When in Rome, do as the Romans do. Similarly, when doing
business in Canada, do as Canadian privacy law requires.
That is the lesson learned by a foreign-based airline following
a finding by the Office of the Privacy Commissioner (OPC) of Canada
that the carrier had violated Canadian privacy law, even though the
company operates in compliance with European privacy requirements.
The decision further confirms the fact that foreign businesses that
operate or provide services in Canada will be subject to all
requirements of Canadian privacy law, regardless of the scope of
the privacy regimes in their home countries.
In a Report of Findings recently posted by
the OPC, Netherlands-based KLM Royal Dutch
Airlines (KLM) was found to have breached several provisions of the
Personal Information Protection and Electronic Documents
Act (PIPEDA), including failing to respond in a
timely way to a request by a customer for access to records
containing personal information; failing to implement practices to
ensure that the requirements of the Act; and failure to
make available to the public its policies respecting the management
of personal information.
In a preliminary report of findings, the OPC had recommended
that KLM develop a clear and simple access to information request
version of its website comply with PIPEDA.
KLM took the position that the Dutch Data Protection Authority
supervises KLM in the security of personal data under the Dutch Personal Data Protection
Act, including requirements respecting
transparency and the manner in which access to information requests
must be processed. The airline further noted that Dutch law does
not require further transparency of policies and practices, and
only allows individuals to view their personal information, not to
access it. KLM questioned the OPC's jurisdiction over KLM.
Relying on the Federal Court's decision in Lawson v. Accusearch
Inc., which had earlier found that the OPC
had jurisdiction to investigate complaints respecting the
collection by foreign organizations of personal information about
Canadian residents, the OPC confirmed that it had jurisdiction in
the complaint against KLM because there was a real and substantial
connection to Canada. In this regard, the OPC noted that:
The complainant seeking access to his personal information was
a Canadian resident
KLM offers services in Canada, and has employees at several
KLM operates a Canadian version of its website, which actively
targets Canadians, and through which Canadians may reserve
KLM operates scheduled non-stop flights to and from Canadian
cities (and in fact, the complainant originally booked a KLM flight
departing from Toronto);
KLM needs to collect personal information from Canadian
passengers to offer air travel to those passengers.
In the circumstances, and in view of judgement in the
Accusearch case, the finding of Canadian jurisdiction over
the handling of the personal information in question may not be
particularly surprising: it was collected from Canadians, in
Canada, with respect to a service provided - at least in part - in
However, many businesses may be surprised that compliance with a
European data protection law will not guarantee compliance with
Canadian law – despite the fact that the European Data Protection
Directive (on which member state privacy laws are
based) and PIPEDA were derived from the same set of
essential privacy principles, and even though European data
protection laws tend to be viewed in some jurisdictions as being
Although Canadian privacy laws are in broad accord with many
international data protection regimes, there are often subtle
differences between these foreign laws and Canadian privacy
requirements. Accordingly, foreign organization doing business in
Canada should not assume that practices and policies that comply
with the law of their home country will necessarily suffice when
collecting, using and disclosing information in Canada.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).