International In-house Counsel Journal Vol. 2, No. 7, Spring 2009, 1135–1146 Canadian Privacy Law: The Personal Information Protection and Electronic Documents Act (PIPEDA) DOMINIC JAAR PATRICK E. ZELLER Legal Counsel Vice President & Deputy General Counsel Ledjit Consulting, Inc. Guidance Software, Inc. Canada United States This white paper provides a general overview of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and discusses both the privacy requirements imposed by that Act as well as the rules governing the use of electronic documents that it sets out. Overview Introduction to PIPEDA PIPEDA is the federal legislative response to growing concerns over the protection and use of personal information that is accumulated by both public and private organizations in the course of their day-to-day operations.1 The Act sets out rules governing how such information should be handled by the organizations that collect it, and under what circumstances it may be disclosed, either to third parties or to the individual who is the subject of the information. The Act contains two main parts. The first part sets out the rules governing the collection, retention and disclosure of personal information, as well as the remedies available in the event of a suspected breach. In essence, this part of the Act establishes a framework which attempts to balance the privacy rights of individuals with the needs of organizations to collect, use, and disclose personal information in the course of commercial activities. This part of the Act is discussed in sections I and II of this document. The second part of the Act describes the circumstances in which electronic alternatives may be used to fulfill legal obligations, which, under federal laws, require the use of paper documents to record or communicate information or transactions. For example, this part includes provisions providing for the filing or retention of documents in electronic format, as well as the use of electronic documents as evidence in court proceedings. This part of the Act is discussed in section III of this document. The enactment of PIPEDA was motivated not only by the government’s concern with privacy issues within its borders, but also by privacy developments taking place in other countries with whom Canadians do business. For example, certain EU directives dealing with the protection of personal information impose restrictions on the flow of data into jurisdictions which do not have similar privacy protections in place. PIPEDA was 1 Personal Information Protection and Electronic Documents Act (“PIPEDA”), 2000 S.C., ch. 5 (Can.). International In-house Counsel Journal ISSN 1754-0607 print/ISSN 1754-0607 online 1136 Dominic Jaar and Patrick E. Zeller therefore necessary to satisfy the “adequacy” requirement of EU privacy laws and avoid the creation of non-tariff barriers to trade with EU nations.2 Scope of PIPEDA PIPEDA came into force on January 1, 2001 and was implemented in three stages. At each stage, the list of organizations required to comply with the privacy requirements of the Act expanded, with the final stage taking effect on January 1, 2004. The Act now applies to all organizations engaged in the collection, use, or disclosure of personal information in the course of any commercial activity within Canada. To better understand what this means, it is useful to refer to the definitions provided in the Act. The term “commercial activity” means “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership or other fundraising lists.”3 Early indications suggest that this term may be interpreted broadly. In one notable case, the Privacy Commissioner determined that a security company, Centurion4, who installed surveillance cameras in a public intersection, monitored the cameras, and reported incidents to the local police free of charge in an effort to generate business was engaged in a “commercial activity” for the purposes of PIPEDA compliance. The term “organization” covers everything from traditional “brick-and-mortar”-type businesses to e-commerce businesses and includes corporations, associations, partnerships, trade unions and persons.5 The application of PIPEDA also extends to certain public and government entities, provided that they are not already subject to the Privacy Act. The term “personal information” means any information about an identifiable individual, including, but not limited to: name, age, gender, race, marital status, home address, credit rating, medical history, criminal history, purchasing history, and even an image of a person.6 Personal information also includes information that, combined with other information available to the organization, can identify an individual, such as a table of customer ID numbers. Personal information does not include the name, title, or business address or telephone number of an employee of an organization.7 The term “record” is defined broadly under PIPEDA, and includes “any correspondence, memorandum, machine-readable record, or any other documentary material, regardless of physical form or characteristics, and any copy thereof.”8 Businesses must “monitor all of their files, regardless of the form of storage which may contain personal information.” In the Centurion case discussed above, the Privacy Commissioner determined that, although Centurion was not recording the surveillance camera images on a tape but was merely monitoring the cameras 24-hours a day, the images the camera displayed were “records” under PIPEDA. Finally, the “use” of information is defined as the “treatment and handling of personal information within an organization.” By contrast, “disclosure” refers to the transfer of 2 Council Directive 95/46/EC, art. 25, 1995 O.J. (L 281) 31-50. 3 PIPEDA, 2000 S.C., ch. 5, s. 2(1) (Can.). 4 Federal Privacy Commissioner says "no" to Street Surveillance Cameras (June 20, 2001), accessed at <http://www.priv.gc.ca/media/an/nt_010620_e.cfm> on May 7, 2009. 5 Id. 6 Id. 7 Id. 8 Id. Data Protection 1137 data outside the organization. It should be noted that collection, use, and disclosure of personal information are considered to be distinct events for purposes of the Act. Territorial Application Although PIPEDA is federal legislation with the force of law in all jurisdictions across Canada, the Act also permits the Privacy Commissioner to exempt a province from the application of PIPEDA where that province has enacted “substantially similar” provincial privacy legislation. In such a case, it is the provincial legislation that regulates the privacy obligations of an organization, and PIPEDA has no application. Currently, three jurisdictions have received exemptions from PIPEDA: Quebec, British Columbia, and Alberta. For the most part, the legislation in these provinces mirrors PIPEDA. However, any company engaging in personal information collection, use, or disclosure in any of these three provinces is strongly advised to consult the provincial legislation to ensure compliance with the specific privacy laws applicable in that jurisdiction. This latter advice is particularly important for companies operating in Quebec, where privacy obligations are more onerous than under PIPEDA. The legislative regime in that province is composed of two separate statutes, one governing privacy issues (An Act respecting the protection of personal information in the private sector9) and a second dealing with the use of electronic documents (An Act to establish a legal framework for information technology10). Together, these two statutes establish a framework similar to the two parts of PIPEDA. It should be noted, however, that organizations operating under the Quebec legislation are subject to more stringent requirements affecting not only the manner in which information must be recorded and stored and the protections that must be put in place by the organization, but also the manner and content of communications with the individual concerned by the information, his or her rights of access, and the limitations placed on use and disclosure. Organizations operating in Quebec should therefore avoid relying on their knowledge of PIPEDA in determining their policies and practices relating to that jurisdiction. With respect to international entities, PIPEDA does not specify the minimum level of connection that a company must have with Canada in order to be subject to its provisions. No language in PIPEDA limits its application to businesses with a physical presence in Canada, nor are its provisions explicitly limited to personal information collection, use, or disclosure occurring solely within Canada. Furthermore, the Act was enacted by Parliament partially to protect personal information in cyberspace and e-commerce transactions. Therefore, it is likely that a foreign company operating only marginally in Canada – for example, by hosting a website available to Canadian citizens or entities – will be subject to PIPEDA. Individual Rights An individual who feels that his rights under PIPEDA have not been respected has several recourses which he or she may use to challenge a company’s compliance with the Act: 9 R.S.Q. ch. P-39.1 (2006). 10 R.S.Q. ch. C-1.1 (2001). 1138 Dominic Jaar and Patrick E. Zeller By complaining directly to the company; By filing a written complaint with the Privacy Commissioner of Canada; By applying for a hearing in Federal Court, but only after receiving the Privacy Commissioner’s
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages12 Page
-
File Size-