Class Slides - Itlaw.com

Feb 22, 2014

Internet and Information Technology Law

September 18th

Privacy Law

Allyson Whyte Nowak

UVIC

Privacy Legislation in Canada

A. Federal

Privacy Act, R.S. 1985, c. P-21

Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5

B. Provincial

Personal Information Protection Act, S.B.C. 2003, c. 63 (PIPA)

Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (FIPPA)

I. The Privacy Act

enacted July 1, 1983

public sector legislation affecting federal government departments and agencies

October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act

PIPEDA

Section 3: Purpose

The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

PIPEDA: Statistics

In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:

there is a “significant backlog of complaints”

there was a “large drop” in 2005 in the number of complaints filed under PIPEDA

PIPEDA: Statistics

In 2005 the largest number of complaints were against financial institutions BUT

The number of complaints was just over half of what they were in 2004

In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)


PIPEDA

Section 4(1): PIPEDA applies to every organization in respect of personal information that,

4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities

4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

PIPEDA

PIPEDA does not apply to:


any government institution to which the Privacy Act applies

any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose

any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))



How are employees’ privacy rights protected in the private sector?

Substantially similar legislation (B.C., Alta, Quebec)

Sector-specific legislation (Alta, Sask, Mtba, Ontario)

Provincial Human Rights legislation

Common law right to privacy

Statutory right to Privacy



A statutory tort of invasion of privacy has been created in:


B.C.


Saskatchewan


Manitoba


Newfoundland


Quebec

Common Law


Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT

a recent decision recognized that the tort of invasion of privacy may exist:

Somwar v. McDonald’s (2006), 79 O.R. (3d) 172


A. Sources of PIPEDA

i) EU Directive

ii) Model Code

iii) E-com Strategy

iv) Bill C-54

v) OECD Guidelines



B. Definitions

CUD

FWUB

Personal Information

Organization

Commercial activity



“Personal Information” (s.2(1))

defined to mean information about an identifiable individual

exclusions: name, title, or business address or telephone number of an employee of an organization




“organizations” (s.2(1))

defined to include an association, a partnership, a person and a trade union

corporations are “persons” pursuant to s. 35(1) of the Interpretation Act



“commercial activity” (s.2(1))

definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

C. Protection of Personal Information

PIPEDA Part 1, Division 1

Subsection 5(1): “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”

Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code

Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

The 10 Principles

1. Accountability

2. Identifying purposes

3. Consent

4. Limiting Collection

5. Limiting use, disclosure and retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual access

10. Challenging compliance

PIPEDA

s.7(1): Collection without Knowledge or Consent

An organization may collect personal information without the knowledge or consent of the individual where,

collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))

PIPEDA


in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))

the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))


PIPEDA

s.7(2): Use without Knowledge or Consent


An organization may use personal information without the knowledge or consent of the individual only if,

the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))

PIPEDA


It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))

It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))


PIPEDA

Subsection 7(3): Disclosure without Knowledge


An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,

made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))


for the purpose of collecting a debt owed (s.7(3)(b))


compelled by law (s.7(3)(c))


D. Remedies

PIPEDA Part 1, Division 2

filing of complaints (s.11)

the Commissioner’s powers (s.12)

the Commissioner’s Report (s.13)

application to the Federal Court (s.14)

Complaints (s. 11)

Individuals may complain to

(a) the organization

(b) the Office of the Privacy Commissioner

the Commissioner may also initiate a complaint (“reasonable grounds”)






Types of Complaints

an individual may complain to the Commissioner about any matter:

(a) specified in sections 5 to 10 of the Act

OR

(b) in the recommendations OR obligations set out in Schedule 1.


Powers of the Privacy Commissioner (s. 12)

PC obliged to investigate complaint (s.12(1))

PC must give notice to the organization complained of (s.11(4))

Powers include:

(a) Summons to compel the giving of evidence under oath

(b) Production of documents

(c) Power of entry

(d) Mediation/conciliation

(e) Audits

The Commissioner’s Report (s.13)

1 year to prepare a written report

Confidentiality of the report

Where no report required

Disposition of complaints

i) Not well founded

ii) Well founded

iii) Resolved

iv) Discontinued

Broad investigatory powers vs. ….

No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)

No sanctions for failing to follow recommendations

Only real power is the “power of embarrassment”


Fines for obstructing an investigation


No power to order costs of the investigation

Application to the Federal Court (s.14)

Complainant or PC may apply

Subject matter restricted but always open for parties (including the organization) to seek judicial review

Application must be made within 45 days after Report is sent


Remedies more expansive


II. Key Issues in Privacy Law

1. Outsourcing

2. M&A issues

3. Privacy in the workplace

4. Whistleblowing



Outsourcing

no exemption for disclosure between subsidiary, affiliated, or related companies

Implications of the U.S. Patriot Act

The B.C. response (FIPPA)

PIPEDA case summary #313

M&A Issues


Asset sale = commercial activity


Solutions

i) privacy policies need to address the possibility of a sale of the business

ii) “anonymize” the information

iii) contractual safeguards

iv) review all personal information and disclose only what is “necessary” to close


Privacy in the Workplace

Monitoring employees in the workplace

Biometric authentication devices

Video surveillance

Employee complaints represent 20% of complaints filed in 2004

PCC’s 4-step analysis of a privacy-invasive measure

(1) Is it demonstrably necessary to meet a specific need?

(2) Is it effective in meeting that need?

(3) Is the loss of privacy proportional to the benefit gained?

(4) Are there less invasive alternatives?