Privacy Law and Policy Reporter
Canadian privacy laws: recent milestones
Jonathan A Blakey STIKEMAN ELLIOTT LLP
Like Australia, Canada must deal with the complexities of privacy laws in different jurisdictions in a federal system. Recent Canadian developments involved complex interactions between different levels of legislation and government — General Editor.
The last few months have brought significant changes for businesses in Canada that collect, use or disclose personal information. The following four important milestones occurred during this period.
• In November 2003, an order was issued by the Federal Governor in Council (Cabinet) exempting most businesses in Québec from the application of Canada’s Federal private sector privacy law, known as the Personal Information Protection and Electronic Documents Act (PIPEDA) due to the existence of a substantially similar piece of Québec legislation, An Act Respecting the Protection of Personal Information in the Private Sector (the PPIPS Act).
• In December 2003, an order was issued by the Québec Government authorising Québec’s Attorney-General to launch a constitutional challenge of PIPEDA in the Québec Court of Appeal.
• On 1 January 2004, the PIPEDA’s scope of application was extended to the collection, use or disclosure of personal information in the course of commercial activities by an organisation within a single Province.
• Also on 1 January 2004, of two new identically named Provincial privacy laws, the Personal Information Protection Acts (singularly PIPA, collectively PIPAs), came into force in British Columbia and Alberta, respectively.
As indicated above, there are now four private sector privacy laws of general application1 in force within Canada: the Federal PIPEDA, the Québec PPIPS Act, and the British Columbia and Alberta PIPAs. The following section outlines the types of organisations and information to which each law applies, and where. A table summarising this information is provided on the opposite page.
PIPEDA applies to personal information collected, use or disclosed, in whole or in part within Canada, by the following three types of organisations:
• Federal works, undertakings or businesses — PIPEDA applies both to commercial personal information (for example, customers’ personal information) and the personal information of employees of these organisations;
• organisations that collect, use or disclose information in one Province and disclose it outside that Province (inside or outside of Canada) for a fee — in practice, this usually means personal information of customers, as few businesses sell their employees’ personal information out of Province;
• organisations that collect, use or disclose information in the course of commercial activities within a single Province. However, as a result of the Québec exemption order, PIPEDA does not apply to most organisations in respect of personal information that is collected, used or disclosed entirely within Québec.
PIPEDA allows the Federal Cabinet to exempt organisations within any Province that enacts a Provincial privacy law that the Cabinet considers to be ‘substantially similar’ to PIPEDA from the application of PIPEDA. This provision was designed to encourage harmonisation of legislation protecting Canadians’ personal information across the country. To date, only one such exemption order has been issued, namely in respect of Québec’s PPIPS Act. The default situation is that PIPEDA will apply, unless or until a Province enacts its own substantially similar legislation. If the Federal Cabinet is satisfied that the Provincial legislation is substantially similar, the Federal Government will defer to the Provincial legislation, and exempt PIPEDA from application to personal information collected, used or disclosed solely within that Province. However, where a Province has enacted its own Provincial privacy legislation that has not been found comparable to PIPEDA, there is the potential for both PIPEDA and the Provincial legislation to apply to the collection, use or disclosure of a given piece of personal information.
Québec privacy law — the PPIPS Act
On 19 November 2003, the Federal Cabinet issued an exemption order which, in essence, confirmed its determination that Québec’s 10 year old Provincial private sector privacy law, the PPIPS Act, is substantially similar to PIPEDA. The Québec exemption order means that PIPEDA does not apply to the collection, use or disclosure of personal information by most organisations that carry on business in Québec. Instead, these organisations continue to be subject to the PPIPS Act when the collection, use or disclosure occurs solely within Québec. PIPEDA will apply, however, where the collection, use or disclosure of personal information crosses Québec’s borders (either within or outside Canada).
The PPIPS Act applies to personal information collected, used or disclosed by entities ‘carrying on an enterprise’ within Québec. This has been interpreted to mean that a business must have a physical presence in Québec, (that is, it rents or owns physical space from which it conducts its business, or employs staff). The PPIPS Act applies both to the use of personal information within Québec, and for those entities that carry on an enterprise within Québec, to the disclosure or transfer of personal information relating to Québec residents outside of Québec. Québec organisations transferring personal information out of the Province must ensure that the personal information is used for purposes relevant to the purpose for which it was collected and obtain the individual’s consent before disclosing it. Because PIPEDA also applies to inter-Provincial transfers of personal information, it is conceivable that an organisation that collects personal information about Québec residents in Québec and sells this information out of the Province could be subject both to PIPEDA and the PPIPS Act.
Alberta privacy law — PIPA
On 1 January 2004, private sector privacy legislation enacted by the Province of Alberta, known as the Personal Information Protection Act (PIPA), came into force. Alberta’s PIPA applies to the collection, use or disclosure of personal information within Alberta in the context of commercial activities — both commercial personal information (that is, customer information) and employee personal information. As of 12 February 2004, Alberta’s PIPA has not been declared substantially similar to PIPEDA by the Federal Cabinet. Accordingly, both PIPEDA and the Alberta PIPA apply within Alberta.
British Columbia privacy law — PIPA
On 1 January 2004, private sector privacy legislation enacted by the Province of British Columbia, known as the Personal Information Protection Act (PIPA), came into force. British Columbia’s PIPA applies to the collection, use or disclosure of personal information within British Columbia. However, British Columbia’s PIPA is unique amongst the Provincial private sector privacy laws in that it contains a provision stating that the law does not apply to the collection, use or disclosure of personal information that is subject to PIPEDA. Because, as of 12 February 2004, British Columbia’s PIPA has not been declared substantially similar to PIPEDA, PIPEDA now applies to the collection, use or disclosure of personal information by the three types of organisations noted above in the summary of PIPEDA, when this activity occurs within British Columbia. As a result, the British Columbia PIPA currently applies solely to the collection, use or disclosure of Provincially regulated employee personal information within British Columbia.
Differences between PIPEDA and Provincial privacy laws
There are two key differences between PIPEDA and the various Provincial privacy laws. The first concerns the issue of consent. PIPEDA requires express (opt-in) consent when the personal information collected, used or disclosed is sensitive, such as in the case of a person’s health or financial information. Implied (opt-out) consent is permissible under PIPEDA where the personal information is not sensitive (that is, a person’s mailing address in the case of a mainstream magazine subscription). By contrast, Québec’s PPIPS Act generally requires express consent, regardless of the type of personal information involved. On the other hand, the British Columbia and Alberta PIPAs allow for implied consent if:
• the organisation provides reasonable notice and a reasonable opportunity for the individual to decline the collection, use or disclosure;
• the individual does not decline; and
• the collection, use or disclosure is reasonable in the circumstances.
A second key difference between PIPEDA and the PPIPS Act on the one hand, and the two PIPAs on the other, is an exemption within the British Columbia and Alberta PIPAs allowing for the collection, use or disclosure of personal information (including that of employees, customers, directors and officers) by an organisation in the case of a business transaction, including a purchase, sale or lease, merger or amalgamation, involving that organisation.
Québec’s Constitutional Challenge of PIPEDA
On 17 December 2003, only 28 days after the Federal Cabinet issued its first exemption order (in respect of most Québec organisations) under PIPEDA, the Québec Provincial Government laid the legal framework for a constitutional challenge of PIPEDA, by issuing an order authorising Québec’s Attorney-General to refer the constitutionality of Pt I of PIPEDA (that is, the provisions relating to the collection, use or disclosure of personal information in the private sector) to the Québec Court of Appeal. The order contains the gist of Québec’s objections to PIPEDA. Essentially, Québec’s view is that regulation of the collection, use or disclosure of personal information is a matter of Provincial jurisdiction under Canada’s constitution, and that the power PIPEDA gives to the Federal Cabinet to review Provincial privacy laws for similarity with PIPEDA is incompatible with Canadian federalism. It is expected that Québec’s reference will not be heard until the Canadian Autumn of 2004. Regardless of the outcome, many observers expect the Supreme Court of Canada will ultimately decide the constitutionality of PIPEDA.
The coming year promises to be a busy one in Canadian privacy law and significant events are anticipated, including decisions by the Federal Cabinet as to whether the British Columbia and Alberta PIPAs are substantially similar to PIPEDA, and the outcome of Québec’s constitutional challenge to PIPEDA. l
Jonathan A Blakey, Information Technology and Communications Lawyer, Stikeman Elliott LLP, Ottawa, Canada, <JBlakey@stikeman.com>.
. Alberta, Saskatchewan and Manitoba have also enacted privacy legislation specifically targeted at the protection of personal health information.
. The Quebec exemption order does not apply to federal works, undertakings or businesses as defined under PIPEDA. Such entities include federally regulated businesses, such as telephone companies, airlines, shippers, banks and broadcasters. In effect, Québec based federal works, undertakings or businesses are subject both to PIPEDA and the PPIPS Act.