Internet and Information Technology Law September 18th – Privacy Law Allyson Whyte Nowak UVIC.

Date posted: 21-Dec-2015

Page 1:

Internet and Information Technology Law

September 18th – Privacy Law

Allyson Whyte Nowak

UVIC

Page 2:

I. Privacy Legislation in Canada

A. Federal

Privacy Act, R.S. 1985, c.P-21

Personal Information Protection and Electronic Documents Act (PIPEDA), S.C.2000, c.5

B. Provincial

Personal Information Protection Act, S.B.C. 2003, c.63 (PIPA)

Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (FIPPA)

Page 3:

The Privacy Act

enacted July 1, 1983

public sector legislation affecting federal government departments and agencies

October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act

Page 4:

PIPEDA

Section 3: Purpose

The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

Page 5:

PIPEDA: Statistics

In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:

– there is a “significant backlog of complaints”

– there was a “large drop” in 2005 in the number of complaints filed under PIPEDA

Page 6:

PIPEDA: Statistics

In 2005 the largest number of complaints were against financial institutions BUT

The number of complaints was just over half of what they were in 2004

In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)

Page 7:

PIPEDA

Section 4(1): PIPEDA applies to every organization in respect of personal information that,

4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities

4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

Page 8:

PIPEDA

PIPEDA does not apply to:

any government institution to which the Privacy Act applies

any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose

any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))

Page 9:

How are employees’ privacy rights protected in the private sector?

Substantially similar legislation (B.C., Alta, Quebec)

Sector-specific legislation (Alta, Sask, Mtba, Ontario)

Provincial Human Rights legislation

Common law right to privacy

Page 10:

Statutory right to Privacy

A statutory tort of invasion of privacy has been created in:

– B.C.

– Saskatchewan

– Manitoba

– Newfoundland

– Quebec

Page 11:

Common Law

Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT

a recent decision recognized that the tort of invasion of privacy may exist:

– Somwar v. McDonald’s (2006), 79 O.R. (3d) 172

Page 12:

A. Sources of PIPEDA

i) EU Directive

ii) Model Code

iii) E-com Strategy

iv) Bill C-54

v) OECD Guidelines

Page 13:

B. Definitions

CUD

FWUB

Personal Information

Organization

Commercial activity

Page 14:

“Personal Information” (s.2(1))

defined to mean information about an identifiable individual

exclusions: name, title, or business address or telephone number of an employee of an organization

Page 15:

“organizations” (s.2(1))

defined to include an association, a partnership, a person and a trade union

corporations are “persons” pursuant to s. 35(1) of the Interpretation Act

Page 16:

“commercial activity” (s.2(1))

definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

Page 17:

C. PIPEDA Part 1, Division 1

Protection of Personal Information

Subsection 5(1):

“Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”

Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code

Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

Page 18:

The 10 Principles

1. Accountability

2. Identifying purposes

3. Consent

4. Limiting Collection

5. Limiting use, disclosure and retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual access

10. Challenging compliance

Page 19:

PIPEDA

s.7(1): Collection without Knowledge or consent

An organization may collect personal information without the knowledge or consent of the individual where,

collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))

Page 20:

PIPEDA

in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))

the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))

Page 21:

PIPEDA

s.7(2): Use without Knowledge or Consent

An organization may use personal information without the knowledge or consent of the individual only if,

the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))

Page 22:

PIPEDA

It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))

It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))

Page 23:

PIPEDA

Subsection 7(3): Disclosure without Knowledge

An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,

made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))

for the purpose of collecting a debt owed (s.7(3)(b))

compelled by law (s.7(3)(c))

Page 24:

D. PIPEDA Part 1, Division 2

Remedies

filing of complaints (s.11)

the Commissioner’s powers (s.12)

the Commissioner’s Report (s.13)

application to the Federal Court (s.14)

Page 25:

Complaints (s. 11)

Individuals may complain to

(a) the organization

(b) the Office of the Privacy Commissioner

the Commissioner may also initiate a complaint (“reasonable grounds”)

Page 26:

Types of Complaints

an individual may complain to the Commissioner about any matter:

(a) specified in sections 5 to 10 of the Act OR

(b) in the recommendations OR obligations set out in Schedule 1.

Page 27:

Powers of the Privacy Commissioner (s. 12)

PC obliged to investigate complaint (s.12(1))

PC must give notice to the organization complained of (s.11(4))

Powers include:

(a) Summons to compel the giving of evidence under oath

(b) Production of documents

(c) Power of entry

(d) Mediation/conciliation

(e) Audits

Page 28:

The Commissioner’s Report (s.13)

1 year to prepare a written report

Confidentiality of the report

Where no report required

Disposition of complaints

i) Not well founded

ii) Well founded

iii) Resolved

iv) Discontinued

Page 29:

Broad investigatory powers vs. ….

No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)

No sanctions for failing to follow recommendations

Only real power is the “power of embarrassment”

Fines for obstructing an investigation

No power to order costs of the investigation

Page 30:

Application to the Federal Court (s.14)

Complainant or PC may apply

Subject matter restricted but always open for parties (including the organization) to seek judicial review

Application must be made within 45 days after Report is sent

Remedies more expansive

Page 31:

II. Key Issues in Privacy Law

1. Outsourcing

2. M&A issues

3. Privacy in the workplace

4. Whistleblowing

Page 32:

Outsourcing

no exemption for disclosure between subsidiary, affiliated, or related companies

Implications of the U.S. Patriot Act

The B.C. response (FIPPA)

PIPEDA case summary #313

Page 33:

M&A Issues

Asset sale = commercial activity

Solutions

i) privacy policies need to address the possibility of a sale of the business

ii) “anonymize” the information

iii) contractual safeguards

iv) review all personal information and disclose only what is “necessary” to close

Page 34:

Privacy in the Workplace

Monitoring employees in the workplace

– Biometric authentication devices

– Video surveillance

Employee complaints represent 20% of complaints filed in 2004

Page 35:

PCC’s 4-step analysis of a privacy-invasive measure

(1) Is it demonstrably necessary to meet a specific need?

(2) Is it effective in meeting that need?

(3) Is the loss of privacy proportional to the benefit gained?

(4) Are there less invasive alternatives?