11. Technology and the Law
Governments have attempted to respond to the increased pace of change that technology is generating. As a result, new regulations have been enacted in recent years to which Canadian organizations must adhere. Some of the key ones are highlighted below, but businesses are encouraged to do their own research into new legislation that may impact their organization or industry. Local trade groups and business associations are great resources for finding updated rules and regulations.
The Privacy Act
The purpose of this Act (https://laws-lois.justice.gc.ca/eng/ACTS/P-21/page-1.html#h-39717) is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.
This Act is for governments only and does not apply to the private sector. Specifically, it applies to any department or ministry of state of the Government of Canada, any person or office, any Crown corporation, and any wholly owned subsidiary of such a corporation or government institution. The Act recognizes that governments must collect personal information, but restricts how governments may use that information in order to protect individuals against government overreach.
Collection, Retention and Disposal of Personal Information
- No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
- A government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates.
- A government institution shall inform the individual of the purpose for which the information is being collected.
- A government institution shall take all reasonable steps to ensure that personal information is as accurate, up-to-date and complete as possible.
- Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution.
These aspects of the Privacy Act are highlighted here to serve as a reference for businesses to consult as they develop their own plans regarding the collection, retention and disposal of personal information. Businesses receive the same treatment as individuals under the Act which means businesses can feel confident that Governments in Canada take privacy seriously and that these elements are enshrined in law.
Freedom of Information and Personal Privacy Act (FIPPA – Ontario)
In addition to the Federal government’s privacy legislation, the Ontario Government enacted its own legislation to enhance the existing federal statutes. One of the key areas was access to government information. The goal was to increase transparency and open government in the province. This began with the Ontario Government establishing the Commission on Freedom of Information and Individual Privacy in 1977 to look at ways to improve public information policies and public sector access and privacy legislation. The Commission was headed by Dr. D. Carlton Williams and is known as the “Williams Commission”.
The framework for Ontario’s legislation is set out in the Commission’s report entitled “Public Government for Private People, The Report of the Commission on Freedom of Information and Individual Privacy” published in 1980.
FIPPA received royal assent in 1987 and came into force on January 1, 1988. The municipal counterpart, MFIPPA, came into force on January 1, 1991.
The Williams Commission, in making its recommendations, considered policy goals relating to good government such as:
- Transparency: The public’s right to know what the government is doing and how decisions have been reached.
- Accountability: The public’s ability to hold elected representatives responsible for how they carry out their roles.
- Public participation: Citizen involvement in policy development and decision-making.
- Fairness in decision-making: An individual’s ability to present their side of an issue, and their right to access the information on which a decision-maker will act, including the criteria to be applied.
- Personal privacy: The government’s records of personal information and information management practices, and an individual’s right to have access to government information concerning them.
- Administrative costs: The cost-benefit of the resources required to administer the legislation and the benefits to society from a more open government.
Many of the same themes from the Privacy Act are replicated in this act. However, one notable difference is the access-to-information component, known as ‘Freedom of Information’. This part of the Act allows any individual resident of Ontario to request government information, which ensures that the government is held accountable by the citizens it serves for the actions it takes.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
Unlike the Privacy Act, PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
There are several requirements to comply with the law. Organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use, or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.
Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards.
Provincial Privacy Laws
Alberta, British Columbia and Quebec have their own private-sector privacy laws that are very similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province. Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information.
Information that Crosses Borders
All businesses operating in Canada that handle personal information which crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Businesses must follow the ten fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. Following these principles contributes to building trust in your business and in the digital economy. The principles, and what each requires of an organization, are:
Accountability
- Comply with all ten fair information principles.
- Appoint someone to be responsible for your organization’s PIPEDA compliance.
- Protect all personal information held by your organization, including any personal information you transfer to a third party for processing.
- Develop and implement personal information policies and practices.
Identifying Purposes
- Identify and document the purposes for collecting personal information. This step helps to identify which specific personal information to collect.
- Tell your customers why your organization needs their personal information before or at the time of collection. Depending on how the information is collected, this can be done orally or in writing.
- Obtain their consent again should you identify a new purpose.
Consent
- Meaningful consent is an essential element of PIPEDA. Organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information.
- To make consent meaningful, people must understand what they are consenting to. Consent is only considered valid if it is reasonable to expect that your customers will understand the nature, purpose and consequences of the collection, use or disclosure of their personal information.
- Consent can only be required for collections, uses or disclosures that are necessary to fulfil an explicitly specified and legitimate purpose. For non-integral collections, uses and disclosures, individuals must be given a choice.
- The form of consent must take into account the sensitivity of the personal information. The way you seek consent will depend on the circumstances and the type of information you are collecting.
- Individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and you must inform individuals of the implications of withdrawal.
Limiting Collection
- Collect only the personal information your organization needs to fulfill a legitimate identified purpose.
- Be honest about the reasons you are collecting personal information.
- Collect personal information by fair and lawful means. This requirement is intended to prevent organizations from collecting information through misleading claims or deception about the purpose.
Limiting Use, Disclosure, and Retention
- Unless consent states otherwise—or unless doing so is required by law—an organization may use or disclose personal information only for the specific purposes for which it was collected and may only retain personal information for the time required to serve the identified purposes.
- Organizations must know what personal information they have, where it is, and what is being done with it.
- Updated consent is required if there is an intention to use or disclose personal information for a new purpose.
- Organizations may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
- Guidelines and procedures must be in place for retaining and destroying personal information.
Accuracy
- Minimize the possibility of using incorrect information when making a decision about an individual or when disclosing information to third parties.
Safeguards
- Protect personal information in a way that is appropriate to how sensitive it is.
- Protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use or modification.
Openness
- Inform customers and employees regarding policies and practices for managing personal information.
- Ensure the policies and practices are easily understandable and easily available.
Individual Access
- When asked, advise people about the personal information about them that your organization holds.
- Explain where the information was obtained.
- Explain how that information is or has been used and to whom it has been disclosed.
- Give people access to their information at minimal or no cost, or explain your reasons for not providing access. Providing access can take different forms. For example, you may provide a written or electronic copy of the information, or allow the individual to view the information or listen to a recording of it.
- Correct or amend personal information in cases where accuracy and completeness are deficient.
- Note any disputes on file and advise third parties where appropriate.
Challenging Compliance
- Provide recourse by developing simple complaint handling and investigation procedures.
- Tell complainants about their avenues of recourse. These include your organization’s own complaint procedures, along with those related to industry associations, regulatory bodies and the OPC.
- Investigate all complaints you receive.
- Improve any information-handling practices and policies that are found to be problematic.
Regulation relating to Artificial Intelligence (AI) is complex and evolving, so cases involving AI technologies and tools are generally viewed as subject to the same laws and regulations that govern other technology, such as data privacy laws and intellectual property laws. Use of AI innovations typically requires compliance with any industry-specific regulations applicable to their use, such as those governing the financial services or healthcare sectors. As the use of AI is still relatively new and the technology is rapidly progressing, the legal status of AI tools is still largely untested.
Canada’s Anti-Spam Legislation (CASL)
Canada’s anti-spam legislation (CASL) is the federal law dealing with spam and other electronic threats. It protects consumers and businesses from the misuse of digital technology while ensuring that businesses can continue to compete in the global marketplace. CASL requires businesses and organizations to obtain consent before sending commercial electronic messages.
Acts Under Consideration
The Government of Canada has tabled Bill C-27, the Digital Charter Implementation Act, 2022 to strengthen Canada’s private sector privacy law, create new rules for the responsible development and deployment of artificial intelligence (AI), and continue advancing the implementation of Canada’s Digital Charter. As such, the Digital Charter Implementation Act, 2022 introduces three proposed acts: the Consumer Privacy Protection Act, the Artificial Intelligence and Data Act, and the Personal Information and Data Protection Tribunal Act.
The proposed Consumer Privacy Protection Act will address the needs of Canadians who rely on digital technology and respond to feedback received on previous proposed legislation. This law will ensure that the privacy of Canadians will be protected and that innovative businesses can benefit from clear rules as technology continues to evolve. Bill C-27 also proposes to establish the Personal Information and Data Protection Tribunal, which would play a role in the enforcement of the Consumer Privacy Protection Act. In particular, the Tribunal would review recommendations by the Privacy Commissioner of Canada to impose administrative monetary penalties for certain contraventions of the Act. The Tribunal would provide an accessible mechanism for organizations and individuals to seek a review of Privacy Commissioner decisions.
The first reading of Bill C-27 occurred on June 16, 2022.
European Union (EU) General Data Protection Regulation (GDPR)
Canadian businesses that operate within the European Union (EU) must follow a comprehensive set of laws protecting the privacy of European individuals and businesses, known as the EU General Data Protection Regulation (GDPR). Under GDPR, individuals have the right to know how their personal data is being collected and used, to have information removed from the internet, and to stop companies from processing their data. GDPR carries significant penalties. For example, businesses that mishandle customer information may be fined up to four percent of their annual worldwide revenue. Under GDPR, businesses must comply with six data processing principles. Personal information must be:
- Processed lawfully, fairly and transparently;
- Collected only for specific legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Stored only as long as is necessary; and
- Processed in a manner that ensures appropriate security.
Interestingly, many of these principles were developed in Canada through the work of Ann Cavoukian, Ph.D., at Toronto Metropolitan University, whose work focuses on ‘Privacy by Design’. Privacy by Design is an internationally recognized privacy standard that has been endorsed globally since 2010 by Data Protection Authorities and Privacy Commissioners. It requires building privacy into the design, operation and management of IT systems, networks, and business processes. Privacy by Design is structured around seven Foundational Principles that serve as the baseline for robust data protection. (https://www.torontomu.ca/content/dam/pbdce/certification/Privacy-by-Design-Overview_PbDCE.pdf)