This article has been written by Devagni Vatsaraj, pursuing a Diploma in International Data Protection and Privacy Laws from LawSikho. It has been edited by Prashant Baviskar (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
Table of Contents
Introduction
Concerns about personal data protection are in the spotlight all over the world. In recent years, stringent data protection and privacy legislation such as the General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), California Consumer Protection Act (CCPA), Brazilian General Data Protection Law, etc. have been enacted and/or proposed. Canada has long been at the forefront of data protection with PIPEDA being enacted in the year 2000. The Model Care for the Protection of Personal Information in 1996 was based on the ten principles which included accountability, consent, and the limiting of data collection. The PIPEDA governs how private-sector organisations handle personal information.
Data protection legislations in Canada
Essentially, the private sector privacy statutes that govern the collection, use, disclosure, and management of personal information in Canada are the PIPEDA, the Alberta’s Personal Information Protection Act, 2003 (PIPA Alberta), and the British Columbia’s Personal Information Protection Act, 2003, (PIPA BC), and Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act.)
The Federal private sector law, PIPEDA, governs the interprovincial and international collection and processing of personal information. The application of PIPEDA extends to personal information held by banks, airlines, railways, telecommunications companies, and internet service providers, across the country; including employee information. For commercial activities within a province, which does not have a substantially similar legislation governing the sector; the PIPEDA generally applies.
The private sector privacy statutes in PIPA Alberta, PIPA BC, and Quebec Privacy Act have been deemed “substantially similar” to PIPEDA and, therefore, PIPEDA does not operate within those jurisdictions. The health privacy statutes in Ontario, New Brunswick, Newfoundland & Labrador, and Nova Scotia have also been deemed substantially similar to PIPEDA, and therefore, PIPEDA does not apply in respect of private health providers operating within those jurisdictions but continues to apply to other commercial activity therein.
The Privacy Act applies to the federal government departments and agencies and as such does not get covered under the ambit of the PIPEDA. The health data in four others, Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia, are protected by local legislation and therefore the PIPEDA does not apply. However, once data crosses national borders, PIPEDA applies irrespective of whether such lateral legislation is in place or not in the country. Federal, provincial, and territorial laws govern all the public sector institutions within each of their respective jurisdictions.
General and sector-specific legislations impacting the protection of data
While the compliance of PIPEDA and the Privacy Act is overlooked by the Privacy Commissioner of Canada; the federal, provincial, and territorial jurisdiction in Canada have their own independent Information and Privacy Commissioner, who reports to their respective legislature and oversees the relevant data protection laws applicable in that jurisdiction. Further, certain offences can be prosecuted by the Attorney General. There are both general and sector-specific legislation across Canada that impact data protection.
General legislations
- Canada has enacted The Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying Out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, 2010 (CASL); which is the anti-spam legislation which addresses matters regarding the collection and use of email addresses and intrusion of computer devices;
- Quebec’s IT Act provides for protection of confidential information stored in electronic formats and lays down the regulations for the use, retention and transmission of electronic data;
- Quebec’s Civil Code vide its Section 35 governs an individuals’ right of reputation and privacy and protects them from unlawful invasion thereof;
- Quebec’s Charter for Human Rights and Freedom vide Section 5 enables an individual to demand a right to private life and vide Section 46 provides for right to fair and reasonable conditions of employment;
- Canadian provinces of British Columbia, Saskatchewan, Manitoba, Newfoundland and Labrador have each enacted statutory torts if an individual wilfully violates the privacy of another; and
- Canadian Criminal Code encompasses in itself various offences including mischief, fraud, hacking, identity theft and misuse of personal information.
Sector-specific legislations
- Specific regulators and/or industry associations have established guidelines that regulate the data protection for their sectors:
- Officer of Superintendent of Financial Institutions;
- Mutual Funds Dealers Association of Canada;
- Investment Industry Regulatory Organisation; and
- Canadian Securities Administrators.
- Apart from these industry regulators, as mentioned earlier herein, most provinces in Canada have their own legislations for processing of personal health information by some custodians such as hospitals, clinics and doctors’;
- Most provinces have consumer protection legislations in place that require the agencies to ensure accuracy of transactions, give data subjects access to their personal information, limit disclosure and ensure protection of consumers’ rights;
- The Federal Bank Act protects all registers and records, including customer records as specified in the act, in order to keep the data safe and secure.
Personal data under PIPEDA
Personal data containing any information, recorded or not, about an identifiable individual is protected by PIPEDA. It not only covers the Personally Identifiable Information (PII) such as name, age, sex, medical record, financial and employee records, etc. but also keeps a track of the individuals’ opinions, comments, and social status. However, personal information processed by federal government organisations that fall under the incidence of the Privacy Act, business contact information in respect to the employment or profession, an individual’s collection, use or disclosure of personal information strictly for personal purposes or an organisation’s collection, use or disclosure of personal information for journalistic, artistic or literary purposes, is not covered by the PIPEDA.
Key principles that apply to processing of data
Referred to as the fair information principles, these ten criteria represent the foundation of PIPEDA as well as the provincial legislations. Beyond them, organizations are responsible for the protection and fair handling of personal information at all times and are obligated to ensure that any collection, use, or disclosure of personal information is done only for purposes that a reasonable person would deem appropriate given the circumstances. These principles are:
- Lawful bases of processing:
Privacy statutes in Canada require organisations to obtain consent from the data subjects, for the collection and processing, i.e., for the use and disclosure of personal information, except for limited exceptions. Further, the consent so provided by the data subject must be informed and legitimate in nature, which means that the data subject must understand the nature, purpose, and consequences of providing such consent.
The form (express or implied) of consent may vary depending on the nature of the information and the reasonable expectations of the individual. The data subjects may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
- Transparency:
Under the Transparency principle, privacy statutes in Canada require organisations to record and give access to individuals’ their specific information regarding its policies and practices describing the administration of personal data, in a form that is generally understandable.
- Purpose limitation:
Before the collection of personal information, organisations must identify the purposes for which such data is collected. Such purposes must be documented in accordance with the principle of transparency. Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the data subject or as required by law.
- Data minimisation:
Canadian legislations require that the collection and processing of personal data be limited to the extent to which it is necessary to fulfill the purposes recognized by the organisation. Further, it lays down that the personal information shall only be retained only for such time for which it is absolutely required, and then, such data must be deleted/destroyed.
- Proportionality:
The legislation sets out the dominant compulsion that organisations may collect and process the personal information/records of data subjects, only for purposes that can reasonably be considered appropriate in the situation. The safeguarding obligation imposed, is proportional to the level of sensitivity, which means that, more sensitive the information, the higher the level of protection will be required. The extent to which information shall be accurate depends upon the usage of the information and the interests of the data subject.
- Retention of data:
The privacy statutes in Canada impress that the organisation that collects and processes the data must retain the same, only until the purpose for which data was collected, is fulfilled and not any longer than that. Personal data which is no longer required must be destroyed, erased, or made anonymous.
- Accuracy:
Organisations are required to ensure that personal information collected and processed, which is stored in its records, is accurate, complete, and updated, especially when such personal information is used to make a decision or the same is to be disclosed to another organisation.
- Accountability:
Organisations are responsible not only for protecting the personal data under their control, but also for the data that they transfer to third parties for processing. Organisations must assign/appoint and identify an individual who would be accountable for the compliance with the privacy principles and who would frame as well as implement such policies and practices to ensure compliance with the privacy principles.
- Safeguarding:
Both federal and provincial statutes contain specific provisions relating to the safeguarding of personal data. These provisions require organisations to implement technical, physical, and administrative measures to protect data against theft, unauthorised access, copying, unlawful use, modification, or destruction of such personal data.
Treatment of individuals’ rights of data being processed under the Canadian legislation
There are various rights of data subjects like the right to access, the right to be forgotten, the right to file a complaint, etc. Similarly, there are various such rights that an individual is entitled to, in respect of the processing of their personal data. Following are some of such rights:
- Right to access data:
Under Canadian legislation, organisations, upon request (subject to exemptions) must inform the data subjects of the existence, use, and disclosure of their personal data and must give them access to that information, including if their data is shared with third-party marketing agencies or otherwise and must state the purpose to such sharing of data. There are some exemptions such as confidential information, information relating to other individuals, national privilege, etc, under which circumstances, the organisations may not provide access to such information to the data subject.
The data subjects’ requests must be specific to allow an organisation to identify their records and respond back within a prescribed time limit or within a reasonable period. Such response must be provided at minimal or no cost and an organisation must make the information available in a form that is generally understandable and acceptable throughout the industry. It is pertinent to note that the right to access data includes providing access to records at the organisations’ office and not handing over the data to the data subjects.
- Right to object processing of personal data:
There is no explicit mention that data subjects can object to the processing of personal data; however, the legislation does provide that an organisation must use the data collected only for the purpose for which an individual has consented, for objects specifically mentioned, for a legitimate purpose and under contractual obligations only.
- Right to withdraw consent:
Under the privacy policies prevailing in Canada, a data subject must be able to withdraw consent at any time, subject to exemptions including but not limited to, fulfillment of contractual obligations, legitimate purpose, legal requirements, etc. Further, prior to the data subject withdraws their consent, they must be informed of the implications of such withdrawal.
- Right to data portability:
The Canadian legislation does not include a right to data portability.
- Right to rectification of errors:
The privacy statutes in Canada require that when a data subject rings to the notice of an organisation, of inaccuracy and/or incompleteness of their personal data; such organisation must make a note of the same and/or rectify such error within a reasonable period, as the case may be.
- Right to be forgotten:
The Canadian privacy statutes provide data subjects with the right to withdraw their consent at any time, however, the statutes fail to provide data subjects with a remedy of right to be forgotten or getting their data deleted.
- Right to object to marketing:
When an organisation discloses personal information of data subjects to third parties for marketing purposes, the Canadian statutes provide that the data subjects must have a right to opt out. They highlight the fact that consent is of utmost importance and that the data subjects must be made aware of the marketing purpose before or at the time of collection of personal data, in an understandable and clear manner. The data subjects must be able to easily opt-out of the organisation using their personal data for marketing purposes and such opting-out must come to immediate effect and the personal data collected must be destroyed instantaneously.
- Right to file complaint:
Prior to data protection statutes coming into effect, the data subjects were to address their issues with the person concerned and accountable, within the organisation. It was the duty of an organisation to ensure that proper and simple procedures were in place to effectively address such complaints. The Canadian statutes protect the data subjects in a manner that it provides them with a right to make a complaint to the relevant data protection authority.
Appointment of Data Protection Officers
Organisations do not have a straight-jacket legal obligation to register with the relevant data protection regulatory authorities for their processing activities. However, organisations that desire to use or disclose personal information without the consent of the data subjects, for statistical, scholarly study. Research purposes must, before such use or disclosure, notify the Federal Privacy Commissioner. There may arise difficulties in processing personal data of the data subjects’ and therefore, the legislation provides that there be privacy officials that mitigate the risk.
PIPEDA, PIPA Alberta, and PIPA BC expressly state that organisations must appoint an individual who shall be in charge of ensuring compliance with the data protection obligations. Industry-wide, these individuals are referred to as the Privacy Officer, although there is no particular title mentioned in the statutes. While acting in good faith and based on a reasonable belief, if the privacy officer refuses to do something that will contravene the statute, or does something in an attempt to comply with the same; under such circumstances, such privacy officers enjoy immunity against disciplinary action from their employer.
The privacy regulators at British Columbia and Alberta describe the role of the Privacy Officer, stating that these individuals are designing, structuring, and managing programs, training, auditing, documentation, and follow-up. Depending on the type of organisation, these privacy regulators are expected to establish and implement programme controls, coordinate with appropriate persons within the organisation, represent the organisation in the event of a complaint or investigation by a Privacy Commissioner’s office; and promote privacy protection within the organisation.
Restriction on international data transfer
Generally, the organisations agree on entering into an arrangement when transferring data outside of Canada for processing purposes to ensure that the data transferred is provided with a reliable level of protection as is followed under that under Canadian Statutes. Moreover, the Office of Privacy Commissioner has laid down guidelines for processing personal information across borders. Osler, Hoskin & Harcourt LLP has published and reproduced the international comparative guide to data protection.
- Under PIPEDA, the organisations are responsible for personal information in their custody, along with the personal data transferred to third parties for processing. The Canadian legislations permit non-consensual transfer of personal data to third-party processors outside Canada, provided that such transferring organisation uses reasonable means and level of protection while the data is being processed by the processor overseas.
- In Alberta, if an organisation uses a service provider outside Canada to collect and process or eve store the personal data, the organisation must in its privacy policies, specify the jurisdictions in which it is transferred and the purpose for the collection, use, or storage of personal data in the servers overseas, has been authorised for.
Data breach and security
The PIPEDA was amended to include the requirements for the organisations to report to the Privacy Commissioner of any breach of security involving the personal information of data subjects, under its control if it is logical to believe that the breach would create significant harm to the subject (as is also required under PIPA Alberta). The reports to the Commissioner must include a description of the circumstances of the breach and, if known, the cause; the approximate day on which, or the period during which, the breach occurred or; description of breach and the number of individuals affected by the breach and steps that the organisation has taken to mitigate the risk. Moreover, the organisations are required to keep records of every breach of security involving personal information under its control, and to provide the Commissioner with a copy of such records on request.
Canadian Privacy Statutes have recognised the need to expressly specify the reporting of data breaches and consequences thereof; therefore, these statutes were amended in 2015, which came into effect in November 2018. The provisions now require organisations to implement technical and administrative measures to protect personal information against loss or theft, unauthorised access, and disclosure, copying, modification, or destruction. The safeguards must be appropriate to the sensitive information, i.e., the more sensitive the information, the higher the level of protection will be required. Further, an organisation shall be held responsible for protecting the personal information of data subjects, which is its possession, including the information that has been transferred to a third party for processing.
Enforcement and sanctions
There has been an escalating inclination towards initiating investigations under the privacy statutes of Canada. The regulators are adopting various innovative strategies through formal as well as the less formal, online privacy sweeps of the Global Privacy Enforcement Network; they are collaborating with national and international counterparts, to conduct joint investigations in accordance with the agreement entered into by and between them.
Powers of investigation:
The Privacy Commissioner shall investigate the complaint made by data subjects, under PIPEDA, subject to reasonable exceptions. Further, if the Privacy Commissioner has reasonable grounds that the complaint requires that an investigation is warranted, it has powers to initiate the same. During the investigation, the Commissioner can summon witnesses for evidence, inspect documents, compel the production of documents, and inspect premises (except dwelling houses.)
Under PIPA Alberta and PIPA BC, the Privacy Commissioners have similar powers of investigation. However, where a matter is not otherwise resolved, an investigation may be elevated to a formal inquiry.
Power of audit:
The Privacy Commissioner and the OIPC BC have the authority to audit the practices adhered to by the organisation with respect to dealing with personal information of data subjects if they have reasonable grounds that the organisation is contravening the Act. The results of the audit are made public.
Power of enforcement:
Upon concluding an investigation under PIPEDA, the Privacy Commissioner issues a report of findings and recommendations for compliance. The complainant or the Commissioner, with the data subjects’ consent, may apply to the Federal Court for a hearing. The Court has broad remedial powers to order correction of the organisation’s practices and award damages to the data subject so affected. The organisation may voluntarily comply and undertake to fulfill the recommendations made and bring itself into conformity with PIPEDA. If an organisation shows initiative and undertakes measures to be PIPEDA compliant, the Commissioner shall not apply to the Court and/or shall suspend any pending court application. If an organisation fails to adhere to its commitments in a compliance agreement, the Privacy Commissioner, after notifying the organisation, can apply to the Court for an order requiring the organisation to comply with the terms of the agreement. In Alberta and British Columbia, an inquiry may result in an enforceable order. Organisations are given a prescribed time limit, within which they are required to comply with the order or apply for judicial review. Similar is the regulation that must be followed in Quebec.
Sanctions:
In Quebec, Alberta, and British Columbia, statutory provisions if violated, would constitute an offence and result in fines of up to $10,000 for a first offence and $20,000 for a subsequent offence in Quebec, and up to $100,000 for an offence in Alberta and British Columbia. Under PIPEDA, the contravention of provisions may even result in criminal sanctions.
Concluding remarks
With the help of the Privacy Commissioner which has established four strategic privacy priorities, i.e., the economics of personal information; government surveillance; reputation and privacy; and the body as information; that guides the Office’s discretionary work, the courts continue to provide a better outlook and shape to the tort of invasion of privacy. Currently, it is focused on implementing its recommendations for enhanced (including but not limited to online) consent under PIPEDA. Further, the Office of the Privacy Commissioner continues to focus on reforming the national security in Canada and the relationship with data protection. It continues to shift its focus towards the issues and consequences of data sharing with its national and international counterparts. Their regulators are very alert and have been alarmed that it is the need of the hour that there be a shift, that what we need is the collaboration between the data protection and other sectors that administer the daily affairs of the data subjects.
References
- General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)
- PIPEDA in brief – Office of the Privacy Commissioner of Canada
- Codes Display Text (ca.gov)
- https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/
- Alberta Queen’s Printer:
- Personal Information Protection Act (gov.bc.ca)
- Légis Québec (gouv.qc.ca)
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.