I. Legal framework
Constitutional privacy framework
Canada's Charter of Rights and Freedoms (the Charter)1 does not provide a guaranteed right to privacy. Despite the lack of an explicit constitutional right to privacy, Canada's courts have recognized an individual's right to a reasonable expectation of privacy as part of the Charter right to be secure against unreasonable search or seizure (Section 8).2 The degree of privacy protection under Section 8 depends on the reasonable expectations of the individual in the circumstances.3 In R. v. Edwards, the Supreme Court of Canada identified several factors that define "reasonable expectations" in this context.4
Courts have also suggested that the individual has a right to privacy as part of the right to "life, liberty and security of the person" under Section 7 of the Charter. The Supreme Court of Canada has suggested that there may be a Section 7 right to privacy when dealing with medical records,5 the physical integrity of the person6 and decisions that are intensely personal.7 The Federal Court of Appeal has also noted the emerging view that Section 7's liberty interest includes a right to privacy, based again on reasonable expectations and the degree of potential infringement.8
Statutory rules on privacy
Privacy is regulated in both the public and private sectors in Canada, and at both federal and provincial levels. The Privacy Act9 regulates the federal public sector, while provincial and territorial statutes offer public sector privacy protection in those jurisdictions. The Personal Information Protection and Electronic Documents Act (PIPEDA)10 applies to private sector commercial activities throughout the country, with the exception of three provinces (Alberta, British Columbia and Quebec) that have enacted "substantially similar" provincial legislation of their own. Four provinces have passed legislation for the protection of information in the health sector.11
Public sector privacy protection
The federal Privacy Act has been in force in Canada since 1983, protecting the personal information of individuals held by federal government institutions. It governs the collection, use and disclosure of personal information held by most federal public agencies and provides individuals with a right of access to personal information held by those agencies, subject to some exceptions.12 The Act also sets out the mandate and duties of the federal Privacy Commissioner, who is responsible for investigating and resolving complaints under the Act, conducting audits of federal agencies, making recommendations for changes in governmental data management practices, and reporting annually to Parliament. The Commissioner does not have order-making powers under this Act.
In June 2006, the Privacy Commissioner of Canada released "Government Accountability for Personal Information," suggestions on reforming the Privacy Act.13 The document urges government to address the problem of trans-border data flows; reconsider the Act’s disclosure standard; increase accountability of government institutions in outsourcing of personal information; ensure greater transparency, accountability and oversight over the activities of national security agencies, including more stringent reporting requirements to Parliament; and expand the scope of privacy rights and incorporate more robust privacy principles. A review by the government has yet to take place.
Data protection legislation covering government bodies also exists in all 10 provinces and three territories.14 In most cases, provincial legislation covers access to information rights (i.e., rights to access government information) as well as data protection in the public sector. In two cases, (Quebec and New Brunswick), data protection and access to information are covered in separate statutes.
Federal privacy protection
The Personal Information Protection and Electronic Documents Act (PIPEDA) was approved by the federal Parliament in April 2000.15 The Act deals with protection of data that is collected, used or disclosed in the course of commercial activity. The Act applies to every private sector organization (federally regulated and most provincially regulated organizations) that collects, uses or discloses personal information, as well as to federally regulated employers with respect to their employees. The purpose clause of the Act16 recognizes not only individual rights to data protection, but also "the needs of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." The Act incorporates a private sector Code for the Protection of Personal Information17 that was developed by a multi-stakeholder committee of the Canadian Standards Association (CSA). The CSA Code sets out 10 privacy principles: accountability, purpose, openness, consent, limiting use and collection, disclosure, retention, individual access, safeguards, accuracy, and challenging compliance. Specific exceptions to the general requirement for knowledge and consent to any collection, use or disclosure are set out in Section 7 of the Act.
While the Act applies to provincially regulated private organizations, it does not apply to provincially regulated organizations in provinces that have enacted their own privacy legislation deemed to be "substantially similar" by the federal government. Presently, provinces that have enacted "substantially similar" private sector privacy legislation are Alberta,18 British Columbia19 and Quebec.20
In 2006, the House of Commons Standing Committee on Access to Information, Privacy and Ethics conducted PIPEDA’s Section 29-mandated five-year review. The Committee produced the "Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics," which contains twenty-five recommendations.21 Main recommendations include: distinguishing when express, implied or deemed/opt-out consent are required;22 clarifying the "disclosure without consent" exceptions;23 inclusion of a data breach notification requirement whereby the Privacy Commissioner would be notified and would determine whether further notification is necessary.24
The Committee recommended against any amendments to PIPEDA with respect to transborder flows of personal information.25 It further suggested that the Commissioner not be given order-making powers at this time.26 Critics doubt the ability of the Act to meet and adapt to the changing needs of information technology. "…[B]y issuing a tepid report that rejects the changes that many privacy advocates believe are necessary to improve the effectiveness of the current legal framework", observed Michael Geist, "[m]ost of the major issues presented to the Committee, including beefing up the Privacy Commissioner's powers, adopting a ’name and shame’ approach for privacy violators, and safeguarding Canadian data that is outsourced to other jurisdictions, were met with indifference, as the Committee recommended no further reforms."27 The data breach notification requirement was not as robust as it could have been, as notification is directed to the Privacy Commissioner rather than to affected individuals. The issue of transborder data flows received little attention in the review, despite a recent decision of the Supreme Court affirming the Commissioner’s jurisdiction to investigate transborder data flows.28
Provincial privacy protection
Quebec's Act Respecting the Protection of Personal Information in the Private Sector came into effect in 1994, long before PIPEDA. It regulates the collection, confidentiality, correction, disclosure, retention and use of personal information by businesses in that province. It also provides individuals with a right of access and correction. The British Columbia and Alberta Acts both came into effect on January 1, 2004. They apply to personal information collected, used and disclosed by all businesses and non-profit organizations in those provinces that are not covered by public sector statutes.
Although considered "substantially similar" by the federal government, there are significant differences between PIPEDA and the provincial Acts. First, PIPEDA's rules are based on a general principle of consent; the provincial Acts go one step further to carve out consent obligations in specific areas such as employee information and business transactions. Unlike PIPEDA, the British Columbia and Alberta Acts contain a grandfathering provision, which provides that information collected by the private sector before the Act comes into force does not need consent. The British Columbia and Alberta Acts also allow the collection, use and disclosure of an employee's personal information without consent as long it is done for "reasonable" purposes, while PIPEDA makes no distinction between personal information collected for employment or commercial activities. The provincial acts also allow the provincial Privacy Commissioners to issue binding orders to settle disputes; the federal Privacy Commissioner is restricted to making recommendations.
In addition to statutes cited above, four provinces (British Columbia, Saskatchewan, Manitoba, and Newfoundland) have legislation creating a statutory tort of invasion of privacy of a person. Quebec's Civil Code includes several provisions that create causes of action based on invasion of an individual's privacy.
Sector-specific privacy legislation
A number of other federal statutes address the privacy of personal information in specific sectors. For example, the Bank Act,29 Insurance Companies Act,30 and Trust and Loan Companies Act31 permit regulations regarding the use of information provided by customers. Under the Telecommunications Act,32 the Canadian Radio-Television and Telecommunications Commission (CRTC) is mandated to regulate telecommunications companies so as "to protect the privacy of persons," among other policy objectives. It has done so mainly through regulations governing the confidentiality of customer records, the ability of customers to block the display of their names and numbers on the telephone sets of people and to regulate unsolicited communications by rules governing telemarketing (but not spam).
Additional privacy protections are built into the Young Offenders Act33 and the Corrections and Conditional Release Act.34 The Young Offenders Act regulates the information that can be disclosed about offenders under the age of 18, while the Corrections and Conditional Release Act speaks to the information that can be disclosed to victims and their families.
Some provinces also have sector-specific laws to protect personal information, including health-specific privacy laws, consumer credit reporting laws, laws regulating information from credit unions, and legislation imposing restrictions on the disclosure of personal information held by private investigators and other professionals. Ontario,35 Alberta,36 Manitoba,37 and Saskatchewan38 have all passed health privacy legislation, which sets rules for the collection, use, and disclosure of personal health information. These laws apply to personal health information held by hospitals, government ministries, regulated health professionals, and other health care facilities or information custodians.
Both the Privacy Act and PIPEDA are overseen by the independent federal Privacy Commissioner of Canada, an officer of Parliament who is appointed by, and reports directly to, the Parliament of Canada.39 The federal Office of the Privacy Commissioner (OPC) is charged with investigating complaints, promoting public awareness of privacy issues and researching privacy issues. Provincial and Territorial privacy legislation is overseen by provincial oversight bodies. In most cases, the relevant authority is an Information and Privacy Commissioner, responsible for the administration of both privacy laws and access to information laws. In a few cases (Manitoba, New Brunswick, and Yukon Territory), an Ombudsman has powers to investigate matters relating to privacy as well as other matters.40 These oversight bodies vary significantly in their powers and scope of regulation.
The federal Privacy Commissioner receives complaints, conducts investigations and issues findings on matters related to both the public sector (Privacy Act) and the private sector (PIPEDA). Under both of these Acts, the Commissioner has the power to make recommendations; however, she cannot issue orders or impose penalties. Also under both statutes, the Commissioner has broad investigatory powers, including the power to subpoena witnesses and compel testimony, to enter premises in order to obtain documents and to conduct interviews. The Commissioner is also charged with conducting periodic audits of both federal institutions and private organizations to determine their compliance with the Privacy Act and PIPEDA, respectively. The Supreme Court of Canada recently granted leave to appeal a Federal Court of Appeal’s decision that stated that the Privacy Commissioner cannot, in the course of an investigation, compel the production of documents allegedly protected by solicitor-client privilege. The Court of Appeal held that only express language in the statute would be capable of overriding the general rule of solicitor-client privilege, and no such language exists in PIPEDA.41
While not binding, the Privacy Commissioner's decisions are considered to be of national importance. In a 2004 Federal Court decision involving a Privacy Commissioner finding, the court did not hesitate to classify PIPEDA as a fundamental law of Canada.42 It was also determined that the Privacy Commissioner could be granted a degree of deference with regards to his or her expertise, but not to findings of fact.43
In 2005-2006, the Privacy Commissioner received 1,028 complaints, nearly 35% less then the previous year. Quebec topped the list with 249, followed by Ontario with 225, while Yukon Territory recorded the lowest, with only 2 complaints.44 Under PIPEDA, the Privacy Commissioner received 424 complaints in 2006, compared with 400 in 2005 while 6,050 inquiries, compared with 5,685 in 2005. The noticeable decline in inquires from 12,312 in 2003 to 6050 in 2006 is an indication that "Canadian organizations and individuals are becoming more familiar with the legislation."45
Anyone can complain to the Commissioner about an alleged violation of PIPEDA. If the Commissioner is satisfied that there are reasonable grounds to investigate a matter under the Act, she may initiate her own complaint.46 Once a complaint is received, the Commissioner assigns an investigator to look into the matter. The investigator then submits his findings to the Commissioner, who considers the case and issues a report with recommendations. Reports must be issued within one year of the complaint. The Commissioner can also request the organization in question to submit, within a specified period of time, notice of any action taken, or proposal to be taken, to implement her recommendations.47
In 2007, the Privacy Commissioner reached a "landmark in supporting Canadian privacy research by pledging $258,000 CDN in research grants to six innovative organizations."48 The research program is in its fourth year and has awarded more than $1,000,000 CDN in grants covering more than 30 privacy research projects in Canada.
Some provincial Privacy Commissioners also engage in significant research, advocacy and public education. The Privacy Commissioners of British Columbia,49 Ontario,50 and Quebec51 all provide extensive information on privacy issues on their websites and have been active on a number of current privacy issues. For example, in 2004, British Columbia’s Privacy Commissioner launched an investigation to determine if the USA Patriot Act applies to the personal information of Canadians that has been outsourced for processing to US companies.52 This investigation was sparked by public concerns about the British Columbia’s government's proposal for contracting the administration of the provincial medical services plan to a Canadian subsidiary of an American company. The federal Privacy Commissioner was among many individuals and organizations who contributed a submission to the investigation.53 The final result of that inquiry lead to a comprehensive Federal strategy.54
- 1. http://laws.justice.gc.ca/en/charter/
- 2. http://www.lexum.umontreal.ca/csc-scc/en/pub/1984/vol2/html/1984scr2_014...
- 3. http://www.lexum.umontreal.ca/csc-scc/en/pub/2003/vol1/html/2003scr1_000...
- 4. http://www.lexum.umontreal.ca/csc-scc/en/pub/1996/vol1/html/1996scr1_012...
- 5. L’Heureux-Dubé, in dissenting judgment but with agreement of the Court on her views of privacy, R.v. O’Connor,  4 S.C.R. 411, 1995 CarswellBC 1098, 1995 CarswellBC 1151; Canadian AIDS Society v. Ontario (1995), 25, O.R. (3d) 388 (Gen. Div); affirmed (1996), 31 O.R. (3d) 798 (C.A.), leave to appeal refused (1997), 216 N.R. 159 (note) (S.C.C.); M, (A.) v. Ryan,  1 S.C.R. 157.
- 6. http://www.lexum.umontreal.ca/csc-scc/en/pub/1993/vol3/html/1993scr3_051...
- 7. http://www.lexum.umontreal.ca/csc-scc/en/pub/1988/vol1/html/1988scr1_003...
- 8. http://www.canlii.org/ca/cas/fca/2000/2000fca10500.html
- 9. http://laws.justice.gc.ca/en/P-21/index.html
- 10. http://laws.justice.gc.ca/en/P-8.6/93196.html
- 11. Ontario (Personal Health Information Protection Act, 2004), Manitoba (Personal Health Information Act), Saskatchewan (Health Information Protection Act) and Alberta (Health Information Act).
- 12. http://canada.justice.gc.ca/stable/EN/Laws/Chap/P/P-21.html
- 13. http://www.privcom.gc.ca/information/pub/pa_reform_060605_e.asp#002
- 14. http://canada.justice.gc.ca/en/ps/atip/provte.html
- 15. http://pqasb.pqarchiver.com/thestar/access/517737781.html?dids=517737781...
- 16. PIPEDA at s.3, supra.
- 17. A national standard: CAN/CSA-Q830-96.
- 18. http://www.qp.gov.ab.ca/documents/Acts/P06P5.cfm?frm_isbn=0779726316
- 19. http://www.oipc.bc.ca/legislation/PIPA2003%20(2004).pdf
- 20. http://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php...
- 21. http://cmte.parl.gc.ca/cmte/CommitteePublication.aspx?SourceId=204322
- 22. Id. at Recommendation 4.
- 23. Id. at Recommendation 14.
- 24. Id. at Recommendation 23-25.
- 25. Id. at Recommendation 16.
- 26. Id. at Recommendation 18-19.
- 27. http://www.michaelgeist.ca/content/view/1970/135/
- 28. http://www.canlii.org/eliisa/highlight.do?language=en&searchTitle=Federa...
- 29. http://www.canlii.org/ca/sta/b-1.01/
- 30. http://www.canlii.org/ca/sta/i-11.8/
- 31. http://www.canlii.org/ca/sta/t-19.8/
- 32. http://www.canlii.org/ca/sta/t-3.4/
- 33. Young Offenders Act, C. Y-1, s. 38.
- 34. http://www.canlii.org/ca/sta/c-44.6/
- 35. http://www.canlii.org/on/laws/sta/2004c.3sch.a/20050511/whole.html
- 36. http://www.qp.gov.ab.ca/Documents/acts/H05.CFM
- 37. http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php
- 38. http://www.qp.gov.sk.ca/documents/english/chapters/1999/H0-021.pdf
- 39. http://www.privcom.gc.ca
- 40. http://www.privcom.gc.ca/information/comms_e.asp#013
- 41. http://cases-dossiers.scc-csc.gc.ca/information/cms/docket_e.asp?31755
- 42. http://www.canlii.org/ca/cas/fct/2004/2004fc852.html
- 43. Id.
- 44. http://www.privcom.gc.ca/information/ar/200607/2006_pipeda_e.asp#051
- 45. Id.
- 46. Stephanie Perrin, Heather Black, David Flaherty & T. Murray Rankin, The Personal Information Protection and Electronic Documents Act: An Annotated Guide (Toronto, 2001).
- 47. See generally, "Your Privacy Responsibilities: A Guide for Business and Organizations," Office of the Privacy Commissioner of Canada, December 2000.
- 48. http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070627_e.asp
- 49. http://www.oipc.bc.ca/
- 50. http://www.ipc.on.ca/
- 51. http://www.cai.gouv.qc.ca/index-en.html
- 52. Information & Privacy Commissioner for British Columbia, available at http://www.oipcbc.org/sector_public/ usa_patriot_act/pdfs/report/privacy-final.pdf>.
- 53. http://www.privcom.gc.ca/media/nr-c/2004/sub_usapa_040818_e.pdf
- 54. http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/pm-prp/pm-prp_e.asp.