The Implementation of PIPEDA

1
The Personal Information Protection and
Electronic Documents Act

• The Implementation of PIPEDA
• Access and Privacy in E-Government Conference
• February 13, 2002
• Richard Simpson, DG Electronic Commerce Branch
• Industry Canada

2
The Implementation of PIPEDAOutline

• PIPEDA - Key Features Implementation
• Federal - Provincial Harmonization
• Process for determining Substantially Similar
  Privacy Legislation
• International Harmonization
• European Data Protection Directive recognition
  of PIPEDA
• Regulations Specifying Investigative Bodies

3
PIPEDA - Key Features

• Broad-based application
• all sectors
• all provinces and territories
• Through constitutional trade and commerce powers
• coverage of all sectors of the economy essential
  to provide level playing field across all
  industries, provinces
• Promotes harmonization of privacy laws
• encourages provinces and territories to legislate
  in their own areas of jurisdiction

4
Implementation Schedule

• January 1, 2001
• applies to federally regulated organizations and
  cross-border disclosures of personal information
  for consideration (information is sold, leased,
  bartered)
• January 1, 2002
• application extended to personal health
  information in federally regulated organizations
  cross-border disclosures for consideration
• January 1, 2004
• the Act will apply to all private sector
  organizations and all cross-border flows of
  information
• Organizations located in provinces or territories
  that have substantially similar private sector
  privacy legislation will be exempt from PIPEDA
  for intra-provincial transactions

5
Exemption of Substantially Similar Laws
Paragraph 26(2)(b) of the PIPEDA gives the
Governor in Council the power to exempt from the
Act any collection, use and disclosure of
personal information occurring within a province,
which is subject to "the legislation of a
province that is substantially similar" to the
federal law.

• Aims to harmonize private sector privacy
  legislation across Canada
• Promotes equivalent privacy protection in all
  areas of the economy
• eg.employee information, healthcare, credit
  reporting
• Minimizes duplication of legislative regimes
• avoids two-tiered regulation
• Provides greater certainty

6
Development of Substantially Similar Process

• Informal consultations with federal and
  provincial departments/agencies and with ad-hoc
  business advisory group
• Formal consultations through publication of
  proposed process in Part 1 of Canada Gazette on
  September 22, 2001
• Comments received from ten organizations

7
Scope of Exemption

• A substantially similar exemption can
• apply to an organization, an activity or a class
• capture various levels of legislation
• sector-specific legislation
• the legislative regime of an entire province or
  territory
• a single comprehensive privacy law (e.g. Quebec)
• multiple provincial/territorial laws within or
  across jurisdictions (eg. credit reporting)

8
Determination of Substantially Similar

• Determination can be triggered by a province, a
  territory or organization.
• a province/territory can advise Industry Canada
  of provincial/territorial privacy legislation
  that may be substantially similar
• the Minister can also act of his own initiative
• Minister of Industry informs the Privacy
  Commissioner of request for exemption - seeks his
  views
• Request published in Canada Gazette and public
  comments invited

9
Determination of Substantially Similar

• Minister consults relevant provinces, territories
  and federal departments and agencies
• Minister considers and includes opinion of
  federal Privacy Commissioner
• Analysis and recommendations finalized
• Minister makes a recommendation to the Governor
  in Council
• Determination made by Governor in Council

10
Determination of Substantially Similar

• Provincial/territorial legislation should
  incorporate
• Principles found in Schedule 1 of PIPEDA
• 10 principles must be represented
• distinct and separate enumeration not necessary
• special emphasis on consent, access and
  correction rights
• Independent oversight and redress
• including powers to investigate
• Collections, uses and disclosures to be
  restricted to appropriate purposes
• reasonable person test

11
EU Recognition of PIPEDA

• EU Data Protection Directive requires that data
  about Europeans may only be transferred to
  countries that provide privacy protection
  equivalent to that in EU
• Canada and EU have been collaborating since 2000
  to recognize the equivalency of the privacy
  protection regimes in both jurisdictions
• Unanimous EU Decision regarding Canadian
  equivalency allows continued data flows between
  EU countries and Canada
• Canada is the first non-European nation to be
  recognized as providing legislated privacy
  protection equivalent to that in EU

12
Regulations specifying Investigative Bodies

• Many fraud investigations are initially
  undertaken by private sector organizations by way
  of an independent, non-governmental investigative
  body

• PIPEDA regulation specifying investigative bodies
  allows
• Organizations captured by PIPEDA to disclose
  information to the investigative body without the
  knowledge or consent of the individual involved.
• Investigative body to report its finding back to
  the organizations
• Two bodies currently listed as investigative
  bodies
• Insurance Crime Prevention Bureau
• Bank Crime Prevention and Investigation Office of
  the Canadian Bankers Association

13
Regulations specifying Investigative Bodies

• Currently examining investigative activities
  surrounding
• forensic accounting and auditing
• law societies (investigations of professional
  misconduct and unauthorized practice of law)
• private investigators
• Expect to publish regulation proposals in second
  quarter of 2002
• Canada Gazette Part 1
• Due to the phased-in application of the Act,
  other candidate investigative bodies are yet to
  emerge
• Future regulation will be considered on a case by
  case basis.