
Internet and Information Technology Law, September 18th – Privacy Law, Allyson Whyte Nowak

Page 1

Internet and Information Technology Law

September 18th – Privacy Law

Allyson Whyte Nowak

UVIC

Page 2

I. Privacy Legislation in Canada

A. Federal
  • Privacy Act, R.S. 1985. c.P-21
  • Personal Information Protection and Electronic Documents Act (PIPEDA), S.C.2000, c.5

B. Provincial
  • Personal Information Protection Act, S.B.C. 2003, c.63 (PIPA)
  • Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (FIPPA)

Page 3

The Privacy Act

  • enacted July 1, 1983
  • public sector legislation affecting federal government departments and agencies
  • October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act

Page 4

PIPEDA

Section 3: Purpose

The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

Page 5

PIPEDA: Statistics

  • In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:
    – there is a “significant backlog of complaints”
    – there was a “large drop” in 2005 in the number of complaints filed under PIPEDA

Page 6

PIPEDA: Statistics

  • In 2005 the largest number of complaints were against financial institutions BUT
  • The number of complaints was just over half of what they were in 2004
  • In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)

Page 7

PIPEDA

Section 4(1): PIPEDA applies to every organization in respect of personal information that,

  • 4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities
  • 4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

Page 8

PIPEDA

PIPEDA does not apply to:

  • any government institution to which the Privacy Act applies
  • any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose
  • any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))

Page 9

How are employees’ privacy rights protected in the private sector?

  • Substantially similar legislation (B.C., Alta, Quebec)
  • Sector-specific legislation (Alta, Sask, Mtba, Ontario)
  • Provincial Human Rights legislation
  • Common law right to privacy

Page 10

Statutory right to Privacy

  • A statutory tort of invasion of privacy has been created in:
    – B.C.
    – Saskatchewan
    – Manitoba
    – Newfoundland
    – Quebec

Page 11

Common Law

  • Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT
  • a recent decision recognized that the tort of invasion of privacy may exist:
    – Somwar v. McDonald’s (2006), 79 O.R. (3d) 172

Page 12

A. Sources of PIPEDA

  i) EU Directive
  ii) Model Code
  iii) E-com Strategy
  iv) Bill C-54
  v) OECD Guidelines

Page 13

B. Definitions

  • CUD
  • FWUB
  • Personal Information
  • Organization
  • Commercial activity

Page 14

“Personal Information” (s.2(1))

  • defined to mean information about an identifiable individual
  • exclusions: name, title, or business address or telephone number of an employee of an organization

Page 15

“organizations” (s.2(1))

  • defined to include an association, a partnership, a person and a trade union
  • corporations are “persons” pursuant to s. 35(1) of the Interpretation Act

Page 16

“commercial activity” (s.2(1))

  • definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

Page 17

C. PIPEDA Part 1, Division 1

Protection of Personal Information

  • Subsection 5(1): “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”
  • Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code
  • Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

Page 18

The 10 Principles

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting Collection
  5. Limiting use, disclosure and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual access
  10. Challenging compliance

Page 19

PIPEDA

s.7(1): Collection without Knowledge or consent

An organization may collect personal information without the knowledge or consent of the individual where,

  • collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))

Page 20

PIPEDA

  • in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))
  • the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))

Page 21

PIPEDA

s.7(2): Use without Knowledge or Consent

An organization may use personal information without the knowledge or consent of the individual only if,

  • the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))

Page 22

PIPEDA

  • It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))
  • It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))

Page 23

PIPEDA

Subsection 7(3): Disclosure without Knowledge

An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,

  • made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))
  • for the purpose of collecting a debt owed (s.7(3)(b))
  • compelled by law (s.7(3)(c))

Page 24

D. PIPEDA Part 1, Division 2

Remedies

  • filing of complaints (s.11)
  • the Commissioner’s powers (s.12)
  • the Commissioner’s Report (s.13)
  • application to the Federal Court (s.14)

Page 25

Complaints (s. 11)

  • Individuals may complain to
    (a) the organization
    (b) the Office of the Privacy Commissioner
  • the Commissioner may also initiate a complaint (“reasonable grounds”)

Page 26

Types of Complaints

  • an individual may complain to the Commissioner about any matter:
    (a) specified in sections 5 to 10 of the Act OR
    (b) in the recommendations OR obligations set out in Schedule 1.

Page 27

Powers of the Privacy Commissioner (s. 12)

  • PC obliged to investigate complaint (s.12(1))
  • PC must give notice to the organization complained of (s.11(4))
  • Powers include:
    (a) Summons to compel the giving of evidence under oath
    (b) Production of documents
    (c) Power of entry
    (d) Mediation/conciliation
    (e) Audits

Page 28

The Commissioner’s Report (s.13)

  • 1 year to prepare a written report
  • Confidentiality of the report
  • Where no report required
  • Disposition of complaints
    i) Not well founded
    ii) Well founded
    iii) Resolved
    iv) Discontinued

Page 29

Broad investigatory powers vs. ….

  • No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)
  • No sanctions for failing to follow recommendations
  • Only real power is the “power of embarrassment”
  • Fines for obstructing an investigation
  • No power to order costs of the investigation

Page 30

Application to the Federal Court (s.14)

  • Complainant or PC may apply
  • Subject matter restricted but always open for parties (including the organization) to seek judicial review
  • Application must be made within 45 days after Report is sent
  • Remedies more expansive

Page 31

II. Key Issues in Privacy Law

  1. Outsourcing
  2. M&A issues
  3. Privacy in the workplace
  4. Whistleblowing

Page 32

Outsourcing

  • no exemption for disclosure between subsidiary, affiliated, or related companies
  • Implications of the U.S. Patriot Act
  • The B.C. response (FIPPA)
  • PIPEDA case summary #313

Page 33

M&A Issues

  • Asset sale = commercial activity
  • Solutions
    i) privacy policies need to address the possibility of a sale of the business
    ii) “anonymize” the information
    iii) contractual safeguards
    iv) review all personal information and disclose only what is “necessary” to close

Page 34

Privacy in the Workplace

  • Monitoring employees in the workplace
    – Biometric authentication devices
    – Video surveillance
  • Employee complaints represent 20% of complaints filed in 2004

Page 35

PCC’s 4-step analysis of a privacy-invasive measure

  (1) Is it demonstrably necessary to meet a specific need?
  (2) Is it effective in meeting that need?
  (3) Is the loss of privacy proportional to the benefit gained?
  (4) Are there less invasive alternatives?