Personal Information in the Private Sector

AuthorBarbara Von Tigerstrom
Legislation governing personal information in the private sector com-
mercial and other private organizations is a relatively recent addition
to the Canadian legal landscape, as compared to public sector infor-
mation and privacy legislation. A unique combination of federal and
provincial legislation now covers this field across Canada. The federal
statute, the Personal Information Protection and Electronic Docume nts Act,
was enacted in 2000 and came into effect in stages beginning in 2001.1
Part 1 and Schedule 1 of this Act deal with personal information, while
the remaining parts deal with electronic documents. It was predated by
the Quebec Act respecting the protection of personal information in the pri-
vate sector (Quebec Private Sector Act, in force since 1994),2 and Alberta
and British Columbia passed private sector statutes, both titled the Pe r-
sonal Information Protection Act (PIPA ), a few years later (both enacted in
2003 and in force 1 January 2004).3 This chapter will focus prim arily on
1 SC 2000, c 5 [PIPEDA]. The Act’s application to p ersonal health infor mation was
deferred for a year: s s 30(1.1) and (2.1); for the first three year s it applied only to
collection, use, a nd disclosure of persona l information in connection w ith the
operation of a federal work , undertaking, or busine ss or disclosure outside th e
province for consider ation: ss 30(1) & (2).
2 CQLR c P-39.1 [Quebec Private Sector Ac t]. There are also relevant prov isions
in the Civil Code of Québec, CQLR , c CCQ-1991 [CCQ], and Charter of Huma n
Rights an d Freedoms, CQLR, c C -12 [Quebec Charter], discusse d in Chapter 2,
Section E.
3 Personal Information P rotection Act, SA 2003, c P-6.5 [AB PIPA]; Personal Informa-
tion Protection Act, SBC 2 003, c 63 [BC PIPA]. Man itoba passed private sector
the federal legislation, but include some discussion of important differ-
ences and useful examples from the provincial legislation.
The enactment of PIPEDA was part of the federal government’s strat-
egy to promote electronic commerce,4 but its immediate impetus was the
adoption of the European Union (EU) Data Protection Directive.5 This
Directive, which took effect in 1998, established data protection prin-
ciples to be implemented in EU member states and, most significantly
for non-members like Canada, required them to prevent transfers of
personal data to countr ies that did not provide adequate protection. In
the absence of any comprehensive Canadian laws governing personal
information in the private sector out side of Quebec this would
have meant significant impediments for cross-border transfers of infor-
mation and thus for Canadian organizations engaging in international
business. In 2001, following the enactment of PIPEDA, the European
Commission adopted a decision stating that “Canada is considered as
providing an adequate level of protection for personal data transferred
from the Community to recipients subject to [PIPEDA].”6 The adequacy
of PI PEDA and other Canadian legislation will need to be reassessed
under the new European General Data Protection Regulation (GDPR),
which took effect in 2018, and this will inf luence potential reforms
of the legislation.7 In the meantime, the adequacy decision relating to
PIPEDA remains in force until amended, replaced, or repealed.8
legislation i n 2013, but it h as not yet been brought into force: The Personal Infor-
mation Protection and Identity Theft Prevention Act, SM 2013, c 17.
4 See, for example, Teresa S cassa, “Text and Context: Mak ing Sense of Canad a’s New
Personal Infor mation Protection Legisl ation” (2000–2001) 32 Ottawa Law Revie w
1 at 3 [Scassa, “Text and Contex t”]; Chr istopher Berzins, “Protec ting Personal
Information i n Canada’s Private Sector: The Pr ice of Consensus Build ing” (2002)
27 Queen’s Law Journ al 609 at 622–25 [Berzins, “Protecti ng Personal Information”].
5 EC, Commission Directive 95/46/EC of the European Parliament a nd of the Council
of 24 October 1995 on the protection of individ uals with regard to the processing of
personal dat a and on the free movement of such da ta, [1995] OJ, L 281/31.
6 EC, Commission Deci sion of 20 December 2001 pursuant to Directive 95/46/EC of
the European Parliament and of th e Council on the adequate protectio n of personal
data provided b y the Canadian Personal Informati on Protection and Electronic
Documents Act, [2002] OJ, L2/13.
7 EC, Commission Regulatio n (EU) 2016/679 of th e European Parliament and of the
Council of 27 April 2016 on the protection of natural person s with regard to the pro-
cessing of personal da ta and on the free movement of such d ata, and repealing Dir-
ective 95/46/E C, [2016] OJ, L119/1 [GDPR]; Innovat ion, Science and Economic
Development Canad a, “Strengthening Pr ivacy for the Digital Age: Propos als
to Moderniz e the Personal Information Protection a nd Electronic Documents Act
(21 May 2019), online: /eic/site /062.nsf/eng /h_0 ml [ISE D,
PIPEDA Propos als”]. For further di scussion of the GDPR, see Chapte r 1, Section C(1).
8 GDPR, above note 7, a rt 45(9).
Personal Infor mation in the Private Sector 293
The federal private sector framework is rather complex and unusual
in several respect s, including its relationship with provincial legi slation.
In order to provide a harmonized environment for business in Canada
and to ensure an adequate level of protection for the purposes of the
EU Data Protection Directive, it was important to put in place uniform
protection for personal information across Canada. The enactment of
PIPEDA is generally understood to be an exercise of the federal govern-
ment’s trade and commerce power, but the governance of personal infor-
mation falls at least partly under provincial jurisdiction over property
and civil rights in the province and local and private matters.9 Particu-
larly given that Quebec had already adopted its own provincial pri-
vate sector legislation, any attempt by the federal government to assert
comprehensive and exclusive jurisdiction in this area would have been
controversial, to say the least. The resulting compromise is reflected in
PIPEDA’s scope of application and in provisions that allow it to be dis-
placed by “substantially similar” provincial legislation. As will be dis-
cussed below, PIPEDA applies to personal information th at is collected,
used, or disclosed in the course of commercial activities or in connec-
tion with the operation of a federal work, undertak ing, or business.10 By
order of the Governor in Council, however, an activity or organization
(or class of activities or organizations) can be exempted from the appli-
cation of Part 1 of PIPEDA in respect of collection, use, or disclosure
of personal information within a province where substantially similar
provincial legislat ion applies.11 Even with this explicit accommodation
of provincial governments’ role, questions about the constitutionality of
PIPEDA have been raised, although never conclusively decided.12
9 Constitution Act 1867 (UK), 30 & 32 Vict, c 3, reprinted i n RSC 1985, Appendix II,
No 5, ss 91(2) and 92(13) a nd (16). See House of Com mons, Standing Committe e
on Access to Infor mation, Privacy and Eth ics, Towards Privacy by De sign: Review
of the Personal In formation Protection and Elect ronic Documents Act (Februar y
2018) (Ch air: Bob Zimmer), online: www.ourcommon /Committee /
421/ ETH I/ Rep ort s/ RP9 690 701/et hi rp12 /eth ir p12-e .pd f at 13 [ETHI PIPEDA
Review]; Michel Basta rache, “The Constitutionalit y of PIPEDA: A Re-consider-
ation in the Wake of the Supreme C ourt of Canada’s Reference re Securit ies Act
(June 2012), online: http://accessprivacy.s3.amaz arache-June-
2012-Constitiut ionality-PI PEDA-Pa per-2 .pd f at 4.
10 PIPEDA , above note 1, s 4(1). Se e Section A, below in this ch apter.
11 Ibid, s 26(2)(b).
12 See, for example, Ba starache, above note 9; Mahmud Jam al, “Is PIPEDA Consti-
tutional?” (2006) 43 Canadian Bu siness Law Journal 434; Josh Nisker, “PIPEDA :
A Constitution al Analysis” (2006) 85 Canadian Bar Re view 317; State Farm
Mutual Automob ile Insurance Company v Canada (Privacy Commi ssioner), 2 010
FC 736 [State Fa rm]; Company’s Re-use of Millions of Canad ian Facebook User Pro-
files Violated Pr ivacy Law, PIPEDA Report of Findi ngs #2018 -002, 2018 CanLII

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT