When was PIPEDA enacted?
And the consequences are starting to become clear. Many people live much of their lives online. According to some estimates, Canadians lead the world in Internet use (Footnote 5). When we browse online, conduct searches, communicate with our friends or download music, we create data trails that reveal a great deal about who we are: our interests, our habits, our opinions and, in many cases, even where we are.
According to IBM, we are globally creating vast quantities of data every day; ninety per cent of the data that exists in the world today has been created in the last two years (Footnote 7). Personal information is central to the global digital economy. Some of the largest companies boast customers or users in the hundreds of millions. Facebook, for example, has more than one billion users worldwide, including almost 20 million in Canada.
Twitter, too, counts its users in the millions. Even smaller organizations, particularly those with a digital presence, are increasingly collecting large quantities of personal information (Footnote 8). Most Internet companies offer their services at no monetary cost. They are, however, under increasing pressure to find ways to turn a profit from those services, and one of the most obvious options is to capitalize on their treasure trove of personal information.
It is a highly competitive environment, with new players appearing seemingly daily. Increasingly, companies are seeking to combine online and offline data, which gives them more insight into their customers and lets them anticipate needs and wants, sometimes before individuals are themselves aware of them (Footnote 9). Seventy percent of the Canadians we surveyed believe that they have less personal information protection than they did 10 years ago.
Fifty-six percent say they are not confident that they know how new technologies affect their privacy, up from forty-seven percent in the previous survey (Footnote). As the environment evolves, the risks to privacy continue to grow.
Organizations are using personal information in ways previously unimaginable. While many of these new uses will have the potential to benefit individuals and society, there are risks that personal information may be used in ways that are highly intrusive and offend our sense of privacy. Even when the information is not misused, it could be lost, accessed without authorization or stolen by sophisticated hackers. Given that the goal of PIPEDA is to achieve a balance between the privacy rights of individuals and the legitimate needs of organizations to collect, use or disclose personal information for an appropriate purpose, it is important to examine whether that objective is being met in the evolving environment and how PIPEDA could be improved to better achieve that goal.
In the 12 years in which we have been overseeing compliance with PIPEDA and monitoring the changing environment, we have identified four pressure points. Under the Act's ombudsman model, the Commissioner may seek resolution through negotiation, persuasion and mediation.
While the Commissioner may encourage compliance by naming respondent organizations when it is deemed in the public interest, she herself has no direct enforcement powers.
The Commissioner can only, in certain circumstances, apply to the Federal Court, which may hear certain matters raised in complaints to her Office, order the respondent to take action to correct its practices, or award damages to the complainant. The appropriateness of the current PIPEDA enforcement model has been debated since before the law came into force and throughout the years since.
While the question was raised during the first mandated review of the law, the Privacy Commissioner opted not to propose changes to the enforcement structure at that time, for a number of reasons. The Office was just emerging from a period of instability, scrutiny and reduced capacity, and it was still early days in terms of interpreting and applying PIPEDA. Instead, the Office signalled its intent to make greater use of its existing powers to conduct audits, initiate complaints and resort to court action in order to encourage greater compliance with the law.
In addition to investigating thousands of complaints received from individuals, the Commissioner has herself initiated 38 complaint investigations and conducted three audits of PIPEDA-regulated organizations since then. Over the same period, the Commissioner has named companies in the public interest 32 times and initiated 17 court actions.
However, as globalization creates a more open economy, the Office is no longer dealing solely with Canadian companies. Many are headquartered in other countries, with or without their own regulatory privacy requirements. It is legitimate to question how a small entity with limited resources, such as the OPC, can attract the attention of these companies and proactively encourage them to comply with PIPEDA when the reality is that there are very limited consequences for contravening Canadian privacy law.
We have made use of the existing tools under the Act, and in some cases, we have been successful in prompting change — but often after we have invested significant resources and almost always after the fact.
We have seen some organizations ignore our recommendations until the matter goes to Court; others, in the name of consultation with the Office, pay lip service to our concerns but ultimately ignore our advice.
Soft recommendations with few consequences for non-compliance (Footnote 15) are no longer effective in a rapidly changing environment where privacy risks are on the rise. It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not.
Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data. Several provincial commissioners have order-making powers, in addition to other functions prescribed in their legislation that are similar to those of the OPC, such as carrying out investigations, conducting research or educating business or the public about privacy issues. Order-making powers do not inhibit the ability of those commissioners to perform a range of functions.
In fact, this multiplicity of roles is commonplace for many administrative agencies. In other jurisdictions, there has been a trend towards more robust enforcement powers and more substantial penalties and fines. The U.S. Federal Trade Commission (FTC) has negotiated a number of high-profile financial settlements over privacy infractions (Footnote). In the United Kingdom, stronger enforcement powers have not precluded an ombudsman-like approach where appropriate, and fines have been issued only where a softer touch has failed.
In the European Union, to bring some uniformity to the powers of data protection authorities (DPAs) across member states, one aspect of the proposed Regulation calls for all DPAs to have the power to issue orders to cease specific activities, to correct, erase or destroy data, and to provide individuals with access to their data.
In addition to making breach reporting mandatory, the proposed Regulation would empower each DPA to impose administrative sanctions, ranging from warnings to fines (Footnote). One of the reasons PIPEDA was enacted was to give Canada a level of protection for personal information that would facilitate the flow of personal information from EU member states to Canada. The current EU Data Protection Directive, which the proposed Regulation would replace, introduced a requirement that member states allow transfers of personal information to a third country such as Canada only if that country ensures an adequate level of protection for the information.
The adequacy concept is retained under the Regulation. Against the backdrop of these changes, the enforcement model provided for under PIPEDA appears increasingly out of date.
When it was introduced, PIPEDA was considered a leader among data protection laws because of its technology-neutral, principles-based approach. The past decade, however, has seen new laws elsewhere give data protection authorities stronger powers commensurate with the increasing risks to personal information.
While the Commissioner currently has the power to name a company in the public interest, which may encourage some companies to adopt her recommendations in order to avoid negative publicity about offside privacy practices, naming is ultimately only one means of encouraging compliance.
Recommendation 1: Strengthen enforcement and encourage greater compliance.
There are a number of options that, alone or in combination, could strengthen the current enforcement model and encourage greater compliance with the Act. One option would be statutory damages administered by the Federal Court. Another would be to give the Commissioner the power to order organizations to do, or cease doing, something in order to bring themselves into compliance with PIPEDA. A third would be to afford the Commissioner the power to impose administrative monetary penalties in cases that warrant it. Each of these options is explored further below.
Under the statutory damages model, damages would be awarded for contraventions of certain PIPEDA provisions without requiring the claimant to prove an actual loss stemming from the contravention. A range of damage awards could be prescribed, setting out minimum and maximum amounts for contraventions of specific provisions. Within that range, courts would assess damages based on a number of explicit factors.
From a policy perspective, statutory damages are appropriate in situations in which it is difficult or impossible for a plaintiff to prove a quantifiable loss as a result of a contravention of the law.
Challenging Compliance
To be PIPEDA compliant, organizations must conduct their affairs in a manner consistent with the 10 fair information principles set out in Schedule 1 of the Act (the CSA Model Code). The cornerstone of PIPEDA is that "personal information" may not be collected, used or disclosed in the context of a "commercial activity" without the consent of the individual to whom the information relates.
PIPEDA does not apply to data that have been made anonymous, and it does not apply to information that is already in the public domain. That being said, personal information in the public domain may likely only be used in a manner consistent with the reason that the information is found there.
PIPEDA does not apply to personal information about employees collected, used or disclosed by an organization in the employment context unless the information is collected, used or disclosed in connection with the operation of a federal work, undertaking or business. As the employment relationship typically falls within provincial jurisdiction, one would have to look to the laws in each province to determine what, if any, obligations exist in respect of the privacy or confidentiality of employee personal information.
The common law may also affect privacy rights in the workplace. In addition to these general exceptions, there are specific exceptions to the consent requirement in PIPEDA, which are set out in the legislation. To comply with the Act, an organization must, among other things:
Develop a process for obtaining consent for the collection, use and disclosure of personal information. To be valid, consent must be meaningful and freely given.
An organization cannot require a person to consent to the collection, use and disclosure of personal information as a precondition of providing a service unless the collection, use or disclosure is reasonably required to fulfil explicitly stated and legitimate purposes. Consent may be express or implied, oral or written. The appropriate form of consent depends on the circumstances and the sensitivity of the personal information in question.
Ensure that personal information in its possession, power and control is kept up to date and accurate, to minimize the possibility that inaccurate information is used to make a decision about an individual. This responsibility must be tempered, however, by the organization's obligation not to routinely update information unless doing so is necessary to fulfil the purposes for which the information was collected.
Reconciling these requirements will require organizations to re-evaluate their data retention policies. Develop and implement a Privacy Policy that is consistent with the Model Code's 10 principles, sets out the organization's purposes for collecting, using and disclosing personal information, and sets out the measures taken to safeguard that information.
The Privacy Policy must also provide a mechanism for individuals to access their personal information and a mechanism for making and responding to inquiries and complaints. The Privacy Commissioner encourages organizations to ensure that the designated Privacy Officer, the individual accountable for the organization's compliance with the Act, is a member of senior management. Publicize the Privacy Policy and the identity and contact information of the Privacy Officer.
An organization must also publicize the kinds of personal information it holds, how it can be accessed, and what types of personal information it provides to third parties, including its subsidiaries and/or parent company.
Implement security measures to protect the personal information in its control, appropriate to the sensitivity of that information. Such measures must protect both hard copies and electronic copies of personal information against theft and other unauthorized access, disclosure, use or modification.
Where a complaint is brought to the Privacy Commissioner, he or she may investigate the organization that is the subject of the complaint once provided with reasonable grounds to believe that a privacy violation has occurred. Under PIPEDA's Accountability principle, other individuals within the organization may be delegated to act on behalf of the designated individual(s).
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Organizations shall implement policies and practices to give effect to the principles, including. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle Clause 4. Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes.
The Limiting Collection principle Clause 4. The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.
Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes. When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use.
Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, please refer to the Consent principle Clause 4. Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected. This principle is linked closely to the Limiting Collection principle Clause 4.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual.
For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.
Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent.
For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use for example, when an organization wants to use information for a purpose not previously identified.
Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information for example, medical records and income records is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information.
However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive. In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception. The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected.
An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative such as a legal guardian or a person having power of attorney.
By completing and signing the form, the individual is giving consent to the collection and the specified uses. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties. An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
The organization shall inform the individual of the implications of such withdrawal. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle Clause 4.
The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception. This principle is linked closely to the Identifying Purposes principle Clause 4.
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes. Organizations using personal information for a new purpose shall document this purpose see Clause 4.
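The Consent, Limiting Collection and Limiting Use, Disclosure and Retention principles above are rules an organization has to enforce in its systems, not just in its policy. The following is an added example written for this page, not code from the OPC, from the Act, or from any organization the page mentions. It is a small Python access-control layer that binds every stored record to the purposes identified at collection, refuses use for a purpose the individual has not consented to, honours withdrawal, and purges records once every purpose they were collected for has passed its retention period. The retention schedule, subject names, attribute names and sample records are constructed for illustration.

```python
"""Purpose-limited use and retention of personal information.

Added example, not taken from PIPEDA or the OPC. The retention schedule,
subjects, attributes and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Consent:
    subject_id: str
    purposes: frozenset            # purposes identified at or before collection
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None   # set when the individual withdraws


@dataclass
class Record:
    subject_id: str
    attribute: str                 # e.g. "postal_address"
    value: str
    collected_at: datetime
    purposes: frozenset            # purposes this record was collected for


# Hypothetical retention schedule: how long each purpose needs the data.
RETENTION = {
    "order_fulfilment": timedelta(days=365),
    "marketing": timedelta(days=730),
    "fraud_detection": timedelta(days=180),
}


class PersonalInfoStore:
    def __init__(self) -> None:
        self.consents: dict = {}
        self.records: list = []
        self.audit: list = []      # one line per decision, with the reason

    def grant(self, consent: Consent) -> None:
        self.consents[consent.subject_id] = consent

    def withdraw(self, subject_id: str, when: datetime) -> None:
        # Withdrawal is allowed at any time; later uses are refused.
        self.consents[subject_id].withdrawn_at = when
        self.audit.append(f"WITHDRAW {subject_id} {when.date()}")

    def collect(self, rec: Record) -> bool:
        # Limiting Collection: only accept data for purposes the subject consented to.
        c = self.consents.get(rec.subject_id)
        if c is None or not rec.purposes <= c.purposes:
            self.audit.append(f"REFUSE collect {rec.subject_id}/{rec.attribute}: no consent")
            return False
        self.records.append(rec)
        return True

    def use(self, subject_id: str, attribute: str, purpose: str, now: datetime) -> Optional[str]:
        # Limiting Use: return the value only for a consented, unexpired purpose.
        c = self.consents.get(subject_id)
        if c is None or purpose not in c.purposes:
            reason = "purpose not consented to; fresh consent required"
        elif c.withdrawn_at is not None and c.withdrawn_at <= now:
            reason = "consent withdrawn"
        else:
            reason = "no record collected for that purpose"
            for r in self.records:
                if r.subject_id == subject_id and r.attribute == attribute and purpose in r.purposes:
                    if now - r.collected_at <= RETENTION[purpose]:
                        self.audit.append(f"ALLOW {subject_id}/{attribute} for {purpose}")
                        return r.value
                    reason = "retention period for purpose elapsed"
                    break
        self.audit.append(f"DENY {subject_id}/{attribute} for {purpose}: {reason}")
        return None

    def purge_expired(self, now: datetime) -> int:
        # Retention: drop a record once every purpose it was collected for has expired.
        keep = [r for r in self.records
                if any(now - r.collected_at <= RETENTION[p] for p in r.purposes)]
        dropped = len(self.records) - len(keep)
        self.records = keep
        return dropped


def demo() -> dict:
    """Walk the store through the cases the principles describe; returns outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = PersonalInfoStore()
    store.grant(Consent("alice", frozenset({"order_fulfilment", "fraud_detection"}), t0))
    store.collect(Record("alice", "postal_address", "1 Example St", t0, frozenset({"order_fulfilment"})))
    store.collect(Record("alice", "email", "alice@example.test", t0, frozenset({"fraud_detection"})))
    out = {}
    out["bob_collect"] = store.collect(Record("bob", "email", "bob@example.test", t0, frozenset({"marketing"})))
    out["ship"] = store.use("alice", "postal_address", "order_fulfilment", t0 + timedelta(days=30))
    out["market"] = store.use("alice", "postal_address", "marketing", t0 + timedelta(days=30))
    out["fraud_late"] = store.use("alice", "email", "fraud_detection", t0 + timedelta(days=200))
    out["purged"] = store.purge_expired(t0 + timedelta(days=200))
    store.withdraw("alice", t0 + timedelta(days=300))
    out["after_withdraw"] = store.use("alice", "postal_address", "order_fulfilment", t0 + timedelta(days=301))
    out["audit"] = list(store.audit)
    return out


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point of keeping purposes on each record rather than only on the consent is that a new purpose (here, marketing) is refused even though the data are already held, which is exactly the case the Identifying Purposes and Consent principles address; the audit trail gives the designated individual the evidence needed to answer an inquiry or complaint.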