1 / 35

Internet and Information Technology Law September 18 th – Privacy Law Allyson Whyte Nowak

UVIC. Internet and Information Technology Law September 18 th – Privacy Law Allyson Whyte Nowak. I. Privacy Legislation in Canada. A. Federal Privacy Act , R.S. 1985. c.P-21 Personal Information Protection and Electronic Documents Act (PIPEDA) , S.C.2000, c.5 B. Provincial

lan
Download Presentation

Internet and Information Technology Law September 18 th – Privacy Law Allyson Whyte Nowak

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. UVIC Internet and Information Technology Law September 18th – Privacy Law Allyson Whyte Nowak

  2. I. Privacy Legislation in Canada A. Federal • Privacy Act, R.S. 1985. c.P-21 • Personal Information Protection and Electronic Documents Act (PIPEDA), S.C.2000, c.5 B. Provincial • Personal Information Protection Act, S.B.C. 2003, c.63 (PIPA) • Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (FIPPA)

  3. The Privacy Act • enacted July 1, 1983 • public sector legislation affecting federal government departments and agencies • October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act

  4. PIPEDA Section 3: Purpose The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

  5. PIPEDA: Statistics • In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged: • there is a “significant backlog of complaints” • there was a “large drop” in 2005 in the number of complaints filed under PIPEDA

  6. PIPEDA: Statistics • In 2005 the largest number of complaints were against financial institutions BUT • The number of complaints was just over half of what they were in 2004 • In 2005 the most common complaints were with respectto the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)

  7. PIPEDA Section 4(1):PIPEDA applies to every organization in respect of personal information that, 4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities 4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

  8. PIPEDA PIPEDA does not apply to: • any government institution to which the Privacy Act applies • any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose • any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))

  9. How are employees’ privacy rights protected in the private sector? • Substantially similar legislation (B.C., Alta, Quebec) • Sector-specific legislation (Alta, Sask, Mtba, Ontario) • Provincial Human Rights legislation • Common law right to privacy

  10. Statutory right to Privacy • A statutory tort of invasion of privacy has been created in: • B.C. • Saskatchewan • Manitoba • Newfoundland • Quebec

  11. Common Law • Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT • a recent decision recognized that the tort of invasion of privacy may exist: • Somwar v. McDonald’s (2006), 79 O.R. (3d) 172

  12. A. Sources of PIPEDA • EU Directive • Model Code • E-com Strategy • Bill C-54 • OECD Guidelines

  13. B. Definitions • CUD • FWUB • Personal Information • Organization • Commercial activity

  14. “Personal Information” (s.2(1)) • defined to mean information about an identifiable individual • exclusions: name, title, or business address or telephone number of an employee of an organization

  15. “organizations” (s.2(1)) • defined to include an association, a partnership, a person and a trade union • corporations are “persons” pursuant to s. 35(1) of the Interpretation Act

  16. “commercial activity” (s.2(1)) • definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

  17. C. PIPEDAPart 1, Division 1 Protection of Personal Information • Subsection 5(1): “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.” • Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code • Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

  18. The 10 Principles 1. Accountability 2. Identifying purposes 3. Consent 4. Limiting Collection 5. Limiting use, disclosure and retention 6. Accuracy 7. Safeguards 8. Openness 9. Individual access 10. Challenging compliance

  19. PIPEDA s.7(1): Collection without Knowledge or consent An organization may collect personal information without the knowledge or consent of the individual where, • collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))

  20. PIPEDA • in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b)) • the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))

  21. PIPEDA s.7(2): Use without Knowledge or Consent An organization may use personal information without the knowledge or consent of the individual only if, • the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))

  22. PIPEDA • It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b)) • It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))

  23. PIPEDA Subsection 7(3): Disclosure without Knowledge An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is, • made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a)) • for the purpose of collecting a debt owed (s.7(3)(b)) • compelled by law (s.7(3)(c))

  24. D. PIPEDAPart 1, Division 2 Remedies • filing of complaints (s.11) • the Commissioner’s powers (s.12) • the Commissioner’s Report (s.13) • application to the Federal Court (s.14)

  25. Complaints (s. 11) • Individuals may complain to • the organization • the Office of the Privacy Commissioner • the Commissioner may also initiate a complaint (“reasonable grounds”)

  26. Types of Complaints • an individual may complain to the Commissioner about any matter: (a) specified in sections 5 to 10 of the Act OR (b) in the recommendations OR obligations set out in Schedule 1.

  27. Powers of the Privacy Commissioner (s. 12) • PC obliged to investigate complaint (s.12(1)) • PC must give notice to the organization complained of (s.11(4)) • Powers include: • Summons to compel the giving of evidence under oath • Production of documents • Power of entry • Mediation/conciliation • Audits

  28. The Commissioner’s Report (s.13) • 1 year to prepare a written report • Confidentiality of the report • Where no report required • Disposition of complaints i) Not well founded ii) Well founded iii) Resolved iv) Discontinued

  29. Broad investigatory powers vs. …. • No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58) • No sanctions for failing to follow recommendations • Only real power is the “power of embarrassment” • Fines for obstructing an investigation • No power to order costs of the investigation

  30. Application to the Federal Court (s.14) • Complainant or PC may apply • Subject matter restricted but always open for parties (including the organization) to seek judicial review • Application must be made within 45 days after Report is sent • Remedies more expansive

  31. Key Issues in Privacy Law II. 1. Outsourcing 2. M&A issues 3. Privacy in the workplace 4. Whistleblowing

  32. Outsourcing • no exemption for disclosure between subsidiary, affiliated, or related companies • Implications of the U.S. Patriot Act • The B.C. response (FIPPA) • PIPEDA case summary #313

  33. M&A Issues • Asset sale = commercial activity • Solutions i) privacy policies need to address the possibility of a sale of the business ii) “anonymize” the information iii) contractual safeguards iv) review all personal information and disclose only what is “necessary” to close

  34. Privacy in the Workplace • Monitoring employees’ in the workplace • Biometric authentication devices • Video surveillance • Employee complaints represent 20% of complaints filed in 2004

  35. PCC’s 4-step analysis of a privacy-invasive measure (1) Is it demonstrably necessary to meet a specific need? (2) Is it effective in meeting that need? (3) Is the loss of privacy proportional to the benefit gained? (4) Are there less invasive alternatives?

More Related