Compliance ... without necessarily going out of business
Personal Information Protection and Electronic Documents Act (PIPEDA)
• Canadian federal legislation
• Applies to the private sector
• Supplements existing public sector privacy legislation
• PIPEDA applies everywhere except:
• Quebec
• BC
• Alberta
• Quebec, BC and Alberta have their own provincial statutes that are substantially similar to PIPEDA
• Basic principle: balance the public's need for privacy with the need of business to do business
Canada's Anti-Spam Legislation (CASL)
• Now there is also CASL, which prohibits:
• Sending commercial electronic messages without consent (includes email, social networking accounts and texts to cell phones)
• Altering transmission data so that a message is delivered to a different destination without consent
• Installing computer programs on another person's computer without consent (malware)
• False or misleading representations online in the promotion of products or services
• Collecting personal information by unlawfully accessing a computer system (hacking)
• "Address harvesting": collecting electronic addresses and using them without consent
• CASL is administered by a three-headed monster:
• CRTC
• Competition Bureau
• Office of the Privacy Commissioner of Canada
• Full title: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act
• Personal information is any information that links to an identifiable person, for example:
• Gender
• Age
• Address
• Social Insurance Number
• Health card number
• Names of family members
• Salary
• Home phone
• E-mail address
• Driving record
• Health information
• Criminal record
• Drug use
• BUT NOT business contact information: employee name, title, business phone or business address
• Two kinds of personal information: sensitive and less sensitive
• Less sensitive information causes less trouble
• The right of privacy is the right to control access to one's person and to information about oneself.
• Privacy law covers the collection (direct or indirect), use, retention and disclosure of personal information
• Governed by ten privacy law principles:
• Accountability
• Identifying purposes
• Consent
• Limiting collection
• Limiting use, disclosure and retention
• Accuracy
• Safeguards
• Openness
• Individual access
• Challenging compliance
Directive 95/46/EC
• On the protection of individuals with regard to the processing of personal data and on the free movement of such data
• Designed to balance the needs of business and the needs of personal privacy
• Directive 95/46/EC to be replaced by the General Data Protection Regulation (GDPR)
• Will extend the scope of EU data protection to all foreign companies processing EU data
• Will harmonize data protection regulations throughout the EU
• Easier for non-EU companies to comply
• Will be a strict compliance regime with huge fines
• Applies if the data controller / processor or the data subject is based in the EU ("long arm" law)
• "Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
• Generally speaking, if you are compliant with Canadian privacy law, you will be compliant with EU privacy law, and vice versa
• There are some notice provisions and administrative requirements that differ, but generally both laws are consistent, and both recognize that business is global and that "Privacy by Design" must be followed and enforced
Don Johnston 416-865-3072