As privacy law reform legislation multiplies in Canada, each pursuing its own direction, privacy law reform around the world is also splintering through varied legislative developments. Even with Europe’s assertive stance on uniformity, through the adoption of the General Data Protection Regulation (GDPR) to replace national privacy laws with one European law and the creation of the European Data Protection Board (EDPB) “to ensure the consistent application of this Regulation” (Article 70 GDPR), the domestic pull of local politics and culture is fraying consistency in the application of the GDPR, and uniformity proves illusory. Canada’s constitutional federation has all the makings to lead us in the same direction. The challenge, and the strategy, is for governments to ensure interoperability of laws and for organizations to develop cohesive internal compliance mechanisms.
1. Canada’s constitutional privacy law framework
Simply to set the stage, it is helpful to step back and situate the Canadian privacy regulatory framework in its constitutional context.
Constitutionalists will argue that Canada is the only truly federated state because of the degree of autonomy of each level of government, ensured by the clear division of revenue sources and legislative power. That is the context of the Canadian privacy regulatory framework. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) was adopted under the federal government’s legislative competence over “Trade and Commerce” (Article 91(2) of the Constitution Act of 1867). Québec challenges the constitutionality of PIPEDA, arguing that the protection of personal information in the private sector rests exclusively within provincial legislative competence over “Property and Civil Rights” (Article 92.13). Provincial privacy laws deemed “substantially similar” to PIPEDA apply within the sphere of provincial jurisdiction. Concretely, this means organizations need to comply with the following division of privacy law within Canada:
- Organizations that fall within the legislative authority of the federal government, such as airlines, banks or telcos, are entirely governed by PIPEDA in relation to both their customer data and their employee data (section 4(1) PIPEDA);
- Organizations that do not fall within the authority of the federal government but are pan-Canadian, such as national retailers, will be governed by both PIPEDA and provincial legislation:
  - Where the province has enacted its own private sector privacy legislation, namely Alberta with the Personal Information Protection Act (Alberta PIPA), British Columbia with its own Personal Information Protection Act (BC PIPA), and Québec with an Act respecting the protection of personal information in the private sector (Québec Act), the organization must comply with those laws in that province in relation to its customers’ as well as its employees’ information;
  - In the other provinces and territories, the organization must comply with PIPEDA in relation to its customer information but there is a legal void in relation to employee information; that being said, because privacy is a fundamental human right, PIPEDA has been recognized to have quasi-constitutional status and employee information is expected to be protected in accordance with the principles enshrined in privacy law.
- Organizations that do not fall within the authority of the federal government and operate in one province or one territory only, where:
  - The province has not adopted private sector privacy law, are governed by PIPEDA for their customer data and, as above, through a legal void, by principles of privacy in relation to their employees;
  - The province has adopted private sector privacy law, are governed entirely by that law in relation to both their customer and employee information.
- Organizations in the health sector, such as pharmacies, are governed by provincial and territorial health information protection laws, except in British Columbia and Québec, where they are governed by the private sector privacy law, and in Nunavut, where they are governed by PIPEDA.
To ensure interoperability through this legislative quilt, two strategies are imperative: i) legislative consistency among privacy laws such that they are substantively similar, and ii) clear delineation of scope, such as section 3 of the BC PIPA excluding from its application the collection, use or disclosure of personal information, if “the federal Act applies to [it]”.
Both strategies appear at risk as Canadian privacy law reform plans evolve independently. Still, organizations can achieve harmonization in their privacy programs with their own strategies. We will come to that after surveying how the main emerging trends in privacy law reform in Canada converge and diverge.
2. Emerging data protection trends and regulations…
EU confirms PIPEDA’s adequacy status under the GDPR
In a Report issued two weeks ago,[1] the European Commission advised that i…