Internet and Information Technology Law
September 18th – Privacy Law
Allyson Whyte Nowak
UVIC

I. Privacy Legislation in Canada
A. Federal
Privacy Act, R.S. 1985, c.P-21
Personal Information Protection and Electronic Documents Act (PIPEDA), S.C.2000, c.5
B. Provincial
Personal Information Protection Act, S.B.C. 2003, c.63 (PIPA)
Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (FIPPA)

The Privacy Act
enacted July 1, 1983
public sector legislation affecting federal government departments and agencies
October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act

PIPEDA
Section 3: Purpose
The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

PIPEDA: Statistics
In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:
– there is a “significant backlog of complaints”
– there was a “large drop” in 2005 in the number of complaints filed under PIPEDA
In 2005 the largest number of complaints were against financial institutions BUT
The number of complaints was just over half of what they were in 2004
In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)

PIPEDA
Section 4(1): PIPEDA applies to every organization in respect of personal information that,
4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities
4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

PIPEDA
PIPEDA does not apply to:
any government institution to which the Privacy Act applies
any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose
any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))

How are employees’ privacy rights protected in the private sector?
Substantially similar legislation (B.C., Alta, Quebec)
Sector-specific legislation (Alta, Sask, Mtba, Ontario)
Provincial Human Rights legislation
Common law right to privacy

Statutory right to Privacy
A statutory tort of invasion of privacy has been created in:
– B.C.
– Saskatchewan
– Manitoba
– Newfoundland
– Quebec

Common Law
Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT
a recent decision recognized that the tort of invasion of privacy may exist:
– Somwar v. McDonald’s (2006), 79 O.R. (3d) 172

A. Sources of PIPEDA
i) EU Directive
ii) Model Code
iii) E-com Strategy
iv) Bill C-54
v) OECD Guidelines

B. Definitions
CUD
FWUB
Personal Information
Organization
Commercial activity

“Personal Information” (s.2(1))
defined to mean information about an identifiable individual
exclusions: name, title, or business address or telephone number of an employee of an organization

“organizations” (s.2(1))
defined to include an association, a partnership, a person and a trade union
corporations are “persons” pursuant to s. 35(1) of the Interpretation Act

“commercial activity” (s.2(1))
definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

C. PIPEDA Part 1, Division 1
Protection of Personal Information
Subsection 5(1):
“Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”
Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code
Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

The 10 Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

PIPEDA
s.7(1): Collection without Knowledge or consent
An organization may collect personal information without the knowledge or consent of the individual where,
collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))
in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))
the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))

PIPEDA
s.7(2): Use without Knowledge or Consent
An organization may use personal information without the knowledge or consent of the individual only if,
the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))
It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))
It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))

PIPEDA
Subsection 7(3): Disclosure without Knowledge
An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,
made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))
for the purpose of collecting a debt owed (s.7(3)(b))
compelled by law (s.7(3)(c))

D. PIPEDA Part 1, Division 2
Remedies
filing of complaints (s.11)
the Commissioner’s powers (s.12)
the Commissioner’s Report (s.13)
application to the Federal Court (s.14)

Complaints (s. 11)
Individuals may complain to
(a) the organization
(b) the Office of the Privacy Commissioner
the Commissioner may also initiate a complaint (“reasonable grounds”)

Types of Complaints
an individual may complain to the Commissioner about any matter:
(a) specified in sections 5 to 10 of the Act OR
(b) in the recommendations OR obligations set out in Schedule 1.

Powers of the Privacy Commissioner (s. 12)
PC obliged to investigate complaint (s.12(1))
PC must give notice to the organization complained of (s.11(4))
Powers include:
(a) Summons to compel the giving of evidence under oath
(b) Production of documents
(c) Power of entry
(d) Mediation/conciliation
(e) Audits

The Commissioner’s Report (s.13)
1 year to prepare a written report
Confidentiality of the report
Where no report required
Disposition of complaints
i) Not well founded
ii) Well founded
iii) Resolved
iv) Discontinued

Broad investigatory powers vs. ….
No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)
No sanctions for failing to follow recommendations
Only real power is the “power of embarrassment”
Fines for obstructing an investigation
No power to order costs of the investigation

Application to the Federal Court (s.14)
Complainant or PC may apply
Subject matter restricted but always open for parties (including the organization) to seek judicial review
Application must be made within 45 days after Report is sent
Remedies more expansive

II. Key Issues in Privacy Law
1. Outsourcing
2. M&A issues
3. Privacy in the workplace
4. Whistleblowing

Outsourcing
no exemption for disclosure between subsidiary, affiliated, or related companies
Implications of the U.S. Patriot Act
The B.C. response (FIPPA)
PIPEDA case summary #313

M&A Issues
Asset sale = commercial activity
Solutions
i) privacy policies need to address the possibility of a sale of the business
ii) “anonymize” the information
iii) contractual safeguards
iv) review all personal information and disclose only what is “necessary” to close

Privacy in the Workplace
Monitoring employees in the workplace
– Biometric authentication devices
– Video surveillance
Employee complaints represent 20% of complaints filed in 2004

PCC’s 4-step analysis of a privacy-invasive measure
(1) Is it demonstrably necessary to meet a specific need?
(2) Is it effective in meeting that need?
(3) Is the loss of privacy proportional to the benefit gained?
(4) Are there less invasive alternatives?