Peter Ferguson

1
Living With New Private Sector Privacy Law

• Peter Ferguson
• Director, Electronic Commerce PolicyElectronic
  Commerce Branch
• Industry Canada

2
Contents

• Privacy Protection in Canada
• PIPEDA and Canadas Electronic Commerce Strategy
• Key Features of the Act
• PIPEDA Implementation
• Current issues
• Substantially Similar
• Quebec Constitutional Challenge
• Preparedness and compliance
• Information on the Act

3
Privacy Protection in Canada

• 1982 Federal Privacy Act
• 1984 Canada signs OECD Guidelines
• 1994 Quebec Private sector privacy law comes
  into force
• 1996 CSA Model Code for the Protection of
  Personal Information is released
• 1998 EU Directive on Data Flows comes into force
• 1998 C-54 (PIPEDA) is tabled
• 1999 Act is retabled as C-6
• 2000 Personal Information Protection and
  Electronic Documents Act receives Royal Assent
  (April 13, 2000)
• 2001 PIPEDA comes into force (January 1, 2001)

4
PIPEDA A Key Element of Canadas Electronic
Commerce Strategy

• Privacy protection essential for the growth of
  electronic commerce
• Consumer and business confidence relies on clear
  and consistent rules to protect personal data and
  ensure free flow of information based services
• The Personal Information Protection and
  Electronic Documents Act (PIPEDA), announced in
  October 1998, remains a central component of
  Canadas electronic commerce strategy
• The Strategy was designed to establish Canada as
  a global leader in the development and use of
  electronic commerce

5
PIPEDA - Key Features

• Sets rules that organizations must abide by when
  collecting, using or disclosing personal
  information in the course of commercial activity
• Based on and incorporates the privacy principles
  of the CSA Model Code for the Protection of
  Personal Information (Schedule 1 of the Act)
• Personal information must link to an identifiable
  individual. The Act applies to all forms of
  personal information electronic paper data,
  biological samples, etc.
• Rules are flexible, containing both obligations
  and recommendations

6
PIPEDA Privacy Principles (Schedule 1)CSA Model
Privacy Code

• 1. Accountability
• organization is accountable for personal
  information
• 2. Identifying Purposes
• purpose of collection must be identified
• 3. Consent
• individual has to give consent based on knowledge
  to collection, use, disclosure of personal
  information
• Act contains a number of exemptions from the
  consent requirement
• 4. Limiting Collection
• collect only information required for identified
  purpose
• 5. Limiting Use, Disclosure and Retention
• new consent required for each new purpose

7
PIPEDA Privacy Principles (Schedule 1)
contdCSA Model Privacy Code

• 6. Accuracy
• keep as accurate as necessary for identified
  purpose
• 7. Safeguards
• security safeguards for personal information
  required
• 8. Openness
• policies should be available, access facilitated
• 9. Individual Access
• personal information available upon request,
  inaccuracies may be corrected
• 10. Challenging Compliance
• ability to challenge compliance for all principles

8
PIPEDA - Key Features

• The Act does not apply to
• Any government institution which is subject to
  the federal Privacy Act (i.e. Federal public
  sector organizations)
• Employee records in the provincially-regulated
  private sector
• Non-commercial activities, non-personal
  information
• Individuals who collect, use or disclose personal
  information for personal or domestic purposes
  (e.g., Christmas card lists)
• Organizations that collect, use or disclose for
  journalistic, artistic or literary purposes

9
PIPEDA - Key Features

• Not based in criminal law
• No criminal sanctions
• Act provides oversight and redress mechanisms,
  through the Privacy Commissioner and the federal
  courts
• Broad-based application as of January 1, 2004
• all sectors
• all provinces and territories
• Use constitutional trade and commerce powers
  requires
• Coverage of all sectors of the economy
• Otherwise Act can only capture cross-border
  transactions and federal undertakings

10
PIPEDA Implementation

• January 1, 2001
• Captured Federal undertakings such as banks,
  airlines and telcos
• Also captured cross-border sale, lease or barter
  of personal information
• Parliament provides the provinces with a three
  year window to develop their own privacy
  legislation or to prepare for coverage by the
  federal Act
• January 1, 2004
• Act applies across the marketplace and to all
  cross-border transactions
• Organizations subject to substantially similar
  provincial laws are exempt from the PIPEDA for
  intra-provincial activity

11
Current Issues Substantially Similar

• Government policy and the Act encourage provinces
  to enact privacy legislation that meets the
  particular needs of their jusrisdiction and
  provides privacy protection that is substantially
  similar to PIPEDAs
• Governor-in-Council, by Order, exempts
  organizations subject to substantially similar
  provincial laws, based on a recommendation of
  the Minister of Industry
• Substantially similar provincial laws are not
  required to be identical to PIPEDA. Criteria
• 10 PIPEDA Principles must be represented
• Independent oversight and redress
• Collections, uses and disclosures to be
  restricted to appropriate purposes

12
Current Issues Substantially Similar

• Québec
• Order in Council came into force November 19,
  2003.
• Quebec privacy law, An Act Respecting the
  Protection of Personal Information in the Private
  Sector, is substantially similar to PIPEDA
• Organizations subject to Quebecs privacy law are
  exempt from the PIPEDA for intra-provincial
  transactions
• PIPEDA continues to apply to federal undertakings
  and to cross-border flows of personal information
  
• On December 17, 2003, Quebec issued an Order
  challenging the constitutionality of Part 1 of
  the PIPEDA (Privacy Protection)
• On December 23, 2003, a letter of intent is
  tabled with the Chief Justice of the Quebec Court
  of Appeal (Quebecs highest Court)
• Justice Canada to lead on litigation Industry
  Canada to continue to lead on implementation of
  the Act
• Business as usual PIPEDA continues to apply

13
Current Issues Preparedness and Compliance

• British Columbia and Alberta
• Both provinces have privacy legislation which
  came into force since January 1, 2004
• Department has begun a review of both laws to
  determine whether they are substantially similar
  to the PIPEDA
• Should determination be made, a recommendation to
  Governor in Council will be made to exempt from
  the federal Act, organizations subject to the
  provincial laws
• Dual application of law will briefly take place.
  Federal and provincial Privacy Commissioners are
  cooperating to address privacy-related complaints
  under the respective Acts

14
Current Issues Substantially Similar

• Media coverage notes a lack of awareness and
  preparedness respecting the PIPEDA
• Government has taken a number of steps to assist
  organizations prepare for compliance
• SME community provided with a separate website
  and information via a CCRA GST mail-out
• Healthcare sector provided with specific
  information on the application of the Act to the
  provision of healthcare services
• Adjustments are made to Industry Canada and
  Electronic Commerce websites
• Privacy Commissioner releases e-kit for
  businesses
• PIPEDA has been in effect for three years. There
  has been information available regarding its
  application and impact on a continuing basis.

15
For more information

• Privacy pages website at http//www.strategis.ic.g
  c.ca/privacy
• Industry Canada SME website at
• http//www.privacyforbusiness.ic.gc.ca
• Privacy Commissioner of Canada
• 1 800 282-1376
• www.privcom.gc.ca