Apr 13, 2000
The New Canadian Privacy Legislation
by Gary Dunn
On April 4, 2000, the federal government of Canada finally passed Bill C-6, otherwise known as the Personal Information Protection and Electronic Documents Act. It is widely expected that Part I, dealing with personal privacy, will be proclaimed into law effective January 1, 2001, with the balance of the Act expected to come into force early in May of this year.
For a three-year period from the date the legislation comes into force, it will not apply to businesses under provincial jurisdiction, although the legislation purports to cover businesses engaged in the extra-provincial exportation of information. Provinces which enact similar legislation during the three-year period can expect to be exempted from the operation of the Act.
While billed as a necessary cornerstone to encourage use of the Internet by Canadians, the Act will also now place Canada firmly onside in compliance with the EC privacy directive of 1998 regulating the collection and export of personal data from the European Community.
Passage of the legislation furthers the federal government’s declared intention to establish Canada as a world leader in the use of electronic commerce through tax neutrality, cryptography, consumer protection, digital signatures, standards, secure electronic commerce, and privacy.
For the time being, privacy concerns have outweighed the convenience of government and business. The willingness of individuals to continue to sacrifice privacy for convenience remains a significant concern, however.
To the extent that the legislation is thought of as e-commerce enabling, the inclusion of Parts II and III dealing with electronic documents and amendments to the Canada Evidence Act can be rationalized. Part II facilitates the use of electronic alternatives to paper records and communications under federal laws. Regulations governing implementation of this part are required. Stay tuned for a future.
The Act effectively mandates a national standard for the protection of personal information. The foundation of the legislation is the Model Code for the Protection of Personal Information developed by the Canadian Standards Association (www.csa.org). The 10 principles of the code have been enshrined in the legislation as a schedule to it.
Briefly, the Model Code mandates:
1. Organizational accountability for compliance;
2. The need to specify the purposes for which information is being collected, before collection;
3. The requirement for personal knowledge and consent by persons to the collection of information;
4. That the collection of information must be limited to that necessary for the purposes identified by the organization;
5. That the information can only be used, disclosed and retained as long as necessary for the stated purposes;
6. That the information must be accurate;
7. That safeguards appropriate to the sensitivity of the information be in place;
8. Open access to organization policies and practices relating to management of information;
9. Individual access to personal information; and
10. The right to challenge organizational compliance.
This legislation is not to be confused with various provincial statutes with titles such as the Freedom of Information and Protection of Privacy Act (British Columbia), the primary purpose of which is to mandate government disclosure of information it might otherwise keep secret. Sidebar - these statutes can have application to businesses contracting with government to the extent that the parties wish to keep their arrangements private. For example, the University of British Columbia has refused to provide details of an exclusive marketing arrangement with Coca-Cola. The case is now under appeal. Prudence dictates that contracts with government contemplate this legislation, in order to strengthen the claim that such arrangements should be kept confidential.
The possibility exists that substantial costs could be incurred in complying with the legislation. In light of the significant value associated with databases, compliance with the legislation can be argued to be a mandatory part of an organization’s business strategy in order to maintain the value of this asset. Organizations subject to the legislation would be wise to implement compliance procedures in anticipation of the January proclamation if they wish to be able to continue to collect and use the personal data that is at the heart of their business in a cost-effective manner. Compliance items include:
1. Restrictions on the collection of personal information;
2. Restrictions on the use of personal information;
3. Restrictions on the disclosure of personal information.
The impact on small business (for implementation and administration) remains to be seen.
The Federal government is limited in its ability to pass privacy legislation to those matters coming within its legislative prerogative. These areas include telecommunications, banking, inter-provincial transportation, defence, implementation of treaty obligations, trade and commerce, immigration, criminal law, and intellectual property. There is some question about the constitutionality of the provisions mandating the application of the Act to areas of provincial jurisdiction if a province fails to enact similar legislation within three years of proclamation of the Act.
The Canadian Industrial Relations Board recently ruled that the ISP division of Island Tel (of the province of Prince Edward Island) was subject to federal regulation, effectively ensuring that ISPs will be subject to the legislation immediately upon proclamation into force of the Act.
While public support for the legislation was almost unanimous, the Canadian Security Intelligence Service (CSIS) objected to the legislation for reasons of law enforcement. CSIS felt that the legislation could have “an undue impact” on “day-to-day” operations of the agency. As a result of its concerns, amendments provide that private sector organizations can still disclose personal information without consent to government agencies for law enforcement and national security purposes. And in a similar vein, agencies are not obligated to disclose personal information to persons under investigation.
The Canadian medical establishment also presented disparate views to parliament, with some groups arguing that the standard of consent required in the legislation is too soft, with other groups arguing that the need for consent will impede medical research and that the requirements of the legislation will greatly increase the costs of healthcare. The upshot is that the legislation will not apply to the healthcare industry for an additional one-year transitional period following its proclamation. Further exemptions are unlikely.
The Act relieves organizations from the obligation to disclose information in a select number of situations, such as where the disclosure would violate solicitor-client privilege, where to do so would reveal confidential commercial information, or where the disclosure of the information could endanger a person’s life. Additionally, there are safeguards in the Act for “whistleblowers” who complain about an organization’s failure to comply with the legislation.
For further reference, Industry Canada, a federal ministry, maintains a collection of information entitled The Privacy Pages (http://e-com.ic.gc.ca/English/privacy/632d.shtmll).
© 2000 Gary Dunn of Gary Dunn & Assoc., a Vancouver, B.C. firm which confines its practice to Internet and technology law.
The foregoing is not intended to constitute legal advice. You should contact your legal advisor about your specific legal problem. You may make copies of this provided that the copy is for non-commercial purposes and repeats this disclaimer and the following notice of copyright.
Copyright © 2001 Gary Dunn. All rights reserved.