RIGHTS AND OBLIGATIONS OF THE PLAYERS IN ELECTRONIC COMMERCE
PROGRESSES IN PRIVACY RULES: A CANADIAN PERSPECTIVE
By: Karine Joizil, Associate
FASKEN MARTINEAU DuMOULIN LLP
February 2004
Ms. Joizil would like to thank Ms. Charmaine Lyn, student-at-law at Fasken Martineau LLP, for her great
contribution to the drafting of the following text.
Table of contents (page)
Introduction ... 3
I. The European Approach ... 3
II. US Approach ... 5
III. Canadian Approach to Privacy Protection ... 6
A. Public Sector Data Protection ... 7
B. Private Sector Data Protection ... 7
(i) Coming into Effect and Application of PIPEDA ... 8
(ii) Provincial Private Sector Privacy Legislation ... 8
C. Analysis of PIPEDA ... 12
(i) Striking a Balance: Individual right to privacy vs. business use of personal information ... 12
(ii) Application and interpretation ... 12
(iii) CSA Code Principles ... 13
(iv) Remedies ... 19
(a) Recourse to the Privacy Commissioner ... 19
(b) Recourse to the Federal Court ... 20
Conclusion ... 21
Introduction
Electronic commerce is by its very nature trans-national, and the ever-increasing flow of
information between and across borders presents law and policy makers with challenges.
While this paper provides an overview of the legal framework of personal information
protection in Canada, such an analysis necessitates a contextual examination of privacy
regimes in other jurisdictions – particularly Europe and the United States.
Canadian lawmakers have recently introduced new personal information protection
legislation applicable to the private sector, which came fully into force on January 1,
2004.
The discourse around the protection of personal information of individuals is
characterized by a tension between the rights of such individuals to assert some level of
control over the collection, use, or disclosure of their personal information on the one
hand, and the need for businesses to conduct their affairs efficiently and profitably.
Simply put, this tension can be viewed as a conflict between individual rights to
protection of personal information and the commercial need for the use of such
information.
Indeed, attempts to regulate the protection of personal information – in various
jurisdictions – have been marked by these two competing interests.
It is possible to discern, in the European approach, a willingness to address the issue from
a rights-based perspective; in the United States, information technologies (direct
marketing, etc) have successfully swayed the American approach away from regulation.
In Canada, the approach has been to recognize the rights of individuals to control the
manner in which their personal information enters and moves about the electronic
marketplace. At the same time, the regulation of the private sector in this regard emerged
from a broad consultation with industry representatives.
I. The European Approach
The European approach to the protection of personal information can be characterized as
a pragmatic one, aimed at the attainment of a Single Market for the community. The
Council of Europe’s 1981 Convention on the Automated Processing of Personal Data1
requires signatories – that is, all EU Member States – to protect individual privacy rights
as well as facilitate a “common international standard of protection for individuals, with
1. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, ETS No. 108 (Strasbourg: Council of Europe, 1981), online: http://www.coe.fr/eng/legaltxt/108e.htm.
the aim that the free flow of information across boundaries could proceed without
disruption.” 2
In addressing the competing demands between individual privacy protection and the
commercial need for information flow, the EU has adopted a prescriptive, rules-based
model, which finds expression in Directive 95/46/EC on the protection of individuals
with regard to the processing of personal data and on the free movement of such data,
adopted by the European Parliament and Council on October 24, 1995 (note 3).
The EU Directive emerged from lengthy and complex negotiations between member
states4. Its main purpose, according to one author, was to “harmonize the level of
protection afforded to personal data by the different Member States, in part to prevent the
erection of protectionist trading barriers nominally based on concern over personal data
privacy.”5. The Directive requires member states to either adopt national privacy
legislation, or to bring existing laws into conformity with the Directive’s terms6.
Importantly, the Directive provides that member states may not allow the transfer of
personal data to non-EU countries unless they provide an equivalent level of data
protection7.
In the context of data protection, characterized by conflicting interests of individual
privacy protection and the free flow of information, Article 1 of the EU Directive sets out
the object of the Directive as follows:
In accordance with this Directive, Member States shall protect the
fundamental rights and freedoms of natural persons, and in particular their
right to privacy with respect to the processing of personal data.
Despite the “very stark and unambiguous assertion of the human-rights based approach
envisaged by the European Union legislators”8 the nature of the “fundamental rights”
referred to by the drafters remains less than absolute. The protection afforded by the
Directive is only operative in respect of activities within the EU’s competence to act;
2. Andrew Charlesworth, “Data Privacy in Cyberspace: Not National vs. International but Commercial vs. Individual” in Lilian Edwards & Charlotte Waelde, eds., Law and the Internet: A Framework for Electronic Commerce (Oxford: Hart Publishing, 2000), 79-122 at 85. It appears that the Council of Europe Convention was developed from the OECD’s Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data, 1980, infra, note 27; see Charlesworth, page 85, note 17.
3. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal, L 281, 23/11/1995 p. 0031), in Thomas Hoeren & Jochen Stauder, eds., International Sources of Electronic Commerce Regulation (Münster: LIT Verlag, 2001) at 24, available online: http://europa.eu.int/comm/internal_market/privacy/law_en.htm [hereinafter, the “EU Directive”].
4. Charlesworth, supra note 2 at 86.
5. Charlesworth, supra note 2 at note 21 and accompanying text.
6. Article 32, EU Directive.
7. Article 25, EU Directive.
8. Charlesworth, supra note 2 at 89.
there are wide exemptions in respect of the activities of government agencies as well as
in respect of third party processors9.
Nevertheless, according to one scholar:
The way in which the Directive is drafted demonstrates that the EU retains
the desire, not always readily apparent on the part of individual Member
States, actively to intercede in commercial activity by way of legal
regulation, and to make clear that it is doing so to protect the rights of the
individual. The drafters of the Directive are also clearly aware that, where
sufficient international consensus exists, whether on human rights
grounds, or for pragmatic economic reasons, it is possible, despite the
rhetoric of ungovernability surrounding the Internet, to exert control over
the content of cross-border data flows, and to subject multinational entities
to national and international regulation.10
II. US Approach
Unlike the European model, US legislators have adopted a more selective, sector-specific
approach to the regulation of data protection11.
While US law does not explicitly provide a constitutional basis for a right to privacy,
federal and state legislators have recognized the right “to be left alone”, but largely in
terms of physical privacy (e.g. freedom from government surveillance where one has a
reasonable expectation of privacy)12 and decisional privacy (a woman’s right to decide
whether or not to have an abortion)13.
Furthermore, constitutional law has been used as the basis to protect privacy rights only
in the exercise of those rights against government actors. While constitutional rights
prevent the government from interfering with an individual’s rights, “they do not require
the government to protect those rights against third parties.”14 Thus, according to one
author:
“Records held by third parties, such as financial records, rental records or
telephone records, are usually not protected unless a legislature has
enacted a specific law, and even then that law may be subject to challenge
9. Charlesworth, supra note 2 at 89.
10. Charlesworth, supra note 2 at 90.
11. Patricia Wilson, “Privacy Law in Canada”, in Osler, Hoskin & Harcourt, LLP, Doing Business in Canada (January 2003), online: http://www.osler.com/index.asp?navid=1086&layid=1124&csid=3328&csid1=1299, at 50.
12. Charlesworth, supra note 2 at 92, citing Katz v. U.S., 386 US 954 (1967).
13. Ibid. note 2 at 90-92, and citing Roe v. Wade, 410 US 113 (1973).
14. Charlesworth, supra note 2 at note 53 and accompanying text, citing Fred H. Cate, Privacy in the Information Age (Washington, D.C.: Brookings Institution Press, 1997) at 99.
for infringing the First Amendment [freedom of expression] rights of those
wishing to hold or use those records.”15
The US approach, characterized by its patchwork of legislation has been summarized by
leading authors as follows:
The biggest problem with the statutory scheme is that there is no overall
privacy policy behind it. As even a partial list of privacy laws indicates,
they address a hodge-podge of individual concerns. The federal statutory
scheme most resembles a jigsaw puzzle in which the pieces do not fit.
That is because the scheme was put together backwards. Rather than
coming up with an overall picture and then breaking it up into smaller
pieces that mesh together, Congress has been sporadically creating
individual pieces of legislation that not only do not mesh neatly but also
leave gaping holes.16
In contrast to the EU approach described above, the US government has demonstrated an
unwillingness to “actively intercede in the commercial use of personal data…particularly
in the sphere of electronic commerce, where it has shown a great reluctance…to involve
itself in any form of regulatory behaviour, up to, and including, taxation.”17
A comparison of the US and EU approaches reveals that the two regimes reflect similar
concerns not to unnecessarily constrain commerce, or interfere with expression rights, or
unduly restrict law enforcement and regulatory bodies. Both systems require certain
minimum standards of personal data protection from commercial and private sectors, and
both consider certain types of data more sensitive than others, and thus deserving of an
elevated level of protection18. Given that the basic criteria for data management in the
public sector differs “surprisingly little” from that of the EU, it has been argued that it is
the “US treatment of the private sector as being the main obstacle to a convergence in
data privacy laws between the EU and the USA.”19. As one author puts it:
The key difference between the two approaches comes down to the fact
that the EU Directive provides for a legislatively backed data privacy
regime in its Member States, which applies to both public and private
sector, is overseen by national regulatory authorities and provides
remedies to individuals whose data privacy rights are breached.20
15. Charlesworth, supra note 2 at 92.
16. Charlesworth, supra note 2 at 93, citing Ellen Alderman & Caroline Kennedy, The Right to Privacy (New York: Random House, 1997) at 330-331.
17. Charlesworth, supra note 2 at 94.
18. Ibid. at 95.
19. Ibid.
20. Ibid.
Resistance, on the part of US commercial enterprises, to a privacy regime like that
envisaged under the EU Directive may be linked to the fact that the EU approach requires
credible oversight and enforcement mechanisms, and legal redress for the individual.
“These are two things that are noticeably lacking from either existing US federal
legislation or the privacy policies currently being promoted by the new on-line industry
of self-regulatory bodies such as TRUSTe, the Online Privacy Alliance or BBBonline.”21
III. Canadian Approach to Privacy Protection
Against the backdrop of the EU and US approaches, the Canadian approach – as it finds
expression most recently in Canada’s new private sector privacy legislation – appears to
be an attempt to strike a meaningful balance between the competing interests of
individual privacy rights and commercial use of personal data. This section provides a
brief overview of the legislative framework for public and private sector privacy
protection in Canada; and then proceeds to a closer analysis of Canada’s new private
sector privacy law.
A. Public Sector Data Protection
Public sector management of personal information is governed by the Privacy Act22,
which took effect on July 1, 1983. The Privacy Act places limits on the collection, use and
disclosure of the personal information of Canadians by some 150 federal government
departments and agencies.
At the provincial level, all but Newfoundland have enacted privacy legislation with
respect to the handling of personal information by government agencies. All jurisdictions
with data protection legislation provide Canadians with a general right to access and
correct their personal information, as is the case under the federal Privacy Act.
B. Private Sector Data Protection:
The Personal Information Protection and Electronic Documents Act23 (PIPEDA) is
Canada’s new federal private sector privacy legislation. In very general terms, PIPEDA
requires that a business wishing to collect, use or disclose personal information about
individuals first obtain the consent of the individual (subject to some limited exceptions).
Such personal information may be used or disclosed only for the purpose(s) for which the
individual gave consent. Even with consent, collection, use and disclosure of personal
information must be limited to purposes that a reasonable person would consider
appropriate under the circumstances.
Individuals have a general right of access to and the correction of personal information
that a business holds about them. As is the case with the Privacy Act, PIPEDA is
21. Ibid. at 104.
22. Privacy Act, R.S. 1985, chapter P-21.
23. Personal Information Protection and Electronic Documents Act, R.S. 2000, Chapter 5 [hereinafter, “PIPEDA”].
overseen by the Privacy Commissioner of Canada, who is charged with ensuring respect
of the law, and redress if rights are violated.
On December 20, 2001, the European Commission issued an important decision
recognizing that the protection of personal data as set out in PIPEDA satisfies the
rigorous standards of the EU Directive 95/46/EC. Canada is the first non-European
country to be so recognized24. According to the Commission’s decision, “Canada is
considered as providing an adequate level of protection for personal data transferred from
the [European] Community to recipients subject to the Personal Information Protection
and Electronic Documents Act.”25
As mentioned above, the EU Directive precludes the transfer of personal information
from EU member states to non-EU countries that do not provide a level of protection for
personal data that meets EU standards.
(i) Coming into Effect and Application of PIPEDA
PIPEDA has come into effect across Canada in three major stages. First, as of January 1,
2001, PIPEDA has applied to personal information about customers or employees in the
federally regulated sector in the course of commercial activities. These sectors include
transportation, communications, broadcasting, and banking sectors, as well as businesses
in Canada’s three territories. PIPEDA also applies to information sold across provincial
and territorial boundaries.
Second, as of January 1, 2002, the Act has also applied to personal health information
collected, used or disclosed by these organizations.
Finally, on January 1, 2004, the Act came fully into effect, applying to all personal
information collected, used or disclosed in the course of commercial activity within a
province, including provincially regulated organizations.
The federal government may exempt organizations or activities in provinces that have
enacted privacy legislation that is deemed substantially similar to the federal Act.
(ii) Provincial Private Sector Privacy Legislation
The Province of Quebec has private sector data protection legislation in force. In fact, the
Act Respecting the Protection of Privacy in the Private Sector26 (ARPPPS) was enacted
in 1994, making Quebec the first Canadian jurisdiction to have introduced private sector
privacy legislation.
24. Industry Canada News Release, “European Commission Recognizes Canadian Legislated Privacy Protection” (January 14, 2002), comment by the Honourable Pierre Pettigrew, Canada’s Minister of International Trade, online: http://www.ic.gc.ca/cmb/welcomeic.nsf/ICPages/NewsReleases.
25. European Commission Decision 2002/2/EC, available online under heading “Third Countries”, and subheading “Canada” at: http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm.
26. An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., chapter P-39.1.
The Quebec Act is based on the “fair information principles” set out in the Organization
for Economic Cooperation and Development (OECD) “Guidelines on the Protection of
Privacy and Trans-border Flows of Personal Data,”27 to which Canada acceded in 1984.
The Quebec Act regulates the collection, use and disclosure of personal information of all
members of the public and of employees held by commercial enterprises in the
provincially regulated private sector. It also applies to private sector collection, use and
disclosure of personal health information. The Act is overseen by the provincial Privacy
Commissioner.
Under the Quebec Act, when collecting personal information, private sector enterprises
must:
§ have a serious and legitimate interest in constituting a file;
§ state why a file is being constituted by stipulating its object;
§ obtain the information from the person concerned, unless the person or the Act authorizes the information to be collected from a third person;
§ collect only the information required for the stipulated object;
§ inform the person concerned of the object of the file, the use that will be made of it, and the categories of people within the enterprise that will have access to it;
§ tell the person concerned where the file will be kept, and ensure that the person understands his or her rights of access and correction.
When holding, using or communicating personal information, private sector enterprises
must:
§ introduce security measures to ensure that the information remains confidential;
§ ensure that the information is accurate and up-to-date when using it to make a decision about the person concerned;
§ obtain the consent of the person concerned before using personal information:
· if the information is not relevant to the object of the file;
· to communicate personal information to another party;
§ ensure that the person's consent to use or communicate the information is manifest, freely given, enlightened and given for a specific purpose, and that it covers a limited period.
27. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available online: http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html [hereinafter, “OECD Guidelines”]; see Patricia Wilson, “Privacy Law in Canada”, in Osler, Hoskin & Harcourt, LLP, Doing Business in Canada (January 2003), online: http://www.osler.com/index.asp?navid=1086&layid=1124&csid=3328&csid1=1299, at 51.
Moreover, when communicating outside Quebec information relating to persons residing in
Quebec, or entrusting a person outside Quebec with the task of holding, using or
communicating such information on its behalf, every person carrying on an enterprise must
take all reasonable steps to ensure:
(a) that the information will not be used for purposes not relevant to the object of the file or communicated to third persons without the consent of the persons concerned; and
(b) in the case of nominative lists28, that the persons concerned have a valid opportunity to refuse that personal information concerning them be used for purposes of commercial or philanthropic prospection, and if need be, to have such information deleted from the list.
On November 19, 2003, Quebec’s private sector legislation was officially deemed to be
substantially similar to the federal law29. The effect of having been deemed substantially
similar is that Part 1 of the federal PIPEDA (Protection of Personal Information in the
Private Sector) will not apply to those organizations in the province of Quebec that are
subject to the private sector privacy legislation for the collection, use and disclosure of
personal information within the province.
PIPEDA will, however, continue to apply to federal works, undertakings and businesses
in the province of Quebec, as well as all trans-border collections, uses, and disclosures of
personal information in the course of commercial activity30.
The Quebec government is preparing a constitutional challenge against PIPEDA as it
believes that the federal government has overstepped its constitutional bounds. On
December 17, 2003, the government of Quebec issued an order to that effect31. It
appoints the Attorney General of Quebec to dispute the constitutional validity of the
Federal Act before the Court of Appeal of Quebec.
The following question will be addressed to the Court of Appeal for adjudication.
“Does Part 1 of the Personal Information Protection and Electronic
Documents Act exceed the legislative competence which the Constitution
Act of 1867 confers to the Parliament of Canada.”
Alberta and British Columbia also have privacy laws that came into force on January 1,
2004, but they have not yet been deemed substantially similar.
The Personal Information Protection Act (PIPA) of Alberta deals exclusively with issues
of privacy by granting rights to people in relation to their own personal information. It
28. A nominative list is a list of the names, addresses or telephone numbers of natural persons.
29. Privacy Commissioner of Canada, “Privacy Legislation in Canada”, online: http://privcom.gc.ca.
30. Organizations in the Province of Quebec Exemption Order, (2003) 137 Gaz. Can. II, 2917.
31. Décret 1368-2003, (2004) 2 G.O. II, 184.
does not grant access to the personal information of others or to an organization’s
confidential business information.
The Alberta government says that it drafted PIPA to take the needs of Alberta businesses
into account. Eighty-seven (87) Alberta industry associations were consulted prior to the
enacting of PIPA. The Act will not apply to non-profit or charitable organizations unless
they are carrying on commercial activities such as the sale of donor, membership or other
clients.
Under PIPA, businesses need to ask Albertans for their consent when collecting their
personal information. The consent can be verbal or in writing. Albertans must be told
how their personal information will be used and disclosed. They should also be provided
with a contact to call if they have questions.
Businesses have to limit the type of information which they collect to only what is
needed for specific transactions with their customers and employees, make reasonable
arrangements to prevent unauthorized access to information and store personal
information for only as long as it is reasonably required.
Albertans have the right to see the information held about them and are able to make
corrections to errors.
The Alberta legislation gives Alberta’s Information and Privacy Commissioner the
power to monitor the Act, investigate complaints and issue orders.
Albertans can complain to the Information and Privacy Commissioner if they believe
their rights have been violated. Further to a determination by the Commissioner that the
Act has been breached, one can apply to the court to recover damages.
British Columbia’s Personal Information Protection Act applies to all provincially
regulated private sector organizations and describes how they must handle their
customers’ and employees’ personal information.
Unlike the Alberta Act, the BC Act also applies to non-profit organizations.
Organizations are responsible for all information under their control including
information their contractors are using.
Consent to the collection of personal information from an individual or another source, its
use or disclosure is required. Consent is considered given when an individual, knowing
the purpose of the collection of his or her information, gives out the information.
However, the organization may decide whether express, written consent is desirable
depending on what it considers to be reasonable for the individual, the circumstances of
the collection, the proposed uses or disclosures of the information and the sensitivity of
the information.
The BC Act has special rules for “employee personal information”. The organization may
collect, use and disclose employee personal information without consent if it is
reasonable for starting, managing or ending an employment relationship with the
individual involved. A notice to the employee or prospective employee is usually
needed.
The organization may collect personal information only for reasonable purposes and only
the amount and type of information reasonably needed to carry out the purposes for
which it is collected. Notice should be given to the individual as to the reason why the
information is collected prior to or at the time of the collection.
When buying or selling a business, one may collect, use and disclose information without
consent when those involved agree to do so only for the transaction and when they need
the information to decide whether to buy or sell. Once the transaction is completed, the
organization receiving the personal information may continue to use and disclose it, but
the information can only be used and disclosed for the purpose for which it was originally
collected. Furthermore, the information must relate solely to the business. If the
transaction does not proceed, the organization which received the personal information
must destroy or return it.
As in the other jurisdictions, the BC Act provides that individuals have a right to be
given access to their own personal information, to know how their information is being
used or has been used, and also to know to whom and in what situation their information
has been disclosed.
C. Analysis of PIPEDA
(i) Striking a Balance: Individual right to privacy vs. business use of personal
information
The attempt to regulate the collection, use and disclosure of personal information
presents the legislature with a significant challenge: balancing the protection of the right
to privacy and the business use of personal information. These competing interests are
explicitly acknowledged in Part 1 of PIPEDA, which deals with the Protection of
Personal Information in the Private Sector, as follows:
The purpose of this Part is to establish, in an era in which technology
increasingly facilitates the circulation and exchange of information, rules
to govern the collection, use and disclosure of personal information in a
manner that recognizes the right of privacy of individuals with respect to
their personal information and the need of organizations to collect, use or
disclose personal information for purposes that a reasonable person would
consider appropriate in the circumstances.32
32. Section 3, PIPEDA.
The balancing of individual privacy and commercial use interests is also evident in
PIPEDA’s incorporation of the Canadian Standards Association Model Code for the
Protection of Personal Information33, which forms the substantive obligations with which
every organization must comply34 .
Notably, the CSA Code is the product of a collaborative effort on the part of
representatives of a range of groups, including federal and provincial governments,
financial services, telecommunications, cable television and direct marketing industries,
consumer advocates, organized labour, and experts in security and information
technology. The CSA Code was developed in response to the OECD Guidelines, which
continue to be regarded as the “touchstone of privacy discourse”35 since its adoption in
1980.
(ii) Application and interpretation
The provisions of Part 1 of PIPEDA apply to every organization in respect of personal
information that the organization collects, uses or discloses in the course of commercial
activities, or is about an employee of the organization and that the organization collects,
uses or discloses in connection with the operation of a federal work, undertaking or
business36.
Some of the definitions set out in PIPEDA are noteworthy37: ‘commercial activity’ means
any particular transaction, act or conduct or any regular course of conduct that is of a
commercial character, including the selling, bartering, or leasing of donor, membership
or other fund-raising lists; an ‘organization’ includes an association, a partnership, a
person and a trade union; and ‘personal information’ is defined as information about an
identifiable individual, but does not include the name, title or business address or
telephone number of an employee of an organization.
The provisions of Part 1 of PIPEDA do not apply to any government institution to which
the Privacy Act applies; any individual in respect of information that the individual
collects, uses or discloses exclusively for personal or domestic purposes; or any
organization in respect of personal information collected, used or disclosed for
journalistic, artistic or literary purposes.38 This last exemption is also found in the EU
Directive39.
33 Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 [hereinafter, “CSA Code”].
34 Section 5, PIPEDA, subject to sections 6 to 9.
35 LIM, Yee Fen, Cyberspace Law: Commentaries and Materials (Oxford: Oxford University Press, 2002) at 132.
36 Section 4(1), PIPEDA.
37 Section 2, PIPEDA.
38 Section 4(2), PIPEDA.
39 Article 9, EU Directive.
(iii) CSA Code Principles
As mentioned above, the substantive obligations with which Canadian organizations must
now comply under PIPEDA are found in the CSA Code, incorporated as Schedule 1 to
the Act. The ten principles set out in the CSA Code can be summarized as follows:
Principle 1: Accountability – An organization is responsible for personal information
under its control and shall designate an individual or individuals who are accountable for
the organization’s compliance with the following principles40. In the context of e-commerce, an organization that mandates a third party to manage its website and
provides that third party with the relevant information shall take measures to ensure that the
third party complies with the principles stated in the CSA Code and with the Act. For
example, the contract between the organization and the third party should provide for
periodic due diligence or information audits, in order to allow the organization to verify
that the third party does not use the personal information for purposes other than those for
which it was provided and does not communicate it to others.
The organization must establish measures to protect personal information and to train its
staff with respect to privacy.
The organization’s privacy policy shall be available on its website so that consumers can
review it, together with the complaint procedure.
Principle 2: Identifying Purposes – The purposes for which personal information is
collected shall be identified by the organization at or before the time the information is
collected41.
This principle is limited by the terms of section 5(3) of PIPEDA, which limits the
purposes for which personal information is collected, used, or disclosed to those that a
reasonable person would consider appropriate in the circumstances.
The rationale of the identifying purposes principle is to ensure that the collection, use, or
disclosure of personal information is limited to that which is really needed by the
organization. Furthermore, identifying the purpose(s) enables the individual whose
personal information is at issue to give her or his informed consent, which is required
under Principle 3 of the CSA Code. To that end, the purposes must be stated in a manner
that will allow the individual to reasonably understand how the information will be used
or disclosed42. Thus, on screen or by a link to its privacy policy, the organization must
indicate to the individual the reasons that justify the collection of the personal
information.
40 Clause 4.1, Schedule 1, PIPEDA.
41 Clause 4.2, Schedule 1, PIPEDA.
42 Clause 4.3.2, Schedule 1, PIPEDA.
Principle 3: Consent – The knowledge and consent of the individual are required for the
collection, and subsequent use, or disclosure of personal information, except where
inappropriate43.
Consent may be express or implied, depending on the nature of the information in
question. Where information is likely to be considered sensitive, it is recommended that
the organization seek the express consent of the individual44. In general, financial
information and information about personal health, education, or employment should be
considered sensitive45. Consent may be given in many ways including by signing a form,
checking off a box, or verbally over the telephone46.
After agreeing to provide an electronic signature to indicate receipt of a delivery, an
individual discovered that his electronic signature had been posted in the tracking section
of the company website, along with his name and address and the delivery status of the
parcel. When he asked that his electronic signature be removed, he was told that it was
impossible.
On the matter of use, the Commissioner determined as follows:
· The company had not informed the complainants of, or sought consent for, any use it intended to make of their electronic signatures beyond the immediate purpose of indicating receipt.
· Despite the requirement, there was no evidence that the company had ever made a practice of obtaining consent for its further intention of placing electronic signatures on its Web site and using them for the purpose of providing a tracking service to its customers.
· A reasonable person would not have considered such use appropriate in any circumstances, especially given the demonstrated potential for unauthorized disclosure of the signatures through simple manipulation of PINs.
On the matter of collection, the Commissioner determined as follows:
· Despite the company's contention that the alternative of accepting paper signatures had been covered under company policy at the time, there was no evidence to suggest that any such aspect of policy had been widely understood or implemented by the company's service representatives.
· There was little doubt that electronic signing had been presented to the complainants as their only option. The company had thus required the complainants to consent to the collection of the electronic signatures as a condition of the supply of service.
· The next question to be considered was whether the collection had been required to fulfil explicitly specified and legitimate purposes.
· As suggested above, the purpose of placing electronic signatures on the company Web site for use in tracking shipments was neither explicitly specified nor legitimate. Furthermore, the ostensible and immediate purpose for the collection had been to indicate receipt of a parcel, but that purpose could have been fulfilled by other means – notably, a signature on paper.
· An electronic signature could not then be said to have been a requirement for the fulfilment of the purpose.
43 Clause 4.3, Schedule 1, PIPEDA.
44 Clause 4.3.6, Schedule 1, PIPEDA, compare with Article 8 of the EU Directive.
45 See, Canadian Standards Association, “Making the CSA Privacy Code Work for You – A Workbook on applying the CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830) to your Organization”, December 1996.
46 Clause 4.3.7, Schedule 1, PIPEDA.
In sum, the Commissioner determined that the electronic signatures had not been required
to fulfill explicitly specified and legitimate purposes and that the company had therefore
not been justified in demanding them as a condition of service47.
PIPEDA sets out several situations in which personal information can be collected
without the knowledge or consent of the individual to whom the information relates.
These include: where collection is clearly in the interests of the individual and consent
cannot be obtained in a timely way48; where it is reasonable to expect that the collection
with the knowledge or consent of the individual would compromise the availability or the
accuracy of the information and the collection is reasonable for the purposes related to
investigating a breach of an agreement or a contravention of a federal or provincial law49;
where the collection is solely for journalistic, artistic or literary purposes50; or where the
information is publicly available and is specified in the regulations51.
An individual may also withdraw consent at any time, subject to legal or contractual
restrictions, and provided they give reasonable notice. Individuals shall be informed of
the implications of such withdrawal52.
An organization cannot refuse to offer a good or a service to a person simply because he
or she does not consent to the collection, use or communication of personal information
that is not necessary for the identified purposes.
The Privacy Commissioner of Canada found that the complaint of an individual about an
airline’s use of “cookies” on its website was well founded. The complainant, who had
disabled permanent cookies, was unable to proceed to the home page because the website
was coded in such a way that it would not allow him to proceed until the cookie had been
stored53.
47 Online: PIPED Act Case Summary #71, http://www.privcom.gc.ca/cf-dc/cf-dc_020905_e.asp
48 Section 7(1)(a), PIPEDA.
49 Section 7(1)(b), PIPEDA.
50 Section 7(1)(c), PIPEDA.
51 Section 7(1)(d), PIPEDA.
52 Clause 4.3.8, Schedule 1, PIPEDA.
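The cookie complaint turns on how the site was coded: access to the home page depended on a persistent cookie actually being stored, so a visitor whose browser dropped persistent cookies was redirected indefinitely. The following is an added example, not code from this paper or from the airline in question, contrasting that blocking design with one that serves the page regardless and sets a persistent identifier only after the visitor opts in. The cookie names `visitor_id` and `cookie_consent`, the request and response shapes, and the browser simulation are assumptions made for illustration.

```javascript
// Added example (not from the paper). Two server-side "gates" for a home page:
// one that refuses to serve the page until a persistent cookie is stored, and
// one that treats the persistent cookie as optional and consent-based.

// Parse a raw Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Build a Set-Cookie header value. A Max-Age attribute makes the cookie
// persistent; without it the browser keeps the cookie only for the session.
function buildSetCookie(name, value, { maxAgeSeconds, path = '/' } = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`,
                 'Secure', 'HttpOnly', 'SameSite=Lax'];
  if (maxAgeSeconds !== undefined) attrs.push(`Max-Age=${maxAgeSeconds}`);
  return attrs.join('; ');
}

const TRACKING_COOKIE = 'visitor_id';      // hypothetical persistent identifier
const CONSENT_COOKIE = 'cookie_consent';   // hypothetical session-scoped opt-in
const ONE_YEAR = 365 * 24 * 3600;

// Blocking design: redirect back to "/" until the persistent cookie is present.
// A browser that drops persistent cookies never leaves the redirect loop.
function blockingGate(request) {
  const jar = parseCookieHeader(request.headers.cookie);
  if (!jar[TRACKING_COOKIE]) {
    return {
      status: 302,
      headers: {
        location: '/',
        'set-cookie': buildSetCookie(TRACKING_COOKIE, request.newVisitorId, { maxAgeSeconds: ONE_YEAR }),
      },
      body: '',
    };
  }
  return { status: 200, headers: {}, body: 'home page' };
}

// Consent-based design: the page is always served. The persistent identifier is
// set only when the visitor has opted in, and its absence never blocks access.
function consentGate(request) {
  const jar = parseCookieHeader(request.headers.cookie);
  const headers = {};
  const consented = jar[CONSENT_COOKIE] === 'yes';
  if (consented && !jar[TRACKING_COOKIE]) {
    headers['set-cookie'] = buildSetCookie(TRACKING_COOKIE, request.newVisitorId, { maxAgeSeconds: ONE_YEAR });
  }
  return { status: 200, headers, body: 'home page', tracking: consented };
}

// Simulate a browser that keeps session cookies but may refuse persistent ones,
// following redirects up to maxHops. Returns the final status, the number of
// redirects followed, and whether the persistent identifier ended up stored.
function simulateVisit(gate, { persistentCookiesEnabled, initialJar = {}, maxHops = 5 }) {
  const jar = { ...initialJar };
  let hops = 0;
  let response;
  for (;;) {
    const cookieHeader = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
    response = gate({ headers: { cookie: cookieHeader }, newVisitorId: 'v-0001' });
    const sc = response.headers['set-cookie'];
    if (sc) {
      const [pair, ...attrs] = sc.split('; ');
      const persistent = attrs.some((a) => a.startsWith('Max-Age='));
      if (!persistent || persistentCookiesEnabled) {
        const [name, value] = pair.split('=');
        jar[name] = value;
      }
    }
    if (response.status !== 302 || hops >= maxHops) break;
    hops++;
  }
  return { status: response.status, hops, tracked: Boolean(jar[TRACKING_COOKIE]) };
}
```

Running `simulateVisit(blockingGate, { persistentCookiesEnabled: false })` reproduces the complaint: the visitor is still on a 302 after the hop limit. The consent gate returns 200 on the first request whether or not persistent cookies are accepted, and sets `visitor_id` only when the session carries `cookie_consent=yes`, which is the behaviour the identifying-purposes and consent principles call for.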
Principle 4: Limiting Collection – The collection of personal information shall be
limited to that which is necessary for the purposes identified by the organization.
Information shall be collected by fair and lawful means54.
The interpretation of this principle is closely tied to the obligation of organizations to
identify the purposes for which personal information is collected, used, or disclosed.
Before offering online services, an organization shall determine whether the information
sought is really necessary. Moreover, if the organization has a contractual agreement with
an Internet intermediary (computer server, browser, search engine, etc.), it should advise its
clients of the potential collection of their personal information and offer them the possibility
of opting out.
Principle 5: Limiting Use, Disclosure, and Retention – Personal information shall not
be used or disclosed for purposes other than those for which it was collected, except with
the consent of the individual or as required by law. Personal information shall be retained
only as long as necessary for the fulfilment of those purposes55. For e-transactions, it
would be appropriate to indicate to clients for how long their information will be kept, to
allow them to exercise their access and rectification rights. The personal information
should be kept for as long as possible because litigation could occur.
Section 7(2) of PIPEDA provides that an organization may use personal information
without the knowledge or consent of the individual when:
(a) in the course of its activities, the organization becomes aware of
information that it has reasonable grounds to believe could be useful in the
investigation of a contravention of the laws of Canada, a province or a
foreign jurisdiction that has been, is being or is about to be committed, and
the information is used for the purpose of investigating that contravention;
(b) it is used for the purpose of acting in respect of an emergency that
threatens the life, health or security of an individual;
(c) it is used for statistical, or scholarly study or research, purposes that
cannot be achieved without using the information, the information is used
in a manner that will ensure its confidentiality, it is impracticable to obtain
consent and the organization informs the Commissioner of the use before
the information is used;
(c.1) it is publicly available and is specified by the regulations; or
53 Online: PIPED Act Case Summary #162, http://www.privcom.gc.ca/cf-dc/2003/cf-dc_030416_7_e.asp
54 Clause 4.4, Schedule 1, PIPEDA.
55 Clause 4.5, Schedule 1, PIPEDA.
(d) it was collected in the interests of the individual and consent cannot be
obtained in a timely way; or the collection is reasonable for purposes
relating to investigating a breach of an agreement or a contravention of a
federal or provincial law and requiring consent would compromise the
availability or accuracy of the information.
Section 7(3) sets out circumstances in which organizations may disclose personal
information without the knowledge or consent of the individual. These situations can be
summarized as follows:
(a) disclosure to legal counsel representing the organization;
(b) disclosure for the purpose of collecting a debt;
(c) disclosure in order to comply with a subpoena or warrant;
(d) disclosure in response to a request from government or a government
institution pursuant to lawful authority for personal information in relation
to matters such as national security, law enforcement, or the
administration of any law of Canada or a province;
(e) disclosure at the initiative of the organization to an investigative body,
a government institution where the organization believes the information
relates to matters such as the breach of an agreement, a contravention of
the law, or national security;
(f) disclosure in an emergency threatening the life, health, or security of an
individual, with the proviso that the organization informs the individual
that the information is about without delay and in writing;
(g) disclosure for statistical, or scholarly study or research where it is
impracticable to obtain consent, providing that confidentiality is
maintained and the Commissioner is informed;
(h) disclosure to the archives;
(i) disclosure at the earlier of one hundred years after the record containing
the information was created or twenty years after the death of the
individual the information is about;
(j) disclosure of information that is publicly available and is specified in
the regulations;
(k) disclosure made by an investigative body where reasonable for
purposes relating to investigating a breach of an agreement or a
contravention of the laws of Canada or a province; or
(l) required by law.
Principle 6: Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used56.
Principle 7: Safeguards – Personal information shall be protected by security safeguards
appropriate to the sensitivity of the information57. Organizations offering goods and
services on the Internet shall take measures to secure the network they use, such as
contractual agreements with their intermediaries.
A company accused of failing to safeguard information of online contest entrants was
held liable after an individual complained. Several participants in online contests run by
the company received calls from persons falsely claiming to represent the company. The
company had admitted that unauthorized persons had obtained personal information but
was unable to explain how.
Principle 8: Openness – An organization shall make readily available to individuals
specific information about its policies and practices relating to the management of
personal information58.
Principle 9: Individual Access – Upon request, an individual shall be informed of the
existence, use, and disclosure of her personal information and shall be given access to
that information. An individual shall be able to challenge the accuracy and completeness
of the information and have it amended as appropriate59.
Principle 10: Challenging Compliance – An individual shall be able to address a
challenge concerning compliance with the above principles to the designated individual
or individuals accountable for the organization’s compliance60.
(iv) Remedies
(a) Recourse to the Privacy Commissioner
Under PIPEDA, an individual may file with the Privacy Commissioner a written
complaint against an organization for the contravention of a provision, or for not
following a recommendation set out in Schedule 1. If the Commissioner is satisfied that
there are reasonable grounds to investigate, the Commissioner may initiate a complaint61.
In carrying out investigations, the Commissioner is vested with the powers to summon
and enforce the appearance of persons and to compel them to give evidence on oath and
produce records in the same manner as a superior court of record62. The Commissioner
may administer oaths63; receive and accept evidence64; enter premises other than
dwelling-houses occupied by an organization to verify compliance with security
requirements65; converse in private with any person in any such premises66; and examine
or obtain copies of or extracts from records found in any such premises67. The
Commissioner may attempt to resolve complaints by means of dispute resolution
mechanisms such as mediation and conciliation68. The powers described herein may also
be delegated69.
56 Clause 4.6, Schedule 1, PIPEDA.
57 Clause 4.7, Schedule 1, PIPEDA.
58 Clause 4.8, Schedule 1, PIPEDA.
59 Clause 4.9, Schedule 1, PIPEDA.
60 Clause 4.10, Schedule 1, PIPEDA.
61 Section 11, PIPEDA.
The Commissioner must prepare a report in respect of complaints filed or initiated by the
Commissioner, but retains the discretion not to prepare such a report if, for example, a
more appropriate recourse is available70, or if the complaint is trivial, frivolous or
vexatious71. However, if no report is prepared, the Commissioner must inform the
complainant and the organization and give reasons72.
The Commissioner’s report contains the Commissioner’s findings and recommendations,
any settlement reached by the parties, a request, where appropriate, that the organization
submit to the Commissioner notice of any action to be taken to implement the
recommendations, and the recourse, if any, to the Federal Court73.
It is clear from a reading of these provisions that the Commissioner is not empowered to
make binding orders, but only recommendations. This ‘ombuds’ role is consistent with
the Commissioner’s powers as set out in the Privacy Act74.
(b) Recourse to the Federal Court
A complainant may apply to the Court for a hearing after having received the
Commissioner’s report75. The Commissioner may also apply to the Court with the
consent of the complainant76.
62 Section 12(1)(a), PIPEDA.
63 Section 12(1)(b), PIPEDA.
64 Section 12(1)(c), PIPEDA.
65 Section 12(1)(d), PIPEDA.
66 Section 12(1)(e), PIPEDA.
67 Section 12(1)(f), PIPEDA.
68 Section 12(2), PIPEDA.
69 Section 12(3), PIPEDA.
70 Section 13(2)(b), PIPEDA.
71 Section 13(2)(d), PIPEDA.
72 Section 13, in fine, PIPEDA.
73 Section 13, PIPEDA.
74 Robert H. Botterell et al, “Working with the new privacy rules”, The Continuing Legal Education Society of British Columbia, online: http://www.cle.bc.ca/cle/analysis/collection/00-5020400-privacy.
75 Section 14(1), PIPEDA.
76 Section 15(a), PIPEDA.
There can be no application to the court if the Commissioner did not prepare a report. In
this case, the remedy would be an application for judicial review of the Commissioner’s
decision not to prepare a report77.
The Federal Court may hear matters in respect of the following provisions of Division 1
of Part 1 and Schedule 1 of the PIPEDA:
Schedule 1
Clause 4.1.3 – an organization is responsible for personal information in
its possession or custody, including that personal information transferred
to a third party for processing;
Clause 4.2 – an organization shall identify purposes of collection of
personal information.
Clause 4.3 as modified or clarified by Division 1 – an organization may
collect, use, or disclose personal information without the knowledge or
consent of individual only under the circumstances listed in sections 7(1),
(2), and (3) respectively;
Clause 4.3.3 – an organization shall not require consent as condition of
supply of product or service, beyond that required to fulfil specified &
legitimate purposes;
Clause 4.4 – the collection of personal information is limited to that
necessary for purposes identified; personal information may be collected
only by fair and lawful means;
Clause 4.5 as modified or clarified by Division 1 – an organization shall
not use or disclose personal information for purposes other than those for
which it was collected, except with consent or as required by law or as
allowed by s. 7(4); an organization shall retain personal information only
as long as necessary for those purposes, subject to s. 8(8);
Clause 4.6 – personal information shall be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used;
Clause 4.7 – organizations shall protect personal information by
appropriate security safeguards;
Clause 4.8 – organizations shall make readily available to individuals
specific information about their policies and practices relating to personal
information;
Clause 4.9 as modified or clarified by Division 1 – upon request,
individual shall be informed of existence, use, and disclosure of his/her
personal information, shall be given access to it, and be able to challenge
accuracy and completeness and have it amended, subject to ss. 8(1), 9(1),
9(2), 9(2.4), 9(3), 9(4), and 9(5).
Part 1 of Act
Section 5(3) – an organization may collect, use or disclose personal
information only for reasonably appropriate purposes;
Section 8(6) – an organization may charge an individual for responding to
an access request only if the organization has informed the individual of
the approximate cost and the individual has advised that the request is not
withdrawn;
Section 8(7) – an organization must set out reasons in writing for refusing
an access request, along with recourse available to individual; and
Section 10 – an organization shall give access to personal information in
an alternative format if reasonable and necessary.
77 Botterell et al, supra note 74 at 17.
PIPEDA provides that the Federal Court may, in addition to any other remedies it may
give,
(a) order an organization to correct its practices in order to comply with its
obligations;
(b) order an organization to publish a notice of any action taken or
proposed to be taken to correct its practices, whether or not ordered to
correct them under paragraph (a); and
(c) award damages to the complainant, including damages for any
humiliation that the complainant has suffered78.
Conclusion
Organizations doing business in Canada, and more particularly those carrying on commercial
activities through the Internet, must be aware of the Canadian legislation on privacy: PIPEDA
as well as the ARPPPS of Quebec and the PIPAs of Alberta and British Columbia.
For Quebec organizations, the federal Act will apply to extraprovincial commercial
activities, but when the commercial transaction occurs solely in Quebec it is the provincial
law that will govern the activity, as the Quebec Act is deemed substantially similar to
PIPEDA. As the Alberta and British Columbia acts have yet to be declared
substantially similar to PIPEDA, businesses in those two jurisdictions will have to
comply with PIPEDA and their provincial legislation.
78 Section 16, PIPEDA.
The provincial acts and PIPEDA are essentially based on the same principles, but some
differences exist; for example, implied consent is not authorized in the Quebec Act,
contrary to what is provided in PIPEDA. Therefore, it is suggested that, until the
Supreme Court of Canada determines the constitutional validity of PIPEDA and clarifies
which piece of legislation should apply in the provincial territory, organizations comply
with the more restrictive standards, irrespective of whether they are stated in the federal or the
provincial acts.