One more province (partially) exempt from PIPEDA

The Federal government has expanded the list of organizations that are exempt from the Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that similar provincial legislation sufficiently protects the relevant personal information. As of October 10, 2012, health care organizations subject to Newfoundland and Labrador’s Personal Health Information Act (PHIA) are exempt from PIPEDA because provincial legislation is “substantially similar”.

Newfoundland and Labrador is now the sixth province to be granted an exemption from some or all of Part I of PIPEDA, and the third to enact exempted personal health information legislation.

Under s. 26(2)(b) of PIPEDA, organizations or activities subject to provincial privacy legislation that is substantially similar to Part I of PIPEDA can be exempted from PIPEDA for the collection, use or disclosure of personal information within that province. This ensures that organizations will not have to comply with two sets of rules that provide the same or greater protection for personal information.

It is important to note that exemptions from PIPEDA are granted only to relevant organizations for their activities within the relevant province. PIPEDA continues to apply to personal information collected, used or disclosed by federal works, undertakings and businesses, as well as to personal information collected, used or disclosed across provincial or Canadian borders in the course of business. The Newfoundland and Labrador exemption is therefore limited in scope as PIPEDA continues to apply to health care organizations’ collection, use and disclosure of personal health information from/into other provinces.

Newfoundland and Labrador’s PHIA has been in force since April 1, 2011. The legislation provides rules for organizations that collect, use and disclose health information that (i) could identify an individual, and (ii) relates to delivering or administering health care. Such organizations include health care providers and operators, provincial agencies involved in health care and health information, ambulance services, pharmacies and others. PHIA provides that consent from the individual must be obtained to collect, use and disclose health information except in specific circumstances. PHIA also provides that applicable organizations must take reasonable steps to secure health information and prevent its disclosure, failing which a fine of not more than $10,000 or imprisonment for a term not exceeding 6 months is possible. However, an organization will not be liable if it demonstrates that reasonable steps were taken to prevent the contravention.

Comprehensive personal information legislation in three provinces has already been declared to be substantially similar to PIPEDA: the Personal Information Protection Act, in British Columbia, the Personal Information Protection Act in Alberta, and An Act respecting the protection of personal information in the private sector in Quebec. Personal health information legislation of two other provinces, in addition to Newfoundland and Labrador, has been declared substantially similar: the Personal Health Information Privacy and Access Act in New Brunswick and the Personal Health Information Protection Act in Ontario. In light of this most recent exemption, it will be interesting to see if similar exemptions are granted in other provinces, leading to fewer organizations which are subject to PIPEDA.


CRTC clarifies anti-spam regulations: consent can include electronic forms

David Elder -

Following the registration, three weeks ago, of its new anti-spam regulations, the CRTC has issued a regulatory policy explaining the changes made to the draft regulations that it had originally proposed, as well as providing some guidance as to how some of the requirements will be interpreted.

In Telecom Regulatory Policy CRTC 2012-183, issued to coincide with the publication of the Electronic Commerce Protection Regulations (CRTC) in the Canada Gazette, the Commission notes that many of the changes to the originally proposed version of the Regulations were made in response to public comments, and in most cases were amendments intended to be less prescriptive and more technology neutral.

In an earlier post, we had summarized the main changes in the final regulations. Helpfully, the new Regulatory Policy appears to clarify several uncertainties that had been raised by these changes.

Perhaps most significantly, the Commission explicitly indicates in the Regulatory Policy that consent obtained “in writing” includes electronic forms of consent, putting to rest one of the more significant concerns of companies operating over the internet. In other contexts, the Commission has accepted electronic forms of consent where a user signifies agreement through some positive action, such as clicking on an “I agree” box.

Although now in final form, the Regulations are not yet in force. They will come into force on the day on which the core sections of Canada’s Anti-Spam Law come into force, which is expected to occur later this year.

CRTC tweaks anti-spam regulations

David Elder -

Final regulations made by the CRTC under Canada’s Anti-Spam Law (CASL) include a number of revisions that respond to concerns raised by Canadian businesses; but while some additional flexibility has been provided, the Commission appears to have left a number of other concerns unanswered.

On 7 March 2012, the CRTC registered its Electronic Commerce Protection Regulations (CRTC), a final version of draft regulations that were originally proposed in June 2011. Those regulations, and the related Electronic Commerce Protection Regulations that were proposed by Industry Canada, attracted significant criticism from the business community, which expressed concern that the regulations omitted some important clarifications of the requirements of the law, failed to provide exemptions for certain businesses and behaviours that should not be caught by the legislation, and imposed unworkable and unnecessary requirements that may have had a disproportionate impact on technologies such as text messaging.

Those hoping for significant additions to the CRTC Regulations will be disappointed, as the revised Regulations remain in the same form, and appear intended to accomplish the same end, as the earlier version: namely, clarifying the sender identity and contact information that must be included in commercial electronic messages and in requests for consent to send such messages. However, to be fair to the CRTC, this narrow focus is consistent with the scope of the regulation-making power provided to the Commission under CASL.

The final Regulations include the following changes from those originally proposed:

  • Clarification that persons sending a message, or persons on whose behalf a message is sent, must identify themselves by the name by which they carry on business.
  • Greater choice with respect to the contact information to be provided. Senders, and those seeking consent to send messages, may now provide either a telephone number providing access to an agent or a voice messaging system, an email address or a web address. The original proposal seemed to require the provision of all of these, as well as a physical address.
  • Revised requirements that web-based information be “readily accessible” and that the required unsubscribe mechanism must “be able to be readily performed.” The original proposed Regulations specified these requirements with reference to a maximum number of “clicks.”
  • The revised Regulations now indicate that consent for the receipt of a commercial electronic message may be obtained orally, in addition to in writing (the only form the original proposed regulations provided for); however, the Regulations do not provide certainty as to whether electronic forms of consent will be considered to be “in writing,” which was the chief concern of many stakeholders with this requirement. See our earlier post for a discussion of this issue.
  • The Regulations still require that, when seeking consent, requestors include a statement indicating that consent can be withdrawn, but they no longer require the requestor to specify through which avenues such a withdrawal of consent could be made.

The publishing of the CRTC Regulations puts the country one step closer to CASL being proclaimed in force. The other shoes to drop include finalization of the Industry Canada Regulations (a revised version of which is expected to be published in the near future) and the selection of a vendor to run the Spam Reporting Centre contemplated by the Act.

Facebook reaches agreement with German officials over privacy concerns

Yesterday, Facebook reached an agreement with German data protection officials in order to end a dispute over the social networking site’s “Friend Finder” application. Hamburg’s Data Protection Authority received complaints about the feature, which allows Facebook to send unsolicited email invitations to non-members through current members’ address books. The agreement comes as a response to legal proceedings launched by German officials last year against Facebook for accessing and saving the private data of non-members without their permission. For more information, see this article from the Globe and Mail.

How much money is privacy worth?

According to two recent Federal Court decisions, privacy, though protected by the law, is not worth that much money when it comes to actual damage awards.

While most privacy complaints are resolved through the Office of the Privacy Commissioner of Canada, some cases are litigated in court with plaintiffs hoping to receive monetary compensation for privacy violations. Two such cases are Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII) and Stevens v. SNF Maritime Metal Inc. 2010 FC 1137 (CanLII).

Randall involved a situation where an employee’s attendance at a fitness club was regularly reported back to his employer, which paid half of his monthly fees as part of his benefits package. While the Federal Court agreed that this constituted a violation of his privacy rights, the Court did not award any damages, stating that only egregious breaches such as video-taping and phone-line tapping warranted compensation. In Stevens, the Federal Court reached the same conclusion and found that while the applicant’s rights were violated when his employer accessed his personal account information, the wrong was not malicious and therefore did not warrant an award of damages. The Court noted that the company had then voluntarily put into place a confidentiality policy which would help prevent such situations in the future.

From these decisions, the Federal Court has shown that while privacy violations are readily recognized and condemned, they will rarely result in any monetary compensation. While Michael Geist states that this may have the unintended consequence of diminishing respect for privacy compliance due to a focus on the bottom line, it is important that companies recognize the other costs involved in breaching privacy, such as a damaged reputation and the cost of litigation. It is always advisable for companies to have and follow privacy policies, which will protect both themselves and their employees.

Facebook publishes natural language privacy policy

In November 2009, Facebook responded to privacy concerns by publishing a new, natural language privacy policy. The new policy will first be available for public review and comment, before eventually replacing the current “legalese” version. Last August, Facebook was forced to change its privacy policy, in response to a complaint filed by a Canadian law student with Canada’s Privacy Commissioner. The natural language privacy policy reflects Facebook’s goal to improve “transparency and readability”, according to communications and public policy executive Elliot Schrage.

U.S. federal agencies publish final model GLBA privacy form

On November 16, 2009, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; the Federal Trade Commission; the Commodity Futures Trading Commission; and the Securities and Exchange Commission (collectively, the Agencies) published a final rule amending the rules that implement the privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA). Pursuant to the final rule, the Agencies are adopting an optional model privacy form that financial institutions may rely on as a safe harbour and that will satisfy their privacy notice obligations under the GLBA. The final rule will come into effect on December 31, 2009.

The model form replaces the “sample clauses” previously contained in the Agencies’ privacy rules and used by many financial institutions in their GLBA notices as a safe harbour. The Securities and Exchange Commission is eliminating the guidance associated with, and the other Agencies are eliminating the safe harbour permitted for, notices based on the sample clauses if the notice is provided after December 31, 2010.

The final rule includes three versions of the model form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by telephone, online and/or mail-in.