By Janet Steinman, CIPP/US
Canadian data protection law is essentially a combination of the laws of the rest of the world. It has strict definitions of personally identifiable information (PII), as the EU does, but it has more opt-out than opt-in requirements, the way the U.S. does. Like the U.S., it has local laws that govern data security and privacy; in Canada’s case, provincial laws. Of course, Quebec law is based on European code law while the rest of the provinces are based on English common law. When a provincial law should be applied rather than the federal law varies. Canadian courts have ruled that Canadian companies must be subject to the laws of other countries when its data is resident or processed in a foreign country. But Canada has been granted equivalency status by the EU. Canada has some of the lengthiest data protection laws in the world and, as in all common law countries, a large amount of diverse case law. Part of the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the commercial sector, solely addresses electronic documents separate from any issues of data privacy. Plus there are laws regarding the public sector. Any applicable transactions, including drafting privacy policies and employee policies, regarding these laws are bound to be complicated.
Publications by the IAPP and Canada’s websites offer excellent places for a practitioner to begin. A Guide to the Personal Information Protection and Electronic Documents Act 2013 by Colin H. H. McNairn (published by Lexis/Nexis Canada, 2013, ISBN 978-0-433-47400-5) is unique in providing this vital information in an academic, scholarly format. The text of this book begins with explaining the background, purpose and structure of PIPEDA, an introductory factor that is too often lacking in many law books. A Guide to PIPEDA contains the full text of PIPEDA Parts 1 through 5, which include amendments current to February 21, 2013, and Regulations Pursuant to PIPEDA are current to the Canada Gazette of February 27, 2013. There is a table of cases before the text begins, as well as thorough footnotes, which point the reader in useful directions for more detailed sources and reasoning.
PIPEDA applies to the commercial private sector, with some exceptions being labor unions, federal work projects and banks. The Canadian Privacy Act regulates government and public sector organizations. The two laws have differing definitions of essential privacy law terms. The Canadian Standards Association prepared the Model Code for the Protection of Information (Model Code), which was presented to Parliament and passed as PIPEDA. McNairn’s book explains the anomalous situation where the Model Code was intended to be a voluntary national standard to provide a framework for industry groups. It was intended that businesses would adopt their own company codes. That hasn’t always happened. Enabling regulations have not been promulgated for much of PIPEDA despite the fact that the privacy commissioner, who handles complaints, enforces the law as mandatory. There is no definition of a “government institution.” Does it include provincial or foreign governments? Certain terms can only apply to the federal government, such as those regarding international relationships and the defense of Canada. A privacy practice can be investigated if there is even a small suspicion of a minor lack of compliance. A complaint can be pursued while civil litigation is in process. It has a strong commitment to openness for the owner of PII and well-reasoned case law, but PIPEDA is full of traps for the unwary.
Data protection laws by necessity intersect with many other laws, including child pornography laws, evidence, freedom of information laws, terrorist financing and a patient’s right to access. This book does an exceptional job of explaining these and the inevitable divergence for the enforcement of PIPEDA.
The electronic documents part of PIPEDA relates to the electronic means to record an action or a communication. It does not apply to data privacy. Its stated purpose is “to provide the use of electronic alternatives … where federal laws contemplate the use of paper to record or communicate information or transactions.” A consultation paper by the Department of Justice shows the intent to amend literally hundreds of laws at once so they did not have to be amended piecemeal. Like the earlier sections of PIPEDA, it began as advisory—in this case, as part of Canada’s Electronic Commerce Strategy. It clearly impacts many other laws, including contracts, property and other areas, that are governed by provincial law.
McNairn’s book sets forth a comprehensive, systematic explanation of PIPEDA, its real-world applications and the reasoning behind the interpretations of the law. As stated earlier, this book does an impressive job of listing and organizing laws, court opinions, advisory papers, rulings from the privacy commissioner, websites and the like, including in the footnotes. It is a more intellectual work than needed for practitioners beginning in the field of Canadian data protection. Strangely, there are a number of terms used in the book that are not listed in the index. If you are seeking to write a privacy statement or challenge a privacy ruling, while this will be useful to lawyers, you are much better off starting with IAPP publications and the Canadian government websites rather than with McNairn’s otherwise exemplary book.
Janet Steinman, JD, CIPP/US, is a member of the Harvard Law School Online Media Legal network and the American Bar Association Advisory Panel. She is experienced in laws on information technology, data licensing, e-commerce, computer technology, software development and licensing, U.S. and foreign data privacy and security laws including HIPAA and GLBA, among others.