Canada has taken a leadership role in the global arena in its approach to regulating the privacy interests of individuals while at the same time balancing other important economic and social objectives. While the United States has focused on a sectoral approach toward the protection of personal information, evidenced by the piecemeal framework offered by common law developments, federal legislation, the U.S. Constitution, state laws, and various state constitutions, Canada has adopted an umbrella approach to legislating privacy. Although the common law and the Canadian Charter of Rights and Freedoms do contain various privacy protections, the right to privacy in Canada is mostly set out under public- and private-sphere legislation.
Canada has a growing array of federal and provincial statutes, as well as common-law requirements, dealing with privacy and the protection of personal information.
As of January 1, 2004, all Canadian businesses have been required to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar legislation in various provinces (Quebec, Alberta and British Columbia, and Ontario in respect of personal health information). This act protects the Personal Information of individuals and governs how that information is used in the course of “commercial activities.” Canada also has personal health information privacy legislation, most notably Ontario’s Personal Health Information Protection Act (PHIPA). PHIPA applies to personal health information regardless of whether the information is used in a commercial context or otherwise. Depending on the nature of an organization’s activities and the use made of Personal Information, compliance can be as simple as preparing privacy policies or can involve complex processes such as staff training, improvements to storage systems, or the implementation of other protective measures.
Privacy issues will likely affect an organization (an “Organization” or “Company”) in two ways: First, an Organization itself will have to comply with PIPEDA with respect to customer Personal Information it collects and controls. To the extent an Organization has employees located in the provinces of B.C., Alberta or Quebec, it will need to consider the impact of provincial privacy laws on employee Personal Information. Second, an organization’s partners (who must also comply with privacy obligations) will want to make sure that an organization properly uses and safeguards Personal Information it may access while performing services.
During the last two years, the Canadian government has introduced two bills of importance to individuals, businesses and, more generally, anyone involved in the online marketplace. On December 15, 2010, Bill C-28, the so-called anti-spam legislation, received Royal Assent. Regulations under this new legislation (now referred to as “CASL”) are currently being drafted and will establish important details with respect to its implementation. The intent of CASL is to deter damaging and deceptive forms of electronic communication, such as identity theft, phishing and spyware, from occurring in Canada, and to help drive out spammers. Bill C-12, which was introduced on September 29, 2011, reintroduces the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) proposed previously. The Bill introduces some potentially important changes to PIPEDA, including mandatory federal breach notification. Bill C-12 is still working its way through the parliamentary review process.
Overview of PIPEDA
The purpose of PIPEDA is to balance the right of privacy of individuals with the need of businesses to use Personal Information for reasonable purposes in order to operate successfully. “Personal Information” is specifically defined as “information about an identifiable individual.” It does not include the name, title, business address or telephone number of an employee of an organization. It includes such information as race, ethnic origin, colour, age, marital status, religion, education, medical, criminal, employment or financial history, address and telephone number, Social Insurance Number, fingerprints, blood type, tissue or biological sample, and views or personal opinions that are linked to an individual.
PIPEDA now applies to organizations in Canada that collect, use or disclose Personal Information in the course of all commercial activity. “Commercial activities” are defined to mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character.”
Until recently, it was a commonly held belief that the legislation applied only to organizations clearly “carrying on business in Canada.” However, a recent decision by the Federal Court of Canada suggests that the federal Privacy Commissioner has a broad right to investigate organizations that collect, use or disclose personal information of Canadians.
What Does An Organization Need to Do?
PIPEDA outlines several key principles to protect Personal Information. It also requires that Personal Information be used or disclosed only for purposes for which it was collected. Once an organization collects Personal Information, it maintains ongoing obligations with respect to its use and safeguarding.
- Be Accountable: An organization must be responsible for Personal Information under its control and shall designate an individual or individuals who is/are accountable for the organization’s compliance with the following principles.
- Identify the Purposes: The purposes for which Personal Information is collected shall be identified by the Organization at or before the time the information is collected.
- Be Accurate: Personal Information shall be accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- Be Open: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of Personal Information.
- Give Individuals Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her Personal Information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Provide Recourse: An individual shall be able to address a challenge concerning compliance with the above principles to the individual or individuals designated as accountable for the organization’s compliance.
What are the risks if an organization does not comply?
Complaints by individuals are heard by the federal Privacy Commissioner, who has the authority to receive and investigate complaints and to try to resolve these disputes (similarly, complaints in the provinces are heard by the relevant provincial privacy commissioner). The Privacy Commissioner also has the right to make public any information relating to an organization’s Personal Information management practices if it is in the public interest to do so. Public disclosure of the details of a complaint can be the most damaging consequence for a business, and is a destructive result of misusing Personal Information. The individual making the complaint can also apply to court for damages.
PIPEDA creates offences for obstructing an investigation or audit; destroying Personal Information that is the subject of an access request; or disciplining a whistleblower.
An organization that engages in these activities can be fined up to $10,000 for a summary conviction or $100,000 for an indictable offence. Canada’s new anti-spam legislation also carries monetary penalties, including up to one million dollars per violation for individuals and ten million dollars for businesses.
Processing of Personal Information in the United States
As indicated above, an Organization has an obligation to safeguard the Personal Information it processes and not to disclose it to third parties without consent.
There is a great deal of sensitivity in Canada regarding outsourcing of any data management services outside the country. Many concerns can be dealt with through adequate data protection agreements combined with appropriate notice requirements.
Data Breach Notification in Canada
Mandatory breach notification is being introduced in some provincial jurisdictions. Guidelines on data breach notification are in effect at the federal level and in some provinces. As indicated above, Bill C-12 would introduce breach notification provisions under PIPEDA.