Canada: Developments In The Law Of Consumer Privacy

By Phil Rogers

Volume 3:3 July 2000

With the omnipresence of computer networks in all spheres of modern society, as well as the ever increasing speed with which technology develops, organizations are in a position, more than ever, to collect personal information about consumers (including things such as ethnic origin, age, marital status, education, criminal or medical data, and financial history), communicate it rapidly and extensively, and use it to provide their services. Indeed, personal information is now a marketable asset which has a considerable commercial value: it can be bought, sold and traded not only within the boundaries of each province, but nationally and internationally. In response to this new reality, Prime Minister Chrétien announced, on September 22, 1998, the Canadian Electronic Commerce Strategy, which aims at "recreating in cyberspace the same expectations of trust, confidence and reliability that now exist in everyday commerce".

The Personal Information and Electronic Documents Act, (previously Bill C-6), which received Royal Assent on April 13, 2000, is one of the components of this Strategy. Its objective is to regulate the collection, use and disclosure of personal information about individuals in the course of commercial activities, so as to balance every individual's right to privacy with the right of organizations to use this information for appropriate purposes.

The Act comes into force on January 1, 2001 and will be applied in successive phases. For the first three years, it will apply strictly to organizations in the federally-regulated private sector, in respect of both customer and employee information. It will also apply to situations where information about individuals is sold across provincial and national borders. After these first three years, the Act will also apply to provincially-regulated organizations, except where provinces adopt substantially similar legislation, in which case the organizations located in such provinces will be regulated by the provincial statute. Finally, organizations collecting, using or disclosing personal health information are subject to an exception. The Act will only apply to them one year after its coming into force, in order to provide the health sector more time to adapt to the requirements of the new legislation.

The Act provides for several exceptions. For example, information collected, used or disclosed for personal or domestic use, for journalistic, artistic or literary use, for law enforcement investigations, for life-threatening emergencies, for disclosure required by a judicial order or by the Rules of Court, or for disclosure made after the earlier of 100 years after the creation of the record and 20 years after the death of the individual, are not subject to the Act 's measures.

The Act incorporates in its Schedule 1 the Canadian Standards Association ("CSA") Model Code for the Protection of Personal Information ("the Code"), which was recognized as a national standard for the private sector in 1996. This Code is similar to that of many industry specific codes, such as that of the Canadian Association of Internet Providers and the Canadian Marketing Association, as well as that of many banks and telecom carriers.

Schedule 1 of the Act sets out ten broad privacy protection principles, which are explained in sub-clauses, sometimes by way of examples, comments or discussions. The structure of Schedule 1 gives organizations sufficient flexibility to adapt the principles to their own activities. Furthermore, it is interesting to note that some of the clauses in Schedule 1 contain language which is not generally found in legislation. Indeed, while the word "shall" may be found in most provisions, thereby imposing obligations upon organizations, other clauses contain the word "should"or expressions such as "organizations are encouraged to". This wording implies that certain provisions constitute mere recommendations, and do not impose obligations.

The CSA Code's 10 principles are:

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
2. Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means
5. Limiting Use, Disclosure, And Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

An individual whose personal information was misused by an organization should first attempt to settle the issue directly with the organization by complaining to the organization's official responsible for privacy matters. If the individual is not satisfied with the results of this first attempt to resolve the situation, he can complain to the Privacy Commissioner (who may also initiate a complaint on his own initiative).

Upon receiving or initiating a complaint, the Commissioner will conduct an investigation. He may also act as an ombudsman and attempt to resolve the complaint through the use of dispute resolution mechanisms such as mediation and conciliation. Within a year after the complaint is initiated, the Commissioner issues a report to the parties with his findings and recommendations.

Within 45 days of receiving the Commissioner's report, a complainant may apply to Federal Court (Trial Division) for a hearing. The Court may, inter alia, order the organization to correct its practices, order the publication by the organization of its corrective actions, and award damages. The Act also provides for offences in limited circumstances, such as situations where a person obstructs the Commissioner in an investigation, where records are destroyed during the course of an investigation or enquiry, or where an organization disciplines a whistleblower employee who, upon reasonable grounds, notified the Commissioner that his or her employer contravened the Act .

The Commissioner may, on reasonable notice and at any reasonable time, audit an organization's personal information practices where there are reasonable grounds to believe that the organization is contravening the privacy provisions of the Act or that it is not following a recommendation set out in Schedule 1. The Commissioner has the power to compel and receive evidence and administer oaths, enter an organization's premises, carry out inquiries, and examine and obtain copies of documents relevant to the audit. After an audit, the Commissioner is required to provide a report to the audited organization with the findings of the audit and any recommendations deemed appropriate.

Outsourcing of data processing is very common, whether it be to the United States or overseas. Accordingly, in such situations, the Act requires "contractual or other means to provide a comparable level of protection". However, it is not clear what specific measures are required by the Act to protect personal information sent to third parties outside Canada: Is a contractual non-disclosure clause between organizations sufficient, or does the Act require greater due diligence?

The United States and the European Union policies with respect to this issue are quite different. The EU has taken a legislative and regulatory approach to protect personal information. Its Directive on Data Protection, which introduces privacy protection applying to the private sector, became effective on October 25, 1998. It prohibits member countries from transferring personal information to an organization located in a non-member country, unless the non-member country provides "adequate protection" for personal information through its laws and regulations.

The approach in the U.S. is generally non-legislative, due to political opposition to comprehensive legislation regarding privacy issues. Supported by the policy of the U.S. federal government, industries have developed self-regulatory measures regarding personal information protection. Consequently, the EU Directive threatens the EU/US data flows, and efforts are being made to resolve the situation through the Safe Harbor Draft Agreement, pursuant to which U.S. organizations may agree to be bound by privacy principles on a voluntary basis. Member organizations who fail to comply with the Safe Harbor principles may face prosecution under the Federal Trade Commission Act.

The new legislation on privacy is likely to affect most organizations, directly or indirectly. Accordingly, organizations should consider and may be required to take the following measures:

• conduct audits and investigations in order to determine what personal information has been collected on consumers and on employees;
• designate individuals responsible for compliance with privacy legislation;
• review their form of consent and notification of intended use (the form of consent may vary and should reflect the sensitivity of the data);
• review their current safeguards on personal information;
• prepare a procedure for individual access to and inspection of personal information;
• use any Privacy Codes that regulate their industry (e.g. CAIP);
• review the information practices of any third party data processors
• recognize that there are often lapses between corporate policy and actual practice and strive to prevent such lapses
• schedule audits of privacy practice and maintain due diligence.