contain exceptions permitting disclosure of personal information to the police in prescribed circumstances. While assessing the utility’s information-sharing regime, the Court made comments that may restrict the scope of such statutory exceptions going forward. Those comments concern disclosure in response to a law enforcement request, and disclosure on the utility’s own initiative.

Law Enforcement Requests

First, the Court considered the exception in section 7(3)(c.1)(ii) of PIPEDA, which permits disclosure without consent to a government institution that discloses its “lawful authority” to obtain the information. Section 7(3)(c.1)(ii) of PIPEDA requires the police request to be made “for the purpose of enforcing any law in Canada…carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.”

The Court recognized that PIPEDA requires the utility to maintain the confidentiality of its customers’ information, absent a lawful demand by the police. The Court held that the informal practice developed by the utility and the police was inconsistent with the “lawful authority” requirements of PIPEDA.

Second, the Court assessed the information-sharing relationship in light of the law enforcement disclosure exception in MFIPPA section 32(g). The Court noted that the MFIPPA exception appeared broader than the exception in PIPEDA in that it did not require the police to identify a source of “lawful authority” to obtain the information. Rather, section 32(g) of MFIPPA permits disclosure by a public institution to police “to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result.” There is no statutory requirement that the organization has reasonable grounds to believe the information relates to a crime, or that the information has been formally demanded by police.

However, the Court of Appeal narrowed the interpretation of MFIPPA to align with PIPEDA. The Court emphasized that the purpose of both statutes is to protect privacy, and that purpose would be negated by an overly broad reading of the exceptions to the requirement for consent to disclose personal information. Accordingly, the Court held that section 32(g) does not contemplate an ongoing arrangement for sharing of personal information with police. Indeed, the Court was explicit that section 32(g) does not contemplate the informal “usual practice” that had developed between the utility and police, where information was provided on the belief that the “police may have some interest in the information.” Rather, MFIPPA calls for the public institution to make an independent and informed judgment – after receiving a specific request in the context of a particular criminal investigation – on whether to exercise its discretion to release the information.

Disclosure on the Organization’s Own Initiative

Section 7(3)(d) of PIPEDA allows an organization, on its own initiative, to disclose personal information to a government institution on “reasonable grounds to believe that the information relates to a contravention of the laws of Canada.”

The Court held that this provision did not permit the utility’s informal information sharing arrangement with police. The utility had developed a practice of simply passing on the information if it thought the data could interest the police. Section 7(3)(d), the Court stated, requires an organization to “make… independent decision[s] to disclose information, based on its conclusion that reasonable grounds existed to believe that the appellants were engaged in criminal activity.” The Court noted that organizations could disclose information if they develop a formal policy permitting disclosure of energy consumption data or other information in the circumstances prescribed by PIPEDA, but did not weigh in on the elements of such a policy or the level of certainty required to establish “reasonable grounds” for the belief.

Consequences of the Decision

Organizations should take notice that the courts are increasingly willing to recognize that consumers have an expectation of privacy over their energy consumption data, which may outweigh the utility’s or the public interest in reporting potential criminal activity to the police. Because of this expectation of privacy, utilities should carefully review their internal policies and procedures related to the disclosure of customer information to third parties.

Establishing Procedures for Disclosure to Third Parties

Law Enforcement

Orlandis suggests that utilities cannot simply pass on suspicious information or tips. The Court’s decision suggests there is a heavy burden on both private sector organizations and public institutions to make independent factual and legal decisions that personal information of any level of sensitivity is evidence of criminal activity before providing such data to police.

Further, while the Court recognized that an organization may disclose information to police on its own initiative, it made clear that such voluntary disclosure must occur on the basis of reasonable grounds to believe the information relates to a crime.

Accordingly, organizations should develop clear and consistent policies for disclosing personal information that comply with the narrowly interpreted legislative disclosure exceptions. Employees should be specifically trained on what constitutes reasonable grounds to believe the information relates to a crime. Further, to best comply with the Court’s comments on PIPEDA and MFIPPA, utilities should designate a dedicated privacy representative to manage any information-sharing regimes with authorities. The Office of the Privacy Commissioner of Canada has published guidelines on choosing a dedicated representative, identifying that they should be a “senior decision-maker” able to “intervene on privacy issues across the organization” and dedicate resources to implementation of privacy obligations.9

Other Third Parties

Utilities may be particularly concerned about their ability to disclose customer information to non-law enforcement third parties, such as landlords, given the risks that activities requiring significant energy consumption can pose to people and property. The trial judge in Orlandis noted that excessive energy use may pose fire and electrical hazards to neighboring dwellings, or cause significant damage to property. Accordingly, utilities may wish to disclose the unauthorized use to third parties such as landlord owners of tenant-occupied dwellings. As is clear from the Court’s reasoning, the utility’s contractual relationship with tenants and their individual distribution licenses with the energy regulator must outline the scope of disclosure in order to permit sharing with third parties. Utilities should review their privacy policies and licenses in order to give effect to these disclosure plans, while remaining cognizant of their obligations under applicable privacy legislation.

* Molly Reynolds is a Senior Associate at Torys LLP in Toronto, admitted to practice in Ontario and New York. Her practice focuses on privacy law compliance and litigation, data security best practices and breach response coaching.

**Caitlin Morin is an Associate at Torys LLP in Toronto. Her practice involves all aspects of pensions, benefits and employment matters. Caitlin completed law school at McGill University and is admitted to practice in Ontario.

***Amir Eftekharpour is an Articling Student at Torys LLP in Toronto. Amir completed law school at the University of Toronto, and has an Honours BA (political science) from Western University.

  1. R v Orlandis-Habsburgo, 2017 ONCA 649 [Orlandis].
  2. R v Gomboc, 2010 SCC 55.
  3. Orlandis, supra note 2 at paras 66-68.
  4. Orlandis, ibid, fn 3.
  5. Orlandis, ibid, para 87.
  6. Ontario Energy Board, Distribution System Code, s 4.3.1.
  7. Municipal Freedom of Information and Protection of Privacy Act, RSO 1990, c M.56.
  8. Personal Information Protection and Electronic Documents Act, SC 2000, c 5.
  9. Office of the Privacy Commissioner of Canada, PIPEDA Self-Assessment Tool, (Ottawa, Office of the Privacy Commissioner of Canada, 2008), online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda_sa_tool_200807/>.

Leave a Reply