There is no explicit right to privacy in Canada's Constitution and Charter of Rights and Freedoms.[785] However, in interpreting Section 8 of the Charter, which grants the right to be secure against unreasonable search or seizure, Canada's courts have recognized an individual's right to a reasonable expectation of privacy.[786]
Privacy is regulated at both the federal and provincial level. At the federal level, privacy is protected by two acts: the 1982 federal Privacy Act and the 2001 Personal Information and Electronic Documents Act (PIPEDA).
The federal Privacy Act of 1982 regulates the collection, use and disclosure of personal information held by federal public agencies and provides individuals a right of access to personal information held by those agencies, subject to some exceptions, including an exemption for court records.[787] Individuals can appeal to a federal court for review if access to their records is denied by an agency, but are not authorized to challenge the collection, use, or disclosure of information. In 1999, in order to tighten exemptions and loopholes, the Privacy Commissioner finished an extensive review of the Act and recommended over one hundred changes to the law to improve and update it. Some of the changes included giving the Commission primary authority over all information collected by the federal government, extending its coverage beyond "recorded" information, increasing notice of disclosures, expanding court reviews, creating rules on data matching, controlling "publicly available" information and expanding the mandate of the Privacy Commissioner.[788]
PIPEDA was approved by Parliament in April 2000.[789] The Act adopts the CSA International Privacy Code[790] into law for private sector organizations that process personal information "in the course of a commercial activity," and for federally regulated employers with respect to their employees. It does not apply to information collected for personal, journalistic, artistic, literary, or non-commercial purposes. Part 1 of the PIPEDA establishes the parameters for the collection, use, disclosure, retention, and disposal of personal information. It sets out ten privacy principles as standards that organizations must comply with when dealing with personal information including: accountability, purpose, openness, consent, limiting use and collection, disclosure, retention, individual access, safeguards, accuracy, and challenging compliance. Part 2 deals with the use of electronic transactions and documents to facilitate electronic commerce and electronic communication within judicial proceedings.
PIPEDA has a tiered implementation schedule. In January 2001, it went into effect for personal information, excluding health information, held by federally regulated private sector entities, such as telecommunications and broadcasting businesses, banks and airlines, or businesses and organizations that disclose personal information across provincial or national borders. Health information was excluded for one year as a last minute concession to a powerful health sector lobby. As of January 1, 2002, personal health information processed by the organizations outlined above is covered by the Act. In January 2004, the Act will finally extend to every organization that collects, uses, or discloses personal information in the course of a commercial activity, whether or not the organization is federally regulated. It will cover all commercial activity in provincially regulated sectors unless the province enacts "substantially similar" laws. Quebec is the only province to have implemented privacy laws considered substantially similar by the Privacy Commssion.
There are other federal acts that address personal information. The Telecommunications Act[791] has provisions to protect the privacy of individuals, including the regulation of unsolicited communications. Also, the Bank Act,[792] Insurance Companies Act,[793] and Trust and Loan Companies Act[794] permit regulations regarding the use of information provided by customers. However, with the implementation of PIPEDA, the regulation making power over personal information in these Acts is not relevant anymore.[795] PIPEDA has jurisdiction over all federal institutions including banks, and as of January 2004, over all provincial institutions as well. There are also additional personal information protections built into the Young Offenders Act[796] and the Corrections and Conditional Release Act.[797] The Young Offenders Actregulates the information that can be disclosed about offenders under the age of eighteen while the Corrections and Conditional Release Actspeaks to the information that can be disclosed to victims and their families.
In January 2001, the Data Protection Working Party of the European Commission issued a decision stating that PIPEDA provided an adequate level of protection for certain personal data transferred from the EU to Canada.[798] This will allow certain personal data to flow freely from the EU to recipients in Canada subject to PIPEDA without additional safeguards being needed to meet the requirements of the EU Data Protection Directive. However, the Commission's decision of adequacy does not cover any personal data held by the federal sector or provincial bodies or information held by personal organizations and used for non-commercial purposes, such as data handled by charities or collected in the context of an employment relationship.[799] Operators in the EU will have to put in place additional safeguards, such as the standard contractual clauses adopted by the Commission in June 2001 before exporting the data to these organizations.
Both the Privacy Act and PIPEDA are overseen by the independent Privacy Commissioner of Canada, an officer of Parliament.[800] Under the Privacy Act the Commissioner has the power to investigate, mediate, and make recommendations, but cannot issue orders or impose penalties. During the course of an investigation the Commissioner may subpoena witnesses and compel testimony, and enter premises in order to obtain documents and conduct interviews. The Commissioner is also charged with conducting periodic audits of federal institutions to determine compliance with the Privacy Act, and to recommend changes where necessary. The Commissioner can initiate a Federal Court review in limited circumstances relating to denial of access to records. The first test of these limits came in May 2003, when the Federal Court ruled that it has no jurisdiction to address a PIPEDA appeal of the Privacy Commissioner involving disclosure of employment information to a trade union. The court held that the appeal fell under the jurisdiction of a labor arbitration panel instead.[801]
Between April 1, 2001 and March 31, 2002, the office received a total of 1,213 complaints under the Privacy Act, a decrease of 500 complaints from the previous year.[802] The office closed 1,673 investigations, an increase of 8 percent from the previous year. 397 of these cases related to issues of collection, use, disclosure, or disposal, 703 related to access, and 571 to time limits.[803] Since November 2001, the office has received more than 8,047 requests for information concerning the Privacy Act.[804]
The Commissioner's powers under PIPEDA are very similar to those under the Privacy Act. Again, the Commissioner has powers of recommendation only with regard to complaints submitted under the Act. Once a complaint is received, the Commissioner assigns an investigator to look into the matter. The investigator then submits his findings to the Commissioner who then considers the case and issues a report with recommendations. He can also request the organization in question to submit, with a specified period of time, notice of any action taken, or proposed to be taken, to implement these recommendations.[805] However, if the Commissioner is satisfied that there are reasonable grounds to investigate a matter under the Act, he may initiate his own complaint.[806] Under PIPEDA the Commissioner is also authorized to conduct broad research into privacy issues and promote awareness and understanding of privacy issues among Canadians.
In June 2003, the Commissioner, George Radwanski, resigned following the release of a report by a Parliamentary committee alleging that he misled the committee on several issues relating to expenses.[807] A new Commissioner, Robert Marleau, was appointed in the interim until a permanent replacement is found.
The Office of the Privacy Commissioner began receiving complaints under PIPEDA on January 1, 2001. As of January 2002, the Office had received more than 13,401[808] requests for information concerning PIPEDA, 102 formal complaints,45 of which involved banks and 28 the telecommunications sector.[809] The Commissioner's office completed and issued findings and recommendations on 28 complaints in 2001.[810]
Under PIPEDA the Commissioner has investigated Air Canada for sharing its customers' personal and financial information with its partners;[811] a US-based international marketing firm that was disclosing personal information by gathering and selling data on physicians' prescribing patterns;[812] a Canadian bank for not adequately specifying when personal information may be used or disclosed for secondary marketing purposes;[813] a telecommunications company for improperly disclosing a subscriber's unlisted telephone number to a collection agency;[814] The Commissioner has also made several findings related to employee privacy. In three cases, employers were held to have improperly refused employees access to materials in their personnel files.[815]
In May 2002, Canada became the first national government to make privacy assessments by federal departments and agencies mandatory. The Privacy Impact Assessment Policy means that all new and existing federal programs and services with potential privacy risks will undergo a Privacy Impact Assessment (PIA). The goal is a comprehensive report that ensures that privacy protection is a core consideration in the initial framing of program or service objectives and in all subsequent activities. According to the policy, the Office of the Privacy Commission will review all PIAs and offer comments to departments at an early stage.[816]
Canada is a member of the Organization for Economic Cooperation and Development and relied on the OECD's 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in the drafting of the federal Privacy Act of 1982.[817] Canada also has observer status at the Council of Europe and although it was not a member, it was a key player in the negotiations on the Cybercrime Convention. It has signed, but not yet ratified the Convention.[818]
Since 2001, the federal Privacy Commissioner has initiated important surveillance cases that have created much controversy in Canada. They are considered to be of national importance as they may set the standards for the future use of private and public surveillance cameras in Canada. The latest case to be investigated involved a complaint by a railway employee who was concerned that digital video recording cameras installed on company premises would collect the personal information of employees without consent, by recording their conduct and work performance. In February 2003, the Commissioner recommended that an employer refrain from video surveillance of his employees because the purpose of reducing theft did not justify the extra intrusion into employee privacy. [819]
In February 2001, the Royal Canadian Mountain Police (RCMP) began video surveillance of downtown Kelowna with the aim to prevent or deter crime. According to the Privacy Commissioner this kind of monitoring and recording was considered to be excessive of the legal requirement to collect only the minimal amount of personal information required for the intended purpose.[820] The RCMP Commissioner complied with the Privacy Commissioner's request to cease continuous recording except when a violation of the law is detected, in which case the area under surveillance will be videotaped. The Privacy Commissioner did not consider this an adequate response and in June 2002, announced the launch of a challenge to the RCMP's video surveillance activities as a contravention of the Canadian Charter of Rights and Freedoms, arguing the surveillance was excessive and intrusive. The Privacy Commissioner is concerned that there is no guarantee that the cameras are not recording at all times and that this case will lead to the proliferation of video surveillance cameras in public spaces as well as citizen profiling.[821] He based his complaint on an opinion by former Supreme Court Justice Gerard La Forest who argued that the practice was unconstitutional.[822] In March 2003, the Attorney General of Canada made a motion to dismiss the case, alleging that the Commissioner lacks standing because he is part of a statutory body created under the Privacy Act, and thus not able to initiate actions under the Charter.[823] In June 2003, the B.C. court dismissed the suit, ruling that the Commissioner has the right to investigate issues under the Privacy Act, but that his jurisdiction did not extend to bringing cases before the courts.[824] The case was appealed, but the new Privacy Commissioner has withdrawn the appeal stating that this action is not a "useful way of spending public funds."[825]
In June 2001, the Commissioner investigated a case concerning the installation of security cameras in the town of Yellowknife by a local security company, Centurion Security Services. The company installed surveillance cameras on the main street to monitor crimes as a marketing demonstration intended to generate business. The Commissioner issued a decision stating that both live video pictures and recorded video pictures of individuals would qualify as "personal information" under the Act and therefore could only be collected with consent of the individuals. The Commissioner also stated that since the company's video surveillance activity was a commercial activity, PIPEDA rules apply, and public places should only be monitored for public safety reasons where a demonstrated need had been shown, and not for commercial activities without individuals' consent.[826]
The Quebec government is also involved in surveillance issues. Quebec's privacy commission announced a public consultation in May 2003, aimed at fostering a debate on the issues surrounding video surveillance that will lead to a series of public hearings in the Fall of 2003. The commission has been active in advocating privacy standards for the use of surveillance cameras. In 2002, it released "Minimum Rules Applying to the Use of Surveillance Cameras", which outlines best practices for the use of surveillance equipment.[827]
Part VI of Canada's Criminal Code makes the unlawful interception of private communications a criminal offense.[828] Police are required to obtain a court order and interception is only authorized in cases "where other investigative procedures are unlikely to succeed." In December 2000, the Supreme Court of Canada clarified this requirement, stating that in order to obtain a wiretapping warrant police must submit documents showing that "there is no other reasonable alternative method of investigation." The Court stressed that it is not enough to show that wiretaps are simply the most efficient way to investigate a crime because this standard could threaten civil liberties.[829] Amendments to the Radiocommunication Act[830] also forbid the divulgence of intercepted radio-based telephone communications. The Canadian Security Intelligence Service Act[831] authorizes the interception of communications for national security reasons. A federal court in Ottawa ruled in 1997 that the Canadian Security Intelligence Service was required to obtain a warrant in all cases.[832]
In the summer of 2002, the Ministry of Justice and Industry Canada released a consultation document on implementing the Cybercrime Convention into Canadian law. The "Lawful Access Consultation" document proposed legislative amendments to various acts regulating lawful access in preparation for ratifying the Convention.[833] Both the federal Privacy Commissioner and his provincial counterparts have commented on the proposed amendments, and allege that they lack adequate privacy safeguards and grant law enforcement agencies excessive powers to intercept communications during investigations.[834] The commissioners have been joined by civil liberties organizations and industry groups who are worried about the effect of these amendments on consumers and businesses. A coalition of Quebec-based public interest groups launched a public campaign in January 2003 against the Lawful Access proposal without further public debate,[835] arguing that the case for increased surveillance powers for law enforcement and national security organizations has not yet been made.[836]
Canada is also preparing for closer cooperation with the European Police Office, an EU agency whose mandate is to improve police cooperation and move criminal intelligence between the EU Member States. In September 2002, the Council of the European Union released a data protection report on Canada, where it concluded that no obstacle exists for the Council to start negotiations in preparation of an agreement on the transmission of data from the European Police Office to Canada that would meet the EU's Data Protection standards.[837] The report noted that any agreement should bind both federal and provincial authorities in Canada.
In October 1998, Industry Minister John Manley announced a new Liberal government policy for encryption that allows for broad development, use, and dissemination of encryption products.[838] There are no restrictions on the private use of encryption in Canada.
The events of September 11, 2001, caused much concern in Canada about the need for government policy to protect against future terrorist activity. In response to public safety concerns, the government hastily introduced legislation, the Anti-Terrorism Act(Bill C-36), designed to institute the necessary procedures and mechanisms to deter terrorism at home and cooperate with other states abroad.[839]
As originally introduced, the bill ambiguously defined terrorist groups and terrorist activity; made it an offense to knowingly participate or facilitate, harbor, or fund terrorist activity; increased police electronic surveillance tools; limited disclosure of information and increased exemptions on access to subject data for national security reasons; required individuals with knowledge of a terrorist activity to be detained "preventively" and appear before a judge to offer information under the pretense of "investigative hearings"; and substantially enhanced the interception capabilities and investigative powers of security services. The bill would have also given the Attorney General of Canada the power to issue blanket certificates that prohibit the disclosure of any information for the purpose of protecting international relations, national defense, or security. Critics were concerned with the bill's limited oversight applications and sunset clauses, and with the possibility that the government, by issuing certificates, could render federal privacy law powerless, especially against the power of Canadian Security Intelligence Services (CSIS) and other security departments or agencies.
Due to widespread protest,[840] the bill was amended with provisions that preventative arrest and investigative hearing powers would sunset after five years unless the government extended them.[841] The bill also stated that ministers responsible for policing would now be required to report annually to Parliament on the use of preventative arrest and investigative hearing. Provisions dealing with Attorney General certificates would be amended so that the certificate could no longer be issued at any time, but only after an order or decision for disclosure has been made in a proceeding. The certificates would also be subject to review by a judge of the Federal Court of Appeal. A new interpretive clause was set which clarified that any political, religious, or ideological beliefs would not be considered a terrorist activity unless they specifically met the definition of "terrorist activity." Finally, some of the bill's measures would be subject to parliamentary review in three years. While the federal Privacy Commissioner George Radwanski was satisfied that these amendments would safeguard privacy rights, the Information Commissioner John Reid, among others, expressed concern that the amendments to the bill did not go far enough.[842] The Bill passed into law on December 2001.
Five weeks after tabling Bill C-36, the government introduced a complementary bill, the Public Safety Act (Bill C-42). The bill amended 19 existing acts and enacted new statutes to implement the Biological and Toxin Weapons Convention of 1975. Due to heavy criticism both within government and from the public, Bill C-42 was abandoned because it increased government surveillance power at the expense of civil liberties. The controversy centered around four provisions. The first allowed the Minister of National Defense to authorize the interception of private communication; the second gave the responsible minister the power to make interim orders in situations where immediate action is necessary; the third proposed information sharing among security agencies and federal departments to allow for screening of airline and travel agents' passenger information; and the fourth gave the Minister of National Defense the power to establish temporary military security zones for the protection of international relations, defense or security for up to a year, but which could be renewed.[843] Critics were concerned that this would allow the Minister to designate as a military security zone an area where an international summit meeting is taking place.[844]
The government next proposed Bill C-55, the Public Safety Act 2002, which included many of Bill C-42's controversial provisions, but also incorporated many amendments to improve the legislation.[845] Amendments include one that limits federal ministers' powers to suspend environmental, health, and other laws in emergencies; Bill C-42 stated that emergency suspensions must be approved by the full cabinet within 45 days. Provisions regarding the information-sharing of passenger lists were also amended to restrict information to a small group of security agencies and only for restricted purposes such as transportation security, warrants of arrest for serious offences, and counter-terrorism.[846] In June 2002, the Federal Privacy Commissioner publicly expressed his concern with this last provision, stating that it went far beyond the purported anti-terrorism and security aims of the legislation and would "strike unjustifiably" at Canadians' right to privacy and anonymity.[847] Finally, "military security zones" were replaced by "controlled access military zones" with amendments restricting time and renewal of zones and requiring public notification.[848]
In late 2002, the Public Safety Act was replaced yet again because of negative public feedback on C-55. Bill C-17 includes amendments to the Immigration and Refugee Protection Act and the Department of Citizenship and Immigration Act to allow data sharing; removes some of the purposes for which passenger list information can be accessed by the RCMP; and narrows the proposed "controlled access military zones" to better balance security needs of the army and the public interest. The Privacy Commissioner called the changes in Bill C-17 "minimal", and said that they do nothing to address one of the fundamental issues in Bill C-55, the mandatory identification of all travelers by the RCMP.[849] In a February 2003 appearance before a legislative committee on Bill C-17, the Commissioner argued that this provision would create a dangerous precedent for self-identification by police in all aspects of society.[850] The bill went through second reading in November 2002 and was reported amended by a legislative committee on May 7, 2003. It is now in the House of Commons at the reporting stage.[851]
In 2002 Canada Custom's and Revenue Agency (CCRA) released plans to establish an air traveler data base which would retain for six years the Advance Passenger Information/Passenger Name Record (API/PNR) information on every air traveller entering Canada. This database would be used to profile high-risk travellers, based on a wide variety of criteria such as racial or political affiliations, as well as travel information, The Minister in charge stated that the database would be a powerful weapon in the war against terrorism, and help catch criminals and tax evaders. Public interest groups and privacy commissioners have been critical of the initiatives, saying that it will violate both the Privacy Act and Charter of Rights and Freedoms and that the information contained in the database can be used for purposes unrelated to anti-terrorist security.[852]
The Commissioner sought legal opinions from a retired Supreme Court justice amongst other Canadian legal experts, who agree that this database would contravene the Charter. La Forest opined that the CCRA database engages a reasonable expectation of privacy and it implicates Section 8 of the Charter, which protects the right of every person to be "secure against unreasonable search or seizure."[853] He further explained that profiling based on such criteria and in the absence of individualized suspicion is antithetical to Canadian values of tolerance and non-discrimination.
In response to the criticism, the CCRA decided to change the database in March 2003 to reflect the criticisms. This was a big victory for privacy advocates.[854] Changes to the database include purging information not required for customs purposes, such as what people order to eat and health information. All information will be accessible to customs officers in the first seventy-two hours after it is collected and then become more restricted over time. Only a limited number of intelligence officers will have full access to the database. Law enforcement agencies will also need a warrant to access information except when dealing with an immediate situation at the border or where a "real or apprehended threat" to Canadian security exists.
The Federal Access to Information Act[855] provides individuals with a right of access to information held by the federal public sector. The Act gives Canadians and other individuals and corporations present in Canada the right to apply for and obtain copies of federal government records. "Records" include letters, memos, reports, photographs, films, microforms, plans, drawings, diagrams, maps, sound and video recordings, and machine-readable or computer files. About 12,000 requests are made annually for government records.[856] The Office of the Information Commissioner (OCC) can initiate a Federal Court review in limited circumstances relating to denial of access to records. The Information Commissioner can also investigate and issue recommendations, but does not have the power to issue binding orders. The Canadian Federal Court has ruled that the government has an obligation to answer all access requests regardless of the perceived motives of the requesters. Similarly, the Commissioner must investigate all complaints even if the government seeks to block him from so doing on the grounds that the complaints are made for an improper purpose. Each province also has its own freedom of information law.[857]
The OCC handled 956 complaints in 2002-2003; only two of which required the intervention of the courts. It also released report cards on several agencies and issued seven subpoenas to government officials. The majority of complaints were based on a refusal to disclose information (589 complaints in 2002-2003) and untimely delay in giving information (163 complaints). According to the OCC, the top five "complained against" institutions for which the Information Commissioner found the complaints to have merit include Citizenship and Immigration Canada (111 complaints, 56 with merit), National Defence (84 complaints, 50 with merit), Public Works and Government Services Canada (70 complaints, 53 with merit), Treasury Board of Canada (50 complaints, 44 with merit), and Canada Customs and Revenue Agency (54 complaints, 28 with merit).[858] The overall average turnaround time for a complaint in the 2002-2003 reporting period was 8.18 months, an increase from the average of 5.4 months in 2000-2001.[859]
One of the most interesting cases of 2002-2003, is a case where the issue was whether the Access Act gives a right of access to the Minister of Health's travel expense records, or whether access was dependent upon the willingness of the Minister to consent to disclosure. Previously the policy had been that there was a right to expense information, but this had been reversed by a Treasury Board Report, which informed departments that records of ministers' travel expenses were to be considered personal information and disclosure depended on the consent of the minister. Following negative media coverage of this case, the Prime Minister announced in Parliament that all ministers were to consent to the release of their travel expense records. Although the outcome to the complainant was favorable, the Commissioner reported that the government's decision to treat public access to these records as a "favor" rather than a "right" was unhealthy as it led to non-transparency of government actions.[860]
One of the most important issues facing the OCC in 2002-2003 was the public's access to information in light of new anti-terrorism legislation. The public's access to information has been restricted by the Anti-Terrorism Act, which gives the Minister of Justice the authority to issue a secrecy certificate concealing information related to terrorism, and terminating any ongoing investigations by the Information Commissioner related to such information. No secrecy certificates were issued under the terrorism legislation in 2002. The Ministry of Citizenship and Immigration has asked Cabinet to give it the power to restrict access to information from its intelligence and enforcement branch as an "investigative body" under the Access to Information Act. This is the first time a new application for investigative body status has been made in 20 years.
An example of a post-September 11, 2001 restriction to access of information was the refusal of Transport Canada to disclose information about tests of airport baggage and passenger screening. Partly in response, the Senate Committee released a report entitled "The Myth of Security at Canada's Airports," where it found that the government's refusal to release security-related information: "...acts against national security... [because] [i]t shields incompetence and inaction, at a time that competence and action are both badly needed."[861]
According to the Access to Information Review Task Force's June 2002 report, "Canadians are making relatively modest use of the Access to Information Act... After 20 years, the Act is still not well-understood by the public."[862] The report, moreover, goes on to state that the events of September 11, 2001 require one to balance the government's need to protect sensitive information with the public's right to access information and suggests 139 recommendations for modernizing access to information.[863]
There have been several highly public privacy blunders in Canada in 2003. In February 2003, copies of a patient's medical records were found on the back of a real estate newsletter. Reportedly the records were disclosed to a law firm who then recycled them. The law firm was chastised by the Ontario Privacy Commissioner who commented on the need for proper record handling and destruction.[864] Also in February, a computer hard drive was stolen which allegedly contained personal information of a medical, financial and tax nature on hundreds of thousands of customers of an insurance company, prompting significant privacy and identity theft concerns.[865] The hard drive was recovered after a week and a class action was launched, but it was uncertain how this personal information was used and whether it was disclosed. In June 2003, public computers terminals at courthouses in British Columbia were shut down for several weeks because a visitor was able to access information about court cases that was not supposed to be released to the public. The public information system was shut down as a precaution against any further access.[866]
Privacy legislation on a provincial level is separated into three categories: (a) public sector (data protection) law, (b) private sector law and (c) sector-specific laws. Public sector legislation covering government bodies exists in almost all provinces and territories.[867] Nearly every province has some sort of oversight body, but they vary in their powers and scope of regulation. New Brunswick and Prince Edward Island were the last provincial governments to introduce provincial public sector legislation. With the passing of these two acts, every territory and province in Canada, except Newfoundland and Labrador, will have statutory protection for personal information held by government agencies. Most provinces address both access to information and privacy issues in the same legislation.
With respect to provincial sector-specific legislation, many provinces have specific laws to protect personal information, including health-specific privacy laws, consumer credit reporting laws, laws regulating information from credit unions, and legislation imposing restrictions on the disclosure of personal information held by private investigators and other professionals. Alberta, Manitoba, and Saskatchewan have all passed health-specific privacy legislation, which sets rules for the collection, use, and disclosure of personal health information. These laws apply to personal health information held by hospitals, government ministries, regulated health professionals, and other health care facilities.
As of January 1, 2004, the federal PIPEDA will apply to all commercial activity in provinces unless the province enacts "substantially similar" laws. In May 2002, the Federal Privacy Commissioner sent a report to Parliament concerning the substantial similarity of provincial legislation. According to the Commissioner's report, every province has passed comprehensive privacy legislation for the public sector, while Quebec also has substantially similar legislation for the private sector through its Respecting the Protection of Personal Information in the Private Sector legislation.[868] However the final determination of whether other provincial privacy bills are substantially similar will be made by the government, through the Ministry of Industry (Industry Canada), and not the Privacy Commissioner who can only give his assessment of the bills. Industry Canada may base its determination on the similarity of broad legislative objectives, and not on the similarity of content as the Commissioner has done.
In Quebec the fundamental character of the right to privacy is held in its Charter of Rights and Freedomsand its Civil Code. More detailed requirements aimed at the public sector are found in legislation adopted in 1982, while Quebec enacted the first piece of legislation covering the entire private sector in North America in 1994. The latter regulates the collection, confidentiality, correction, disclosure, retention and use of personal information by these businesses. It also provides individuals with a right of access and correction. The Quebec Commission D'Accès à L'Information has broad powers over the public and private sectors.
In light of the 2004 PIPEDA deadline, other provinces are under pressure from their constituents to enact substantially similar private sector laws in order to ensure that the federal law does not apply to provincially regulated entities. Alberta and British Columbia (B.C.) both introduced their own private sector legislation for first reading in spring of 2003.[869] Ontario released a draft privacy act for consultation in early 2002. The provincial bills are reflecting concerns about PIPEDA, such as the lack of specific legislation in areas such as employee personal information, and the lack of clear definitions and business-friendly plain language.
Both the British Columbia and Alberta Acts will apply to personal information collected, used and disclosed by all businesses and non-profit organizations that are not covered by public sector acts. However, the Alberta Act does not apply to health information which is covered by theHealth Information Act.[870] The Acts will not apply to federally regulated companies covered by PIPEDA or when provincial organizations carry out business involving the movement of personal information across provincial borders.
There are significant differences between PIPEDA and the Alberta and British Columbia (B.C.) Acts. The main difference being that PIPEDA's regulations are based on a general principle of consent; while the provincial acts go one step further to carve out consent obligations in specific areas such as employee information and business transactions. Unlike PIPEDA, the B.C. and Alberta Acts contain a grandfathering provision which provides that information collected by the private sector before the Act comes into force does not need consent. In PIPEDA, all personal information collected by a business needs consent. A B.C. public interest organization suggested that the government should compromise on the grandfathering clause by giving companies one year to get consent for previously collected information.[871] The Acts also allow the collection, use and disclosure of an employee's personal information without consent as long it is done for 'reasonable' purposes, while PIPEDA makes no distinction between personal information collected for employment or commercial activities. An employee under the proposed Alberta Act includes students, volunteers or those with an agency relationship, and has provisions for destroying personal information collected during the recruitment stage. The provincial acts also allow the provincial privacy commissioners to issue binding ordersto settle disputes; the federal commissioner is restricted to making recommendations.
Some of the provisions of the B.C. and Alberta Acts are inadequate according to the federal Privacy Commissioner who claims that provisions such as the grandfathering clause and the "reasonable purposes" test for collecting non-consented to employee information makes the Act not "substantially similar" to PIPEDA. The Commissioner has also stated that various definitions, such as an "investigatio" are too open-ended and can lead to the erosion of privacy protection.[872] In a second report on what is considered to be substantially similar legislation, the Commissioner stated, "the [B.C.] Bill is clearly inferior to PIPEDA with regard to the concept of consent, which is at the heart of any statute purporting to protect privacy."[873] The Alberta Bill has "several serious deficiencies" that would "make it impossible" for it to be substantially similar to PIPEDA.[874]
In Ontario, a draft privacy act was released for consultation to stakeholder groups in early 2002. The draft was expected to be similar to PIPEDA, as well as include health privacy provisions. The government did not introduce the legislation in the fall of 2002, as expected, and as of May 2003 there has been no move to introduce such legislation. It is not expected that the legislation will move forward until after the next provincial election as the government is worried that the issue will not be popular amongst the electorate.[875]
Although the privacy law framework in Canada has received much media attention, a recent study from the Alberta Information and Privacy Commission found that there is a low level of awareness of current privacy laws: sixty percent of respondents were unaware of Canadian laws that protected their personal information. Out of 1,004 Canadians surveyed, only six could cite PIPEDA.[876] There was also a low level of awareness about Alberta's Health Information Act - only fifty-three percent of Albertans had heard of it.