The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Monday, November 21, 2005

Office of the Privacy Commissioner responds to complaint against US data-broker: No jurisdiction to investigate outside of Canada 

In response to a complaint against US-based data-broker (see The Canadian Privacy Law Blog: CIPPIC complaint raises a number of novel and interesting issues), the Assistant Privacy Commissioner has posted a letter on the Commission's website lamenting that office's lack of ability to investigate beyond Canada's borders:

Letter released about, an on-line data broker in the U.S. - Privacy Commissioner of Canada:

... In order to investigate based in Cheyenne, Wyoming, our Office must have the requisite legislative authority to exercise our powers outside Canada. However, basic principles of sovereignty and comity under international law state that a country cannot legislate outside its borders. The general convention is that Canada only legislates for Canada and only regulates activities within its borders. While Parliament may legislate with extraterritorial effect, this is rarely done. In the infrequent case that it is, it is for national security purposes or for a limited class of other purposes. In assessing whether a statute is to be applied outside Canada, a court will consider the intention of the legislature when it enacted the statute. There is a strong presumption that, absent an explicit or implicit contrary intention, Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body’s jurisdiction.

There is nothing explicit in PIPEDA to suggest that it was meant to apply outside of Canada or that the powers of the Commissioner would extend beyond Canada’s borders. According to leading case law, where the language of a statute can be construed so as not to have extraterritorial effect, then that construction must be adopted. It seems clear that this Act should not be construed to have extraterritorial effect. In the absence of any express or implied legislative intent, I must conclude that PIPEDA has no direct application outside of Canada.

While it is clear that the Commissioner may request information from anyone who she believes may have information relevant to an investigation, the formal investigative powers apply only within Canada. has not responded to our request for the names of its Canadian-based sources. As such, we have no means of identifying - let alone investigating - those who would represent a Canadian presence for this organization and further, have no ability to compel an American organization to respond.

Although you referred only to, we noted that an existed and enquired with respect to its registration information, on the understanding that a “.ca” registration could not be granted without a Canadian presence. We learned that the registrant of the “.ca” may be a Canadian citizen, but is still residing and working in the United States. In other words, despite the existence of a “.ca” registration, there are still insufficient connecting factors to indicate a real and important link between Canada and’s operations in the U.S. As such, we cannot bring within Canadian jurisdiction and deem them subject to PIPEDA. As for the legitimacy of the website registration application, we have referred this matter to the Canadian Internet Registration Authority (CIRA) to pursue further.

Global e-commerce poses challenges to all national governments that attempt to safeguard privacy and protect consumers. As you are aware from ongoing meetings with our Office, we share your concerns about the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations. We agree that this raises serious privacy considerations. To this end, we have asked the Government of Canada to advise us what formal protocols, if any, exist that would allow us to investigate potential privacy breaches which may violate Canadian data protection laws. As important as it is, however, the specific instance you raise cannot be resolved through the complaint mechanism under PIPEDA....

For more on this issue, see The Canadian Privacy Law Blog: Jurisdictional limits on Canadian privacy law.

CIPPIC, which launched the complaint about Abika in the first place is not pleased by the OPC's response:


"In a letter dated Nov.18, 2005, the Assistant Privacy Commissioner of Canada responded to CIPPIC's 2004 complaint about, a US-based online investigative service that offers to dig up detailed personal information about individuals, including telephone records. The Assistant Commissioner determined that "we cannot proceed with your complaint as we lack jurisdiction to compel U.S. organizations to produce the evidence necessary for us to conduct the investigation". Interestingly, however, the Privacy Commissioner's office recently launched an investigation in respect of another US-based online investigative service,, using the information provided by a journalist who purchased the Privacy Commissioner's cell phone records and published a cover story on the issue. "

I'm not sure if you can make a direct comparison between the Abika complaint and the investigation of, since it is pretty clear where in Canada that information actually came from (see: The Canadian Privacy Law Blog: MacLean's cover story on privacy and information brokers).

Labels: ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs