[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Canada

Constitutional Privacy Framework

Canada's Charter of Rights and Freedoms (the Charter)[1547] does not provide a guaranteed right to privacy. Despite the lack of an explicit constitutional right to privacy, Canada's courts have recognized an individual's right to a reasonable expectation of privacy as part of the Charter right to be secure against unreasonable search or seizure (Section 8).[1548] The degree of privacy protection under Section 8 depends on the reasonable expectations of the individual in the circumstances.[1549] In R. v. Edwards, the Supreme Court of Canada identified several factors that define "reasonable expectations" in this context.[1550]

Courts have also suggested that the individual has a right to privacy as part of the right to "life, liberty and security of the person" under Section 7 of the Charter. The Supreme Court of Canada has suggested that there may be a Section 7 right to privacy when dealing with medical records,[1551] the physical integrity of the person[1552] and decisions that are intensely personal.[1553] The Federal Court of Appeal has also noted the emerging view that Section 7's liberty interest includes a right to privacy, based again on reasonable expectations and the degree of potential infringement.[1554]

Statutory Rules on Privacy

Privacy is regulated in both the public and private sectors in Canada, and at both federal and provincial levels. The Privacy Act[1555] regulates the federal public sector, while provincial and territorial statutes offer public sector privacy protection in those jurisdictions. The Personal Information Protection and Electronic Documents Act (PIPEDA)[1556] applies to private sector commercial activities throughout the country, with the exception of three provinces (Alberta, British Columbia and Quebec) that have enacted "substantially similar" provincial legislation of their own. Four provinces have passed legislation for the protection of information in the health sector.[1557]

Public Sector Privacy Protection

The federal Privacy Act has been in force in Canada since 1983, protecting the personal information of individuals held by federal government institutions. It governs the collection, use and disclosure of personal information held by most federal public agencies and provides individuals with a right of access to personal information held by those agencies, subject to some exceptions.[1558] The Act also sets out the mandate and duties of the federal Privacy Commissioner, who is responsible for investigating and resolving complaints under the Act, conducting audits of federal agencies, making recommendations for changes in governmental data management practices, and reporting annually to Parliament. The Commissioner does not have order-making powers under this Act.

In June 2006, the Privacy Commissioner of Canada released “Government Accountability for Personal Information,” suggestions on reforming the Privacy Act.[1559] The document urges government to address the problem of trans-border data flows; reconsider the Act’s disclosure standard; increase accountability of government institutions in outsourcing of personal information; ensure greater transparency, accountability and oversight over the activities of national security agencies, including more stringent reporting requirements to Parliament; and expand the scope of privacy rights and incorporate more robust privacy principles. A review by the government has yet to take place.

Data protection legislation covering government bodies also exists in all 10 provinces and three territories.[1560] In most cases, provincial legislation covers access to information rights (i.e., rights to access government information) as well as data protection in the public sector. In two cases, (Quebec and New Brunswick), data protection and access to information are covered in separate statutes.

Federal Private Sector Privacy Protection

The Personal Information Protection and Electronic Documents Act (PIPEDA) was approved by the federal Parliament in April 2000.[1561] The Act deals with protection of data that is collected, used or disclosed in the course of commercial activity. The Act applies to every private sector organization (federally regulated and most provincially regulated organizations) that collects, uses or discloses personal information, as well as to federally regulated employers with respect to their employees. The purpose clause of the Act[1562] recognizes not only individual rights to data protection, but also "the needs of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." The Act incorporates a private sector Code for the Protection of Personal Information[1563] that was developed by a multi-stakeholder committee of the Canadian Standards Association (CSA). The CSA Code sets out 10 privacy principles: accountability, purpose, openness, consent, limiting use and collection, disclosure, retention, individual access, safeguards, accuracy, and challenging compliance. Specific exceptions to the general requirement for knowledge and consent to any collection, use or disclosure are set out in Section 7 of the Act.

While the Act applies to provincially regulated private organizations, it does not apply to provincially regulated organizations in provinces that have enacted their own privacy legislation deemed to be "substantially similar" by the federal government. Presently, provinces that have enacted "substantially similar" private sector privacy legislation are Alberta,[1564] British Columbia[1565] and Quebec.[1566]

In 2006, the House of Commons Standing Committee on Access to Information, Privacy and Ethics conducted PIPEDA’s Section 29-mandated five-year review. The Committee produced the “Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics,” which contains twenty-five recommendations.[1567] Main recommendations include: distinguishing when express, implied or deemed/opt-out consent are required;[1568] clarifying the “disclosure without consent” exceptions;[1569] inclusion of a data breach notification requirement whereby the Privacy Commissioner would be notified and would determine whether further notification is necessary.[1570]

The Committee recommended against any amendments to PIPEDA with respect to transborder flows of personal information.[1571] It further suggested that the Commissioner not be given order-making powers at this time.[1572] Critics doubt the ability of the Act to meet and adapt to the changing needs of information technology. “...[B]y issuing a tepid report that rejects the changes that many privacy advocates believe are necessary to improve the effectiveness of the current legal framework”, observed Michael Geist, “[m]ost of the major issues presented to the Committee, including beefing up the Privacy Commissioner's powers, adopting a ’name and shame’ approach for privacy violators, and safeguarding Canadian data that is outsourced to other jurisdictions, were met with indifference, as the Committee recommended no further reforms.”[1573] The data breach notification requirement was not as robust as it could have been, as notification is directed to the Privacy Commissioner rather than to affected individuals. The issue of transborder data flows received little attention in the review, despite a recent decision of the Supreme Court affirming the Commissioner’s jurisdiction to investigate transborder data flows.[1574]

Provincial Private Sector Privacy Protection

Quebec's Act Respecting the Protection of Personal Information in the Private Sector came into effect in 1994, long before PIPEDA. It regulates the collection, confidentiality, correction, disclosure, retention and use of personal information by businesses in that province. It also provides individuals with a right of access and correction. The British Columbia and Alberta Acts both came into effect on January 1, 2004. They apply to personal information collected, used and disclosed by all businesses and non-profit organizations in those provinces that are not covered by public sector statutes.

Although considered "substantially similar" by the federal government, there are significant differences between PIPEDA and the provincial Acts. First, PIPEDA's rules are based on a general principle of consent; the provincial Acts go one step further to carve out consent obligations in specific areas such as employee information and business transactions. Unlike PIPEDA, the British Columbia and Alberta Acts contain a grandfathering provision, which provides that information collected by the private sector before the Act comes into force does not need consent. The British Columbia and Alberta Acts also allow the collection, use and disclosure of an employee's personal information without consent as long it is done for "reasonable" purposes, while PIPEDA makes no distinction between personal information collected for employment or commercial activities. The provincial acts also allow the provincial Privacy Commissioners to issue binding orders to settle disputes; the federal Privacy Commissioner is restricted to making recommendations.

In addition to statutes cited above, four provinces (British Columbia, Saskatchewan, Manitoba, and Newfoundland) have legislation creating a statutory tort of invasion of privacy of a person. Quebec's Civil Code includes several provisions that create causes of action based on invasion of an individual's privacy.

Sector-Specific Privacy Legislation

A number of other federal statutes address the privacy of personal information in specific sectors. For example, the Bank Act,[1575] Insurance Companies Act,[1576] and Trust and Loan Companies Act[1577] permit regulations regarding the use of information provided by customers. Under the Telecommunications Act,[1578] the Canadian Radio-Television and Telecommunications Commission (CRTC) is mandated to regulate telecommunications companies so as "to protect the privacy of persons," among other policy objectives. It has done so mainly through regulations governing the confidentiality of customer records, the ability of customers to block the display of their names and numbers on the telephone sets of people and to regulate unsolicited communications by rules governing telemarketing (but not spam).

Additional privacy protections are built into the Young Offenders Act[1579] and the Corrections and Conditional Release Act.[1580] The Young Offenders Act regulates the information that can be disclosed about offenders under the age of 18, while the Corrections and Conditional Release Act speaks to the information that can be disclosed to victims and their families.

Some provinces also have sector-specific laws to protect personal information, including health-specific privacy laws, consumer credit reporting laws, laws regulating information from credit unions, and legislation imposing restrictions on the disclosure of personal information held by private investigators and other professionals. Ontario,[1581] Alberta,[1582] Manitoba,[1583] and Saskatchewan[1584] have all passed health privacy legislation, which sets rules for the collection, use, and disclosure of personal health information. These laws apply to personal health information held by hospitals, government ministries, regulated health professionals, and other health care facilities or information custodians.

Supervisory Authorities for Privacy Laws

Both the Privacy Act and PIPEDA are overseen by the independent federal Privacy Commissioner of Canada, an officer of Parliament who is appointed by, and reports directly to, the Parliament of Canada.[1585] The federal Office of the Privacy Commissioner (OPC) is charged with investigating complaints, promoting public awareness of privacy issues and researching privacy issues. Provincial and Territorial privacy legislation is overseen by provincial oversight bodies. In most cases, the relevant authority is an Information and Privacy Commissioner, responsible for the administration of both privacy laws and access to information laws. In a few cases (Manitoba, New Brunswick, and Yukon Territory), an Ombudsman has powers to investigate matters relating to privacy as well as other matters.[1586] These oversight bodies vary significantly in their powers and scope of regulation.

The federal Privacy Commissioner receives complaints, conducts investigations and issues findings on matters related to both the public sector (Privacy Act) and the private sector (PIPEDA). Under both of these Acts, the Commissioner has the power to make recommendations; however, she cannot issue orders or impose penalties. Also under both statutes, the Commissioner has broad investigatory powers, including the power to subpoena witnesses and compel testimony, to enter premises in order to obtain documents and to conduct interviews. The Commissioner is also charged with conducting periodic audits of both federal institutions and private organizations to determine their compliance with the Privacy Act and PIPEDA, respectively. The Supreme Court of Canada recently granted leave to appeal a Federal Court of Appeal’s decision that stated that the Privacy Commissioner cannot, in the course of an investigation, compel the production of documents allegedly protected by solicitor-client privilege. The Court of Appeal held that only express language in the statute would be capable of overriding the general rule of solicitor-client privilege, and no such language exists in PIPEDA.[1587]

While not binding, the Privacy Commissioner's decisions are considered to be of national importance. In a 2004 Federal Court decision involving a Privacy Commissioner finding, the court did not hesitate to classify PIPEDA as a fundamental law of Canada.[1588] It was also determined that the Privacy Commissioner could be granted a degree of deference with regards to his or her expertise, but not to findings of fact.[1589]

In 2005-2006, the Privacy Commissioner received 1,028 complaints, nearly 35% less then the previous year. Quebec topped the list with 249, followed by Ontario with 225, while Yukon Territory recorded the lowest, with only 2 complaints.[1590] Under PIPEDA, the Privacy Commissioner received 424 complaints in 2006, compared with 400 in 2005 while 6,050 inquiries, compared with 5,685 in 2005. The noticeable decline in inquires from 12,312 in 2003 to 6050 in 2006 is an indication that “Canadian organizations and individuals are becoming more familiar with the legislation.”[1591]

Anyone can complain to the Commissioner about an alleged violation of PIPEDA. If the Commissioner is satisfied that there are reasonable grounds to investigate a matter under the Act, she may initiate her own complaint.[1592] Once a complaint is received, the Commissioner assigns an investigator to look into the matter. The investigator then submits his findings to the Commissioner, who considers the case and issues a report with recommendations. Reports must be issued within one year of the complaint. The Commissioner can also request the organization in question to submit, within a specified period of time, notice of any action taken, or proposal to be taken, to implement her recommendations.[1593]

In 2007, the Privacy Commissioner reached a “landmark in supporting Canadian privacy research by pledging $258,000 CDN in research grants to six innovative organizations.”[1594] The research program is in its fourth year and has awarded more than $1,000,000 CDN in grants covering more than 30 privacy research projects in Canada.

Some provincial Privacy Commissioners also engage in significant research, advocacy and public education. The Privacy Commissioners of British Columbia,[1595] Ontario,[1596] and Quebec[1597] all provide extensive information on privacy issues on their websites and have been active on a number of current privacy issues. For example, in 2004, British Columbia’s Privacy Commissioner launched an investigation to determine if the USA Patriot Act applies to the personal information of Canadians that has been outsourced for processing to US companies.[1598] This investigation was sparked by public concerns about the British Columbia’s government's proposal for contracting the administration of the provincial medical services plan to a Canadian subsidiary of an American company. The federal Privacy Commissioner was among many individuals and organizations who contributed a submission to the investigation.[1599] The final result of that inquiry lead to a comprehensive Federal strategy.[1600]

Surveillance

Canada's Criminal Code makes the interception of private communications a criminal offense.[1601] Police are required to obtain a court order and interception is only authorized in cases "where other investigative procedures are unlikely to succeed." The Supreme Court of Canada clarified this requirement, stating that in order to obtain a wiretapping warrant police must submit documents showing that "there is no other reasonable alternative method of investigation." The Court stressed that it is not enough to show that wiretaps are simply the most efficient way to investigate a crime, because this standard could threaten civil liberties.[1602] Amendments to the Radio Communication Act[1603] also forbid the divulgence of intercepted radio-based telephone communications. The Canadian Security Intelligence Service Act[1604] authorizes the interception of communications for national security reasons. The federal court ruled in 1997 that the Canadian Security Intelligence Service was required to obtain a warrant in all cases.[1605]

The federal Privacy Commissioner has stated that both live video pictures and recorded video pictures of individuals qualify as "personal information" and that where such surveillance takes place in a commercial context, it falls under PIPEDA.[1606] In such circumstances, video images can only be collected with consent of the individuals. The Commissioner also stated that public places should only be monitored for public safety reasons where a demonstrated need is shown. Municipal police forces in a number of Canadian cities have indicated an interest in installing public video surveillance systems, and have moved forward with such systems in some cases.

In March 2006, the Privacy Commissioner issued guidelines for the use of video surveillance.[1607] The Guidelines were developed in consultation with the RCMP and other stakeholders. The Guidelines respond to the widespread police use of video surveillance in public spaces and the potentially chilling effect on privacy, The Guidelines “help define and circumscribe the use” of the video surveillance by setting out 15 principles for evaluating whether video surveillance is necessary and for ensuring that, if it is conducted, it is done in a way that minimizes the impact on privacy. Video surveillance should only be deployed to address a real, pressing and substantial problem, should be viewed as an exceptional step. An impact assessment is required before deployment and there should be public consultation and evaluation of conformity with applicable laws.

The Federal Court held that an employer’s use of biometric voice recognition technology called E-Speak, a voice “nuance verifier” or authenticator used for logging work-related information and absence reporting, was reasonable in the circumstances.[1608] The federal Court of Appeal affirmed this decision, but clarified that the employer was required to get permission from employees. Whether employees may be disciplined for refusing to consent is still an open question.[1609]

The use of infrared technology to gather evidence of potential criminal activity was addressed by the Supreme Court of Canada in a 2004 case called R. v. Tessling.[1610] The Court concluded that the use of FLIR (Forward Looking Infra-Red) aerial cameras did not violate the individual’s Section 8 Charter right against unreasonable search or seizure by the state, because the individual has no reasonable expectation of privacy with regards to the external surfaces of his or her home. The Court further reasoned that FLIR does not offer insight into an individual’s private life, nor does it reveal anything about the individual’s "biographical core of personal information." While this decision is consistent with some previous lower court decisions,[1611] it reversed the Ontario Court of Appeal ruling from which it was appealed.

Legislative and Policy Responses to Terrorism

The Anti-Terrorism Act, passed in 2001, was designed to institute the necessary procedures and mechanisms to deter terrorism at home and cooperate with other states abroad.[1612] The Act makes it an offense to to knowingly participate or facilitate, harbor, or fund terrorist activity. It increased police electronic surveillance tools and interception capabilities, limited disclosure of information and increased exemptions on access to subject data for national security reasons. The Act further requires individuals with knowledge of a terrorist activity to be detained "preventively" and appear before a judge to offer information under the pretense of "investigative hearings." However, due to widespread protest,[1613] the Act included sunset provisions for the preventative arrest and investigative hearing powers, and in February 2007, the Parliament voted not to extend the provisions.[1614]

The Act also gave the Attorney General of Canada the power to issue blanket certificates that prohibit the disclosure of any information for the purpose of protecting international relations, national defense, or security, The certificates are subject to judicial review by the Federal Court of Appeal. Political, religious, or ideological beliefs are not considered to be terrorist activity unless they specifically met the definition of "terrorist activity." In 2007, in a unanimous decision, the Supreme Court of Canada declared that it is unconstitutional to detain people based on secret evidence, as is the situation with security certificates, and vacated that provision of the Act. Parliament now has one year to draft new legislation. Judges must now review detentions within 48 hours, and not four months after a security certificate is ruled "reasonable" by a judge. Judges must now consider how long suspects have been detained when weighing if they still pose a threat.[1615]

In a highly publicized case, a Canadian named Maher Arar brought the dangers of excessive security measures to Canadians' attention. In September 2002, Mr. Arar was detained, interrogated and imprisoned for 12 days in the US while en route home from a family holiday in Tunisia. He was then handcuffed and shackled, put on a private jet, and flown to Syria where he was subjected to intense interrogation and locked in a tiny, grave-like cell for more than 10 months. In October 2003, he was finally released and sent back to Canada. After extensive public pressure, the Canadian government agreed in January 2004 to an inquiry into the Arar affair.[1616] The Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar began its work in the spring of 2004.[1617]

In 2006, the Commission of Inquiry Judge Dennis O’Connor, who led the inquiry, released two reports. The first recommended a review of information sharing practices between the RCMP and other departments and agencies; a centralized oversight unit with expertise in national security; arm’s length review of information sharing practices and arrangements, including sharing arrangements between countries. The second report, set out Further recommendations for arm’s length review of law enforcement’s extended powers.[1618]

Since 2004, the government has been developing a National Security Policy to prepare for “current and future threats.”[1619] The Policy includes an "Integrated Threat Assessment Centre" to collect and analyze intelligence regarding national security, a Cyber-Security Task Force; and a Real Time Identification (RTID) Project for fingerprint identification. It also includes a cross-cultural Roundtable on Security, composed of persons from ethnic and religious minorities in Canada. The latest June 2007 initiative, The Passenger Protect Program, by the Transport Canada is described as “an aviation security initiative aimed at keeping people who may pose an immediate threat to aviation security from boarding a flight,” and includes four key elements, namely, identity screening regulations, specified persons list, reconsideration and appeals, privacy and human rights. [1620]

The Passenger Protect Program has been severely criticized; in June 2007, a joint statement by the federal and all provincial and territorial Privacy Commissioners called on the federal government to “suspend the new no-fly list program, Passenger Protect, until it can be overhauled to ensure strong privacy protections for Canadians, ... [as it i]nvolves the secretive use of personal information in a way that will profoundly impact privacy and other related human rights such as freedom of association and expression and the right to mobility.”[1621] The Commissioners also ask for an assurance that names of individuals identified on its no-fly list will not be shared with other countries.[1622]

Presently, the Passport Office is working on e-passport, a new international standard in travel documents embedded with an electronic chip. The chip will contain the bearer’s biography and photograph that will secure it from forgery or other tampering activities. The Passport Offices is targeting to introduce the e-passports in 2007.[1623]

Online Privacy

In May 2005, the Federal Court of Appeal ruled on the Canadian Recording Industry Association's (CRIA's) request to have Internet Service Providers (ISPs) reveal the identities of subscribers who had allegedly infringed copyright law by sharing music online.[1624] In BMG Canada Inc. v. John Doe,[1625] the Court recognized the importance of online privacy, and set out a test that plaintiffs must meet in order to obtain court orders for the disclosure of subscriber identities.[1626]

In January 2006, class actions were launched against SONY BMG in Ontario, Quebec and British Columbia for the use of DRM technologies, such as the notorious “rootkit,” on some of its CDs. In September, SONY BMG reached settlements in each jurisdiction. Included in the settlement were several terms aimed at addressing DRM-related privacy issues, though mainly, requiring a guarantee that settlement class members will not have to provide any personal data in order to use the uninstaller software provided by SONY; that SONY BMG will take commercially reasonable steps to destroy the data it collects to provide enhanced CD functionality, including logs of IP addresses; and that privacy audits are to be performed by independent third parties in 2006 and 2007.[1627]

Voting Privacy

In Canada, those 18 years or older may vote, but it is not mandatory.[1628] In 1997, Canada moved to create a centralized national voter registration database. The proposed centralization of voter registration into a national database raised privacy concerns.[1629] Canadians who are outside of the country and wish to vote must attach copies of government identity documents, which expose them to the possibility of identity theft and threatening the secrecy of their ballot.[1630] A Bill currently pending would amend the Canada Elections Act increase the amount of personal information included in the electors’ list, which is provided to political parties, Members of Parliament and candidates for fundraising purposes. In particular the Bill would add a randomly generated unique identifier and date of birth to this list.[1631]

Internet voting has been available in select locations in Ontario since November 2003. Privacy concerns with Internet voting exist in the link between the voter's computer and the ISP. Once the computer is linked to the ISP, "hackers" could access and manipulate election results.[1632]

Access to Information

Access to information (both general information and personal information) held by government is governed by statutes at both the federal and provincial levels in Canada. The federal Access to Information Act is administered by a full time Information Commissioner. Each province has its own freedom of information law, administered by an Information Commissioner or other public official.[1633]

The federal Access to Information Act[1634] provides individuals with a right of access to information held by the federal public sector. The Act gives Canadians and other individuals and corporations present in Canada the right to apply for and obtain copies of federal government records. "Records" include letters, memos, reports, photographs, films, microforms, plans, drawings, diagrams, maps, sound and video recordings, and machine-readable or computer files. The Federal Court ruled that the government has an obligation to answer all access requests regardless of the perceived motives of the requesters.

The Office of the Information Commissioner of Canada (OICC) can initiate a Federal Court review in limited circumstances relating to denial of access to records. The Information Commissioner can also investigate and issue recommendations, but does not have the power to issue binding orders. The Commissioner must investigate all complaints even if the government seeks to block him or her from so doing on the grounds that the complaints are made for an improper purpose. After numerous legal challenges brought by the federal government, it is now established that the Commissioner has authority to compel records from the Prime Minister's and ministers' offices. The OICC received 3500 complaints in 2005-2006. Out of those, the OICC completed 1,863 investigations and reviews. It carried 1,417 complaints from individuals, 237 systemic complaints over into 2007.[1635]

In May 2005, the results of a national access-to-information audit were released.[1636] The audit was conducted by 89 reporters from 45 newspapers across Canada, under the umbrella of the Canadian Newspaper Association. Reporters made access requests of several government offices to determine how well government officials are obeying access-to-information laws. The results indicated a wide range of disclosure practices, from poor compliance in Prince Edward Island to a compliance score of 93 percent in Alberta. The federal government scored only 25 percent. The report cites problems of red tape, poor disclosure, prohibitive fees, and incompliance with statutory time limits for responses across all levels of government. Information that is free of charge in some provinces and municipalities, and can cost thousands of dollars in others.

International Obligations

Canada is a member of the Organization for Economic Cooperation and Development (OECD) and relied on the OECD's 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in the drafting of the federal Privacy Act of 1982.[1637] Canada also has observer status at the Council of Europe and although it is not a member, it was a key player in the negotiations on the Cybercrime Convention. It has signed, but not yet ratified the Convention.[1638]

Canada is a member of the Asia-Pacific Economic Community, and participates in the Electronic Commerce Steering Group‘s Data Privacy Subgroup. The Privacy Subgroup developed the APEC Privacy Framework, which outlines nine privacy principles including the prevention of harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. APEC adopted the Privacy Framework in 2004, and member countries’ endorsement of the Framework means that they will continue efforts to develop a “consistent approach to information privacy protection across APEC member economies, while also avoiding the creation of unnecessary barriers to information flows.”[1639]

[1547] Canadian Charter of Rights and Freedoms, Part I of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (United Kingdom), 1982, c. 11, s. 8, available at <http://laws.justice.gc.ca/en/charter/>.
[1548] Hunter v. Southam, 2 S.C.R. 145, 159-60 (1984), available at <http://www.lexum.umontreal.ca/csc-scc/en/pub/1984/vol2/html/1984scr2_0145.html>.
[1549] R. v. Wise, [1992] 1 S.C.R. 527, R.v. M. (M.R.), [1998] 3 S.C.R. 393, available at <http://www.lexum.umontreal.ca/csc-scc/en/pub/2003/vol1/html/2003scr1_0003.html>.
[1550] [1996] 1 S.C.R. 128, available at <http://www.lexum.umontreal.ca/csc-scc/en/pub/1996/vol1/html/1996scr1_0128.html>.

[1551] L’Heureux-Dubé, in dissenting judgment but with agreement of the Court on her views of privacy, R.v. O’Connor, [1995] 4 S.C.R. 411, 1995 CarswellBC 1098, 1995 CarswellBC 1151; Canadian AIDS Society v. Ontario (1995), 25, O.R. (3d) 388 (Gen. Div); affirmed (1996), 31 O.R. (3d) 798 (C.A.), leave to appeal refused (1997), 216 N.R. 159 (note) (S.C.C.); M, (A.) v. Ryan, [1997] 1 S.C.R. 157.
[1552] Rodriguez v. British Columbia (Attorney General), [1993] 3 S.C.R. 519, available at <http://www.lexum.umontreal.ca/csc-scc/en/pub/1993/vol3/html/1993scr3_0519.html>.
[1553] R. v. Morgentaler (No. 2), [1988] 1 S.C.R. 30, available at <http://www.lexum.umontreal.ca/csc-scc/en/pub/1988/vol1/html/1988scr1_0030.html>.
[1554] Ruby v. Canada (Attorney General), [2000] 3 F.C. 589 (Fed. C.A.), available at <http://www.canlii.org/ca/cas/fca/2000/2000fca10500.html>.

[1555] Privacy Act, R.S. 1985, c. P-2, available at <http://laws.justice.gc.ca/en/P-21/index.html>.
[1556] Personal Information Protection and Electronic Documents Act, 2000, c.5, available at <http://laws.justice.gc.ca/en/P-8.6/93196.html>.
[1557] Ontario (Personal Health Information Protection Act, 2004), Manitoba (Personal Health Information Act), Saskatchewan (Health Information Protection Act) and Alberta (Health Information Act).

[1558] Privacy Act at c. P-21, supra, available at <http://canada.justice.gc.ca/stable/EN/Laws/Chap/P/P-21.html>.

[1559] Office of the Privacy Commissioner, Government Accountability for Personal Information, available at
<http://www.privcom.gc.ca/information/pub/pa_reform_060605_e.asp#002>.

[1560] A list of provincial and territory privacy laws and commissions is available at <http://canada.justice.gc.ca/en/ps/atip/provte.html>.

[1561] PIPEDA, supra. The province of Quebec has launched a constitutional challenge to PIPEDA, arguing that the federal government exceeded its jurisdiction in enacting such legislation. This case is expected to be heard by the Quebec courts in late 2005 or early 2006. Tyler Hamilton, "Privacy Law Faces Legal Challenge," The Toronto Star, December 30, 2003, available at <http://pqasb.pqarchiver.com/thestar/access/517737781.html?dids=517737781:517737781&FMT=ABS&FMTS=ABS:FT&date=Dec+30%2C+2003&author=Tyler+Hamilton&pub=Toronto+Star&edition=&startpage=A.01&desc=Federal+privacy+law+to+face+legal+challenge>.
[1562] PIPEDA at s.3, supra.
[1563] A national standard: CAN/CSA-Q830-96.

[1564] Personal Information Protection Act, S.A. 2003, c. P-6.5, available at <http://www.qp.gov.ab.ca/documents/Acts/P06P5.cfm?frm_isbn=0779726316>.
[1565] Personal Information Protection Act, S.B.C. 2003, c. 63, available at <http://www.oipc.bc.ca/legislation/PIPA2003%20(2004).pdf>.
[1566] Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1 available at <http://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/P_39_1/P39_1_A.html>.

[1567] See Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA), Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics, available at
<http://cmte.parl.gc.ca/cmte/CommitteePublication.aspx?SourceId=204322>.
[1568] Id. at Recommendation 4.
[1569] Id. at Recommendation 14.
[1570] Id. at Recommendation 23-25.

[1571] Id. at Recommendation 16.
[1572] Id. at Recommendation 18-19.
[1573] Michael Geist, “There Will Be No Privacy Reform. Get Over It”, Webblog, <http://www.michaelgeist.ca/content/view/1970/135/>.

[1574] Lawson v. Accusearch Inc., 2007 FC 125, available at <http://www.canlii.org/eliisa/highlight.do?language=en&searchTitle=
Federal+-+Federal+Court+of+Canada&path=/en/ca/fct/doc/2007/2007fc125/2007fc125.html>. The judicial review sought after the refusal from the Office of the Privacy Commissioner to initiate an investigation of the activities of a U.S. corporation called Accusearch Inc. on ground of extraterritorial effect. The Supreme Court held that “the Commissioner had jurisdiction to investigate, and that such an investigation was not contingent upon Parliament having legislated extraterritorially...” and that “PIPEDA gives the Privacy Commissioner jurisdiction to investigate complaints relating to the transborder flow or personal information” (at paras. 43 and 51).

[1575] Bank Act, c. 46, ss. 242, 244, 459, available at <http://www.canlii.org/ca/sta/b-1.01/>.
[1576] Insurance Companies Act, s. 489, s. 607, available at <http://www.canlii.org/ca/sta/i-11.8/>.
[1577] Trust and Loan Companies Act, s. 444, available at <http://www.canlii.org/ca/sta/t-19.8/>.
[1578] Telecommunications Act, 1993, c. 38, s. 39, s. 41, available at <http://www.canlii.org/ca/sta/t-3.4/>.

[1579] Young Offenders Act, C. Y-1, s. 38.
[1580] Corrections and Conditional Release Act, 1992, c. 20, s. 26, 142, available at <http://www.canlii.org/ca/sta/c-44.6/>.

[1581] Personal Health Information Protection Act, S.O. 2004, c. 3, Sched. 1, available at <http://www.canlii.org/on/laws/sta/2004c.3sch.a/20050511/whole.html>.
[1582] Health Information Act, H-5 RSA 2000, available at <http://www.qp.gov.ab.ca/Documents/acts/H05.CFM>.
[1583] Personal Health Information Act, S.M. 1997, c. 51 [C.C.S.M., c. P33.5] as am. S.M. 1998, c. 45, s. 14 (Fr.); 2001, c. 18, s. 18; 2004, c. 36, available at <http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php>.
[1584] Health Information Protection Act, S.S. 1999, c. H-0.021 [ss. 17(1), 18(2), (4), 69 not in force at date of publication.] as am. S.S. 2002, c. R-8.2, s. 77 [s. 77(2)(f), 77(4) not in force as date of publication; s. 77(4) repealed 2003, c. 25, s. 19.]; 2003, c. 25, ss.1-18; 2004, c. A-26.1, s.37; 2004, c. 65, s. 11, available at <http://www.qp.gov.sk.ca/documents/english/chapters/1999/H0-021.pdf>.

[1585] Privacy Commissioner of Canada Homepage (PCO), available at <http://www.privcom.gc.ca>.
[1586] Privacy Commissioner of Canada website <http://www.privcom.gc.ca/information/comms_e.asp#013>.

[1587] Blood Tribe Department of Health v. Privacy Commissioner of Canada, 2006 FCA 334, available at

<http://cases-dossiers.scc-csc.gc.ca/information/cms/docket_e.asp?31755>.

[1588] Eastmond v. Canadian Pacific Railway, 2004 F.T.R. 169, 2004 CF 852. 33 C.P.R. (4th) 1, 16 Admin. L.R. (4th) 275, 2004 F.C. 852 (F.C.), available at <http://www.canlii.org/ca/cas/fct/2004/2004fc852.html>.
[1589] Id.

[1590] Office of the Privacy Commissioner, Annual Report to Parliament, 2005-2006, Report on Privacy Act, available at
<http://www.privcom.gc.ca/information/ar/200607/2006_pipeda_e.asp#051>.
[1591] Id.

[1592] Stephanie Perrin, Heather Black, David Flaherty & T. Murray Rankin, The Personal Information Protection and Electronic Documents Act: An Annotated Guide (Toronto, 2001).
[1593] See generally, "Your Privacy Responsibilities: A Guide for Business and Organizations," Office of the Privacy Commissioner of Canada, December 2000.

[1594] OPC, News Release, June 27,2007, available at <http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070627_e.asp>.

[1595] Office of the Information and Privacy Commissioner for British Columbia, available at <http://www.oipc.bc.ca/>.
[1596] Office of the Information and Privacy Commissioner of Ontario, available at <http://www.ipc.on.ca/>.
[1597] Commission d'accès à l'information du Québec, available at <http://www.cai.gouv.qc.ca/index-en.html>.

[1598] Information & Privacy Commissioner for British Columbia, available at <www.oipcbc.org/sector_public/ usa_patriot_act/pdfs/report/privacy-final.pdf>.

[1599] Office of Privacy Commissioner of Canada, "Transferring Personal Information about Canadians across Borders- Implications of the USA Patriot Act,: submitted to the Office of the Information and BC Privacy Commissioner for British Columbia, available at <http://www.privcom.gc.ca/media/nr-c/2004/sub_usapa_040818_e.pdf>.

[1600] The Treasury Board of Canada Secretariat, Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flow, available at <http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/pm-prp/pm-prp_e.asp.>.

[1601] Criminal Code, c. C-46. ss. 184, 184.5, 193, 193.1 available at <http://www.canlii.org/ca/sta/c-46/>.
[1602] Janice Tibbetts, "Top Court Sets Ground Rules For Wiretaps," The Ottawa Citizen, December 15, 2000.
[1603] Radiocommunication Act, R.S.C. 1985, c. R-2, s. 9, available at <http://www.canlii.org/ca/sta/r-2/>.
[1604] Canadian Security Intelligence Service Act, Chapter C-23, available at
<http://www.parl.gc.ca/information/library/PRBpubs/8427-e.htm>.
[1605] "CSIS Has Wiretap Green light," The Hamilton Spectator, October 1, 1997.

[1606] News Release, Office of the Privacy Commissioner, June 20, 2001, available at <http://www.privcom.gc.ca/media/nr-c/nt_010620_e.asp>, and the finding is available at <http://www.privcom.gc.ca/cf-dc/cf-dc_010615_e.asp>. The case concerned the installation of security cameras in the town of Yellowknife by a local security company, Centurion Security Services. The company had installed surveillance cameras on the main street to monitor crimes as a marketing demonstration intended to generate business.

[1607] Office of the Privacy Commissioner, “Guidelines for the Use of Video Surveillance of Public Places by Police and Law Enforcement Authorities”, March 2006. available at <http://www.privcom.gc.ca/information/guide/vs_060301_e.asp>.

[1608] Turner v. Telus Communications Inc., 2005 FC 1601, available at <http://decisions.fct-cf.gc.ca/en/2005/2005fc1601/2005fc1601.html>.
[1609] Wansink v. Telus Communications Inc., 2007 FCA 21, available at <http://decisions.fca-caf.gc.ca/en/2007/2007fca21/2007fca21.html>.

[1610] R. v. Tessling, [2004] S.C.J. No. 63, 244 D.L.R. (4th) 541, 2004 S.C.C. 67, 189 C.C.C. (3d) 129, 23 C.R. (6th) 207, available at <http://www.canlii.org/ca/cas/scc/2004/2004scc67.html>.
[1611] R. v. Hutchings, 111 C.C.C. (3rd) 215, 39 C.R.R. (2d) 309 (B.C.C.A.), leave to appeal refused [1977] 2 S.C.R. x (S.C.C.). 44 C.R.R. (2d) 188 (note), available at <http://www.canlii.org/bc/cas/bcca/1996/1996bcca527.html>.

[1612] Department of Justice Press Release, "Government of Canada introduces Anti-Terrorist Act," October 15, 2001, available at <http://canada.justice.gc.ca/en/news/nr/2001/doc_27785.html>.
[1613] This was the general consensus at the University of Toronto Law School's conference "The Security of Freedom," in November 2001, where law faculty and leading experts in criminology and political science analyzed Bill C-36 and questioned the government's efforts to expand its powers at the expense of civil rights and liberties. The presenters called for increased ''democratic deliberation" and were skeptical not only of the transfer of emergency powers to the state, but were also concerned whether these new criminal laws and tougher penalties would prevent such crimes in the future. There were concerns regarding the Bill's expansion of information gathering and information suppressing powers, which could threaten citizens' privacy and lead to information warehousing, profiling, or the monitoring of legitimate political protests and the stifling of legitimate speech. Finally there were concerns with the Bill's excessive preventative arrest provisions and limited safeguards, sunset clauses, and oversight measures. Ronald Daniels, Patrick Macklem, & Kent Roach (Eds.), The Security of Freedom: Essays on Canada's Anti-Terrorism Bill (Toronto 2001).
[1614] News Release, Department of Justice. Amendments to Bill C-36. available at <http://canada.justice.gc.ca/en/news/nr/2001/doc_27902.html>. David Ljunggren, “Canada Scraps Two Anti-Terror Measures,” National Post, March 1, 2007, available at <http://www.canada.com/nationalpost/news/story.html?id=c49fa70e-8e68-489e-b18b-0478819c20bd&k=25951&p=1>.

[1615] Michelle Shephard and Tonda MacCharles, “Man Denied Fair Hearing, Court Rules,” The Toronto Star, February 24, 2007, available at <http://www.thestar.com/News/article/185343>.

[1616] British Columbia Civil Liberties Association website <http://www.bccla.org/pressreleases/04arar.htm>.
[1617] Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar <http://www.ararcommission.ca/eng/>.

[1618] Commission of Inquiry into the Actions of Canadian Officials in relation to Maher Arar, A New Review Mechanism for the RCMP’s National Security Activities, available at <http://www.ararcommission.ca/eng/EnglishReportDec122006.pdf>.

[1619] Securing an Open Society: Canada's National Security Policy, April 2004, available at <http://www.pco-bcp.gc.ca/default.asp?Language=E&Page=publications&Sub=natsecurnat&Doc=natsecurnat_e.htm>.
[1620] Transport Canada, Passenger Project, available at <http://www.passengerprotect.gc.ca/home.html>.

[1621] Office of the Privacy Commissioner, Passenger Protect Program, News Release, June 28, 2007, available at
<http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070628_e.asp>.
[1622] Id.

[1623] Passport Canada, Annual Report 2006, Success Through Partnerships, available at
<http://www.ppt.gc.ca/publications/pdfs/ar_05_e.pdf>.

[1624] CRIA argued for documents to be disclosed but they were relying on a rule that did not compel the creation of documents that did not already exist. Several of the ISPs noted that it would be too costly for them to keep the type of records that CRIA sought. Furthermore, there was no foolproof way for CRIA to demonstrate that the filesharers' Kazaa usernames would not be linked to an innocent subscribers' identity.
[1625] BMG Canada Inc. v. John Doe, 2005 FCA 193, available at
<http://decisions.fca-caf.gc.ca/en/2005/2005fca193/2005fca193.html>.
[1626] Noting that the need of plaintiffs to be able to sue those who are harming them through illegal activities must be balanced against the private rights of individuals, the court set out a test that requires a bona fide claim of illegal behavior, admissible and timely evidence linking the IP address in question to the impugned behavior, clear evidence that the information cannot be obtained from another source, and the collection of no more information than necessary for the purposes of the civil suit. In order to make out a bona fide claim, plaintiffs must show that they intend to bring an action for copyright protection based on the personal information that they obtain and that there is no other improper purpose for Seeking the identity of these persons. As well, the court stated that, "caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way". In particular, if a disclosure order is granted, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, courts should consider making a confidentiality order or identifying the defendant by initials only.

[1627] The settlement documents, available at <http://cdtechsettlement.sonybmg.ca/en/>; the detail discussion of the case is available at<http://www.cippic.ca/en/projects-cases/privacy/pipeda-complaints/>.

[1628] CIA Country Fact Book, available at <http://www.cia.gov/cia/publications/factbook/geos/af.html#Govt>.
[1629] Jean-Pierre Kingsley, Chief Electoral Officer, Canada, Statement before the House of Commons on Bill C-63, available at <http://www.elections.ca/content.asp?section=med&dir=spe&document=oct3096&lang=e&textonly=false>.
[1630] Canada's Absentee Voting website
<http://www.elections.ca/content.asp?section=ins&document=index&dir=ire&lang=e&textonly=false>.

[1631] Bill C-31, An Act to Amend the Canada Elections Act and the Public Service Employment Act, available at

<http://www.parl.gc.ca/common/bills_ls.asp?lang=E&ls=c31&source=library_prb&Parl=39&Ses=1>.

[1632] Id.

[1633] See Alasdair Roberts, Limited Access: Assessing the Health of Canada's Freedom of Information Laws, April 1998, available at <http://qsilver.queensu.ca/~foi/foi.pdf>.

[1634] Access to Information Act, C. A-1, available at <http://www.canlii.org/ca/sta/a-1/>.

[1635] The Office of the Information Commissioner of Canada, Annual Report 2006-2007, available at
<http://www.infocom.gc.ca/reports/2006-2007t-e.asp>.

[1636] Canadian Newspaper Association, News Release, May 28, 2005, available at <http://www.cna-acj.ca/client/CNA/cna.nsf/web/Public's+right+to+know+in+failing+health>.

[1637] Stephanie Perrin et al., The Personal Information Protection and Electronic Documents Act: An Annotated Guide (Toronto 2001).
[1638] Council of Europe Cybercrime Convention, available at <http://conventions.coe.int/Treaty/EN/Treaties/HTML/185.htm>.

[1639] APEC Privacy Framework, 2004, available at <http://www.apec.org/apec/news___media/2004_media_releases/201104_apecminsendorseprivacyfrmwk.MedialibDownload.v1.html?url=/etc/medialib/apec_media_library/downloads/ministerial/annual/2004.Par.0015.File.v1.1>. See also APEC Media Release,
“APEC Ministers Endorse the APEC Privacy Framework,” November 20, 2004, available at <http://www.apec.org/apec/news___media/2004_media_releases/201104_apecminsendorseprivacyfrmwk.html>.