UVIC – Internet and Information Technology Law

September 18th – Privacy Law
Allyson Whyte Nowak
I. Privacy Legislation in Canada
A. Federal
– Privacy Act, R.S. 1985, c. P-21
– Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5
B. Provincial
– Personal Information Protection Act, S.B.C. 2003, c. 63 (PIPA)
– Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (FIPPA)

The Privacy Act
– enacted July 1, 1983
– public sector legislation affecting federal government departments and agencies
– October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act

PIPEDA
Section 3: Purpose
The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

PIPEDA: Statistics
– In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:
  – there is a “significant backlog of complaints”
  – there was a “large drop” in 2005 in the number of complaints filed under PIPEDA

PIPEDA: Statistics
– In 2005 the largest number of complaints were against financial institutions BUT
– The number of complaints was just over half of what they were in 2004
– In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)

PIPEDA
Section 4(1): PIPEDA applies to every organization in respect of personal information that,
4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities
4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

PIPEDA
PIPEDA does not apply to:
– any government institution to which the Privacy Act applies
– any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose
– any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))

How are employees’ privacy rights protected in the private sector?
– Substantially similar legislation (B.C., Alta, Quebec)
– Sector-specific legislation (Alta, Sask, Mtba, Ontario)
– Provincial Human Rights legislation
– Common law right to privacy

Statutory right to Privacy
– A statutory tort of invasion of privacy has been created in:
  – B.C.
  – Saskatchewan
  – Manitoba
  – Newfoundland
  – Quebec

Common Law
– Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT
– a recent decision recognized that the tort of invasion of privacy may exist:
  – Somwar v. McDonald’s (2006), 79 O.R. (3d) 172

A. Sources of PIPEDA
i) EU Directive
ii) Model Code
iii) E-com Strategy
iv) Bill C-54
v) OECD Guidelines

B. Definitions
– CUD
– FWUB
– Personal Information
– Organization
– Commercial activity

“Personal Information” (s.2(1))
– defined to mean information about an identifiable individual
– exclusions: name, title, or business address or telephone number of an employee of an organization

“organizations” (s.2(1))
– defined to include an association, a partnership, a person and a trade union
– corporations are “persons” pursuant to s. 35(1) of the Interpretation Act

“commercial activity” (s.2(1))
– definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

C. PIPEDA
Part 1, Division 1
Protection of Personal Information
– Subsection 5(1): “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”
– Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code
– Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

The 10 Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

PIPEDA
s.7(1): Collection without Knowledge or consent
An organization may collect personal information without the knowledge or consent of the individual where,
– collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))

PIPEDA
– in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))
– the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))

PIPEDA
s.7(2): Use without Knowledge or Consent
An organization may use personal information without the knowledge or consent of the individual only if,
– the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))

PIPEDA
– It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))
– It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))

PIPEDA
Subsection 7(3): Disclosure without Knowledge
An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,
– made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))
– for the purpose of collecting a debt owed (s.7(3)(b))
– compelled by law (s.7(3)(c))

D. PIPEDA
Part 1, Division 2
Remedies
– filing of complaints (s.11)
– the Commissioner’s powers (s.12)
– the Commissioner’s Report (s.13)
– application to the Federal Court (s.14)

Complaints (s. 11)
– Individuals may complain to
  (a) the organization
  (b) the Office of the Privacy Commissioner
– the Commissioner may also initiate a complaint (“reasonable grounds”)

Types of Complaints
– an individual may complain to the Commissioner about any matter:
  (a) specified in sections 5 to 10 of the Act OR
  (b) in the recommendations OR obligations set out in Schedule 1.

Powers of the Privacy Commissioner (s. 12)
– PC obliged to investigate complaint (s.12(1))
– PC must give notice to the organization complained of (s.11(4))
– Powers include:
  (a) Summons to compel the giving of evidence under oath
  (b) Production of documents
  (c) Power of entry
  (d) Mediation/conciliation
  (e) Audits

The Commissioner’s Report (s.13)
– 1 year to prepare a written report
– Confidentiality of the report
– Where no report required
– Disposition of complaints
  i) Not well founded
  ii) Well founded
  iii) Resolved
  iv) Discontinued

Broad investigatory powers vs. …
– No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)
– No sanctions for failing to follow recommendations
– Only real power is the “power of embarrassment”
– Fines for obstructing an investigation
– No power to order costs of the investigation

Application to the Federal Court (s.14)
– Complainant or PC may apply
– Subject matter restricted but always open for parties (including the organization) to seek judicial review
– Application must be made within 45 days after Report is sent
– Remedies more expansive

II. Key Issues in Privacy Law
1. Outsourcing
2. M&A issues
3. Privacy in the workplace
4. Whistleblowing

Outsourcing
– no exemption for disclosure between subsidiary, affiliated, or related companies
– Implications of the U.S. Patriot Act
– The B.C. response (FIPPA)
– PIPEDA case summary #313

M&A Issues
– Asset sale = commercial activity
– Solutions
  i) privacy policies need to address the possibility of a sale of the business
  ii) “anonymize” the information
  iii) contractual safeguards
  iv) review all personal information and disclose only what is “necessary” to close

Privacy in the Workplace
– Monitoring employees in the workplace
  – Biometric authentication devices
  – Video surveillance
– Employee complaints represent 20% of complaints filed in 2004

PCC’s 4-step analysis of a privacy-invasive measure
(1) Is it demonstrably necessary to meet a specific need?
(2) Is it effective in meeting that need?
(3) Is the loss of privacy proportional to the benefit gained?
(4) Are there less invasive alternatives?