Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Canada extends privacy protection to private sector [2000] PLBIRp 22; (2000) 54 Privacy Laws and Business International Report 3

Canada extends privacy protection to private sector

A report by Colin Bennett

THE PERSONAL INFORMATION PROTECTION and Electronic Documents Act, adopted on 4th April, is Canada's answer to data protection in the private sector. After three years, the law will apply to all private sector organisations.

On 1st January 2001, Bill C-6, the Personal Information Protection and Electronic Documents Act (PIPEDA) comes into force in Canada.^[1] With this legislation, Canada has taken a significant step towards providing a more complete set of privacy rights for its citizens. This law fills in some very important gaps in the existing patchwork of federal and provincial statutes passed over the last thirty years or so.

LAW WILL EVENTUALLY COVER THE WHOLE PRIVATE SECTOR

It is important for overseas observers to understand that Canada's federal Constitution, which devolves some very important powers on the provinces and territories, influences any public policy initiative, including privacy protection. This new law, therefore, does not and cannot regulate the entire Canadian private sector. On 1st January 2001 only businesses in the following sectors will be obliged to comply: banking, telecommunications, broadcasting, airlines and inter-provincial transportation. The law will further apply to any business that transfers personal information across provincial or international borders in the course of its commercial activities.

After three years, the law will apply to the entire private sector, including companies under provincial or territorial jurisdiction, unless they are covered by "substantially similar" provincial or territorial law. The federal government has already declared the 1993 private sector legislation in Quebec as meeting this standard. So, if the provinces and territories fail to pass "substantially similar" legislation in the next three years, Bill C-6 will apply by default to the retail sector, the manufacturing sector, some financial institutions, video-rental outlets, and indeed to most businesses that have face-to-face relations with consumers.

Thus the provincial governments are now deciding whether they want to pass their own statutes, or to do nothing and surrender an important constitutional power to the federal government, a decision that would possibly have implications for wider issues of federal/provincial relations.

EMPLOYEE RECORDS EXEMPT

Bill C-6 does not apply to areas under exclusive provincial jurisdiction, such as provincial governments, municipalities, universities, school and hospitals, most of which are already covered by public sector legislation, nor to any government institution to which the federal Privacy Act applies. It is also important to note that the legislation will not cover employee records held by the provincially regulated private sector. So, the consumer mailing lists of a big retail chain will be covered, but the information held on employees will not.

I do not expect overseas observers to understand these complexities; most Canadian experts are still quite confused. But much of this confusion is not the fault of the government. It results from the need to apply the Canadian federal Constitution to the regulation of a resource (personal information) that does not know the difference between Ontario, Quebec and B.C., nor for that matter between Canada and the United States. The passage of this law has, therefore, been accompanied by some strident exhortations on the part of privacy advocates and officials for the private sector to ignore the tricky jurisdictional questions, and to "get with the programme" - i.e. comply now.

LAW IS BASED ON THE CSA MODEL CODE

"Getting with the programme" means, in essence, adopting the ten principles that form the basis of the Canadian Standards Association's Model Code for the Protection of Personal Information. This standard was passed back in 1996 with wide- spread support from many stakeholders within the private sector. That level of broad support then convinced the federal government to base Bill C-6 on this existing consensus.

The standard is reproduced in Schedule 1 of the Bill, and the most important provision of the entire legislation states that "subject to Sections 6 to 9, every organisation shall comply with the obligations set out in Schedule 1." ^[2]

Sections 6 to 9 then attempt to clarify and reinforce the language of the CSA standard, some of which is quite vague. For example, Principle 3 of the standard states that "the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate."

SITUATIONS WHERE CONSENT IS NOT REQUIRED

Section 7 of the legislation tries to define the circumstances under which collection without consent would be appropriate: where the collection is clearly in the interests of the individual; where it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a contravention of a law of Canada; where the collection is solely for journalistic, artistic or literary purposes; or where the information is publicly available and is specified by the regulations.^[3]

This is an exhaustive set of exceptions. By inference, every other form of collection would require both the knowledge and consent of the individual. A similar set of requirements are provided for both the use and disclosure of information without consent.^[4] Principle 9 of the standard, on individual access and correction, is similarly given greater precision by Section 8 of the legislation. Therefore, in order to understand the full requirements of this legislation, one needs to comprehend the obligations in both the standard and the law.

COMMISSIONER'S WIDE INVESTIGATIVE POWERS

Oversight of the legislation is given to the federal Office of the Privacy Commissioner, the agency established in the late 1970's to oversee the Federal Privacy Act. Bill C-6, like the Privacy Act, is based on a complaints- driven, or ombudsman, model. The Privacy Commissioner is therefore given extensive powers to investigate complaints, call witnesses, compel evidence and inspect business premises.

He is also empowered to audit an organisation's practices on "reasonable grounds" and to make recommendations. He has the power to make his findings public if he believes it would promote the public interest, arguably a significant threat for a private business. He is also able to undertake public education and awareness programs, but he has no binding powers. He must apply to the federal court for enforcement, which can impose penalties and award punitive damages, with no upward limit.

This legislation relies substantially on processes of mediation and conciliation. In his initial comments on C-6, the current Commissioner, Bruce Phillips, has been very careful to stress that neither he nor his staff want powers of enforcement: "The 15 years of experience that my office has had with an ombuds role for complaint investigation has shown that heavy-fisted enforcement is not necessary to secure the privacy rights of Canadians. Rather than emphasising confrontation, the ombudsman's role emphasises resolving complaints. Perhaps ultimately more important, it emphasises correcting the underlying problems that lead to those complaints."^[5]

PROBLEMS ASSOCIATED WITH BUILDING ON THE CSA CODE

Bill C-6 has been long in the making. In retrospect, one can discern a clear national strategy for privacy protection that goes back to the mid-1980's: an encouragement of self-regulation based on the OECD Guidelines; a harmonization and updating of those codes through the Canadian Standards Association; and an embodiment of the result (the 1996 Model Code for the Protection of Personal Information) in federal law.

Employing a bottom-up approach to the privacy problem, this law builds upon the existing attempts to encourage self-regulation. This process has, however, produced some distinctive legacies, which in turn will pose some future challenges for implementation.

First, basing the legislation on the standard has produced what some consider a quite cumbersome statute. The drafters have tried to clarify the words of the standard, but there are still many grey areas. Moreover, the major trade associations, such as the Canadian Bankers Association, the Canadian Direct Marketing Association, and the Insurance Bureau of Canada have already adopted codes of practice based on the standard.

There will undoubtedly be a temptation for member companies to argue that they are in compliance with the sectoral code, which is in turn based on the CSA standard, which in turn forms the basis of the legislation. The prior efforts at selfregulation have undoubtedly forced the more responsible companies in Canada to pursue higher standards of privacy protection. But there will undoubtedly be discrepancies between the law and those earlier codes. The Privacy Commissioner and his staff will need to be very vigilant of attempts by associations and companies to use compliance with the standard as leverage with consumers and regulators.

HEALTH DATA ENJOYS A LONGER TRANSITIONAL PERIOD

A second issue has arisen with regard to personal health information. The passage of C-6 was characterised by a highly politicised conflict over the application of the law to health institutions and health information. Overseas observers might find this dispute very strange, given the general agreement in Canada and elsewhere that health information can be extraordinarily sensitive and therefore deserving of very high standards of protection.

The lobbying against C-6 by healthcare stakeholders focused on an attempt to provide an exemption for health information on the grounds that healthcare is a provincial responsibility. ^[6] Moreover, it was pointed out that the CSA standard was negotiated with little input from the health care community, and with the general expectation that the standard was really more applicable to consumer information, than health information.

This lobbying produced a highly politicised dispute in the Senate, characterised by unnecessary and exaggerated rhetoric from all sides, and arguments over the interpretation of competing legal opinions. In the end the Senate amended the House version of the bill to give the health sector a further year to comply with the legislation. The Industry Minister reluctantly accepted this amendment for fear that a further debate in the House of Commons would exhaust available parliamentary time.

NOT AN INTERNET-FOCUSED LAW

A third legacy stems from the government's explicit attempt to link privacy protection to its more general effort to promote electronic commerce. On passage, Industry Minister Manley claimed that "the new law provides the privacy protection that is the foundation of electronic commerce, moving Canada to the forefront of the digital economy... It will help build trust in electronic commerce with its assurance of pro- tection for personal information in digital form."^[7]

There is no doubt that private sector privacy protection would not have reached the federal agenda without the advent of the Internet and associated information transactions. The unintended consequence of this strategy, however, is that many people (including some in the media) have received the impression that C-6 is solely an internet-related bill. In fact, C-6 makes no distinctions on the basis of the technology with which personal information is collected.

Some critics have also adopted the position that C-6 is not really a privacy protection law at all, but merely a "data protection" statute designed to support and legitimise existing business practices. This view has motivated one Canadian Senator to introduce a "Privacy Rights Charter" which would, in her opinion, emphasise the importance of privacy as a human right, and serve as an overarching framework for other legislation, including C-6.^[8]

WILL PROVINCES FOLLOW SUIT?

Finally, there is a lingering possibility of a constitutional challenge to C-6 in the courts. Whether this occurs will likely have more to do with larger issues in Canadian politics than privacy. But some provinces do resent the attempt by the federal government to force their hand on this issue.

Some constitutional experts have testified that C-6 is unprecedented in setting a time limit within which provincial governments would be expected to pass similar legislation. As a strategy to build a more complete set of privacy rights in Canada, however, the law is having its desired effect, as there have already been consultation exercises in some provinces, including British Columbia and New Brunswick.

CONCLUSIONS

When the Canadian Justice Minister announced in Ottawa at the 1996 Annual Meeting of the Privacy Commissioners that the government would have a private sector privacy law in place by the year 2000, many, including myself, were sceptical that they would meet that deadline. But the federal government, and Industry Canada in particular, has worked very hard to pass this legislation.

It would have been nice to have been able to construct a Canadian privacy statute without having regard to federalism, and without having to worry about existing regulatory and self-regulatory mechanisms. But there is never a blank slate. Given the existing landscape, the government has perhaps done as well might be expected. They have created a quite distinctive law, which has much of the same content as data protection statutes in Europe, but which is embedded within the Canadian administrative culture and privacy tradition.

But C-6 is very much a beginning rather than a conclusion. Responsibility now lies with the Canadian provinces to pass their own laws, with the federal Privacy Commissioner to educate, mediate and investigate, and with the private sector to "get with the programme."

More about the Privacy Rights Charter on p. 21.

This report was written for Privacy Laws & Business by Colin J. Bennett Department of Political Science University of Victoria PO Box 3050 Victoria BC, V8W 3P5, Canada. Tel: + 1 250 721 7495 Fax: + 1 250 721 7485 e-mail: cjb@uvic.ca http://www.cous.uvic.ca/poli/bennett The text of the new law is available at Canada's Privacy Commissioner's website http://www.privcom.gc.ca

Footnotes

[1] See http://e-com.ic.gc.ca for a copy of the legislation and related official documents and news releases.

[2] Personal Information Protection and Electronic Documents Act, Section 5(1). Only Part I of this legislation pertains to privacy and data protection. The government, for reasons pertaining to available parliamentary time, included also provisions on electronic documents in Part II.

[3] Ibid. Section 7(1).

[4] Ibid. Sections 7(2) and 7(3)

[5] Speech to the Centrum Conference on Bill C-6, Toronto, 10th December 1999. http://www.privcom.gc.ca/ english/02_05_a_991210_e.htm

[6] Several provinces (including Manitoba, Saskatchewan and Alberta) have already passed specific legislation pertaining to health information.

[7] News release, 13th April 2000. http://www.e-com.ic.gc.ca/english/ releases/41d13.html

[8] Senate of Canada, Charting Our Future Together: Consultation on a Draft Charter of Privacy Rights, 3rd March 2000.