Canada's privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act ("PIPEDA"). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.
PIPEDA, S.C. 2000, c. 5 (Can.) was enacted on April 13, 2000 to support and promote electronic commerce by protecting "personal information" collected, used, or disclosed by public or private entities conducting business in Canada. PIPEDA is blanket federal legislation, and it applies unless "substantially similar" provincial legislation has been adopted. To date, Quebec, British Columbia, Alberta, and Ontario have all adopted substantially similar "provincial legislation." Accordingly, PIPEDA applies throughout Canada with the exception of certain provinces. While PIPEDA is comprehensive legislation, it has attracted criticism due to its level of generality and also because of perceived weakness in its enforcement mechanisms.
PIPEDA does not apply to organizations to which the Privacy Act applies, nor does it apply to non-profit organizations and charitable activities unless they are of a "commercial nature." However, PIPEDA does cover the personal information of customers and employees of "federal works, undertakings and businesses." The Privacy Commissioner of Canada has made it clear that, "[g]enerally speaking, PIPEDA would apply to the personal information handling practices of private-sector organizations engaged in online tracking, targeting, profiling, and cloud computing." See Stoddart, Jennifer (Privacy Commissioner of Canada), Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting and Cloud Computing (discussed in greater detail, infra). Indeed, the Privacy Commissioner notes that the "dominant theme of our work in 2009 was the protection of privacy in an increasingly online, borderless world." Therefore, it is reasonable to suspect that online privacy and data collection increasingly will be on the radar of the Privacy Commissioner.
The Privacy Commissioner of Canada was established in 1990 pursuant to the Privacy Act, and is authorized to receive and investigate complaints under both the Privacy Act as well as PIPEDA, and is responsible for overseeing the enforcement of both Acts. If necessary, the Privacy Commissioner, after investigation or audit, can invoke the help of the Federal Court, which can then order companies to: comply with the provisions of PIPEDA, publish notices or corrections, and award damages (including punitive damages). Similarly, Alberta and British Columbia have their own privacy commissioners whose roles are to oversee the implementation and enforcement of respective provincial privacy legislation. While the Privacy Commissioner is certainly active in investigating and responding to complaints, the case summaries in the Annual Report of the Office of the Privacy Commissioner of Canada on the Personal Information and Electronic Documents Act (2009) and the Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting and Cloud Computing demonstrate that, more often than not, the Commissioner is reasonable in working with an organization to bring them into compliance, and does not seem to be "heavyhanded" in either levying fines or referring matters to the Federal Court.
To read the remainder of this paper, please contact Rick Bortnick at firstname.lastname@example.org. A special thank you to our colleague Pamela Pengelley, who was instrumental in helping with the research and preparation of this paper. This publication would not have been written without her support.
Originally published on CyberInquirer.
Please add at the end of every article: www.cozen.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.