Canadian Privacy Policy: Customizing E.U. Standards

Remarks by Jennifer Stoddart, Privacy Commissioner of Canada

Privacy Symposium: Summer 2007, August 23, 2007


Personal Information Regulation in Canada

• Fair information/OECD principles became law: Personal Information Protection and Electronic Documents Act (PIPEDA), 2000

• Civil and common law


Characteristics

• Adequate for E.U.

• Applies to all handling of personal information by federally regulated commercial entities in Canada affecting Canadians

• Applies outside of Canada if personal information is outsourced for processing or other uses (Abika case)


Characteristics

• Unlike E.U. in:

– No registration of databases

– No prior approval for export of personal information

– No restrictions on whistle blowing legislation


Characteristics

• Enforcement through multi-functional approach

• Federally

– Ombudsman (Agent of Parliament)

– Investigate complaints

– Mediation

– Audits

– Education

– Outreach

– Federal court litigation (damages)

• Substantially similar provinces

– Tribunals (no damages)


Substantially Similar Principle

• Quebec (1994)

• Alberta (2004)

• B.C. (2004)

• Ontario (Health, 2004)


Substantially Similar Provinces

• PIPEDA applies when:

– Organization handling personal information is federally regulated, e.g., banks, airlines

– Sending personal information from Canada elsewhere or across provincial borders

– Federally regulated employee information


Criteria

• Appropriate consent for collection/use/disclosure

• Opt-in (express) – sensitive

• Opt-out (implied) – reasonable test


When You Export Personal Information…

• Exporting personal information outside Canada

• PATRIOT Act concerns

• Finding #313 (CIBC VISA)

• Finding #365 (SWIFT)


When You Use Personal Information…

• Direct marketing practices

– Finding #308 (Inserts)

– Finding #297 (e-mails)

– Finding #271 (Solicitations)


When Your Entity Markets in Canada…

• Can be situated outside Canada

• Abika case

• TJX case and federal/provincial enforcement


Security

• PIPEDA includes a security principle (Safeguards, Principle 7 of Schedule 1)

• Data Breach Guidelines

• Recommend mandatory notification in law


International Co-operation in Enforcement

• OPC with FTC and others

• OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007


PIPEDA Enforcement: 2006

• 26% of complaints settled

• 26 letters of recommendation (e.g. financial institutions, insurance companies, law firms, real estate firms)

• 2 audits, e.g., Equifax

• No OPC-initiated actions in Federal Court


Conclusion

• Flexible compliance approach

• Same standards as E.U.

• Extra-territorial reach

• International enforcement framework


29th International Data Protection and Privacy Commissioners Conference

www.privacyconference2007.gc.ca

www.conferencevieprivee2007.gc.ca


THANK YOU!

Questions?

www.privcom.gc.ca

1-800-282-1376