House of Commons

1
Privacy Protection in Canada and the PIPEDA Review

• House of Commons
• Standing Committee on Access to Information,
  Privacy and Ethics
• November 20, 2006

1
2
Privacy Protection and the Online Economy

• Evolution of electronic networks and databases
  continuously presents new challenges to the
  protection of privacy
• PIPEDA was developed as a central component of
  Canadas Electronic Commerce Strategy, designed
  to establish Canada as a global leader in the
  development and use of electronic commerce
• The continued growth of electronic commerce
  across the economy depends on building business
  confidence and consumer trust.
• The protection of personal information is the
  most important factor for ensuring a high level
  of consumer trust.
• Consistent, economy-wide groundrules for privacy
  protection are necessary for business certainty
  and confidence

Value of Canadas Total Internet Sales 1999
2005 (billions)
Source Survey of Electronic Commerce and
Technology 2005, Daily April 20 2006, Statistics
Canada
3
Privacy Protection in Canada A Chronology

• 1982 Federal Privacy Act comes into force
• 1984 Canada signs OECD Guidelines on the
  Protection of Privacy and Transborder Flows of
  Personal Data
• 1996 CSA Model Code for the Protection of
  Personal Information is released Jointly
  developed by private sector, government and
  consumer/privacy advocates
• 1998 EU Data Protection Directive comes into
  force
• 1998 C-54 - Personal Information Protection and
  Electronic Documents Act (PIPEDA) is tabled
  (re-tabled as C-6 in 1999)
• January 2001 PIPEDA initially comes into force
  (Federally regulated undertakings only)
• December 2001 PIPEDA deemed as providing
  adequate privacy protection for European
  Citizens by the European Commission
• January 2004 PIPEDA comes into full force
• 2006 PIPEDA Review mandated to begin

4
PIPEDA Building Trust in the Online Marketplace
and Clarifying Rules for Digital Signatures

• Part 1 (Privacy)
• Sets rules for the protection of personal
  information that is collected, used or disclosed
  by organizations in the course of commercial
  activity
• Parts 2-5 (Electronic documents)
• Recognizes electronic signatures and provides an
  electronic alternative for doing business with
  the federal government. Amends the Canada
  Evidence Act, the Statutory Instruments Act and
  the Statute Revision Act

5
Purpose of Part 1

• S.3 to establish, in an era in which
  technology increasingly facilitates the
  circulation and exchange of information, rules to
  govern the collection, use and disclosure of
  personal information in a manner that recognizes
  the right of privacy of individuals with respect
  to their personal information and the need of
  organizations to collect, use or disclose
  personal information for purposes that a
  reasonable person would consider appropriate in
  the circumstances.

6
PIPEDA Key Features

• Applies to organizations collecting, using and
  disclosing personal information in the course of
  commercial activity
• Built on a self-regulatory initiative it is
  based on and incorporates the 10 privacy
  principles established by the National Standard
  of Canada entitled Model Code for the Protection
  of Personal Information (CAN/CSA-Q830-96)
• Model Code drafted jointly by private sector,
  consumer groups and government
• Technology neutral - protects personal
  information in all formats
• Applies across the broad marketplace
• Not based in criminal law
• Provides oversight and redress mechanisms,
  through the Privacy Commissioner of Canada and
  the Federal Court

7
PIPEDA Key Features

• Does not apply to
• Non-commercial activities, non-personal
  information
• Any government institution subject to the federal
  Privacy Act (i.e. Federal public sector
  organizations)
• Employee records in the provincially-regulated
  private sector
• Individuals who collect, use or disclose personal
  information for personal or domestic purposes
  (e.g., Christmas card lists)
• Organizations that collect, use or disclose
  personal information for journalistic, artistic
  or literary purposes

8
PIPEDA Privacy Requirements

• Organizations must comply with obligations set
  out in Schedule 1 (CSA Model Code for the
  Protection of Personal Information)
• Collection, use and disclosure subject to
  umbrella of reasonable purpose s.5(3)
• Exemptions to Schedule 1 are located in the body
  of the Act

9
PIPEDA Exemptions to Consent and Access

• Consent - s. 7
• Health/life threatening situations
• Crime/fraud investigation
• Law enforcement, national security, international
  affairs
• Debt collection
• Compliance with subpoena, warrant or court order
• Statistical, scholarly study
• Conservation of archival or historical records
• Required by law
• Access s. 9
• Reveals third party information
• Solicitor-client privilege
• Confidential commercial information
• Threat to life or security of others
• Law enforcement, national security, international
  affairs
• Information generated during dispute resolution
  process

10
PIPEDA Oversight and Redress

• Role of the Privacy Commissioner
• Commissioner is an ombudsman - cannot make
  binding orders
• Investigates received complaints or acts on own
  initiative (s.11)
• May call witnesses, compel evidence, enter
  business premises
• Mediates and conciliates disputes (s.12(2))
• May audit an organization on own initiative
  (s.18)
• Publishes complaint findings and an Annual Report
  (s.25)
• Promotes the Act and educates the public

11
PIPEDA Oversight and Redress

• Role of the Federal Court
• Any matter related to a complaint or a finding
  may be taken to Federal Court (s.14)
• By the complainant or the Privacy Commissioner
• The Court may
• order an organization to comply with the Act
• order organizations to publish notice of any
  action taken to correct its practices
• award damages, including punitive damages.

12
Offences

• The following are offences under PIPEDA s. 28
• Taking action against an employee who -
  s.27.1(1)
• Is a whistleblower
• Has refused to contravene the Act
• Is taking action to ensure that the Act is not
  contravened
• Destruction of information that is the object of
  an access request prior to recourse being
  exhausted - s.8(8)
• Obstructing Privacy Commissioner in an audit or
  investigation s.28
• Fines
• on summary conviction up to 10,000 - s.28(a)
• on indictment to a maximum of 100,000 s.28(b)

13
Regulations and Orders in Council

• Governor in Council may make regulations
• Specifying Investigative Bodies
• Regulation in force January 1, 2001
• Regulation amended March 30, 2004,
  February 8, 2005 and June 23, 2006
• Specifying publicly available information
• Regulation in force January 1, 2001
• Governor in Council may, by order
• Bind Agents of the Crown to the Act
• Order in force January 1, 2001
• Amended August 31, 2001
• Exempt from the Act organizations subject to
  substantially similar provincial privacy laws
• Policy published in Canada Gazette on August 3,
  2002

14
PIPEDA A National Standard for Privacy
Protection

• PIPEDA relies on the Constitutional Trade and
  Commerce power (s.91(2), Constitution Act, 1867)
  to establish an economy-wide set of principles
  for the protection of personal information.
• PIPEDA works in concert with provincial privacy
  laws, where they exist, to provide clear and
  consistent rules that apply evenly across the
  economy as a whole
• Encourages provinces to develop laws that
  establish privacy protection that is
  substantially similar to PIPEDA - s.26(2)(b)
• Substantially similar provincial privacy laws are
  required to incorporate the CSA Codes 10
  principles as in PIPEDA the same rules apply
  to businesses regardless of location or
  jurisdiction.
• Organizations subject to substantially similar
  provincial privacy laws are exempt from PIPEDA
• Quebec, 2003
• Alberta, 2004
• British Columbia, 2004
• Ontario (Personal Health Information Protection
  Act), 2005

15
Quebec Constitutional Reference

• November 19, 2003 Quebecs private sector
  privacy law deemed substantially similar to
  PIPEDA by Order in Council
• December 17, 2003 Quebec submits a reference to
  Quebec Court of Appeal on the constitutionality
  of Part 1 of PIPEDA
• Challenges the federal governments use of the
  trade and commerce power in relation to the
  collection, use and disclosure of personal
  information in the course of commercial activity.
  
• Claims
• PIPEDA infringes on Quebecs jurisdiction over
  property and civil rights.
• PIPEDAs substantially similar provisions give
  the federal government legal authority over the
  content of Quebec law
• As substantially similar to PIPEDA, the Quebec
  privacy law continues to apply within the
  province (business as usual)
• Decision will clarify the federal Trade and
  Commerce power in relation to provincial
  jurisdiction over property and civil rights.

16
Modifications to PIPEDA since 2001

• Anti-Terrorism Strategy
• Modifications to Aeronautics Act (December 18,
  2001)
• Allow airlines to disclose personal information
  to foreign states about persons aboard aircraft
• Anti-Terrorism Act (December 24, 2001)
• Expands PIPEDA restrictions to individuals right
  of access
• Public Safety Act, 2002, (Royal Assent May 6,
  2004)
• Amends PIPEDA to expand the ability of private
  sector to collect personal information on behalf
  of national security and law enforcement agencies
• Other Laws
• Public Servants Disclosure Protection Act (Royal
  Assent November 25, 2005)
• Amends PIPEDA to strengthen the protection of the
  identity of parties in wrongdoing disclosures
• Federal Accountability Act (Tabled April 11,
  2006)
• Modifies the Public Servants Disclosure
  Protection Acts changes to PIPEDA

17
Mandatory Parliamentary Review of PIPEDA
18
PIPEDA Review

• S.29(1) The administration of this Part shall,
  every five years after this Part comes into
  force, be reviewed by the committee of the House
  of Commons, or of both Houses of Parliament, that
  may be designated or established by Parliament
  for that purpose.
• First opportunity for a comprehensive assessment
  with participation from government, Privacy
  Commissioners Office, and other stakeholders
• The Department looks forward to the Committee
  report and recommendations

19
Initial Stakeholder Consultations

• Discussions with stakeholders began in June 2005
• Overall our discussions indicate that the Act is
  working well
• PIPEDA is regarded internationally as a
  successful model
• that balances various legislative approaches.
• Information Technology Association of Canada,
  November 22, 2005
• Banks are of the view that the Act has served
  Canadians well in protecting the personal
  information collected used and disclosed about
  them by private sector organizations
• Canadian Bankers Association, November 1,
  2005
• Some minor amendments suggested

20
Initial Stakeholder Consultations Comments

• Oversight and Redress
• Some concern expressed about the effectiveness of
  the Ombudsman-based oversight model and use of
  Federal Court as a redress mechanism
• Appreciation expressed by private sector for the
  flexibility of the Acts dispute-resolution
  approach
• Transborder Data Flows
• Requests to strengthen the Act to increase the
  protection of personal information outsourced to
  foreign jurisdictions
• Concerns that restrictions on outsourcing could
  reduce the competitiveness of Canadian business
• Technical/Definitional Issues
• Proposals to address specific issues of
  application
• Eg. Access to ones own personal information,
  consent

21
Initial Stakeholder Consultations Comments

• Employee-Employer Relationship
• Concerns expressed that PIPEDA may not adequately
  recognize the flows of information necessary to
  maintain the employee-employer relationship
• Calls to remove the privacy protection for
  employee email and fax numbers
• Mergers and Acquisitions/Business Transactions
• Requests for amendments to PIPEDAs consent
  requirements to facilitate due diligence
• Work Product
• Requests to remove privacy protection for
  information generated through the exercise of
  individuals professional responsibilities
• Eg. physicians prescribing patterns

22
Private Sector Support for Canadas Approach to
Privacy Protection

• One of the benefits that Canada enjoys is that
  in some respects, the legislation in Canada was
  created by business. Businesses had a clear and
  early stake in designing what ultimately became
  the legislation.
• (Peter Cullen, Chief Privacy Strategist,
  Microsoft Corp. February 8, 2005)
• It is heartening to note that Canada has
  already enacted such national privacy
  legislation, and I hope that the Canadian
  experience will prove to be a useful guide and
  inspiration for American legislators who are
  working on the issue in Congress.
• (Peter Cullen, Chief Privacy Strategist,
  Microsoft Corp. May, 2006)
• "The federal personal information privacy
  legislation, also known as PIPEDA, is among the
  best in the world."
• (Ray Protti, President, Canadian Bankers
  Association, Tuesday, May 9, 2006)