Protection of Privacy
(This Client Guide provides general information and is made available to provide a general description of the privacy legislation in Canada. This has been modified from a paper of the title set out below presented by Brian R. Fraser at the September, 2001 INSIGHT conference, "INTERNET LAW Emerging On-Line Trends and Legal Implications" in Toronto, Canada. This is not intended to constitute legal advice, which by its nature is situation specific. If you have questions about a specific legal problem, you should consult a lawyer who will provide legal advice only after reviewing all the facts relevant to your situation, rather than relying on the general information provided in this Guide.)
CANADA'S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT ("PIPEDA"): ESTABLISHING A "CONSTITUTION" IN THE NEW FRONTIER
I Federal Legislation - The Personal Information Protection and Electronic Documents Act
Concerns about the protection of the privacy of individuals and the confidentiality of their sensitive personal information are not new, and in many ways have grown in tandem with the growth of increasingly sophisticated technologies for information gathering. The legislative response to date in Canada to this increased capacity to collect and record information has included, for example, Criminal Code prohibitions against wiretapping, legislation governing the collection and use of credit information and legislation governing the accessibility of information about individuals collected by, or in the possession of, federal and provincial governments.
The more direct legislative history of the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"), which came into force as of January 1, 2001, can be traced to the development, beginning in the late 1970s, by the Organization for Economic Co-operation and Development ("OECD") of certain established principles for the protection of privacy in the private sector. The work of the OECD members culminated in 1980 in the issuance by the OECD of its Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Information (the "OECD Guidelines"). In 1984, Canada formally subscribed to the OECD Guidelines and began to encourage private industry to bring its practices for the collection and use of personal information into line with the OECD Guidelines. The Canadian Standards Association (now known as "CSA International") developed and published, in 1996, a detailed voluntary privacy code (the "CSA Model Code"), and the banking industry and direct mail industry also produced their own industry codes. The CSA Model Code now forms the backbone of PIPEDA and is attached as Schedule 1 to the legislation.
2. Scope of the Legislation - What, When and to Whom it Applies
Broadly speaking, the legislation will ultimately apply to the collection, use and disclosure of "personal information", both by federally-regulated private sector organizations and by all organizations collecting, using or disclosing such information in the course of commercial activities within a province.
The Act will be phased-in, in three stages:
(i) As of January 1, 2001, the Act applies to personal information (except personal health information) that is collected, used or disclosed in the course of "commercial activities" carried on by the federally-regulated private sector, including for example, organizations involved in banking, telecommunications, broadcasting, air travel and interprovincial transportation of goods;
(ii) As of January 1, 2002, the Act will extend to personal health information for those organizations and activities covered in the first stage; and
(iii) As of January 1, 2004, the Act will extend to the collection, use or disclosure of personal information in the course of any commercial activity within a province (except for provincially-regulated organizations in provinces which have adopted "substantially similar" privacy legislation).
For the purposes of PIPEDA, "personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization and "commercial activity" means any particular transaction, act or conduct or any course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
3. The Ten Basic Principles
As noted above, the core prescriptive provisions of PIPEDA are those found in the CSA Model Code, which is appended as Schedule 1 to the Act. Section 5(1) of PIPEDA provides that, subject to certain modifications stipulated in the Act, every organization shall comply with the obligations set out in Schedule 1 (to the extent, however, that the word "should" is used in Schedule 1, it indicates a recommendation that does not impose an obligation).
Schedule 1 sets out each of the ten governing principles with a preliminary statement of the principle, followed by a series of provisions elaborating on the basic obligation. The ten basic principles are as follows:
1. Principle 1 - Accountability:
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the specified principles of accountability.
2. Principle 2 - Identifying Purposes:
The purpose for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Principle 3 - Consent:
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
4. Principle 4 - Limiting Collection:
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
5. Principle 5 - Limiting Use, Disclosure, and Retention:
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
6. Principle 6 - Accuracy:
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
7. Principle 7 - Safeguards:
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Principle 8 - Openness:
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Principle 9 - Individual Access:
Upon request an individual should be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Principle 10 - Challenging Compliance:
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
4. Some General Comments
The Schedule itself is appended as Appendix I, and should be reviewed in its entirety. Both the Schedule and the legislation itself provide a further gloss on the application of these ten principles and, in some cases, provide certain limited exemptions.
For example, although one of the basic principles of PIPEDA is the requirement to obtain consent for the collection, use or disclosure of information, section 7 of the legislation provides that an organization may collect personal information without the knowledge or consent of the individual if (and only if):
(a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
(b) it is reasonable to expect that the collection with the knowledge or the consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or of a province;
(c) the collection is solely for journalistic, artistic or literary purposes; or
(d) the information is publicly available (as specified by regulations).
Sections 7(2) and (3) prescribe certain other limited circumstances in which the organization may use or disclose, respectively, the personal information.
The Governor in Council also has the power to order that an organization, class of organizations, an activity or a class of activities are exempt from the application of the privacy provisions of PIPEDA in respect of the collection, use or disclosure of personal information that occurs within a particular province, where the Governor in Council is satisfied that that province has legislation which is "substantially similar" to the relevant provisions of PIPEDA.
As discussed below, at present Quebec is the only province that has to date passed legislation dealing with personal information in the private sector that the federal government has acknowledged is "substantially similar". Accordingly, the federal government has indicated that activities and organizations which are subject to the Quebec legislation will be exempted from PIPEDA in that province.
5. Complaints and Enforcement
Under the provisions of PIPEDA, the Privacy Commissioner (an office previously created pursuant to the federal Privacy Act) is expected to play an active role not only in policing compliance with the Act, but also in educating the public as to its provisions. Concerns regarding a particular organization's compliance with the legislation may arise by way of individual complaint, or by action initiated by the Commissioner himself. Individuals have the right to file a complaint with the Commissioner regarding not only an alleged contravention of the Act, but even for an alleged failure by an organization to follow a recommendation set out in Schedule 1. The Commissioner may also, however, on his own initiative, investigate a matter and commence a complaint "on reasonable grounds". Complaints regarding the refusal of an organization to permit an individual to have access to his or her personal information must be filed within six (6) months (or a longer period permitted by the Commissioner) after the refusal or after the expiry of the time limit for responding to the request.
Where the Commissioner conducts an investigation in respect of a complaint, he has broad powers to summon witnesses, administer oaths, enter premises, receive and accept evidence, carry on private conversations or conduct inquiries and examine or take copies of records found in any premises which may be entered in the process.
Within one year after a complaint is filed (or initiated by the Commissioner), the Commissioner must prepare a report with his findings and recommendations. The report will also contain any settlement reached between the parties; if appropriate, a request that the organization give the Commissioner, within a specified time, notice of any action taken or proposed to be taken to implement the recommendations contained in the report, or reasons why no such action has been or is proposed to be taken; and the recourse, if any, that is available in the court.
In certain circumstances, the Commissioner is required to prepare a report.
After receiving the Commissioner's report, a complainant may apply to the court for a hearing to deal with certain aspects of the complaint. Such an application must be made within 45 days after the report is sent (unless the court allows a longer time). Similarly, the Commissioner (where he did not initiate the complaint) may apply to the court for a hearing.
The court has the power to:
(i) Order an organization to correct its practices in order to comply with sections 5 to 10 of the legislation;
(ii) Order an organization to publish a notice of action to be taken or proposed to be taken to correct its practices (whether or not ordered to correct them by the court); and
(iii) Award damages to the complainant, including damages for any humiliation the complainant has suffered.
In addition, the Commissioner has the power to audit the personal information management practices of an organization where the Commissioner has reasonable grounds to believe that the organization is not complying with the legislation. Again, for the purposes of conducting the audit, the Commissioner has broad powers. The audit report prepared by the Commissioner may be included in the annual report which the Commissioner is required to submit to Parliament at the end of each calendar year.
In addition to the procedures and powers reviewed above, the Act also contains a provision which makes it an offence, punishable on summary conviction by a fine not exceeding $10,000 or on indictment by a fine not exceeding $100,000, to knowingly contravene certain provisions of the Act or to take disciplinary action against employees who provide information to the Commissioner regarding possible contraventions of the Act or who, in good faith, insist on complying with, or not breaching, the provisions of PIPEDA. Similarly, it is an offence to obstruct the Commissioner or his delegates in the investigation of complaints or the conduct of an audit under the legislation.
II Provincial Initiatives
As noted above, the Governor in Council may exempt an organization, activity or class of activities from the application of the legislation where there is legislation in effect in that province that is substantially similar to PIPEDA.
To date, only the province of Quebec has enacted legislation which may be said to be "substantially similar" to PIPEDA in terms of the collection, use and disclosure of personal information by the private sector. Although the thrust of the legislation is obviously very much the same, there are some differences in the legislative language used to express some of the relevant principles and some differences in the degree of its specificity, in terms of how those basic principles are translated into legislative obligations. For example, in some respects, the Quebec legislation is more prescriptive with respect to how the "file" of information concerning a person is established and recorded, and as to the precise circumstances in which information may be collected from third parties, or otherwise without the consent of the individual involved. The Quebec legislation also contains specific provisions dealing with so-called "nominative lists", being lists of the names, addresses or telephone numbers of natural persons. In certain circumstances, these nominative lists may be used for commercial or philanthropic prospection or disclosed to third persons.
I do not propose to deal with the provisions of the Quebec legislation in any detail here. However, it is clear that any commercial enterprise soliciting personal information from Quebec, whether operating within the Province or (subject to the usual jurisdictional questions regarding extra-territoriality) via a website, should carefully review the provisions of that legislation to ensure compliance, where it is intended or expected that Quebec residents will be providing personal information.
British Columbia and Ontario are also in the process of developing privacy legislation intended to be substantially similar to PIPEDA. It remains to be seen whether the final versions of the legislation will, as in the case of the Quebec legislation, diverge significantly enough from the provisions of PIPEDA that a further layer of legislative scrutiny will be required. In other words, will it be good enough for organizations offering goods or services, operating a website, or running promotions directed at a national audience merely to satisfy themselves that they have complied with PIPEDA?
For example, while I do not propose to review the provincial proposals in detail here, there is some question as to whether the legislative proposals developed to date by Ontario will be even more stringent on the question of informed consent than is PIPEDA. For a discussion of the proposed Ontario Privacy Act, see Ontario's consultation paper at www.cbs.gov.on.ca/mcbs/english/2766_b1A.htm.
A number of provinces (British Columbia, Saskatchewan, Manitoba, Quebec and Newfoundland; New Brunswick is in the process of developing such legislation) also have in place existing "privacy" legislation intended to address a different kind of concern. This legislation is principally directed to establishing a tort of invasion of privacy (for example, the unauthorized use of such indicia of an individual's personality as name, photograph, likeness, etc. in advertising or for other commercial purposes). Although it is conceivable that a "wrongful dissemination of information about an individual" might amount to the tort of invasion of privacy, for the most part this legislation is intended to address different concerns and would not likely be considered "substantially similar" to PIPEDA.
It is to be expected that in time many, if not all, of the provinces will develop their own legislative initiatives addressing the collection, use and disclosure of personal information. It will then be a question of whether the federal government is satisfied that the provincial legislation is "substantially similar" to the provisions of PIPEDA.
III U.S. and International Perspectives
1. Council of Europe: Convention 108
On January 28, 1981, the Council of Europe (an international body, not to be confused with the European Council, which brings together the Heads of State or the Governments of the 15 member states of the European Union and the President of the European Commission) opened for signature the "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data", sometimes referred to as "Convention 108". This Convention has been signed by more than thirty countries, although it has not been ratified by all signatories, nor have all signatories yet passed national legislation implementing its provisions.
This Convention is still the world's only binding international legal instrument in the area of privacy protection for personal data and is open to signature by any country, including those which are not members of the Council of Europe.
The Convention sets out a number of principles for the fair and lawful collection of data. In particular, it provides that data can only be collected for a specific purpose and may not be used for any other reason. It must be accurate, adequate for the stated purpose and stored only for such a period of time as is necessary in order to serve that purpose. It also establishes rights of access to, and correction of, the collected data by those individuals whose data has been collected and contains provisions requiring a special level of protection for data of a sensitive nature, such as data concerning religion, political beliefs, sexual orientation, genetics or medical information.
The intention of the convention is for all state signatories to enact national legislation incorporating these basic principles in respect of the collection and use of the personal data of persons resident in their territory and, on the basis of this common level of protection, to permit a free flow of personal data between states who are parties to the convention.
Potential problems arise with respect to the transfer of data to states who are not a party to the convention, or from one state who offers a certain level of protection for personal data to a state which offers a lesser level of protection. In order to address these concerns, the Consultative Committee of the Convention developed a form of model contract for use by private enterprise.
2. Charter of Fundamental Rights of the European Union
The Charter of Fundamental Rights of the European Union, signed on December 7, 2000 by the member states of the European Union, contains in Article 8 a broad recognition of the importance of the protection of personal data. It provides as follows:
Protection of Personal Data
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority.
3. European Union Directives
(a) Directive 95/46/EC
On October 24, 1995, the European Parliament and Council passed Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Consistent with the provisions of Convention 108, Directive 95/46/EC is intended to result in the implementation, through the passage of national laws in each of the member states of the European Community, of a standard set of rules governing the collection, use and disclosure of personal information, whether by governments or private industry.
The essential thrust of the principles outlined in the Directive is much the same as that reflected in PIPEDA.
The Directive recognizes that the principles should not extend to the collection of personal data for all purposes and in all contexts. For example, the Directive specifically acknowledges that the processing of "personal data" in the course of activities falling outside the scope of European Community law or in respect of matters of public security, defense, state security and criminal law should not be governed by the Directive, nor should data processing by individuals in the course of purely personal or household activity.
Among the central principles enshrined in the Directive are that member states ensure that "personal data" must be processed fairly and lawfully, collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes.
Except with the explicit consent of the person involved, or in limited circumstances and/or with suitable safeguards, member states are directed to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of data concerning health or sex life. The principles outlined in the Directive also require the person collecting the information to provide certain information to the subject from whom the data is collected, including the identity of the collector, the purposes of the processing for which the data are intended and any further information such as the recipients or categories of the recipients of the data, whether replies to the questions are obligatory or voluntary, as well as the possible consequences of a failure to reply to any questions that are necessary to guarantee fair processing of the information.
The Directive, like PIPEDA, also requires that individuals be given the right to ascertain whether information concerning them is being processed, to obtain access to the data, and to obtain the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the Directive.
The Directive also requires member states to enact provisions to ensure adequate protection and security of the data and to provide remedies, including a right to seek damages, against persons who process data in violation of the Directive.
As well, as discussed below, the Directive addresses the issue of transfers of personal data to a third country, in order to assure that the third country recipient provides an adequate level of protection for the information, as a pre-condition to transfer. The Directive may be viewed at http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html .
(b) Directive 97/66/EC
This Directive, passed on December 15, 1997, is intended to "particularize and complement" Directive 95/46/EC with respect to the processing of personal data in the telecommunications sector in particular and to ensure the free movement of data and of telecommunications services within the European Community. It applies to ISDN and public digital mobile networks, as well as to subscribers to lines connected to digital exchanges, and (if it does not require a disproportionate economic effort) to subscribers to lines connected to analogue exchanges. Among other things, it requires the providers of publicly-available telecommunications services to take appropriate technical and organizational measures to safeguard the security of their services. It addresses the confidentiality of communication via a public telecommunications network, specifically prohibiting listening, taping, wiretapping or any other kind of interception or surveillance of communications by others without consent. It also addresses unsolicited calls and telefaxes, presentation and restriction of calling-line and connected-line identification, and subscriber directories.
IV Adequacy of PIPEDA and U.S. "Safe Harbour" Rules for Purposes of EU Directive
A. Adequacy of PIPEDA
As noted above, pursuant to Directive 95/46/EC, EC member states agreed to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an "adequate level of protection" and the member state's laws implementing other provisions of the Directive are respected prior to the transfer.
If the Commission finds that the third country ensures an adequate level of protection, personal data may be transferred from the member states without any additional guarantee from the third country being necessary.
The EU Article 29 Working Party (data protection) has published an opinion regarding the adequacy of PIPEDA for purposes of compliance with the Directive. It expresses a number of concerns regarding the adequacy of PIPEDA for these purposes, including concerns regarding the delay in the implementation period to all commercial activity (until January 1, 2004). The limitation of PIPEDA to the collection, use and disclosure of personal information in the course of "commercial activities" only, and the lack of clarity concerning what is considered "sensitive" personal information for purposes of PIPEDA, were identified as other potential areas of concern.
B. U.S. "Safe Harbour" Principles
As expressed by the U.S. Department of Commerce (see www.export.gov/safeharbor), the United States takes an approach to privacy which is different to that taken by the European Union - the U.S. uses a "sectoral approach" that relies on a mix of legislation, regulation and self-regulation.
Because of the importance of European - U.S. transatlantic data transactions, the U.S. and the European Commission worked together to develop a "safe harbour" framework in order to bridge any gap between the two different approaches to the protection of privacy. This "safe harbour" approach was approved by the European Union in July of 2000.
Essentially, the framework operates on the basis of a "self-certification" process, where U.S. organizations enter the "safe harbour" entirely voluntarily. In order to participate in the safe harbour, however, they must comply with seven safe harbour principles, which are summarized as follows:
1. Notice
· Organizations must notify individuals about the purposes for which they collect and use information about them;
2. Choice
· Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized;
3. Onward Transfer (Transfers to Third Parties)
· In order to transfer information to a third party, the organization must ensure that the third party subscribes to the safe harbour principles, is subject to the Directive, or is otherwise considered "adequate" for Directive purposes;
4. Access
· Individuals must have access to personal information about them and be able to correct, amend or delete that information where it is inaccurate, except in limited circumstances;
5. Security
· Organizations must take reasonable precautions to protect personal information;
6. Data Integrity
· The personal information must be relevant for the purposes for which it is to be used, and the organization must take reasonable steps to ensure that the data is reliable for its intended use and that it is accurate, complete and current; and
7. Enforcement
· In order to ensure compliance with the safe harbour principles, there must be a) readily available and affordable independent recourse mechanisms for the investigation and resolution of disputes; b) procedures for verifying that organizations have complied with their commitments to adhere to the safe harbour principles; and c) obligations to remedy problems arising out of a failure to comply with the principles.
C. Children's Online Privacy
In 1998, the U.S. passed the Children's Online Privacy Protection Act ("COPPA"), which became effective April 21, 2000.
Since COPPA and the FTC's Children's Online Privacy Protection Rule (the "COPPA Rule") are dealt with in considerable detail in other materials that will be presented at this conference, this paper will not review the provisions of COPPA and the COPPA Rule in any depth. Operators of Canadian websites that collect information from children under the age of 13 are advised to carefully review the provisions of both COPPA and the COPPA Rule, however, particularly if their websites are expected to be accessed by U.S. residents. Essentially, the legislation and rule require that website operators who operate websites directed to children under 13, or websites in respect of which the operators have actual knowledge that they are collecting information from children under 13, must post a link to a notice of their information practices on the homepage of the website or online service and at each area where personal information is collected from children. COPPA and the COPPA Rule also prescribe when and how website operators must seek "verifiable consent" from a parent before collecting personal information from a child and establish what responsibilities an operator has to protect children's privacy and safety online.
D. Gramm-Leach-Bliley Act
Another recent U.S. legislative initiative is the passage of the Gramm-Leach-Bliley Act in November of 1999. This Act specifically addresses the privacy of information collected and used by the financial services sector. It applies broadly to all "financial institutions", which includes any institution the business of which is engaging in any activity which is of a financial nature or incidental to a financial activity, and is therefore potentially very broad. Some of the Act's key requirements are that financial institutions must provide to their customers notice of their privacy policies and practices, and that financial institutions are prohibited from disclosing "non-public personal information" about a consumer to non-affiliated third parties unless the institution satisfies various notice and opt-out requirements and the consumer has not elected to opt out of the disclosure.
The Act also imposes criminal penalties for the use of false pretences to obtain information held by or for a financial institution which is derived from the customer's relationship with the financial institution. Federal financial regulatory authorities, as well as the Securities and Exchange Commission, the Federal Trade Commission and certain State agencies, are given jurisdiction to prescribe such regulations as are necessary to carry out, in prescriptive form, the provisions of the legislation. A number of such final rules have been passed, including by a number of the federal financial regulatory authorities and the FTC.
E. Other U.S. Laws Touching on Privacy
As is the case in Canada, the U.S. also has other existing legislation of more general application that touches on the privacy of personal information, including credit reporting legislation, such as the Federal Fair Credit Reporting Act, and legislation touching on the privacy of personal health information, such as the Health Information Portability and Accountability Act.
As discussed more fully below, the FTC has also demonstrated that it is prepared to bring enforcement actions against companies under its jurisdiction to prosecute misleading advertising offences where companies fail to comply with their posted privacy policies.
V Privacy Cases
Because PIPEDA is new legislation and it will take some time before a body of decisions by the Privacy Commissioner or the courts builds up, it may be instructive to some degree to review some developments on the privacy front in the two major legal jurisdictions whose influence on the development of Canadian jurisprudence is traditionally strongest - the United States and the United Kingdom.
(a) United States
As discussed above in reference to the "safe harbour" principles, the U.S. has not yet adopted a single, comprehensive piece of federal legislation dealing with the collection, use and disclosure of personal information in the private sector. Nonetheless, both the Federal Trade Commission and private individuals, often by way of a class action, have already taken action to challenge some of the information collection and disclosure practices of commercial enterprises.
The first FTC case involving internet privacy was the Geo Cities case (for a discussion of the case, see www.ftc.gov/opa/1998/9808/geocitie.htm), which involved a complaint by the FTC alleging that Geo Cities misrepresented to its customers, both children and adults, that the personal identifying information collected through the membership application form was used only to provide members with the specific advertising offers and products or services they requested and that "optional information" (such as education level, income, marital status, occupation, and interests) would not be released to anyone without the member's permission. The FTC alleged that, in fact, this information was disclosed by Geo Cities to third parties who used it to target Geo Cities members for solicitations beyond those agreed to by the member. Among the provisions of the settlement were a prohibition against Geo Cities misrepresenting the purpose for which it collected or used personal information, a requirement that the company post on its website a clear and prominent privacy notice, a prohibition against Geo Cities misrepresenting either the identity of the party collecting any personal identifying information or the sponsorship of any activity on its website and, to ensure parental control, a requirement that Geo Cities obtain parental consent before collecting personal identifying information from children 12 and under.
In July of 2000, the FTC announced that it had agreed to settle the charges under terms prohibiting Toysmart from selling its customer lists as a stand-alone asset. The settlement would permit the sale of the lists only as a package which included the entire website and only to a qualified buyer who agreed to abide by the terms of the Toysmart privacy statement. The FTC also amended its original charges to include the allegation that Toysmart collected information from children in violation of COPPA, the first such complaint by the FTC under COPPA.
Not all private plaintiffs have been as successful as the FTC. In March of 2001, a New York Federal District Court in the U.S. dismissed a class action lawsuit against Double Click, Inc. which alleged violations of three federal statutes: the Electronic Communications Privacy Act, the Wiretap Act and the Computer Fraud and Abuse Act. The court rejected the plaintiffs' contention that there had been a violation of any of the three federal statutes. As to the allegations under the Electronic Communications Privacy Act, the court held that there was no evidence to support the allegation that Double Click's access to the plaintiffs' computers was unauthorized, since the court took the view that a visit to a website effectively constituted authorization. The court further found, in relation to the Wiretap Act, that the company did not possess the necessary tortious intent to be found liable under the statute. Lastly, with respect to the allegations of violation of the Computer Fraud and Abuse Act, the court held that the plaintiffs had suffered no damage, a requirement of the statute.
In Convoy v. AT & T Corporation, the U.S. Court of Appeals for the Second Circuit considered a class action case involving allegations that a long distance service provider and its related credit card company violated the provisions of a number of statutes, including the Telecommunications Act of 1996, the Federal Communications Commission's regulations passed under that Act and the Fair Debt Collection Practices Act. The essence of the complaint was that the long distance service provider had improperly disseminated information contained in the long distance bills of the plaintiffs for the purposes of collecting credit card debt. In this regard, the plaintiffs also alleged that AT & T's affiliated credit card company had violated New York's general business law and New York's common law prohibiting the intentional infliction of emotional distress. Ultimately, the court concluded that, in each case, the plaintiffs had either failed to establish an appropriate remedy under the specific legislation cited (such as a failure to show that the legislation permitted a private right of action for damages or injunctive relief) or could not establish an appropriate cause of action under the legislation. The court, in reaching its decision, suggested that the appropriate remedy for the plaintiffs was to file a complaint with the Federal Communications Commission.
There are numerous other U.S. federal and state decisions that impact in some way upon the issue of the privacy of personal information of consumers. For an interesting review of some of this caselaw, see www.perkinscoie.com/casedigest.
(b) United Kingdom
In 1998, the U.K. implemented its Data Protection Act, 1998, giving effect in the U.K. to EC directive 94/46/EC. In a fashion not dissimilar to PIPEDA, the U.K. Act establishes a core set of data protection principles (in this case, eight principles), which define the scope of the protection for personal information. The Act, when fully implemented, replaces the Data Protection Act 1984. The Act contemplates a period of transition, so that the new data processing requirements will only apply from October 24, 2001 to data processing that was already under way.
In addition, the Act spells out a series of offences in relation to the obtaining, disclosing or procuring the disclosure of personal information. For example, it is an offence under the legislation for a person, without the requisite consent, to obtain or disclose personal data or the information contained in personal data, or to procure the disclosure to another person of the information contained in the personal data. The Act also prohibits the sale of personal data which has been obtained without the requisite consent. The annual report published by the U.K. Data Protection Commissioner contains some interesting case summaries, both of convictions for offences under the legislation and of the resolution of cases involving breaches of the eight principles of data protection dealt with by the Data Protection Commissioner. These may be viewed at www.dataprotection.gov.uk/ar2001/annrep. Although the eight data protection principles are not identical to the ten principles set out in the CSA Model Code attached as Schedule 1 to PIPEDA, the thrust of many of the principles is clearly the same, and an examination of some of the situations which have arisen in the U.K. may be instructive in a Canadian context.
For example, "Case 5" described in the Data Protection Commissioner's Annual Report for 2001 involved a complainant who applied for both a current account and a mortgage with a leading U.K. bank. Although the mortgage was granted, the current account was declined. The bank advised the complainant that he should re-submit his application for the current account when his mortgage had been arranged, as preference was given to people with mortgages. Unfortunately, at the time he did so, the complainant had moved to a new house so the address details on the application form were incorrect. The bank in question also conducted three credit reference checks, on two occasions using different periods for length of time at a particular address. A fraud prevention database spotted this anomaly and the file was passed on to a fraud investigator. Apparently several "procedural errors" then took place, the result of which was the addition of a "marker" indicating possible fraud. This marker appeared when a credit reference check was made. The complainant worked within the financial services sector and believed that the marker prevented him from obtaining employment in this industry.
After an assessment by the Data Protection Commissioner, it was determined that the way in which this personal information had been processed breached the first, third and fourth data protection principles. The bank was therefore required to review all of its relevant procedures and to implement additional data protection training for its staff at branch level.
In another case involving a bank, a customer entered a branch of the bank to conduct a particular business transaction and, as part of that procedure, was required to give some personal details. Later, the customer received an anonymous telephone call in which a specific accusation was made. The customer concluded that the caller must have been associated with the branch of the bank visited earlier, as the personal details given at the time were the only likely source of the information used to make the call. The customer returned to the bank for an explanation. There, it was claimed that branch/management sanctioned the use of the personal data previously given in confidence, to make the call.
The Data Protection Commissioner determined that there was no justification for the use made of the data by the bank. The bank accepted that the branch level actions were regrettable and acknowledged that the use of the customer's personal data was outside the purpose for which it had been obtained. Accordingly, the case had implications both as to the security of the personal data provided and as to whether the data was being processed fairly and for the limited purposes made known to the customer. The bank was advised to take steps to ensure that all of its staff were aware of their responsibilities under the Data Protection Act and to ensure that they act accordingly.
Another case which indicates the dangers of the inadvertent misuse of information and databases involved a woman who had recently left the employment of a local authority's Social Service Department. Apparently there were some "outstanding administrative issues" surrounding her departure. The local council intended to make a note to this effect on one of their systems. Unfortunately, through clerical error, the woman's name was instead entered onto a list of the department's clients. This database was accessible by a number of the complainant's ex-colleagues, one of whom brought this fact to her attention.
It was determined that the council, at the relevant time, had no procedure in place to notify data subjects that they were to be included on such a register. Accordingly, the council was required to take action to rectify the situation.
VI Some General Steps to Follow in Ensuring Compliance with PIPEDA and other Relevant Privacy Legislation
Although PIPEDA does not yet extend to all commercial enterprises currently collecting personal information, a number of organizations operating within federally-regulated industries, such as the banking, telecommunications and transportation sectors, are already under a legal obligation to comply with the legislation. By January 1, 2004, effectively all commercial enterprises that collect personal information as part of their business operations will need to comply with PIPEDA. Accordingly, many non-federally regulated businesses are already, wisely, reviewing their information practices in light of the requirements of PIPEDA.
The common areas where the "rubber hits the road" for businesses in this area are: the operation of websites, including the establishment of appropriate privacy policies; the processing of online orders for products and services; the solicitation of consumer information in connection with online and other contests and promotions; the collection of consumer information in connection with applications for the supply of products and services; and the collection of consumer survey data for use in product improvement and/or direct marketing.
Good examples of comprehensive privacy policies of this type may be found in the banking, telecommunications and broadcasting sectors. See, for example,
www.royalbank.com, www.bell.ca/cn/legal/privacy/cpp.asp and
In establishing such a policy, the following steps should be helpful:
1. Start by asking what personal information your organization really needs to collect and why;
2. Carefully review sections 1 to 10 of PIPEDA and Schedule 1;
3. Consider whether the provisions of a provincial privacy statute are applicable (e.g. does the organization expect to collect information from residents of Quebec?) and review the provisions of such provincial legislation carefully to identify any potential additional considerations beyond those addressed by compliance with PIPEDA;
4. Consider the extent to which the provisions of other applicable regimes may apply (e.g. the EU Directives or the specific national legislation of other countries important to your organization's data collection activities). In particular, is it anticipated or known that information will be collected from children under the age of 13? If so, ensure that you review the provisions of COPPA and the COPPA Rule; and
5. Review the privacy policies of organizations carrying on similar businesses in similar jurisdictions.
Once the information has been collected, the organization needs to be cognizant of its obligations to ensure the accuracy of, access to and the security of, this information as required by the legislation. This will involve the appointment of an individual or individuals who are specifically given the responsibility (and allocated the appropriate resources) to ensure compliance by the organization with its obligations.
The landscape in the world of privacy protection is likely to shift and evolve for some time to come, but its rough outlines are already taking shape and PIPEDA is a seminal Canadian part of the process. It behooves all Canadian businesses to become familiar with its provisions and, to the extent not already subject to it, to use the remaining time to build, and test, information gathering and protection practices that both enhance their business and respect the law.
If you have any questions or wish further information on privacy protection matters, please contact:
Brian R. Fraser (416) 362-3005 (Direct Dial and Phonemail) or
E-mail to: email@example.com