The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, February 12, 2010
Over the last month, the Office of the Privacy Commissioner of Canada has launched two public consultations related to new and emerging technologies. The first, called for in January of this year, relates to "online tracking, profiling and targeting of consumers by marketers and other businesses." The second, which will focus on cloud computing, was announced yesterday. The consultations call for written submissions and will culminate with public events in Toronto, Montreal and Calgary.
It will be interesting to see what these consultations bring to the fore, particularly in light of the Commissioner's observation that PIPEDA has been "sorely tested" over the last decade and may need fortification for the next decade:
Speech: The Future of Privacy Regulation – February 10, 2010
"But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested. We have bent and stretched it in many different ways.
And, if we don’t want it to snap, we need to figure out how to fortify it for the decade ahead.
For that, we need to look at our privacy laws and administrative structures. We need to dramatically modernize the Privacy Act, which governs the public sector, and to consider whether PIPEDA, the private-sector Personal Information Protection and Electronic Documents Act, remains suited for the next 10 years.
But we cannot function in isolation. We need to examine what’s happening in other jurisdictions, and work with them on common approaches to the challenges we all share."
PIPEDA, for all its weirdness as a statute, is in my view surprisingly resilient. It is because it is based on flexible principles rather than prescriptive rules that it can accommodate various industries and new technologies. The defects that were there on day one are generally still there, but its technological neutrality was well drafted and has withstood the test of time.
For example, it is firmly based on the idea of reasonableness, notice and consent. Provided the purposes are reasonable, there is notice and consent it obtained, the law fits and will work. This is regardless of whether the information is collected online, in person or via stone tablets. It works if the information is directly indentifiable to the individual (name), can lead to the identification of the individual (other identifier) or relates to some characteristic of the individual (house price). The exceptions to the law, such as journalistic collections of information, are generally reasonable and in fact necessary in light of the Charter of Rights and Freedoms.
Perhaps some guidance is useful. For example, it would help to have some consensus on best practices for notices to individuals related to the use of persisent cookies or when information will potentially cross borders. But ultimately all of these are within the domain of a judge interpreting the statute, who will have a pretty robust, principled, technologically neutral lens to look through.
Those are just my thoughts ... it will be interesting to see what the participants have to say.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.