1
Internet and Information Technology Law
September 18th – Privacy Law
Allyson Whyte Nowak
UVIC
2
I. Privacy Legislation in Canada
A. Federal
- Privacy Act, R.S. 1985, c.P-21
- Personal Information Protection and Electronic Documents Act (PIPEDA), S.C.2000, c.5
B. Provincial
- Personal Information Protection Act, S.B.C. 2003, c.63 (PIPA)
- Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (FIPPA)
3
The Privacy Act
- enacted July 1, 1983
- public sector legislation affecting federal government departments and agencies
- October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act
4
PIPEDA
Section 3: Purpose
The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.
5
PIPEDA: Statistics
- In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:
  – there is a “significant backlog of complaints”
  – there was a “large drop” in 2005 in the number of complaints filed under PIPEDA
6
PIPEDA: Statistics
- In 2005 the largest number of complaints were against financial institutions BUT
- The number of complaints was just over half of what they were in 2004
- In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)
7
PIPEDA
Section 4(1): PIPEDA applies to every organization in respect of personal information that,
- 4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities
- 4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business
8
PIPEDA
PIPEDA does not apply to:
- any government institution to which the Privacy Act applies
- any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose
- any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))
9
How are employees’ privacy rights protected in the private sector?
- Substantially similar legislation (B.C., Alta, Quebec)
- Sector-specific legislation (Alta, Sask, Mtba, Ontario)
- Provincial Human Rights legislation
- Common law right to privacy
10
Statutory right to Privacy
- A statutory tort of invasion of privacy has been created in:
  – B.C.
  – Saskatchewan
  – Manitoba
  – Newfoundland
  – Quebec
11
Common Law
- Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT
- a recent decision recognized that the tort of invasion of privacy may exist:
  – Somwar v. McDonald’s (2006), 79 O.R. (3d) 172
12
A. Sources of PIPEDA
i) EU Directive
ii) Model Code
iii) E-com Strategy
iv) Bill C-54
v) OECD Guidelines
13
B. Definitions
- CUD
- FWUB
- Personal Information
- Organization
- Commercial activity
14
“Personal Information” (s.2(1))
- defined to mean information about an identifiable individual
- exclusions: name, title, or business address or telephone number of an employee of an organization
15
“organizations” (s.2(1))
- defined to include an association, a partnership, a person and a trade union
- corporations are “persons” pursuant to s. 35(1) of the Interpretation Act
16
“commercial activity” (s.2(1))
- definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.
17
C. PIPEDA Part 1, Division 1
Protection of Personal Information
- Subsection 5(1): “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”
- Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code
- Subsection 5(2): mandatory obligations versus recommendations in Schedule 1
18
The 10 Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
19
PIPEDA
s.7(1): Collection without Knowledge or consent
An organization may collect personal information without the knowledge or consent of the individual where,
- collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))
20
PIPEDA
- in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))
- the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))
21
PIPEDA
s.7(2): Use without Knowledge or Consent
An organization may use personal information without the knowledge or consent of the individual only if,
- the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))
22
PIPEDA
- It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))
- It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))
23
PIPEDA
Subsection 7(3): Disclosure without Knowledge
An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,
- made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))
- for the purpose of collecting a debt owed (s.7(3)(b))
- compelled by law (s.7(3)(c))
24
D. PIPEDA Part 1, Division 2
Remedies
- filing of complaints (s.11)
- the Commissioner’s powers (s.12)
- the Commissioner’s Report (s.13)
- application to the Federal Court (s.14)
25
Complaints (s. 11)
- Individuals may complain to
  (a) the organization
  (b) the Office of the Privacy Commissioner
- the Commissioner may also initiate a complaint (“reasonable grounds”)
26
Types of Complaints
- an individual may complain to the Commissioner about any matter:
  (a) specified in sections 5 to 10 of the Act OR
  (b) in the recommendations OR obligations set out in Schedule 1.
27
Powers of the Privacy Commissioner (s. 12)
- PC obliged to investigate complaint (s.12(1))
- PC must give notice to the organization complained of (s.11(4))
- Powers include:
  (a) Summons to compel the giving of evidence under oath
  (b) Production of documents
  (c) Power of entry
  (d) Mediation/conciliation
  (e) Audits
28
The Commissioner’s Report (s.13)
- 1 year to prepare a written report
- Confidentiality of the report
- Where no report required
- Disposition of complaints
  i) Not well founded
  ii) Well founded
  iii) Resolved
  iv) Discontinued
29
Broad investigatory powers vs. ….
- No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)
- No sanctions for failing to follow recommendations
- Only real power is the “power of embarrassment”
- Fines for obstructing an investigation
- No power to order costs of the investigation
30
Application to the Federal Court (s.14)
- Complainant or PC may apply
- Subject matter restricted but always open for parties (including the organization) to seek judicial review
- Application must be made within 45 days after Report is sent
- Remedies more expansive
31
II. Key Issues in Privacy Law
1. Outsourcing
2. M&A issues
3. Privacy in the workplace
4. Whistleblowing
32
Outsourcing
- no exemption for disclosure between subsidiary, affiliated, or related companies
- Implications of the U.S. Patriot Act
- The B.C. response (FIPPA)
- PIPEDA case summary #313
33
M&A Issues
- Asset sale = commercial activity
- Solutions
  i) privacy policies need to address the possibility of a sale of the business
  ii) “anonymize” the information
  iii) contractual safeguards
  iv) review all personal information and disclose only what is “necessary” to close
34
Privacy in the Workplace
- Monitoring employees in the workplace
  – Biometric authentication devices
  – Video surveillance
- Employee complaints represent 20% of complaints filed in 2004
35
PCC’s 4-step analysis of a privacy-invasive measure
(1) Is it demonstrably necessary to meet a specific need?
(2) Is it effective in meeting that need?
(3) Is the loss of privacy proportional to the benefit gained?
(4) Are there less invasive alternatives?