Canadians may not yet be aware of it but when the real new millennium came into being on Jan. 1, 2001, so too did the federal government’s Personal Information Protection and Electronic Documents Act (PIPED), formerly called Bill C-54.
It’s Ottawa’s tentative, first step towards showing some guidance in the face of the new economy with regards to the collection, storage and transmission of personal information by organizations involved in commercial activities. For now, the law applies to personal information of clients and employees in the federally-regulated private sector, such as airlines, banking, broadcasting, interprovincial transportation and telecommunications. The law will also apply to all organizations that disclose personal information for consideration outside a province or the country. Come Jan. 1, 2002, the PIPED Act will also apply to personal health information.
“This is a very important step for protecting the privacy rights of Canadians,” remarked George Radwanski, Canada’s Privacy Commissioner in Ottawa. “It’s of tremendous importance as privacy issues will be the defining issue in this decade.”
Radwanski praised Canada and the Act in the global context of privacy laws. Although no official comparisons have been drawn to other nations, he reverted to that by which all Canadians rate either their patriotism or national accomplishments: the American measuring stick.
“The U.S. doesn’t have anything quite like this,” he said. “I’m sure some countries have either stronger or weaker laws…this moves us a great distance forward.”
At the root of the first phase of the Act is the basis for private citizens to have the right to know why a business or organization is collecting, using or disclosing their personal information, such as name, age, medical records, income, spending habits, DNA code and marital status. Moreover, any individual has the right to check this information for inaccuracies and correct them. The Act defines personal information as being any information about an identifiable individual whether recorded or not. It further defines organizations as being “associations, partnerships, persons and trade unions.” Bricks-and-mortar enterprises and e-businesses are also covered by the Act. In January 2004, the Act will extend itself to cover the collection, use and disclosure of personal information by any organization in the course of commercial activity within a province, as well as interprovincial and international transactions.
Say the magic word
According to the Act, businesses must obtain an individual’s consent when they collect or otherwise use their private particulars. The only exception to this is an emergency or a criminal investigation where lives or safety are at risk.
“It used to be that privacy was protected by default,” Radwanski mused. “Now, literally by the click of a keyboard, an organization can compile an extensive set of information about you. [Society] has to go to considerable trouble to protect that privacy. I wish to be as proactive as I can as an individual in this regard.”
The Act does not apply to any federal government institution subject to the Privacy Act, personal information collected and/or used for household reasons, personal information collected and/or used for journalistic, artistic, or literary purposes, and the name, title, business address or telephone number of any employee of an organization.
Michael Geist, a law professor at the University of Ottawa, said the Act is a proactive step for Canada even if there are some shortcomings.
“There’s some obvious holes in the law with regards to jurisdiction issues, but it’s better than not having any legislation at all,” he remarked. “If you look at it from an international context, there’s a worldwide trend towards privacy legislation and this law will see Canada at least ride that wave of increased privacy legislation.”
Geist – whose course of instruction centres on Internet and e-commerce law – said Ottawa has concocted a foundation for privacy legislation in Canada, a foundation that the provinces are free to expand upon.
“The provincial role is important as they are free to extend coverage to where the law doesn’t apply, while also initiating their own enforcement mechanisms,” he explained. “Ottawa has created the minimum standards.”
To give the Act teeth, Ottawa set fines ranging from $10,000 to $100,000 that can be levied against any person convicted of destroying personal information that an individual has requested; retaliating against an employee who has complained to the Privacy Commissioner; or who obstructs a complaint investigation or an audit by the Privacy Commissioner or a delegate.
Radwanski insisted Ottawa has armed Canadian citizens with a number of legal avenues to pursue a complaint against an organization. For instance, individuals may obtain information about themselves held by an organization and can request that inaccurate or incomplete information be corrected. The only exceptions to that rule involve matters such as national security, solicitor-client privileges and threats to the safety of others. Otherwise, dissatisfied people can file complaints with the Privacy Commissioner. In the event people are not pleased with the Privacy Commission’s results, they can apply to the Federal Court of Canada for a hearing. The Federal Court can award damages to an individual (including damages for humiliation) and can order an organization to correct its practices.
“I can go public and identify a company as not respecting the law,” Radwanski said. “I can go to federal court and order the organization in question to cease and desist. A company that violates privacy rights [can expect] damage settlements to be fairly substantial.”
But according to the Public Interest Advocacy Centre (PIAC) in Ottawa, the PIPED Act puts all the onus on the individual and not the government or businesses to remedy a complaint.
“Ultimately, the burden of enforcement falls to the individual, ” charged Philippa Lawson, counsel for PIAC, a non-profit organization representing consumer rights in Canada since the mid-70s. “From a process standpoint, our main concern is in order for any kind of binding order to be enforced, an individual has to take their case before the Federal Court and that’s a huge, onerous proposition that costs time and money.”
Geist said it isn’t the role of government to fund multiple appeals on privacy in court. “The individual will receive the free opportunity to be heard and have their complaint addressed by the Privacy Commissioner,” he said. “The Privacy Commissioner does have the power to conduct an audit independent of any complaint.”
Protection for whom?
Lawson further alleged the Act does not go far enough in providing meaningful protection for citizens after they’ve granted an organization consent to use their information.
“Businesses might comply in a technical sense but not in a meaningful sense,” she said. “The Act permits [businesses] to do a broad number of things with your information (once consent is granted). It should be time-limited and it shouldn’t be so broad.”
Geist, on the other hand, pondered aloud the practicality of forcing businesses to seek permission from an individual every 90 days.
“The individual still has control over the information and they can rescind it at anytime,” he said. “It would be onerous if businesses had to come back to ask for permission again.”
What remains to be seen is how the Act will pertain to wireless devices. Radwanski admitted the wireless Internet is a tricky issue that’s yet to be addressed.
Geist – who pens a monthly column on cyberlaw for The Globe And Mail – said the wireless issue will take centre stage.
“Wireless presents a particularly thorny privacy concern because mobile phones and wireless e-mail devices reveal information about where we are, as well as who we are,” he wrote on Jan. 4.
Lawson acknowledged the Act is a good start for Canada, but she criticized Ottawa’s inability to address privacy issues surrounding health information.
“The one-year extension for health…was done for no good reason. Health information crosses borders and/or falls inside the federal sphere,” she said. “Hospitals, pharmacists and the health industry see this as a potential growth area with a huge profit centre, so they became quite upset with the constraints of the Act. On the other hand, physicians and dentists don’t think the Act goes far enough to protect patients’ rights. With a polarized health industry entering the fray, the government opted to delay implementing the Act in that area for one year.”
Radwanski said the health industry was granted an additional 12 months to sort out issues surrounding the gathering of information for research purposes.
Geist played a part in the Senate hearings that led to Bill C-54 being adopted in the House of Commons. He agreed with PIAC that the health industry was a little late coming forward with its concerns, describing the whole affair as “an odd situation.” But he also said he doesn’t believe the implications facing the health industry will be settled within 12 months.