Canada Legislates Electronic Privacy Protection Act

With the passing into law of the Personal Information Protection and Electronic Documents Act, Canada is leading the world in privacy legislation, according to Industry Canada.

Richard Simpson, director general of Industry Canada’s Electronic Commerce Task Force, helped write the Act and says recent U.S. legislation dealt only with children’s privacy, whereas Canada’s law has a more far-reaching effect.

“We’re leading. In fact, there is no other country that is ahead of us with the passing of this bill, and it’s coming into force in January (2001),” he states.

The Act (previously known as Bill C-6 before its passage into law in April) will protect individuals’ personal information that is collected, used or disclosed in the private sector.

Previously, Canada had federal and provincial legislation to protect personal information collected and used by governments only. Quebec was the only province that had previously enacted privacy legislation that applied to the private sector.

However, according to Lawrence Weinberg, a partner with Toronto-based Cassels, Brock and Blackwell, the fact there was an American federal law on the books first makes it seem like Canada missed the boat and now has to swim.

“I think in the area of e-commerce, the generally held view is that Canada is playing catch up with everything. Whether it’s in availability of products or services, availability of start-up (funding)…or the adoption of laws recognizing e-commerce transactions, we’re behind all the way.”

Weinberg says the Act essentially provides that a business can collect personal information, but cannot do anything with that information until it has the individual’s permission.

“It’s viewed as a hurdle in the growth of e-commerce that people don’t want to give up their personal information or they are fearful of what’s happening to their information. Most legitimate retailers are going an extra mile,” Weinberg says. “They are saying, ‘We will not share or sell your information.’ They’re not looking for consent to do it, they’re saying, ‘We won’t do it.’”

Under the Act, most organizations cannot collect personal information without the individual’s knowledge or consent. Industry Canada’s Simpson notes the Act is based on the Canadian Standards Association’s Model Code for the Protection of Personal Information, which was developed by industry and is in practice.

“So we had the advantage of taking what was out there and making it into the legal umbrella for personal information protection,” Simpson says.

The CSA’s code consists of 10 principles that relate to: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

The Act will be enforced by the privacy commissioner, who will audit businesses if complaints are filed against them.

“There are reporting requirements in the Act and there’s the opportunity for citizen complaint. If a citizen is denied access to his or her personal information, then the privacy commissioner is there to inquire into that,” Simpson explains.