Nov 1, 1998
Privacy and The Internet, the Canadian Position
by Gary Dunn

PRIVACY AND THE INTERNET
THE CANADIAN POSITION

Executive Summary

"The right of individuals to control when, how and to what extent information about themselves is communicated to others".

Canadians have adopted this definition of privacy, which originated in the US.

Current Status

At the Federal level, Canada has public sector privacy legislation, and proposed private sector legislation.

At the provincial level, there is public sector privacy legislation, and in five provinces a tort remedy for privacy rights similar to personality rights. Additionally, Quebec is the only jurisdiction in Canada to have legislated personal information privacy protection.

A brief description of the provincial legislation is included in this memorandum in order to (1) give a picture of the state of privacy protection in Canada and (2) to clarify the purpose of legislation which appears to address privacy in the private sector, but which does not in fact apply to personal data.

There have also been a number of industry initiatives, notably from:

Canadian Standards Association
Canadian Bankers Association
Trust Companies Association of Canada
Insurance Industry Associations
Credit Union Central of Canada

Anticipated Developments

Canada, like the U.S.A., has to date implemented public sector privacy legislation while leaving the private sector (excluding Quebec) unregulated. Canada is now moving towards a hybrid system of data regulation that can best be characterized as falling somewhere between the US (and its preference for non-legislated private sector control) and the European Union (with its preference for a complete regulatory framework). Not everyone in government in Canada is convinced of the need for a legislative response to facilitate electronic commerce, although we expect this to change.

The European Union Privacy Directive, plus a Canadian public perception that privacy protection is necessary to facilitate electronic commerce, is driving the Federal government to take action in this area. In response, it recently introduced the Personal Information Protection and Electronic Documents Act, commonly referred to as Bill C-54. The expected result is that within the near term the provinces will be forced to declare their intentions with respect to private sector privacy. It appears that at least some of the provinces will respond with their own legislation to impose controls over the collection and management of personal information.

The privacy provisions of the Federal Bill are based on the Canadian Standards Association's Model Code for the Protection of Personal Information, proposed by the CSA as a national standard in 1996.

The proposed legislation will initially apply only to the federally regulated private sector. The Bill claims to apply (somewhat dubiously) to all personal information, including the provincially regulated sector, three years after implementation of the Act, unless a province has adopted substantially similar legislation.

MEMORANDUM

Uniform Law Conference

The Canadian Uniform Law Conference has existed for some 80 years, and is a consortium of federal, provincial and territorial justice ministries. Legislative enactment of proposed uniform acts is required in every case, with the resulting uncertainty that scrutiny by each level of government brings.

Since 1996, the conference has been working on a Uniform Data Protection Act. The uniform act is also modelled after the CSA Model Code.

The Act remains under revision, and was expected to be adopted by the Conference sometime in 1999. A government representative at the Conference has advised me that this has been put into question as a result of the Federal government's introduction of Bill C-54, which for the time being has pre-empted the work of the Conference beyond its mandate of harmonizing legislative responses among jurisdictions.

Federal Legislation

By way of background, the Federal government has the constitutional power to legislate with respect to matters such as defence, foreign affairs, international trade, intellectual property, criminal law, taxation, communications, and aboriginal affairs. The provinces, under the constitutional mandate of "property and civil rights", have the power to legislate with respect to matters dealing with the person, such as contracts (and the capacity to contract), real and personal property ownership, marriage, the administration of justice in the province and "generally all matters of a merely local or private nature in the province".

As a result, even though we naturally expect the Federal government to provide leadership in electronic commerce (for example in the context of international relations), it is the provinces that in fact have the constitutional power over the person and therefore over the collection and use of personal data. A comprehensive privacy regime in Canada will require legislation from all provinces as well as the Federal government in order to cover all powers of government contemplated by The Constitution Act, 1867.

Personal Information Protection and Electronic Documents Act

On October 1, 1998, the Federal government introduced the Bill C-54, the Personal Information Protection and Electronic Documents Act.

The legislation will initially apply to the federally﷓regulated private sector, including telecommunications; broadcasting; banking and inter-provincial transportation. The provisions are intended to apply to trade in personal information that occurs inter﷓provincially or internationally, although the constitutionality of this is uncertain.

Three years after Bill C-54 comes into effect, it will also apply more broadly to all personal information collected, used, or disclosed in the course of commercial activities. The constitutionality of this provision is also highly suspect.

As Quebec's existing privacy law is substantially similar to the Bill, the Federal Minister of Industry has indicated that Quebec will be exempted from its application.

Privacy Principles

The privacy provisions of the Bill are based on the Canadian Standards Association's Model Code for the Protection of Personal Information, proposed as a national standard in 1996. The Standard addresses the ways in which organizations collect, use and disclose personal information. The Code also addresses the rights of individuals to have access to their personal information and to have it corrected if necessary. The Bill acknowledges the distinction between those provisions that are obligatory ("shall") and those that are discretionary ("should"). The Bill also amends, in some instances, the Code - for example in the exemptions referred to below.

The Code's 10 principles (verbatim) are:

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure, and Retention: Personal information shall no be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfilment of those purposes.

6. Accuracy: Personal information shall be as accurate, complete, and up﷓to﷓date as is necessary for the purposes for which it is to be used.

7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10 Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization's compliance.

These principles are elaborated in the detailed provisions of the Code. Data collection proposals must be evaluated in accordance with these detailed provisions on a fact specific basis.

The mandatory provisions of the Bill distinguish between code obligations (shall) and code recommendations (should).

To put the motivation for Bill C-54 in context, I have been advised by the lawyer responsible for a substantial part of the legislation that the privacy provisions were prepared under the joint direction of Industry Canada and the Department of Justice. The provisions relating to electronic documents were drafted independently by the Department of Justice. The two major parts of Bill C-54 were only combined at the last minute prior to their introduction to the House of Commons. The impact of this co-mingling on the likelihood of passage of the Bill is uncertain.

Exceptions

Certain exemptions from regulation are included in the Bill:

Personal information collected, used or disclosed solely for journalistic, artistic or literary purposes
1. if the action clearly benefits the individual or if obtaining permission could infringe on the information's accuracy
2. where such data can contribute to a legal investigation or aid in an emergency where people's lives and safety could be at stake
3. if disclosure aids, in times of emergency, matters of legal investigation, or facilitates the conservation of historically important records

Privacy Commissioner's Role

Complaints

Individuals will have the right to complain to the federal Privacy Commissioner about any aspect of an organization's compliance with the provisions relating to the protection of personal information. The Commissioner will have general powers to receive and investigate complaints, and to attempt dispute resolution. Unresolved disputes can only be resolved in the Federal Court. The Federal Court's power to review a privacy complaint will extend only to mandatory code obligations. In addition to its normal powers, the Court may order an organization to correct its practices and award damages to the complainant. Punitive damages may not exceed $20,000.

Public Information

The Privacy Commissioner will have a mandate to develop and conduct information programs to foster public understanding of the privacy provisions of the Act. The Privacy Commissioner will report annually on the application of the provisions on personal information and the extent to which the provinces have enacted legislation.

One Time Review

The privacy provisions of the Act will be reviewed five years after the coming into force of the legislation by a Committee of the House of Commons, or of both Houses of Parliament.

Quebec's Reaction

The Quebec reaction to Bill C-54 has been negative, centring on the failure of the Bill to grant statutory recognition of Quebec's compliance (and therefore its exclusion from) Bill C-54. Quebec's reaction could be categorized as a sovereignty issue.

British Columbia

Public Sector

Public sector privacy is regulated by the Freedom of Information and Protection of Privacy Act, enacted in October of 1993. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information. Since 1993, the Act has been extended to apply to local and regional governments, and as of November, 1995 to self-regulating bodies.

The Act is currently undergoing a legislative review, which is not expected to result in significant changes, other than to curtail access to government information. Lobbyists are pressing for private sector privacy rights, although this will likely result in separate legislation, yet to be announced.

Private Sector

The Privacy Act was enacted in 1968. The focus of this act is to limit eavesdropping, surveillance, the unauthorized use of the name or portrait of another. The Act creates a tort remedy for persons, without the need to prove damages. While there has been virtually no litigation arising out of this legislation, the Act prohibits without proof of damage the use of a portrait, a caricature or a disguise for the purpose of "advertising or promoting the sale of, or other trading in, property or services" without consent of the person.

The Privacy Act does not directly relate to the collection of personal data, and is unlikely to be interpreted as applying to such collection.

The provincial government can be expected to follow the lead of the Federal government in developing private sector legislation to mirror Bill C-54. When this might happen is uncertain, although some response is expected within the next six months.

Alberta

Public Sector

Public sector privacy is regulated by the Freedom of Information and Protection of Privacy Act, enacted in October of 1995. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information. The Act was extended to apply to school boards and health care bodies in the fall of 1998, and is scheduled to extend to universities in January, 1999, and to local and regional governments in October, 1999.

The province tabled the Health Information Privacy Act in June of 1997, by withdrew the legislation following public criticism.

Private Sector

There is no private sector privacy legislation. It is generally felt that this province will be slow to recognize a need for private sector legislation.

Saskatchewan

Public Sector

Public sector privacy is regulated by the Freedom of Information and Protection of Privacy Act, enacted in 1991. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information. Since 1993, the Local Freedom of Information and Protection of Privacy Act has regulated local and regional governments.

Saskatchewan has recently released a consultative paper relating to the privacy of health care information.

Private Sector

Like British Columbia, Saskatchewan has had a Privacy Act since 1979. Like British Columbia Act, the Act does not cover private data collection and it is of limited scope.

Saskatchewan is not expected to react as quickly as British Columbia to the Federal privacy initiatives, nor has the province declared its position on the issue.

Manitoba

Public Sector

Public sector privacy is regulated by the Freedom of Information and Protection of Privacy Act (1998), enacted originally in 1988. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information.

Since 1997, the Personal Health Information Act has regulated the collection, confidentiality, correction, disclosure, retention and use of personal health information by provincial health care organizations and other approved individuals and agencies.

Private Sector

Manitoba enacted a Privacy Act in 1987 in similar form to that of the Act in British Columbia. As in B.C., the Act does not apply to the collection of personal data.

There is no indication from Manitoba as to when it will respond to the Federal privacy initiatives.

Ontario

Public Sector

Public sector privacy is regulated by the Freedom of Information and Protection of Privacy Act, enacted in October of 1988. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information. In 1991, Ontario passed the Municipal Freedom of Information and Protection of Privacy Act to regulate local and regional governments.

Ontario has recently released a consultative document with respect to protecting health care information.

Indicative of current Ontario concerns, the Privacy Commissioner of Ontario has publicly expressed concern about the possibility of matching data from various government ministries.

Private Sector

There is no legislation comparable to the Privacy Act of British Columbia. In discussions with a source in the Attorney General's Ministry, I learned that there have been no significant public or private pronouncements regarding how Ontario will respond to Bill C-54, and that there are divergent views in Ontario as to the need for a legislated privacy policy.

Quebec

Public Sector

Quebec is a civil code jurisdiction, like Louisiana. Public sector privacy is regulated by the Act respecting Access to documents held by public bodies and the Protection of personal information, enacted in 1982. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector, and to local and regional governments. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information.

Private Sector

Quebec stands alone in Canada in protecting personal privacy protection in the private sector. The Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39 (1994). establishes rules relating to the exercise of the privacy rights conferred by articles 35 to 40 of the Civil Code of Quebec. The Act applies to all information relating to a natural person allowing that person to be identified, regardless of the medium, but does not apply to journalistic material collected for the purpose of informing the public.

When establishing a file on a person, the person must be informed of (1) the object of the file, (2) the use that will be made of the information, (3) the categories of persons in the business who will have access to it, (4) the place where the file will be kept and (5) the rights of access and rectification. Information may only be collected from the person concerned, unless the person consents. The law authorizes the collection of information from a third person if it is necessary to ensure the accuracy of the information, or the collection is in the best interests of the person and cannot be collected from the person in due time. Information may only be collected to the extent necessary for the object of the file.

The collector of the personal information must establish appropriate safety measures to ensure the confidentiality of the information. The information must only be used for the objectives of the file, and cannot be communicated to third parties without the consent of the person. To be valid, consent must be given for a specific purpose and limited to the length of time necessary to accomplish the purpose. Once the objective of the file has been achieved, the information cannot be used again without the consent of the person. Every person carrying on an enterprise in Quebec who communicates outside of Quebec must take reasonable steps to ensure that the information will not be used for purposes not relevant to the object of the file, or communicated to third persons without consent, and in the case of nominative lists, that the person concerned has the opportunity to refuse that personal information be used for commercial or philanthropic prospecting.

The Act contains a variety of permitted exceptions to the rule relating to communications to third parties, primarily relating to communications relating to health, crime prevention, safety, and with respect to nominative lists (lists of names, addresses or telephone numbers of natural persons) provided that the nominative lists are only used for commercial or philanthropic prospecting (subject to the right of the person to be given a prior right to refuse that the information be used by the third party).

The Act specifically authorizes an enterprise to use a nominative list of its clients, members and employees for commercial prospecting, provided that the enterprise using the list has granted the person a valid opportunity to refuse that the information be used by them for such purposes. The Act requires a person using such a list to follow a prescribed course of conduct when contacting the person being solicited. The person has a unilateral right to have information deleted from a nominative list.

The Act provides for access to information by persons concerned and establishes a protocol for doing so. The Act also created a Commission of Access to Information to examine and adjudicate disputes.

The Civil Code of Quebec (1994) also grants to provincial residents a civil right of privacy similar to that in British Columbia, and the Quebec Charter of Human Rights and Freedoms (1975) also enshrines a right of privacy for provincial residents.

New Brunswick

Public Sector

The Right to Information Act, enacted in 1978, gives individuals a right of access to non-personal data only and regulates the confidentiality of it. The Protection of Personal Information Act was enacted in 1998 (as yet un-proclaimed into law) to provide a right of access to personal data held by the public sector, and to govern the collection, confidentiality, correction, retention, disclosure and use of the personal information.

Private Sector

New Brunswick issued a Discussion Paper in June, 1998 that may lead to both a tort remedy for interference with personal privacy rights and to rules governing the private sectors' use of personal data.

Nova Scotia

Public Sector

Public sector privacy is regulated by the Freedom of Information and Protection of Privacy Act (1993), enacted originally in 1990. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information.

Private Sector

There is no private sector privacy legislation in Nova Scotia, nor is there any indication of when legislation might be expected.

Prince Edward Island

There is no public or private sector legislation in Prince Edward Island. The government tabled the Freedom of Information and Protection of Privacy Act in 1997, but as of this summer the Act had not received second reading.

Newfoundland

Public Sector

Public sector privacy is regulated by the Freedom of Information Act, enacted in 1982. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information.

Private Sector

Like British Columbia, Newfoundland has had a Privacy Act since 1981. This Act also does not cover private data collection and is of limited scope.

Yukon

Public Sector

Public sector privacy is regulated by the Access to Information Act and Protection of Privacy Act, enacted in 1996. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information.

Private Sector

There is no private sector privacy legislation in the Yukon.

Northwest Territories

Public Sector

Public sector privacy is regulated by the Access to Information Act and Protection of Privacy Act, enacted in 1997. The Act gives individuals a right of access to both personal and non-personal data held by the provincial public sector. Additionally, the Act regulates the collection, confidentiality, correction, disclosure, retention and use of the information.

Private Sector

There is no private sector privacy legislation.

Scope of Investigation

This report is current to November 1, 1998. It is confined to privacy rights with respect to collection and use of personal data. Rights of personality are excluded (except to the extent that such legislation has been referred to for the purpose of clarifying its purpose as distinct from data collection).