After some delay, the federal government recently passed and proclaimed its privacy legislation. While the Personal Information Protection and Electronic Documents Act, as the federal privacy legislation is formally known, has many supporters, its critics are growing in number as the implications of its application to ordinary commercial transactions sink in. Ordinarily, a statute of such political sensitivity is not a likely candidate for early amendment, but new developments on the provincial front may present an opportunity to force a rethinking of at least the most troublesome aspects of the federal legislation.
The new development is Ontario’s announcement of a consultative initiative for its own privacy legislation. From all indications, Ontario intends to move swiftly through the consultative process and the enactment of its own privacy legislation. Other provinces are expected to follow suit.
A multiplicity of rules governing privacy on the federal and provincial scene was always expected. The Ontario initiative reminds us that unless the provinces agree to cooperate and adopt some form of uniform act, we may be facing a patchwork of privacy legislation across Canada, where individuals and information-gathering organizations are confused about which of the rules apply to them.
While this is bad news, critics of the federal privacy legislation view the Ontario initiative as another opportunity to shine a light on the flaws of the federal act. The hope is that if the provinces adopt a more workable law, the feds will be forced to review the flaws in their own legislation. And flaws there are. They are fundamental and, unless they are fixed to bring a reasonable balance between business and private interests, these flaws will add a substantial impediment and cost to ordinary business transactions.
A GREAT THUD
With respect to the compliance rules in the federal legislation governing the collection of private information, few complaints have been heard. The feds adopted by reference the CSA Privacy Code. It seems to be simple enough and has been voluntarily followed by a number of industry sectors for some time.
But the federal privacy legislation also regulates the “use” and “transfer” of personal information, and this is the area where the other shoe is dropping, and with a great thud.
The federal legislation prohibits the transfer of personal information unless authorized by the person to whom it applies. In a corporate setting, this rule is much more far-reaching than most anticipated. It prohibits, for example, the sharing of personal information between integrated business organizations which are, for tax or other reasons, structured to operate through affiliated corporations rather than operating divisions. The sharing of information between divisions of one corporation is not a transfer and therefore not caught by the federal legislation. The same activity by personnel of two affiliated corporations is a prohibited transfer without prior consent.
Similar difficulties in application arise in merger and acquisition transactions. If the transaction is a share sale transaction, it is not caught by the federal legislation because a share sale does not involve any conveyance of underlying assets. The same transaction, done by way of an asset transfer, triggers compliance with respect to the private information contained in the corporate databases.
These issues can be addressed going forward through appropriate consents as personal information is collected. But there is no easy solution for existing databases.
Why, you ask, is this a concern for legislation that has just been enacted? Well, and this is the kicker, the federal privacy legislation has a significant retroactive effect for databases containing personal information no matter how long ago it was collected. The use and transfer of that information is subject to the same rules as information collected after the law came into effect. Not surprisingly, few, if any, organizations will have the necessary consents to deal, in future transactions, with the old information.
While the lawyers try to figure out ways of dealing with the morass caused by this retroactivity, CIOs might be well advised to take steps to partition information gathered with consent from that already collected. This way, if there is no relief from the prohibition on transfer, at least over time, the tainted databases will be replaced by those that are compliant. This need for segregation should offer an opportunity for systems vendors, at least in the near future.
But back to Ontario. Officials have indicated that they intend to move rapidly with the Ontario privacy initiative. The federal privacy legislation applies to all transfers of information across provincial boundaries, and the Ontario rules are expected to be applied only to transfers where both the transferor and the transferee are located in the Province. While the scope of the Ontario legislation will be relatively narrow, Ontario officials have asked for public input and should be receptive to suggestions to avoid the mistakes contained in the federal legislation. Even if the removal of the retroactivity is the only improvement in the Ontario legislation, a focus on that issue may force the federal administrators to take their own corrective action.
Gabe Takach is a partner at the Toronto law firm of Tory Tory, where he heads up the firm’s technology contracting practice.