In response to a complaint against US-based data-broker Abika.com (see The Canadian Privacy Law Blog: CIPPIC complaint raises a number of novel and interesting issues), the Assistant Privacy Commissioner has posted a letter on the Commission's website lamenting that office's lack of ability to investigate beyond Canada's borders:

Letter released about Abika.com, an on-line data broker in the U.S. - Privacy Commissioner of Canada:

... In order to investigate Abika.com based in Cheyenne, Wyoming, our Office must have the requisite legislative authority to exercise our powers outside Canada. However, basic principles of sovereignty and comity under international law state that a country cannot legislate outside its borders. The general convention is that Canada only legislates for Canada and only regulates activities within its borders. While Parliament may legislate with extraterritorial effect, this is rarely done. In the infrequent case that it is, it is for national security purposes or for a limited class of other purposes. In assessing whether a statute is to be applied outside Canada, a court will consider the intention of the legislature when it enacted the statute. There is a strong presumption that, absent an explicit or implicit contrary intention, Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body’s jurisdiction.

There is nothing explicit in PIPEDA to suggest that it was meant to apply outside of Canada or that the powers of the Commissioner would extend beyond Canada’s borders. According to leading case law, where the language of a statute can be construed so as not to have extraterritorial effect, then that construction must be adopted. It seems clear that this Act should not be construed to have extraterritorial effect. In the absence of any express or implied legislative intent, I must conclude that PIPEDA has no direct application outside of Canada.

While it is clear that the Commissioner may request information from anyone who she believes may have information relevant to an investigation, the formal investigative powers apply only within Canada. Abika.com has not responded to our request for the names of its Canadian-based sources. As such, we have no means of identifying - let alone investigating - those who would represent a Canadian presence for this organization and further, have no ability to compel an American organization to respond.

Although you referred only to Abika.com, we noted that an Abika.ca existed and enquired with respect to its registration information, on the understanding that a “.ca” registration could not be granted without a Canadian presence. We learned that the registrant of the “.ca” may be a Canadian citizen, but is still residing and working in the United States. In other words, despite the existence of a “.ca” registration, there are still insufficient connecting factors to indicate a real and important link between Canada and Abika.com’s operations in the U.S. As such, we cannot bring Abika.com within Canadian jurisdiction and deem them subject to PIPEDA. As for the legitimacy of the website registration application, we have referred this matter to the Canadian Internet Registration Authority (CIRA) to pursue further.

Global e-commerce poses challenges to all national governments that attempt to safeguard privacy and protect consumers. As you are aware from ongoing meetings with our Office, we share your concerns about the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations. We agree that this raises serious privacy considerations. To this end, we have asked the Government of Canada to advise us what formal protocols, if any, exist that would allow us to investigate potential privacy breaches which may violate Canadian data protection laws. As important as it is, however, the specific instance you raise cannot be resolved through the complaint mechanism under PIPEDA....

For more on this issue, see The Canadian Privacy Law Blog: Jurisdictional limits on Canadian privacy law.

CIPPIC, which launched the complaint about Abika in the first place is not pleased by the OPC's response:

CIPPIC News - CIPPIC:

"In a letter dated Nov.18, 2005, the Assistant Privacy Commissioner of Canada responded to CIPPIC's 2004 complaint about Abika.com, a US-based online investigative service that offers to dig up detailed personal information about individuals, including telephone records. The Assistant Commissioner determined that "we cannot proceed with your complaint as we lack jurisdiction to compel U.S. organizations to produce the evidence necessary for us to conduct the investigation". Interestingly, however, the Privacy Commissioner's office recently launched an investigation in respect of another US-based online investigative service, Locatecell.com, using the information provided by a journalist who purchased the Privacy Commissioner's cell phone records and published a cover story on the issue. "

I'm not sure if you can make a direct comparison between the Abika complaint and the investigation of Locatecell.com, since it is pretty clear where in Canada that information actually came from (see: The Canadian Privacy Law Blog: MacLean's cover story on privacy and information brokers).

Labels: information breaches, privacy