No dice: Supreme Court declares Alberta privacy law unconstitutional in Palace Casino case

David Elder -

In a landmark ruling, the Supreme Court of Canada has declared Alberta’s Personal Information Protection Act (PIPA) to be invalid in its entirety, finding that it infringes the freedom of expression guaranteed by the Canadian Charter of Rights and Freedoms by limiting the ability of labour unions to videotape and photograph individuals crossing a picket line.

The declaration of invalidity is suspended for a period of 12 months to give the legislature time to decide how best to make the law constitutional. In light of the “comprehensive and integrated structure” of the law, the Court decided to strike PIPA down in its entirety, rather than declare as invalid particular provisions.

The Court’s ruling was made in the case of Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, which iscommonly referenced as the “Palace Casino” case, as the case arose in the context of a labour dispute between the management and employees of an Edmonton casino of that name.

As we noted in a previous post, the case considered complaints made by individuals who were videotaped by the union as they crossed the picket line in front of the casino.  Like other Canadian private sector privacy laws, Alberta’s PIPA generally requires the consent of individuals for the collection, use and disclosure of their personal information, including videotaped images of identifiable individuals.  The union, which did not obtain such consent, videotaped and photographed the picket lines in order to publicize the images of individuals crossing the lines.  An Adjudicator for the Information and Privacy Commissioner of Alberta found that the union had contravened the Act, and ordered the union to stop such collection and destroy any personal information obtained in breach of the Act.

The judgement focuses in particular on the breadth of PIPA, which the Court found limits the non-consensual collection, use and disclosure of personal information without regard for the nature of the information, or the purpose or context for its collection, use or disclosure. It is this approach, which the court found “deems virtually all personal information to be protected regardless of context,” which resulted in a finding of a Charter violation, since PIPA excludes any mechanisms by which a union’s constitutional right to freedom of expression may be balanced with the privacy interests protected by the Act.

Moreover, the Court noted that picketing represents a particularly crucial form of expression, and that the restrictions imposed by the statute impaired the ability of the union to communicate with and persuade the public, one of its most effective bargaining strategies in the course of a lawful strike. As a result, the Court found that the infringement of the freedom of expression was not justified under s. 1 of the Charter.

The ruling will have significant implications for other private sector privacy laws in Canada, and particularly with the existing provincial privacy laws in British Columbia, Québec and Manitoba (although the latter is not yet in force). Implications for the federal law, the Personal Information Protection and Electronic Documents Act, which applies in the remaining provinces, are less clear, since the federal applies to the collection of personal information from the public only in the course of commercial activities, which would not appear to include the activities of a union during a labour dispute.

Manitobans get new privacy law, but no one to complain to

David Elder and Bessie Qu -

Nearly a decade after British Columbia and Alberta enacted their own private sector privacy laws, Manitoba’s Legislative Assembly recently passed the Personal Information Protection and Identity Theft Prevention Act (PIPITPA or the Act), a privacy statute governing the private sector in that province.

The Act, which has yet to be proclaimed in force, will apply to the collection, use and disclosure of personal information by organizations carrying on commercial activities in Manitoba, and will govern the handling of both consumer and employee information. While much of the Act is modeled after Alberta’s Personal Information Protection Act (PIPA), several differences are worth noting:

Oversight – strangely,unlike the other federal and provincial private sector privacy laws, which are administered and enforced by their respective privacy commissioners, the new Manitoba law does not establish a privacy commissioner’s office to oversee the bill. Moreover, it lacks any sort of complaint mechanism by which individuals might file complaints relating to non-compliance with the Act (although the Act gives limited procedural powers to the  province's Ombudsman, an existing office that otherwise investigates and reports on general complaints with respect to the operation of  government).  This odd structure is apparently due to the fact that the law originated as a private member’s bill, which, under legislative rules, could not contain provisions that would have placed additional financial obligations on the government.

Private right of action - the Act provides individuals a statutory right of action to claim damages arising out of failure to safeguard personal information or to provide notification of a privacy breach. Unlike the private sector privacy statutes in Alberta and British Columbia, the Manitoba law does not make its private right of action conditional on a finding by the regulator of a violation of the statute; rather, aggrieved individuals can directly bring an action, without any oversight or involvement whatsoever by the Ombudsman. The statute does not explicitly indicate whether the damages available through such an action would include moral damages or damages for non-pecuniary losses, although this has certainly been the case in other jurisdictions. Given the lack of a complaint mechanism or the requirement that the Ombudsman make a finding of non-compliance before an action for damages may be initiated, the enforcement of the Act may largely be driven by private litigation, and could serve to encourage the filing of class action suits for privacy breaches in Manitoba.  Although the Act does provide that non-compliance with the key requirements of the Act constitutes an offence carrying fines of up to $100,000 for businesses, it seems unlikely that scarce Crown resources would be directed at the investigation and prosecution of any but the most egregious of privacy violations.

Breach notification - one of the other distinguishing features of the Act is the breach notification provision, which requires organizations to notify affected individuals directly, instead of notifying a regulator, if their personal information has been stolen, lost or accessed in an unauthorized manner. Notice is not required where a law enforcement agency investigating the breach instructs the organization to not disclose the breach or where the organization itself is satisfied that it is not reasonably possible for the information to be used unlawfully. Unlike Alberta’s PIPA, the Act does not contain a harm threshold for triggering the notification requirement, which suggests that all breaches can potentially trigger notification.

The handling of personal information by private sector organizations in Manitoba is currently governed by the federal private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information in the course of commercial activity, but does not apply to the handling of employee data by most employers in the province, as PIPEDA applies only to employee personal information that is handled by federally regulated organizations. The new Manitoba law would introduce a privacy framework for the handling of employee personal information.

PIPEDA will continue to apply - even after PIPITPA is proclaimed in force - until the Governor in Council is satisfied that the Manitoba law is substantially similar to Part 1 of PIPEDA. However, without a complaint mechanism, it remains to be seen whether PIPITPA, in its current form, would be considered “substantially similar” to the federal law, raising the possibility that Manitoba organizations might be faced with complying with two overlapping privacy laws. To avoid this possibility, the Government of Manitoba could introduce a bill amending PIPITPA so as to introduce a complaint mechanism and clarify an oversight role.

New privacy bill would require breach notification, allow Commissioner to make orders

David Elder -

In an apparent attempt to apply pressure to the government to amend the federal private sector privacy law, New Democrat Digital Issues Critic Charmaine Borg recently introduced a private members bill that would introduce mandatory data breach reporting and provide the Privacy Commissioner of Canada with direct enforcement powers.

The government’s own bill to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in September of 2011, but Bill C-12, as the bill is known, has not moved forward since that time. 

The New Democrat bill, known as C-475, differs from C-12 in several important ways.

First, C-475 would require that organizations report data breaches to the Privacy Commissioner, who would then determine whether the organization would be required to notify affected individuals (although organizations would not be precluded from providing such notice).   By contrast, Bill C-12 includes a provision that would require organizations to report data breaches to the Privacy Commissioner, as well as to notify affected individuals in certain circumstances.

Bill C-475 also contemplates what appear to be lower standards for the types of breaches that require reporting, or with respect to which the Privacy Commissioner may require notification of affected individuals, likely resulting in more reports and notifications than under the government bill. 

In this regard, Bill C-12 requires organizations to report material breaches of security safeguards involving personal information; Bill C-475 requires organizations to notify the Privacy Commissioner where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the breach. With respect to notification of affected individuals, Bill C-12 would require organizations to notify an individual where it is reasonable to conclude that the breach creates a real risk of significant harm to the individual; Bill C-475 would provide that the Privacy Commissioner may require an organization to notify affected individuals to whom there is “an appreciable risk of harm” as a result of the breach.

Bill C-475 would also provide the Privacy Commissioner with new enforcement powers respecting compliance with PIPEDA as a whole, including the ability to issue orders requiring organizations to take corrective action to come into compliance with the law and to publish notices of any such action taken or proposed to be taken. The Bill would also provide the Privacy Commissioner with the ability to seek from the Federal Court penalties of up to $500,000 against organizations that do not comply with orders issued by the Commissioner. 

The Bill would also create a private right of action whereby individuals affected by any violation of PIPEDA that was made the subject of a Privacy Commissioner order may seek damages for losses suffered as a result of the non-compliance.

At the same time, the New Democrat bill omits several important business-friendly reforms contained in the government bill, including a clearer and more expansive carve out for business contact information and a prospective business transaction exception that would allow businesses to disclose personal information without consent in the context of certain transactions, including mergers, acquisitions and financing.

Many business concerns remain following revisions to anti-spam regulations

David Elder -

Much-anticipated revisions to the originally proposed Electronic Commerce Protection Regulations provide some useful clarifications and additional exemptions with respect to Canada’s Anti-Spam Law (CASL), but many concerns remain with respect to the potential over-reach of the not-yet-in-force law and the unnecessary and burdensome financial and administrative obligations that it may impose on legitimate business activity.

In fact, while the revised Regulations do respond to some of the concerns raised with respect to the previously proposed regulations – and indeed, the Act as a whole - the new Regulations may be more notable for what they don’t include than for what they do cover. 

In this regard, many of the issues raised and exemptions requested by the business community following the pre-publication of the original proposed Regulations have not been accommodated, including:

  • Accepting as valid under CASL consents to the receipt of commercial electronic messages that are obtained in compliance with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act.  In the explanatory remarks accompanying the proposed Regulations, the Government explicitly indicates that CASL is intended to create a higher threshold for consent for the receipt of commercial electronic messages.
  • Allowing Canadian businesses to send, on behalf of foreign organizations, commercial electronic messages to recipients outside of Canada.  Concerned with the potential for abuse by spammers, the Government rejected submissions that the lack of an exemption for such activity would put Canadian outsourcing and cloud computing firms at a significant disadvantage with respect to their foreign counterparts.
  • Allowing manufacturers without a direct relationship with end users of their products (such as where the products are purchased from a retailer) to send commercial electronic messages to those end users.  The Government rejected an exemption for manufacturers as too broad, but as noted below, has created new exemptions with respect to sending warranty and recall information.
  • Reducing the complexity of the requirements for the collection and withdrawal of consent for the receipt of commercial electronic messages sent by as-yet-unknown third parties.  The Regulations continue to require organizations collecting such consents on behalf of such third party organizations to engage in detailed tracking of such consents and take responsibility for the actions of such third parties.
  • Expanding the “existing business relationship” exemption to include legitimate commercial electronic messages sent in the context of additional ongoing business relationships, which do not clearly fall within the narrow definition of the current exemption.

Nevertheless, the revised regulations do provide some clarification of key legislative terms, as well as new exemptions for business activities that were not intended to be within the scope of CASL.  Moreover, the Government has indicated that Industry Canada and the CRTC are exploring the use of interpretational guidelines and other guidance material to provide clarity where appropriate.

Virtual Friends

One such clarification is that the revised Regulations amend the previous definition of “personal relationship” so as to correct what many argued was an unduly narrow exemption from the anti-spam requirements for commercial electronic messages sent between individuals.

CASL provides that its core anti-spam provision does not apply to commercial electronic messages that are sent by an individual to another individual with whom they have a “personal or family relationship.”  However, in the original regulations proposed by Industry Canada, the term “personal relationship” was defined so as to recognize only those relationships where the individuals concerned had actually met face-to-face within the previous 2 years.

The revised Regulations exempt commercial electronic messages sent between individuals who have had direct, voluntary two-way communications, in circumstances where it would be reasonable to conclude that the relationship is personal.  In reaching such a conclusion, all relevant factors are to be considered, including the nature and frequency of such communications, the length of time over which the parties have communicated and whether the parties have met in person.  The two-year limitation period has been removed.  Recipients of exempted “personal relationship” messages may opt-out of receipt of such messages, in which case the exemption no longer applies.

The exemption may be most relevant for businesses where they may facilitate or encourage customers to send commercial electronic messages to their personal networks, such as through “forward to a friend” features.

B2B Exemptions

One of the chief criticisms of the earlier regulations, and of CASL as a whole, has been that the since the definition of “commercial electronic message” is so broad, the Act could impose unnecessary consent and disclosure requirements on regular business communications that should not be within the scope of the law.

In response, the revised Regulations introduce new exemptions for commercial electronic messages sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by employees, representatives, contractors or franchisee and the message concerns the organization or the individual recipient’s role, functions or duties within or on behalf of the organization.

Messages in Response

Again, due to the broad definition of “commercial electronic message”, concerns were raised that businesses responding to inquiries could be caught by the anti-spam law.  While CASL includes an exemption for individuals contacting an organization to inquire about its business, there was no corresponding exemption with respect to the organization’s response.

Accordingly, the revised regulations include a new exemption for commercial electronic messages that are sent in response to a request, inquiry or complaint, or that is otherwise solicited by the recipient.

Incidentally in Canada

One of the key concerns of many foreign companies was that CASL applies to commercial electronic messages that are either sent from or accessed through a computer system located in Canada.  Accordingly, concerns arose about the potential application of the law to commercial electronic messages sent from outside Canada, to recipients who are ordinarily resident outside Canada, but who may access such messages during visits to Canada.

A new provision in the revised Regulations appears to largely satisfy this concern, by exempting such messages, provided that they relate to a product, good, service or organization located or provided outside Canada, and that the sender did not know and could not reasonably be expected to know that the message would be accessed using a computer system located in Canada.  However, uncertainties still remain, for example with respect to the treatment of a non-Canadian sender who also makes the product or service in question available through a Canadian subsidiary or affiliate.

Non-Transactional Business Communications

The revised Regulations also include a new provision exempting commercial electronic messages sent for purposes relating to the satisfaction, notification or enforcement of legal or juridical rights and obligations, such as sending warranty or recall information, electronic bank statements, notices of copyright infringement, etc..  Again, such an explicit exemption was considered necessary by some in view of the broad definition of commercial electronic message found in the Act.

Referral Messages

The revised Regulations contain a new exemption for commercial electronic messages sent based on a referral by one or more individuals, where such individuals have an existing business or non-business relationship or a personal or family relationship with the sender and the recipient.  The exemption applies only to the first commercial electronic message sent to contact the recipient, and the message must disclose the full name of the referring individual or individuals.  Several stakeholders had previously expressed concern that without such an exemption, they could not directly act upon referrals from friends, family and clients without first obtaining consent.

Telecom Service Provider Software

Finally, the revised regulations add two types of telecom service provider (TSP) software to the list of specified computer programs (such as HTML code, Java scripts, cookies, etc.), for which express consent is assumed if the individual’s conduct leads to a reasonable belief that they consent to such an installation.  The new exemptions relate to TSP programs to prevent unauthorized or fraudulent use of a service or system, or to update or upgrade systems on their networks.

Next Steps

While passed into law in December 2010, CASL has yet to be proclaimed in force, in part because the Government was awaiting the finalization of two sets of regulations: one to be made by Industry Canada, and one to be made by the CRTC.  The Electronic Commerce Protection Regulations (CRTC) were finalized last year, and the CRTC has issued two interpretation bulletins to provide guidance as to how it intends to apply those Regulations.

The proposed revisions to the remaining Electronic Commerce Protection Regulations were officially published for comment on January 5th, 2013, starting CASL on the final leg of its long journey to coming into force.  Following a 30 day comment period, it is expected that the Regulations will be finalized, and a date will be announced for the coming into force of the new anti-spam regime.

Panning for gold in the mud: the availability of privacy damages under PIPEDA

More than 10 years after the introduction of federal private sector privacy legislation in Canada, damage awards for breaches of the law have been few and far between -- and where such awards have been made, the dollar amounts awarded have been modest.

In light of the sometimes confusing, and even contradictory judgments to date, there is also considerable uncertainty as to when such damages might be awarded, and what evidentiary test a complainant might have to meet.

In Panning for gold in the mud: the availability of privacy damages under PIPEDA, in the December 2011 edition of the Canadian Privacy Law Review, David Elder of our Privacy and Data Protection Group, attempts to knit together the existing case law into a coherent analytic framework for the availability of privacy damages in Canada.

Article reproduced with permission of the publisher from Canadian Privacy Law Review, Vol. 9, No. 1, December 2011.

Nothing up in the air about privacy: foreign airline must comply with Canadian law

David Elder -

When in Rome, do as the Romans do.  Similarly, when doing business in Canada, do as Canadian privacy law requires.

That is the lesson learned by a foreign-based airline following a finding by the Office of the Privacy Commissioner (OPC) of Canada that the carrier had violated Canadian privacy law, even though the company operates in compliance with European privacy requirements.  The decision further confirms the fact that foreign businesses that operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.

In a Report of Findings recently posted by the OPC, Netherlands-based KLM Royal Dutch Airlines (KLM) was found to have breached several provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), including failing to respond in a timely way to a request by a customer for access to records containing personal information; failing to implement practices to ensure that the requirements of the Act; and failure to make available to the public its policies respecting the management of personal information.

In a preliminary report of findings, the OPC had recommended that KLM develop a clear and simple access to information request procedure and ensure that the privacy policy posted on the Canadian version of its website comply with PIPEDA.

KLM took the position that the Dutch Data Protection Authority supervises KLM in the security of personal data under the Dutch Personal Data Protection Act, including requirements respecting transparency and the manner in which access to information requests must be processed.  The airline further noted that Dutch law does not require further transparency of policies and practices, and only allows individuals to view their personal information, not to access it.  KLM questioned the OPC’s jurisdiction over KLM.

Relying on the Federal Court’s decision in Lawson v. Accusearch Inc., which had earlier found that the OPC had jurisdiction to investigate complaints respecting the collection by foreign organizations of personal information about Canadian residents, the OPC confirmed that it had jurisdiction in the complaint against KLM because there was a real and substantial connection to Canada.  In this regard, the OPC noted that:

  • The complainant seeking access to his personal information was a Canadian resident
  • KLM offers services in Canada, and has employees at several Canadian airports
  • KLM operates a Canadian version of its website, which actively targets Canadians, and through which Canadians may reserve flights
  • KLM operates scheduled non-stop flights to and from Canadian cities (and in fact, the complainant originally booked a KLM flight departing from Toronto);
  • KLM needs to collect personal information from Canadian passengers to offer air travel to those passengers.

In the circumstances, and in view of judgement in the Accusearch case, the finding of Canadian jurisdiction over the handling of the personal information in question may not be particularly surprising: it was collected from Canadians, in Canada, with respect to a service provided - at least in part - in Canada. 

However, many businesses may be surprised that compliance with a European data protection law will not guarantee compliance with Canadian law – despite the fact that the European Data Protection Directive (on which member state privacy laws are based) and PIPEDA were derived from the same set of essential privacy principles, and even though European data protection laws tend to be viewed in some jurisdictions as being particularly stringent.

Although Canadian privacy laws are in broad accord with many international data protection regimes, there are often subtle differences between these foreign laws and Canadian privacy requirements.  Accordingly, foreign organization doing business in Canada should not assume that practices and policies that comply with the law of their home country will necessarily suffice when collecting, using and disclosing information in Canada.

PIPEDA for the Practice of Law

The Canadian Privacy Commissioner released guidelines for lawyers seeking to understand  the Personal Information Protection and Electronic Documents Act (PIPEDA) at the Canadian Bar Association convention on August 16, 2011. Entitled “PIPEDA and Your Practice: A Privacy Handbook for Lawyers”, it provides an overview of PIPEDA requirements as they apply to lawyers and law firms in private practice as well as corporate counsel.

Whereas lawyers already must keep client information confidential, PIPEDA introduced additional requirements that are highlighted in the handbook. For example, conducting a credit check on a potential client requires prior informed consent, and the Commissioner recommends similarly obtaining informed consent for all information collected for litigation purposes (despite this latter point still not clear in the case law). Also, at a client’s request, information about the client must be provided within 30 days at no charge, and irrespective of whether or not a solicitor’s lien exists.

The Commissioner can make non-binding recommendations either following a complaint or on its own initiative, and the complainant or Commissioner may subsequently proceed to Federal Court for enforcement. The Commissioner’s website offers lawyers a Self-Assessment Tool to promote compliance with PIPEDA.

Federal Court muddies the waters on privacy damages

David Elder -

In a problematic judgement, the Federal Court of Canada has awarded damages against a bank for the wrongful disclosure by one of its employees of account information in response to a subpoena.

This is only the second case in which the Court has awarded damages for non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA); and like the first damage award under the statute, the amount awarded was minimal. The case is also perplexing, because it seems to contradict the reasoning in an earlier decision by the same court, which established that to be eligible for an award of damages, the alleged injury must result directly from a breach of the Act.

In the case of Landry v. Royal Bank of Canada, the husband in a divorce proceeding sent a subpoena duces tecum1 to the bank, ordering one of the bank’s employees to appear before the court and bring certain records concerning the account records of his wife. In violation of the bank’s own policy, which requires the consent of the account holder before account information can be released to a third party, an employee of the bank disclosed the records in question directly to counsel for the husband.

Not surprisingly, the Court readily found that the disclosure was in breach of the bank’s obligations under PIPEDA. What was surprising was that any damages at all were awarded on the facts of the case.

In this regard, the record revealed that the applicant wife had, in the last years of her marriage, opened a bank account without her husband’s knowledge and built a nest egg. In the divorce proceeding, she concealed the existence of the account in question from both her husband and the court, despite a clear legal obligation to make a full and honest disclosure of assets and despite being asked repeatedly under oath about the existence of such an account. As a result of the subpoena, the account records were properly provided by the bank to the divorce court, which later placed the information on the public record and took it into account in rendering judgement. The divorce judgement itself made pointed reference to the applicant’s secretive behaviour and denials under oath.

In her pleadings, the applicant had claimed that the bank’s disclosure had done great harm to her personal life, and that she now had problems with her family and friends “as a result of the conduct of her ex-husband, who was using certain passages of the divorce judgement to harm her reputation.”

In earlier cases, the Court seemed to have established the principles that damage awards under PIPEDA should only be made “in the most egregious situations” and that to be eligible for an award from the court, the applicant would have to establish damages flowing directly from the privacy breach itself, rather than from some concealed behaviour that only came to light through the privacy breach.

For example, in the case of Stevens v. SNF Maritime Metal Inc., the Court found that the applicant’s claim for damages flowed from the loss of his employment, and implicitly, that the employment had been lost due to a fraud he committed against his employer. Although the Court found that, although the fraud may not have come to light except through the privacy breach of a third party, it was the fraud itself, and not the disclosure thereof, that gave rise to the damages.

By contrast, in Landry, the Court seems to have taken the opposite approach. Despite the Court’s explicit acknowledgement that the bank had acted properly in filing the applicant’s account information with the divorce court pursuant to the subpoena, and its implicit finding that the alleged damages stemmed from public dissemination of the resulting divorce judgement by the husband, the Court nevertheless awarded damages – albeit minimal damages -- to the Applicant, noting that the bank’s error remained serious, even when these factors were taken into account.

Although the applicant sought damages totalling $100,000, including $25,000 in exemplary damages, she was awarded only a token $ 4,500. Although she was also awarded her costs, plus interest, the resulting damage award likely pales in comparison to the amount that the applicant would have incurred in legal fees, which would not be covered by the cost award.

While the Landry decision shows that the court may not been entirely consistent in its approach to damage awards under PIPEDA, one thing seems certain: litigants are unlikely to receive any substantial damage awards under the statute unless they can demonstrate significant, tangible losses.

[1]  A subpoena duces tecum is a court summons ordering a named party to appear before the court and bring with them specified documents or other tangible evidence for use by the court; however, it does not require that the evidentiary material in question be provided at that time to the party requesting the subpoena; rather, it contemplates that during the proceedings, the court will determine whether the material in question should be disclosed, weighing such factors as the right to privacy and the existence of privilege. 

Privacy Commissioner can now be choosier about complaints she investigates

David Elder -

Legislative amendments proclaimed in force last week mean that the Privacy Commissioner of Canada may now be more selective about the complaints her office decides to investigate.

The amendments in question, made to the Personal Information Protection and Electronic Documents Act (PIPEDA), were actually contained in Bill C-28, Canada’s Anti-Spam Legislation, which received Royal Assent last December.  Although most of that statute is not yet in force (and, as we noted on our Canadian Communications Law blog, may be delayed in coming into force by the federal election call), last week the Governor in Council proclaimed in force some of the consequential amendments in that bill that affect PIPEDA, leaving for proclamation at a later date those PIPEDA amendments that coordinate with new obligations in the Anti-Spam law itself.

Previously, PIPEDA required the Privacy Commissioner to investigate all complaints submitted to her office, regardless of their nature or seriousness, although she had some discretion in not having to prepare a report in all cases.

With these new amendments, the Commissioner is no longer required in all circumstances to conduct an investigation in respect of a complaint received.  Complaints need not be investigated if the complainant has not exhausted other grievance or review procedures that may be available, if the complaint could be more appropriately dealt with under another Federal or Provincial law, or if the complaint was not filed within a reasonable time after subject matter of the complaint arose. 
In all cases, complainants must be notified that their complaint will not be investigated.  The Commissioner retains the right to reconsider a decision not to investigate a particular complaint, if the complainant is able to provide compelling reasons to investigate.

The new powers have long been sought by the Commissioner as a way to better manage the workload of the Office of the Privacy Commissioner, by weeding out complaints whose resolution would be of little public interest or significance, thereby allowing for the focus of resources on issues of a broader systemic nature.  The authority to manage the processing of complaints in this way is already afforded to some degree to other tribunals, including the Canadian Human Rights Commission and the Privacy Commissioner for Alberta.

Once the investigation of a compliant commences, the new amendments also give the Privacy Commissioner the power to discontinue investigation in certain circumstances.  Investigations may be discontinued where:

  • there is insufficient evidence to pursue the complaint
  • the complaint is trivial, frivolous or vexatious or is made in bad faith
  • the organization that was the subject of the complaint has provided a fair and reasonable response
  • the subject matter is already the subject of a report by the Commissioner
  • the complainant has not exhausted other grievance or review procedures that may be available
  • the complaint could be more appropriately dealt with under another Federal or Provincial law
  • the complaint was not filed within a reasonable time after subject matter of the complaint arose
  • the matter is being or has already been addressed via another grievance or review process, or pursuant to a procedure under another Canadian law

As with a case of declining to investigate, the Commissioner must notify a complainant and organization of the discontinuance of a complaint, giving reasons for the discontinuance.

With other tribunals that have the power to decline to investigate complaints, there has understandably been a reluctance to exercise this authority, since doing so denies a complainant a full consideration on the merits of the complaint.  As a result, the bar for refusing a complaint has tended to have been set fairly high, with complaints being declined or discontinued only in the clearest and most egregious of circumstances.
One suspects that this will also be the approach of the Privacy Commissioner; however, the new powers should nevertheless afford her office a great deal more control in managing its caseload, focusing strained resources on matters of the greatest public interest and systemic benefit.

UPDATE: The Order Fixing April 1, 2011 as the day on which the provisions in question come into force was published in the Canada Gazette on April 13, 2011, along with an Explanatory Note.