This article has been revised and updated from a presentation to the 2001 Annual Conference of the Canadian Council of Christian Charities.
I. Introduction
Globalization, the increased use of computers, and the dramatic rise of e-commerce have created heightened awareness and concerns regarding information collected and its use. Notwithstanding the close relationship that many religious and charitable organizations have with their members, concerns about the collection, use, and disclosure of personal information of members and others will have to be taken into account by such organizations in the future.
By the very nature of such organizations all personal information collected may be considered “sensitive” personal information, not just in Canada, but in many other countries. Some countries specifically restrict the collection of information regarding religious beliefs. This means that extra precautions will have to be taken when collecting, using, storing or disclosing any information about members of religious organizations.
Such concerns about the impact of technology on private life are not new. In a previous time of technological change, two leading American jurists expressed their concerns as follows:
Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right “to be let alone”. Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house tops”.1
Concerns regarding the use of computers to maintain files on individuals are also not new. The first law attempting to regulate the collection and use of personal information in computer files was adopted by the German state of Hesse in 1970 (now part of the Hessisches Datenschutzgesetz (HDSG) in der Fassung vom 7. Januar 1999). The first national law was adopted by Sweden in 1973.2 This was followed by a law in France3 and the development of the OECD Guidelines.4
In 1995 the European Union adopted what has come to be known as the E.U. Data Directive5 to harmonize the national provisions within the European Union in order to facilitate transborder data flows within the Union. To ensure that the E.U. Data Directive would be effective, it provided that the transmission of personal information outside of the E.U. was only possible to countries where the law afforded similar protection to personal information. Procedures were also set out in the Directive for approving countries that had adequate data protection laws or for approving transfers on a case by case basis where data protection would be ensured by contract. As these provisions have significant implications for countries trading with the E.U., the adoption of the Directive has accelerated the adoption of privacy laws around the world, including in Canada.
Although the common law in the United States long ago developed the tort of invasion of privacy, the federal government in the United States has not yet moved to codify general principles for the protection of personal information. The United States is the centre of the global internet industry and many internet companies are concerned about the effect that such laws might have on their ability to develop e-commerce and internet marketing. Accordingly, while the U.S. Federal Trade Commission reversed itself in May of 20006 and recommended that Congress enact legislation to ensure the adequate protection of consumer privacy online because voluntary codes were not seen to be working, a deadlock developed in Congress over the type of consent that should be required for the use of personal information for marketing purposes and the degree of access to be afforded to consumers.
In the meantime, there have been laws passed in the United States to protect personal information in areas where it appears to be particularly sensitive, such as video rentals,7 children,8 financial information,9 and health care information,10 and the U.S. Federal Trade Commission has developed a voluntary standard for privacy policies described as “Notice, Choice, Access and Security”. The FTC has also prosecuted several internet companies under Section 5 of the Federal Trade Commission Act for failing to comply with their own written privacy policies as posted on their websites.
Some Americans have regarded the E.U. Data Directive as an attack on the sovereignty of the United States because of the pressure that it brings to bear on the United States government to resolve its internal debate regarding privacy rules in a particular way. To avoid this result, the U.S. Government negotiated a “safe harbour” accord with the European Union. Companies that chose to adhere to the Safe Harbour rules would be considered to afford similar protection to that found in the E.U. Data Directive. As of June 1, 2003, only about 353 companies had chosen to use the negotiated Safe Harbour.
II. Canada’s Privacy Laws
Unlike the U.S. but like most of the other countries in the world, Canada has chosen to implement a general personal information protection law, the federal Personal Information Protection and Electronic Documents Act11 (also known as PIPEDA). The objectives of the federal government were to strengthen e-commerce in Canada and to provide a legal framework that would comply with the E.U. Data Directive. Canadian companies did not appear to have the same concerns as their American counterparts, possibly because many already adhered to a voluntary code developed by the direct marketing industry and others in conjunction with the Canadian Standards Association12 (CSA Model Code) and because Québec has had European style privacy protection since 1994.
Because of Canada’s constitutional division of powers the federal government was limited in the scope of the privacy law that it could enact. (The provinces have exclusive jurisdiction over matters of private property and civil rights, while the federal government has a general power to regulate trade and commerce.) As will be discussed later, this has led to numerous questions as to which organizations PIPEDA actually applies to, and to different answers. This confusion will remain in place until the various provinces decide if they wish to pass their own privacy laws or are content to have PIPEDA become the effective law in their provinces on January 1, 2004.
As of June 2003, Ontario appears to have abandoned the second draft of its proposed Privacy of Personal Information Act, 2002. British Columbia has issued a consultation paper13 and introduced Bill 38, The Personal Information Protection Act. Alberta has introduced Bill 44, the Personal Information Protection Act which exempts the non-commercial activities of nonprofit organizations from the application of the proposed legislation; however, the Privacy Commissioner of Canada has released letters criticizing both Bills and saying that, in his opinion, they are not substantially similar to PIPEDA. Saskatchewan, Manitoba, New Brunswick, Nova Scotia, Prince Edward Island, and Newfoundland, are said to have indicated verbally that they do not intend to proceed with their privacy legislation and will allow PIPEDA to apply to transactions within their provinces as of January 1, 2004.
If, in fact, these provinces do not adopt their own privacy legislation, charitable organizations in those provinces will have to determine which of their activities fall within the federal trade and commerce power and are thus subject to PIPEDA.
1. Québec
Québec follows the French civil code model and the Code civil du Québec,14 Article 35 provides as follows:
Art. 35 Every person has a right to the respect of his reputation and of his privacy.
No invasion of the privacy of a person may be made without the consent of the person or his heirs, or unless authorized by law.
Article 36 goes on to illustrate items that might be considered as an invasion of the privacy of a person. They include entering or taking anything in a person’s dwelling; intentionally intercepting or using the person’s private communications; appropriating or using the person’s image or voice while the person is in private premises; keeping the person’s private life under observation by any means; using the person’s name, image, likeness, or voice for a purpose other than providing legitimate information to the public; or using the person’s correspondence, manuscripts or other personal documents.
To expand the provisions of the Code civil, in 1993 Québec also passed the Loi sur la protection des renseignements personnels dans le secteur privé.15
Under this law, there is no obligation to obtain a licence to collect personal information; however, pursuant to Section 70 of the law, every personal information agent, being the person who, on a commercial basis, personally or through a representative, establishes files on other persons, must register with the Commission d’accès à l’information du Québec. The law does set the standards with respect to the collection and use of personal information, including having a defined purpose or object; collecting only the necessary information; informing the person about whom the file is established; and obtaining consent for transferring such a file to a third party.
In the event of a dispute, persons may submit applications to the Commission d’accès à l’information du Québec. Appeals from the decisions of the Commission are to a judge of the Cour de Québec. The Commission also deals with the public sector under a separate law. Since the law governing private sector collection of personal information came into force on January 1, 1994, the Commission and the courts have rendered over 1,200 decisions on privacy matters. There is a quarterly bulletin and an annual review of the decisions concerning privacy and since October, 2000, decisions have been available online at www.cai.gouv.qc.ca. It is generally considered that the Québec law is working well. In May 2002, the Privacy Commissioner of Canada submitted a report to Parliament pursuant to Section 26(2)(b) of PIPEDA advising that he considered Québec’s privacy legislation to be substantially similar to PIPEDA.16
2. Personal Information Protection and Electronic Documents Act (PIPEDA)
English Canada does not have a tradition of protecting privacy. In contrast to the protections developed in civil law countries such as France, in the United Kingdom the basic common law principle was that there is no right to privacy nor any action for invasion of privacy per se. In Canada, while the courts have never specifically stated the English position, they have been reluctant to find liability on a privacy right alone. Often, the issue has been avoided by the use of more established categories of torts.
To develop a national privacy law, the federal government turned to the CSA Model Code, the voluntary code that had been developed by the industry. However, the CSA Model Code was not drafted with the precision expected in a statute. To deal with this problem, the federal government attached the CSA Model Code, without any changes or amendments, as a schedule (the Schedule) to PIPEDA, and then included sections in PIPEDA that dealt with issues such as the application of the law, and amended the Schedule by including sections in PIPEDA that override specific provisions of the CSA Model Code.
As a result, PIPEDA is unusually difficult to interpret. The language of the CSA Model Code, as a voluntary industry standard, is inherently vague. While some provisions, most notably the exceptions for obtaining consent, have been clarified, other important concepts, such as what is “sensitive” information, are left to the courts to determine. Even the process for seeking remedies is not clear, making it difficult to assess the risks of noncompliance. Ultimately clients will have to determine their own comfort level in difficult areas.
a) Application of PIPEDA to Charities
The application provisions of PIPEDA are one of the more difficult areas to interpret. Charitable organizations may ultimately have to make their own decisions on whether to comply with PIPEDA on other grounds besides a strictly legal interpretation.
Section 4(1) of PIPEDA provides that PIPEDA applies to personal information that:
i) the organization collects, uses or discloses in the course of commercial activities; or
ii) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
The definition of the second group of organizations to which PIPEDA applies, federal works or undertakings, is borrowed from the Canada Labour Code, and there is a significant body of case law determining whether federal or provincial labour laws apply to a particular group of employees. A quick test as to whether an organization falls into this group is to ask whether its employees are governed by federal or provincial labour law.
Determining the boundaries of the first group, organizations that undertake “commercial activities” is more difficult. PIPEDA defines this term as follows:
…commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
The definition appears to have been broadly drafted to specifically catch nonprofit and charitable organizations trading in membership or fundraising lists. This is not surprising when it is realized that the only reason that PIPEDA does not apply to charities is Canada’s constitutional structure. PIPEDA is based on the federal trade and commerce power. Neither the E.U. Directive nor Québec’s privacy legislation distinguish between commercial and noncommercial uses of personal information.
One option for the interpretation of the term “commercial activities” is to review how the term has been interpreted in other statutes. A problem in using this method, however, is that such words are used in different statutes for the purposes of the particular statute, which may not be similar to the purposes of PIPEDA. Another problem is distinguishing between the overall purposes of charitable organizations, which are definitely not “commercial”, and the purpose of the particular activity under discussion.
The Income Tax Act expressly permits charitable organizations and public foundations (but not private foundations) to carry on a related business.17 Such commercial activities are seen as means for the fulfillment of the noncommercial purposes of the charitable organization and the overall characterization of the organization as “charitable” is thus not considered to be threatened by such activities. “Related businesses” are interpreted as being those that do not amount to a substantial commercial enterprise and those where the funds generated by such activities are used exclusively for charitable purposes.18 As these activities retain their “commercial” character, based on the wording used in the Income Tax Act, notwithstanding the fact that they are operated by charitable organizations, it would appear that having charitable purposes and registration under the Income Tax Act may not be a bar to the application of PIPEDA to the activities of charitable organizations.
Another line of cases that may be helpful in better understanding the concept of “commercial activity” in PIPEDA are those under the Excise Tax Act19 with respect to whether an organization is entitled to an input tax credit with respect to GST for the delivery of a taxable supply during the course of a commercial activity.20 For the purposes of GST input tax credits, it is not necessary that the corporation carrying on the “commercial activity” have a reasonable expectation of profit, but to qualify for input tax credits the commercial activities must be for consideration, i.e., there must be an exchange of value between the corporation and its third party customers. The expenses incurred must have been those that would not have been incurred in the course of the other activities of the organization.
The Federal Court of Appeal in 398722 Alberta Ltd. v. R.21 narrowed considerably the scope of the “intention” that is required for the characterization of a particular activity. Instead of considering the broad purpose of building certain rental housing in Banff (which was to provide scarce accommodation for employees), the Court notionally severed this activity in determining whether input tax credits were available. The application of the principles of these cases to the characterization, for the purposes of PIPEDA, of the activities of a charitable organization would suggest that PIPEDA may apply to any specific activity in which there is an exchange of value (such as a fundraising dinner) that would require the charitable organization to incur expenses that would not be incurred in otherwise carrying out its activities, notwithstanding the fact that the commercial activity is part of a fundraising activity that arises directly from the primary purpose of the charitable organization.
Another approach to try to determine if PIPEDA applies to charities is to determine the limits on the power of the federal government in the area of privacy or the protection of personal information. Irrespective of whether or not an organization is conducting a “commercial activity”, can the federal government constitutionally legislate with respect to such matters?
Unfortunately privacy and personal information are not mentioned in the Constitution Act 1867. While this would suggest that they are residually provincial matters,22 with today’s technology much information is transferred electronically across provincial or national boundaries, which provides a basis for federal jurisdiction. Personal information and privacy are thus areas where there are often clearly overlapping federal and provincial jurisdictions or concurrency. So long as there is no conflict between the federal and provincial laws in this area, and organizations can comply with both laws, there may be no constitutional issues.
The federal government has relied in part on its trade and commerce power in adopting PIPEDA, hence the reliance on the definition of “commercial activity”. However this power is in an inherent conflict with the provincial jurisdiction over property and civil rights within a province. Initially the courts narrowed the federal trade and commerce power23 but more recently in General Motors v. City National Leasing24 the Supreme Court established a new test for determining the appropriate exercise of the trade and commerce power by the federal government. The elements of the test were:
1) the presence of a general regulatory scheme;
2) the oversight of a regulatory agency;
3) a concern with trade as a whole, rather than with a particular industry;
4) the legislation should be of a nature that the provinces jointly or severally would be constitutionally incapable of enacting;
5) the failure to include one or more provinces or localities in a legislative scheme would jeopardize the successful operation of the scheme in other parts of the country.
As was illustrated by the concerns of the European Union (the possible avoidance of the personal information protection provided by E.U. Data Directive by the transfer of personal information outside the E.U.), privacy protection in the age of computers and the internet requires legislation that deals with interprovincial and international transfers, which are the exclusive jurisdiction of the federal government. Thus condition four is satisfied, and possibly condition five. The drafting of PIPEDA and the role of the Privacy Commissioner have satisfied the other conditions. The operation of PIPEDA with respect to trade and commerce appears to be within the federal jurisdiction.
This does not answer the question of the applicability of PIPEDA to the ancillary commercial activities that charities are permitted to undertake. Under the Constitution Act, 1867 the regulation of charities is expressly reserved to the provinces.25 This does not preclude the federal government from also de facto regulating charities by reason of its taxation power and by the provisions of the Income Tax Act. Why not apply PIPEDA in the same way? This again raises the question of whether the ancillary commercial activities of charities can be notionally severed from the preponderant purposes of the charitable organizations when determining whether PIPEDA applies to such activities. The Ontario Court of Appeal initially ruled in 1974 that a local nonprofit real estate board did carry on “truly” commercial activities and was therefore subject to business taxes.26 In doing so the Ontario Court of Appeal rejected the previously used “preponderant purpose” test.
Later the Supreme Court of Canada overturned the Ontario Court of Appeal decision and upheld the preponderant purpose test27 for purposes of deciding whether or not any activity may be classed as a “business” under Ontario’s Assessment Act, because the commercial activity test alone was too indefinite to allow consistent application.28 There was concern that the application of this test for property tax purposes might lead to charities being classed and taxed as businesses. Some suggest that the Supreme Court’s concern in this case will be a guide as to how cases will be decided that attempt to have PIPEDA apply to the commercial activities of charities.29
On the other hand these cases must always be evaluated with reference to the substantive terms of the legislation that is being considered. Applying a business tax to a charitable or nonprofit organization to some extent frustrates the fulfillment of the charitable objects for the benefit of the community and the general public policy of encouraging such activities. To some people, holding charities exempt from privacy and personal information protection rules is improper in light of the sensitivity of the information that they hold.
Further the application of PIPEDA to charities and nonprofits would not be directly at odds with their fundamental purposes. Ontario’s consultation paper for a proposed privacy law30 specifically cites the failure of PIPEDA to protect the personal information that nonprofit and charitable organizations use for noncommercial purposes as a reason for adopting a provincial law.31 One of the concerns is that nonprofit groups trade or rent donor lists.32 On the other hand, many charities regard privacy legislation as an impediment to their fundraising activities.
It is therefore not certain how a court will view the application of PIPEDA to charities. Will the noncommercial preponderant purpose of charities be determinative or will the commercial activities be notionally severed so that PIPEDA applies?
The initial consultation draft of Ontario’s Privacy of Personal Information Act, 2002, Section 26 provides that:
26. An organization shall not use or disclose personal information about an individual for the purpose of fundraising activities unless the individual consents, except as provided in the regulations.33
While there has been considerable discussion about the possible effect of this provision and whether it means that charitable organizations may not rely on implied consent, it is clear that Ontario intended that its privacy laws will apply to charitable and religious organizations.
In discussing the application of PIPEDA to charities, it should be noted that PIPEDA comes into effect in stages, which has led to further debates about interpretation. PIPEDA did not apply to personal health information in general until January 1, 2002. And until January 1, 2004, it does not apply to any organization in respect of personal information that it collects, uses, or discloses within a province, unless the organization is a federal work or undertaking, or the organization discloses the information outside of the province for consideration, i.e., it trades or sells the information.34
b) Overview of the Personal Information Protection Rules
If the application of PIPEDA to charities is currently legally uncertain in most provinces, another way for the board and senior management of a charity to determine how to approach the issue is to review the provisions of PIPEDA to consider whether they should feel morally bound, in any event, by the standard for personal privacy that has been established by PIPEDA and other similar privacy and personal information protection legislation, and to determine the costs and operational implications of adhering to such standards.
To evaluate costs it is necessary not only to look at the steps that will be required to comply with PIPEDA’s privacy principles but also to look at the costs that may be incurred by not complying with the privacy principles. In other words what are the remedies afforded to an individual whose privacy rights, as set out in PIPEDA, have been breached? Unfortunately, this is another area where there are differing opinions as to the options. (These will be discussed later in this article.)
Different governments have developed different sets of privacy principles. As noted, the U.S. Federal Trade Commission uses four: “Notice, Choice, Access, and Security”. In the United Kingdom the provisions of the E.U. Data Directive were summarized in eight data protection principles.35 Canada has 10 principles in the Schedule to PIPEDA. Despite the differences the core of most privacy protection rules can be summarized as follows:
1. Individuals must be given notice of the proposed collection, including use and disclosure, and the specific purposes.
2. In order for the data to be collected, used, or disclosed, appropriate consent must be obtained with respect to the specified purposes.
3. The data collected must be protected by appropriate security.
4. The individual must have access to the data collected and to details of its use and disclosure.
Simple as the ideas may appear, implementing them can lead to considerable costs, depending upon the preparedness of the organization. The cost of compliance with the financial privacy legislation in the United States has varied widely from institution to institution. Institutions that were the product of mergers and therefore had incompatible data storage systems within the same institution, found it expensive and difficult to comply with various requirements, and particularly with the requirements for access to the files and records of use.
Principle 1—Accountability
This principle generally requires the designation of an individual or individuals who are accountable for the organization’s compliance with PIPEDA. The organization is specifically held responsible for information that has been transferred to a third party for processing, which must be protected by contractual means. Organizations are required to implement policies and practices, including staff training, to give effect to the principles. This principle remains as set out in the CSA Model Code and has not been modified by PIPEDA.
Principle 2—Identifying Purposes
The purposes for which personal information is collected must be identified to the individual at, or before, the time that it is collected. Once this has been done the information cannot be used for a new or further purpose without the consent of the individual.
Section 5(3) of PIPEDA provides that “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. The Privacy Commissioner sees this Section as providing an outer limit to the purposes that may be used by an organization to justify data collection, use or disclosure. Obtaining the consent of the individual for the collection of personal information outside of these limits may be insufficient for compliance.
This principle is also modified by principles 4 and 5 limiting collection, use, disclosure, and retention.
Principle 3—Consent
This principle is generally regarded as the key to the protections in PIPEDA and will be further discussed later in this article.
Generally speaking, personal information cannot be collected, used or disclosed without the knowledge or consent of the individual, unless there is a specific exemption provided for in PIPEDA. An organization may not, as a condition of the supply of a product or service, require such consent beyond what is required for a legitimate fulfillment of the transaction. The form of consent may be explicit or implicit, or “opt in” or “opt out”, depending upon the sensitivity of the information. The concept of “sensitivity” presents something of a problem and its implications for charitable organizations will be discussed in the next section. Because of this it is always more prudent to try to obtain written consent. Finally, consent can be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice.
The federal Privacy Commissioner has made his antipathy to opt-out consent abundantly clear in his findings regarding Air Canada’s Aeroplan Frequent Flyer Program, released March 20, 2002:
I should begin by making it clear that, like most other privacy advocates, I have a very low opinion of opt out consent, which I consider to be a weak form of consent reflecting at best a mere token observance of what is perhaps the most fundamental principle of privacy protection. Opt out consent is in effect the presumption of consent – the individual is presumed to give consent unless he or she takes action to negate it. I share the view that such presumption tends to put the responsibility on the wrong party. I am also of the view that inviting people to opt in to a thing, as opposed to putting them into the position of having to opt out of it or suffer the consequences, is simply a matter of basic human decency.
Accordingly, while acknowledging that the Act does provide for the use of opt out consent in some circumstances, I intend, in this and all future deliberations on matters of consent, to ensure that such circumstances remain limited, with due regard both to the sensitivity of the information at issue and to the reasonable expectations of the individual. In other words, in interpreting Principle 4.3.7, I intend always to give full force to other relevant provisions of the Act, notably 4.3.4, 4.3.5 and 4.3.6 and section
Opt-out consent has been used in the United States with respect to the requirements of the Gramm Leach Bliley Act. There has been considerable discussion of the difficulty in reading the privacy notices and suggestions that, with opt-out consent, it is not in the interest of the organizations to provide easy-to-read notices.
(For further discussion of issues surrounding consent, see Paul Jones, “Please Add Me to Your Mail List: Building Customer Databases under Canada’s New Privacy Laws”, a presentation to Insight’s Fifth Annual Marketing and Law Conference, February 19, 2003. For the first judicial review of a decision of the Privacy Commissioner see Diane L’Écuyer c. Aéroports de Montréal, 2003 CFPI 573 (Federal Court Trial Division, May 13, 2003). The Court disagreed with the Privacy Commissioner’s finding that there was no implied consent.)
Care must be taken in reading the specific sections of this principle in the Schedule because it is extensively revised by Section 7 of PIPEDA, which provides the specific and only exceptions from obtaining consent for the collection, use, and disclosure of personal information.
Principle 4—Limiting Collection
This principle provides that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Purposes need to be reasonably specific. Information must be collected by fair and lawful means.
This principle is not modified by PIPEDA.
Principle 5—Limiting Use, Disclosure and Retention
This principle provides that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as it is necessary for the fulfillment of those purposes. Organizations must develop guidelines with maximum and minimum retention periods.
This principle is also modified by Section 7 of PIPEDA.
Principle 6—Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
However, the extent to which this must be implemented depends upon the use of the information, taking account of the interests of the individual. While this principle is vaguely worded, it is relevant mainly to organizations that collect information to make decisions that may affect the subject individual adversely.
This principle is not modified by PIPEDA.
Principle 7—Safeguards
Personal information is to be protected by security safeguards appropriate to the sensitivity of the information. As with Principle 3—Consent, “sensitivity” is a key concept. The purpose of the safeguards is not just to protect against theft, but also to protect against unauthorized access, disclosure, copying or use. The methods of protection should include physical measures, such as locked filing cabinets and restricted access; organizational measures, such as security clearances and access on a “need to know” basis; and technological measures, such as passwords and encryption. How many charitable organizations currently maintain such safeguards? How many think they should? What would be the cost of implementation?
Principle 8—Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. This principle effectively requires the use of privacy statements by organizations operating in Canada, on websites, or on other material, including printed material, through which they collect personal information. It also requires that the privacy policy developed pursuant to Principle 1 be made available to individuals. Specifically, the information to be made available shall include:
a) the name or title, and the address, of the person who is accountable pursuant to Principle 1;
b) the means of gaining access to personal information held by the organization;
c) a description of the type of personal information held by the organization, including a general account of its use;
d) a copy of any brochure or other information that explains the organization’s policies, standards or codes; and
e) what personal information is made available to related organizations such as subsidiaries.
Principle 9—Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
This right of access is limited by the provisions of Sections 8 and 9 of PIPEDA, which set the terms for requesting access and prescribe when access is prohibited36 or may be refused by the organization holding the information.37
In the United States the principle of access is one of the major concerns of those opposed to privacy legislation, because of the anticipated cost of complying with requests. Experience with privacy legislation in the United Kingdom tends to suggest that estimates of a deluge of requests, many of which could be frivolous, are quite unfounded. But based on the experience in Québec, requests to see personal information are now an expected part of a dispute with an employee or other individual.
In PIPEDA such disclosure includes an account of the use that has been made of the information and an account of the third parties to which the information has been disclosed. Such disclosure can be expensive to make if the files containing such information have not been properly structured in advance to record and summarize such information as use occurs.
The full cost of making such disclosure cannot be recovered from the person making the request. Paragraph 4.9.4 of this principle provides that responses are to be at minimal or no cost to the individual.38 Section 8(6) further specifies that the individual may be required to pay only if he or she is notified in advance of the approximate cost and agrees to pay.
Principle 10—Challenging Compliance
Any individual shall be able to address a challenge concerning compliance to the individual accountable for the organization’s personal information.
c) Remedies
In evaluating the costs of complying with a law, it is generally useful to examine the remedies available for breaches of the law, in order better to understand the risks associated with the various steps required for compliance. Certainly in previous Canadian efforts to provide some degree of privacy protection, the costs associated with enforcing privacy rights have proved to be a significant deterrent to the enforcement and development of the law.
To generally assist the development of a common law tort of invasion of privacy, four Canadian provinces39 have passed legislation simply providing that it is “…a tort, actionable without proof of damage, for a person, willfully and without a claim of right, to violate the privacy of an individual”. However, these statutes have been rarely used. One of the reasons for this may be that in each province actions for invasion of privacy must be brought in the superior trial court of the province, which requires significant initial expenditure by the complainant.40 On the other hand, damages in privacy actions are uncertain. Damages are dependent on the facts in each particular case and precise calculations in advance may be impossible.
One possible remedy for this problem would be class action suits but these have only recently become available in some provinces41 and lawyers in these provinces are still learning how to organize, finance and run these actions.42
Partly for these reasons, and to comply with the requirements of the E.U. Data Directive, PIPEDA provides that individuals seeking remedies under the legislation may complain to the Privacy Commissioner, who must take action (subject to certain exceptions) and provide a report within one year. The Privacy Commissioner may also attempt to mediate the dispute. However, the Commissioner has no power to make any decision that is binding on the parties and in that sense may not adjudicate the dispute. The role of the Commissioner is that of an advocate for the protection of personal information and privacy in Canada and not that of a dispassionate or specialized adjudicator.43 For this reason organizations should carefully weigh the interpretations and pronouncements of the Privacy Commissioner.
If the complainant is still not satisfied with the results obtained by the Privacy Commissioner, or if the Privacy Commissioner is not satisfied, either may apply to the Federal Court for a hearing in respect of the matter. The Federal Court is authorized specifically to:
a) order an organization to correct its practices;
b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices;
c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.
The Federal Court now has rules of procedure that specifically permit class actions. (Rules Amending the Federal Court Rules came into force as of November 21, 2002, SOR/2002-417.) Further, the Federal Court and the Privacy Commissioner have not been given exclusive jurisdiction in PIPEDA matters, and therefore complainants retain the option of bringing a class action in one of the provinces where they are permitted,44 as a common law tort. In the four provinces with privacy acts, recognition of the claim is assured and PIPEDA will provide a standard for determining whether the defendant’s conduct amounted to a tort.
With respect to damages, some guidelines are beginning to develop. For example, in one case the Supreme Court upheld humiliation damages of $2,000 for the publication of a photograph without consent.45 Two years ago a settlement was reached in one of the internet unauthorized cookie tracking cases that provided for potential payments of up to $US40 to each individual. The total payments were capped at $US1,900,000.46
In summary, although some organizations may consider the remedies provided by PIPEDA to have limited effect, complainants do have other more effective options now and may have more in the near future. A particularly egregious or sensitive breach of the privacy protection standards set out in PIPEDA may result in a group of complainants testing these other options.
d) Charitable Organizations and the Concept of “Sensitive Information”
The concept of “sensitive information” is important for determining the appropriate form of consent to be obtained, and the nature of the security to be used, to protect the personal information. Obtaining the appropriate form of consent, either explicit or implicit, is the key to compliance with PIPEDA. If the consent is defective, then all uses of the personal information, whether it is properly protected or not, are a breach of the legislation. Further, security measures are among the more expensive requirements of PIPEDA. The choice of inappropriate provisions for security may lead to costly upgrading.
The concept of “sensitive information” is not defined in PIPEDA. However, Paragraph 4.3.4 of the Schedule states that:
Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.
The next paragraph goes on to specify that the “reasonable expectations of the individual” are also relevant in obtaining consent. Concerns about the sensitivity of different types of information vary with the culture. Differences between the attitudes of Europeans and Americans to the role of government in their lives exacerbated the negotiations over the Safe Harbour proposal for American compliance with the E.U. Data Directive. While Europeans believe that government has a duty to protect the privacy of its citizens, they find questions regarding political affiliation or ethnicity objectionable. Americans answer these questions regularly, but are sensitive about financial disclosure and have an inherent distrust of government’s ability to protect their rights.
Other jurisdictions have generally specified certain types of information as being generally “sensitive” and have built in protections, such as requirements for explicit consent or special handling. For example, the United Kingdom’s Data Protection Act, 1998 in Section 2 defines “sensitive personal data” to mean personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject;
(b) his political opinions;
(c) his religious beliefs or other beliefs of a similar nature;
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations Consolidation Act 1992);
(e) his physical or mental health or condition;
(f) his sexual life;
(g) the commission or alleged commission by him of any offence; or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Section 4 of the Data Protection Act, 1998, then refers to data protection principles that are set out in schedules. Schedule 3 applies only to sensitive personal data and requires that the data subject have given explicit consent to the processing of such data.
Australia has a similar list of prescribed types of sensitive information that also includes information about the individual’s “…lifestyle, character or reputation.”47 Organizations are prohibited from collecting such information unless they obtain consent. However, there is an exemption for nonprofit organizations that have only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims. These organizations may collect sensitive information about their members or other individuals with which they have regular contact if, prior to collecting the information, the organization undertakes to the individual that the information will not be disclosed without the individual’s consent.
In the Spanish Ley Organica 15/1999,48 Article 7 sets out what are “specially protected” data. In this statute, the list is first divided according to those items, such as ideology, religion or beliefs, which are protected under the Constitution. These require the highest level of explicit consent. There is then a further category which includes data that will reveal ideology, union affiliation, religion or beliefs, for which there are certain exceptions for the maintenance of lists by unions, political parties, churches and other such groups. Personal information having reference to racial origin, health and sexual life can only be collected when, for reasons of public policy, it is made possible by a law or by express consent. Finally, it is prohibited to create data files for the exclusive purpose of revealing the ideology, union affiliation, religion, beliefs, racial or ethnic origin, or sexual life of an individual.
Similarly, the French Loi No. 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés in Article 31 prohibits maintenance of data files that will reveal racial origins, religious, philosophical or political opinions or union affiliations, or “…les moeurs…” of individuals without the express agreement of the individual. However, the maintenance of membership lists by groups such as churches, political parties and unions is specifically allowed.
Section 28 of Germany’s Bundesdatenschutzgesetz49 sets out certain conditions for the storage, communication and use of data for an organization’s own purposes. Previously some protection was given to sensitive personal information such as health matters, criminal offences, administrative offences, religious or political views and trade union status. Effective May 23, 2001 the Bundesdatenschutzgesetz was amended to include all of the categories of sensitive information contained in Article 8 of the E.U. Data Directive.50 Now the collection of such data must be expressly approved by the data subject and its processing requires a prior review by a data protection official.
From this simple survey, it is clear that many democratic countries regard information about an individual’s religious, political or philosophical beliefs as being sensitive, and restrict its collection, use and disclosure.
Similar generally sensitive areas may be inferred in Canada from an examination of those rights and values that are specifically protected by law. If such rights and values have been given special protection, the collection of information about the exercise of that right or expression of that value may inhibit the exercise of the right or expression of the value. Accordingly, the information may be considered “sensitive” as that term is used in PIPEDA. For example, to safeguard the freedom to vote according to one’s own belief or conscience,51 Canada uses secret ballots. Privacy or secrecy is considered crucial to the protection of the right to vote according to one’s own conscience. The collection of information on how people actually voted may be considered sensitive and require consent.
Section 2 of the Canadian Charter of Rights and Freedoms52 provides a list of fundamental freedoms:
(a) freedom of conscience and religion;
(b) freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication;
(c) freedom of peaceful assembly; and
(d) freedom of association.
Further, Section 15(1) provides that every individual is equal before and under the law, without discrimination, including discrimination based on: race, national or ethnic origin, colour, religion, gender, age or mental or physical disability.
Any collection, use or disclosure of personal information dealing with these characteristics will most likely be regarded as sensitive because, if the information is used for the wrong purpose, such use would most likely violate the freedoms or rights that the individual has under the Charter.
Not all the rights provided in the Charter will be equally sensitive. It is posited that “sensitivity” will be based on the ability of others to use such information to take any action harmful to the interests of the individual. For example, usually the gender of a person can be determined by simple observation, or inferred from the name. Therefore, a list of names identifying such persons as male or female may not be considered particularly sensitive.
However, a list of the names and addresses of the attendees at a local synagogue or mosque, or of the members of the Catholic Church that are also active in Campaign Life, would most likely be considered much more sensitive. For these reasons almost all information collected by religious charitable organizations in Canada would most likely be considered, to some degree, “sensitive information” within the meaning of PIPEDA. Thus, such organizations should consider collecting, using and disclosing all of their membership and other information only with the explicit, specific, and written consent of the individual concerned and with the purposes for which such information will be used or disclosed clearly identified.
III. Strategies for Compliance
Charitable organizations should first make a decision at the board level as to any proposed strategy for compliance with privacy principles in general, and/or with PIPEDA. While it is not clear that PIPEDA will apply to charitable organizations, even if the organization has ancillary “commercial” activities, there are several reasons why a board may consider it prudent and appropriate to proceed with compliance at this time:
In summary:
1. Individuals are concerned about their privacy, and out of respect for their concerns, steps should be taken to comply with privacy standards.
2. There is a risk that PIPEDA applies now to the organization as the organization transfers the personal information interprovincially or internationally.
3. PIPEDA and/or a provincial law may or will apply in the near future and there are generally no provisions allowing the use of personal information already collected. It is better to start collecting from members and others now.
4. Compliance costs are generally lower if the files on each individual are set up in advance to capture efficiently the information on use and disclosure that must be provided to fulfill an access request.
The reasons for not complying now, if the organization has a choice, are usually related to the cost of implementing the measures set out below, and/or the restrictions on certain types of fundraising or other activities that may result.
Commercial organizations in Canada have shown a tendency to turn the matter over to their law firms or legal departments. American firms appear to have more experience with respect to compliance strategies (despite the fact that there is no general privacy law in the United States), because of their experiences with the Children’s Online Privacy Protection Act in 2000 and with the Gramm Leach Bliley Act in 2001. A 2001 article53 warned American lawyers that when preparing a privacy compliance strategy, the first step is not to pull up a precedent policy, or talk to the managers, but to talk to the people who actually collect the information. In an e-commerce business that is usually the engineers or the web site managers:
…the business side may not be aware that the company is collecting far more information from customers than it uses or needs—just because it can. Fashioning a privacy policy based solely on what company managers think is being collected may lead to an inaccurate privacy statement.54
To assist organizations in complying with PIPEDA, the Office of the Privacy Commissioner has prepared various guides,55 some of which can be downloaded from their website at www.privcom.qc.ca. Although Ontario has not yet passed a private sector privacy law, the Office of the Information and Privacy Commissioner/Ontario has developed a Privacy Diagnostic Tool (PDT) Version 1.0 Workbook that is available on their website at www.ipc.on.ca. Of course, many law firms and other consultants have also developed guides.
Set out below are some suggestions on how to proceed after the decision to comply has been made.
1. Appoint a Compliance Officer
The first step is to put someone in charge of the process, or at least to choose a co-ordinator and have that person be the compliance officer required by Principle 1 of the Schedule to PIPEDA. The compliance officer should obtain copies of the relevant legislation and regulations and establish knowledgeable legal and other support. The compliance officer may then assemble a team to oversee and/or conduct the audit and the implementation steps that will be described in the next sections. The compliance officer and his/her team should then develop a draft plan to implement policies and practices for compliance, that will be finalized after the conduct of the audit.
The plan should address:
a) implementing procedures to protect personal information;
b) establishing procedures to receive and respond to complaints and enquiries;
c) training staff and communicating to staff information about the organization’s policies and practices;
d) developing information to explain the organization’s policies and procedures; and
e) ensuring the accuracy of the personal information held by the organization and updating or establishing retention policies.
2. Conduct a Privacy Audit
The purpose of the audit is to establish what personal information is currently being collected, used, held or disclosed by the organization, and how it is currently stored and protected. To perform the audit, the organization’s staff will have to become familiar with some of the problems with the definition of “personal information”. One area of concern is whether information produced by an individual performing a job function for an organization is personal information. In some European countries the answer is definitely “yes”. In Canada the answer appears to depend upon the balancing of the individual’s right to privacy and the needs of organizations, as set out in Section 3 of PIPEDA.56
The audit should also identify all jurisdictions where personal information is being collected, as it may be necessary to comply with privacy laws in other provinces or countries. For commercial organizations, privacy issues arise in the following operational areas:
• marketing and sales
• human resources
• online operations (items such as cookies)
• government relations (lobbying)
• client or customer files
• security services
Particular care should be taken to identify personal information that is disclosed to subcontractors, e.g., employee information to payroll services, marketing information to ad agencies, information submitted online to service fulfillment providers or data analyzers, lobbying information to trade associations, and mailing information to outside mailing firms. Copies of the contracts with each subcontractor should be reviewed with respect to privacy protection.
Charitable organizations may have special problems in conducting the audit. When is a fundraising activity wholly charitable and when is it commercial? One guide to answering this question may be whether or not a charitable receipt may be given for the activity, for example, for the nonmeal portion of a fundraising dinner. Another issue is the linking or combining of personal information from more than one list, or with demographic data. This may increase the sensitivity of the personal information as the Privacy Commissioner found in his Air Canada decision. And, of course, if fundraising lists are to be traded, the organization will need to know more about the purposes for which the other organization will use the personal information in order to prepare a consent form.
3. Develop a List of Approved Purposes
After having conducted the audit, the organization should then examine the purposes for which personal information is collected and the nature of the information collected, to determine the organization’s long-term policy as to purposes and the type of information that is truly necessary to fulfill those purposes. Many organizations have discovered that they are collecting more information than is reasonably necessary.
This information will become the basis not only for the drafting of the official privacy policies and guidelines, but also for the various consent forms or other collection methods that will be used.
In Québec such purposes or “objects” are required to be kept in each individual’s file and under PIPEDA, if new purposes are added, additional consents must be obtained.
4. Prepare Privacy Policies, Brochures and Consent Forms
Having made decisions about the overall purposes for which the organization will collect personal information, the next step is to implement the decision by preparing the organization’s privacy policies and guidelines. The privacy brochures mentioned in Paragraph 4.8.2 of the Schedule to PIPEDA must also be prepared, as well as the privacy statements necessary to comply with PIPEDA. The preparation of consent forms or other collection methods will require decisions as to the degree of consent and disclosure required based on the sensitivity of the personal information being collected. Will explicit or implicit consent be used? How will the privacy policy be positioned on the home page of your website? Will a “click through” consent be required?
5. Consider a New Filing System
Experience in many jurisdictions, such as Québec, has shown that one of the keys to low-cost compliance with access requests is having a filing system that segregates personal information with respect to each individual according to the purpose for which the information was collected, yet has links and controls on the setting up of new files with respect to any individual. If files are computerized, this generally means that the databases in membership and other areas should be linked. As well, as noted earlier, experience in the United States with respect to the Gramm Leach Bliley Act has suggested that where this linking is not done, or cannot be done, compliance will be lower and costs will be higher.
Not all purposes require the collection of equally sensitive personal information and, if all information regarding an individual is in one file, then that file must have safeguards appropriate to the most sensitive aspect of the file. If an access request is made, and there are grounds for denying access to one portion of the file, then the file will have to be reviewed item by item to determine what must be severed, and what may be disclosed to the individual.
6. Initiate the Privacy Plan
Obviously the decisions mentioned earlier will have to be implemented. The implementation is often co-ordinated so that the organization is comfortable that from a certain date forward, it generally complies with the privacy requirements. It is also necessary to review existing files containing personal information and to either ensure that there is appropriate consent for the retention and use of the information, or that the information is safely deleted.
This often requires a mailing to, or other communication with the individuals concerned, to announce and explain the new privacy policy and obtain the new consent.
Implementation may also require changes to any websites that the organization has to ensure, among other things, that persons using the website have access to a copy of the privacy policy or statement every time personal information is submitted. At this point the required safeguards for the personal information should be in place, whether physical, technological or in staff policies regarding employee access. The policy regarding the handling of complaints should be ready, as well as the policy on whether to charge any amount to individuals requesting access. Contracts with subcontractors should clearly spell out the compliance measures necessary on their part and give the organization that supplies the information a right of audit.
7. Maintaining Compliance
Set out below are some of the things to be considered after implementation to maintain compliance with PIPEDA and other privacy standards:
a) Policies should be developed to ensure that evidence and documentation exist to demonstrate:
(i) each individual’s consent for each database and purpose;
(ii) that all uses of, or disclosures from, each database are properly recorded and protected, and are in accordance with the purposes;
(iii) reviews of the databases for accuracy in accordance with the sensitivity of the information.
b) Responsibility for compliance may be better separated from responsibility for collection, use and disclosure. Collection, use, and disclosure should not be able to proceed without authorization from the Compliance Officer.
c) Provisions should be made for the regular training of new staff and for regular review and update of the policies.
d) The development and application of provincial laws should be monitored.
e) Transactions with persons outside Canada should be monitored for potential breaches of foreign privacy laws.
f) A response plan in the event of allegations of a privacy breach should be developed.
g) Provisions should be made for internal or external compliance audits.
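Step 5 above and item 7(a) both call for files segregated by purpose that record each use and disclosure as it occurs, so that an access request under Principle 9 (existence, use, and the third parties to which information was disclosed) can be answered from the files themselves. The following is an added illustration written for this article, not code from the article or from any product: a minimal Python store of that shape, with a consent check on every collection, use and disclosure (explicit consent required for sensitive information, implied consent accepted only otherwise), per-purpose use/disclosure logs, an access report, and retention purging. All class names, identifiers and sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


class ConsentError(Exception):
    """No valid consent (or no file) for the requested operation."""


@dataclass
class Consent:
    purpose: str            # the identified purpose this consent covers
    explicit: bool          # True for explicit (e.g. written) consent
    given_on: date
    withdrawn_on: date = date.max   # date.max means "not withdrawn"

    def covers(self, purpose, on, sensitive):
        # Implied/opt-out consent is accepted only for non-sensitive data.
        if self.purpose != purpose or not self.given_on <= on < self.withdrawn_on:
            return False
        return self.explicit or not sensitive


@dataclass
class PurposeFile:
    """One file per individual per purpose, carrying its own use/disclosure log."""
    purpose: str
    data: dict
    collected_on: date
    retention_days: int
    sensitive: bool
    uses: list = field(default_factory=list)         # (date, description)
    disclosures: list = field(default_factory=list)  # (date, third party, what)


class PersonalInfoStore:
    def __init__(self):
        self.consents = {}   # person -> [Consent]
        self.files = {}      # person -> {purpose: PurposeFile}

    def record_consent(self, person, consent):
        self.consents.setdefault(person, []).append(consent)

    def _require_consent(self, person, purpose, on, sensitive):
        if not any(c.covers(purpose, on, sensitive)
                   for c in self.consents.get(person, [])):
            raise ConsentError(f"no valid consent: {person} / {purpose}")

    def _file(self, person, purpose):
        if purpose not in self.files.get(person, {}):
            raise ConsentError(f"no file: {person} / {purpose}")
        return self.files[person][purpose]

    def collect(self, person, purpose, data, on, retention_days, sensitive=True):
        self._require_consent(person, purpose, on, sensitive)
        self.files.setdefault(person, {})[purpose] = PurposeFile(
            purpose, dict(data), on, retention_days, sensitive)

    def use(self, person, purpose, description, on):
        f = self._file(person, purpose)
        self._require_consent(person, purpose, on, f.sensitive)
        f.uses.append((on, description))

    def disclose(self, person, purpose, third_party, what, on):
        f = self._file(person, purpose)
        self._require_consent(person, purpose, on, f.sensitive)
        f.disclosures.append((on, third_party, what))

    def access_report(self, person):
        """Existence, data, uses and third-party disclosures, per purpose."""
        purposes = self.files.get(person, {})
        return {"exists": bool(purposes), "purposes": {
            p: {"data": dict(f.data), "uses": list(f.uses),
                "disclosures": list(f.disclosures),
                "third_parties": sorted({d[1] for d in f.disclosures})}
            for p, f in purposes.items()}}

    def purge_expired(self, today):
        """Delete purpose files kept beyond their retention period."""
        purged = []
        for person, purposes in self.files.items():
            for purpose, f in list(purposes.items()):
                if today > f.collected_on + timedelta(days=f.retention_days):
                    del purposes[purpose]
                    purged.append((person, purpose))
        return purged


def build_sample_store():
    """Constructed sample data for a hypothetical congregation."""
    s = PersonalInfoStore()
    d = date(2003, 1, 10)
    s.record_consent("member-001", Consent("membership", True, d))
    s.record_consent("member-001", Consent("newsletter", False, d))
    s.collect("member-001", "membership", {"name": "A. Example"}, d, 7 * 365)
    s.collect("member-001", "newsletter", {"email": "a@example.invalid"},
              d, 365, sensitive=False)
    s.use("member-001", "membership", "annual directory", date(2003, 3, 1))
    s.disclose("member-001", "newsletter", "Mailing House Ltd", "email", date(2003, 3, 2))
    return s
```

Because the newsletter file is held separately from the membership file, an access request can disclose or sever each purpose on its own, and the newsletter data expires on its own shorter retention period.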
IV. Conclusion
Because Canada has not had a tradition of enforcing privacy rights, it is likely that both government and individual enforcement will be initially slow to develop and discrepancies between the law and practice may be significant. Charities, and in particular religious charities, should not be lulled into complacency. Many charities by their nature and purposes represent the exercise by individuals of rights guaranteed to Canadians in the Charter, making any personal information that they collect sensitive to a significant degree.
FOOTNOTES
1. Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy”, Harvard Law Review, Vol. IV, No. 5, December 15, 1890.
2. Datalagen, SFS 1973:289.
3. Loi No. 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés.
4. “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” as adopted by the Council of the Organization of Economic Co-operation and Development in September 23, 1980. Available online at www.oecd.org/dsti/sti/it/seur/prod/PRIV EN.HIM.
5. Directive 95/46/EC of the European Parliament and of the Council of 24 October, 1995, available online at http://europa.eu.int/eur-lex/en/lif/dat/1995/en_595L0046.html.
6. See Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace—A Report to Congress (Washington, DC, Federal Trade Commission, May 22, 2000).
7. Video Privacy Protection Act of 1988 (the Bork Bill), 18 USC S.2710.
8. Children’s Online Privacy Protection Act, (COPPA), 15 U.S.C. §§6501–6506, 6502(c) and 6505(d), and the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312, in effect April, 2000.
9. Gramm Leach Bliley Act, also known as the Financial Services Modernization Act of 1999, Pub. L. No. 106–102, 113 Stat. 1338 (1999), which became effective July 1, 2001.
10. Health Insurance Portability and Accountability Act of 1996 and the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) promulgated by the U.S. Department of Health and Human Services as 45 CFR, Parts 160 and 164, for compliance by April 14, 2003.
11. S.C. 2000, c.5, as amended by S.C. 2000, c.17, s.97.
12. The Code is now Schedule 1 of PIPEDA—“Principles Set Out in the National Standards of Canada Entitled Model Code for the Protection of Personal Information”, CAN/CSA-Q-830–96.
13. Privacy Protection in the Private Sector: British Columbia Consultation Paper, Ministry of Management Services, Corporate Privacy and Information Access Branch, June 2002.
14. L.Q. 1991, c.64.
15. L.R.Q., c. P-39.1. On December 19, 2001 Bill 75, an Act to amend the Act respecting the protection of personal information in the private sector, was introduced in the National Assembly to allow the Commission to authorize the communication of information relating to professional activities while ensuring the confidentiality of personal information. It is said that this is a response to the activities of IMS Health.
16. Privacy Commissioner of Canada, Report to Parliament Concerning Substantially Similar Provincial Legislation, May 2002, available online at www.privcom.gc.ca/legislation/legrp_e.asp.
17. See paras. 149.1(2)(a) and (3)(a) and Christina Medland, “Limitations on Charities under the Income Tax Act” (1992), 44 E.T.R. 111, p. 131.
18. Ibid., Medland, p. 140.
19. R.S.C. 1985, c. E-15.
20. See Saskatchewan Pesticide Container Management Association Inc. v. R., 2000 G.T.C. 697 (Tax Court of Canada); 398722 Alberta Ltd. v. R., 2000 G.T.C. 4091, 257 N.R. 71 (Federal Court of Appeal); Midland Hutterian Brethren v. R., 2001 G.T.C. 3462, 265 N.R. 185, 195 D.L.R. (4th) 450 (Federal Court of Appeal).
21. Ibid., 398722 Alberta Ltd.
22. See Barbara MacIsaac, Rick Shields and Kris Klein, The Law of Privacy in Canada (Toronto: Carswell, 2000) pp. 1–32.
23. Citizen’s Insurance Co. v. Parsons (1881), 7 App. Cas. 96. See Peter W. Hogg, Constitutional Law of Canada—Looseleaf Edition (Toronto: Carswell, 1997) pp. 20–22 for a discussion of this case.
24. [1989] 1 S.C.R. 641.
25. See Sec.92(7) which specifically identifies the “Establishment, Maintenance and Management of Charities”.
26. Windsor Essex County Real Estate Board v. Windsor (City) (1974), 6 O.R. (2d) 21 (C.A.); leave to appeal refused (February 13, 1976) (S.C.C.).
27. Ontario Regional Assessment Commissioner v. Caisse populaire de Hearst Ltée., [1983] 1 S.C.R. 57.
28. Ibid., at 70.
29. Supra, footnote 22, pp. 4–6.
30. Ministry of Consumer and Commercial Relations (now the Ministry of Consumer and Business Services), “A Consultation Paper: Proposed Ontario Privacy Act”, July, 2000.
31. Ibid., p. 3.
32. Ibid., p. 1.
33. “A Consultation on the Draft Privacy of Personal Information Act, 2002” proposed by the Ministry of Consumer and Business Services, released February, 2002.
34. See Section 30.
35. See Schedule 1 of the Data Protection Act 1998 (Chapter 29, London: The Stationery Office Ltd.). The eight principles are: 1) personal data shall be processed fairly and lawfully; 2) personal data shall be obtained for lawful and specified purposes; 3) personal data shall be adequate, relevant and not excessive to the purposes; 4) personal data shall be relevant and kept up to date; 5) personal data shall not be retained for longer than is necessary; 6) personal data are to be processed in accordance with the rights in the legislation; 7) security measures shall be implemented; 8) personal data shall not be transferred outside the E.U. unless adequate protection is afforded.
36. See Section 9(1) of PIPEDA.
37. Ibid., Section 9(3).
38. For a discussion of the interpretation of the provisions regarding costs see Paul Jones, Privacy Law: A New Era, a paper presented to the 12th Annual Meeting of the Canadian Corporate Counsel Association in Halifax, August 21–22, 2000, pp. 16 and 17.
39. British Columbia in 1968, see the Privacy Act, R.S.B.C. 1979, c.336; Manitoba in 1970, see The Privacy Act, R.S.M. 1970, c.74; Saskatchewan in 1974, see The Privacy Act, R.S.S. 1978, c.P.24; and Newfoundland in 1981, see the Privacy Act, R.S.N. 1998, c.P-22. These were based in part on Sections 50 and 51 of the New York Civil Rights Law.
40. See G.H.L. Fridman, The Law of Torts in Canada, Volume 2 (Toronto: Carswell, 1990) pp. 200–201 and Burns, The Law and Privacy: The Canadian Experience (1976), 54 C.B.R. 1, p. 38.
41. Ontario: Class Proceedings Act, S.O. 1992, c.6; Québec: Code de procédure civile, L.R.Q., c.C-25, b.IX; British Columbia: Class Proceedings Act, R.S.B.C. 1996, c.50; Newfoundland: Class Actions Act, S.N.L. 2001, c.C-18.1; Manitoba: the Class Proceedings Act, CCSM, c.C130 (assented to July 25, 2002); P.E.I.: Rules of Civil Procedure, Rule 12; Nova Scotia: Civil Procedure Rules, Rule 5.09; New Brunswick: Rules of Court of New Brunswick, Rule 14.01. Alberta has introduced Bill 25 of 2003, the Class Proceedings Act, and it is being considered in Committee. Canada’s first class action based on a breach of privacy was filed in Saskatchewan in February of 2003, arising out of the disappearance of a computer hard drive containing personal information on approximately one million individuals.
42. See Peter Bakogeorge, “Making a class action plan”, Law Times, September 10, 2001, p.15.
43. See for example Sections 18, 20(2) and 24 of PIPEDA.
44. It should be noted that with its decision in Western Canadian Shopping Centres v. Dutton, 2001 SCC 46, released July 13, 2001, the Supreme Court has allowed a broad interpretation of the representative action provisions in Alberta’s Rules of Court that may expedite the bringing of class actions in most provinces.
45. Aubry c. Les Éditions Vice Versa inc. [1991] R.R.A. 421 (Cour du Québec); (1996), 71 C.P.R. (3d) 59 (Québec Court of Appeal); [1998] 1 S.C.R. 591 (Supreme Court of Canada). A professional photographer had taken a photograph of a young woman sitting on some steps in a public place in Montreal. The photograph was used, without her consent, to illustrate an article in a literary magazine. The courts at all levels found that the photograph was in no way derogatory or humiliating to the individual per se, neither in the way the individual was portrayed, nor in any relationship that it had to the text. Damages of $2,000 were awarded at trial. In the Supreme Court the issue was whether there had been sufficient evidence of humiliation damages arising out of the invasion of privacy in order to support the action in tort. There was dissent and, although the award of damages was considered high, the award was upheld. The only evidence of damages was that the young woman had testified briefly that she had some difficulties at school because her friends teased her.
46. Reuters, “Amazon unit settles lawsuit”, Silicon Valley.com, April 30, 2001.
47. Privacy Amendment (Private Sector) Act 2000, Act No. 155 of 2000, that came into force on December 21, 2001.
48. Ley Orgánica 15/1999, de 13 diciembre, de Protección de Datos de Carácter Personal.
49. Vom 20.12.1990, BGBl. I S. 2594.
50. Gesetz zur Änderung des Bundesdatenschutzgesetzes und anderer Gesetze, BGBl. vom 22.05.2001 S. 904.
51. As expressed in Sec. 3 of the Canadian Charter of Rights and Freedoms, Part I of the Constitution Act, 1982, being Schedule B to the Canada Act, 1982 (U.K.), 1982, c.11.
52. Ibid.
53. Kate Marquess, “Private Property: In today’s ‘e-economy’ most every company needs a concise, workable policy regarding customer data”, 87 ABA Journal 52, September 2001.
54. Ibid., pp. 54–55.
55. See, for example, Office of the Privacy Commissioner, Your Privacy Responsibilities: A Guide for Business and Organizations (Ottawa: Office of the Privacy Commissioner, 2000).
56. The Privacy Commissioner of Canada first applied this test in his findings regarding the collection by IMS Health of information regarding the prescribing habits of doctors without the doctors’ consent. For a critique of his use of the balance test in that specific case, see Paul Jones, “Striking the right balance”, Law Times, December 19, 2001, p. 7.
PAUL JONES
Miller Thomson LLP, Barristers and Solicitors, Toronto