I just returned from a very good few days at the Canadian Bar Association’s annual get-together
in Winnipeg, Manitoba. There were quite a few privacy-related events during the
two-day substantive program.
The first event was more administrative than anything. It
was the meeting of the CBA Privacy Law subsection. The meeting was chaired by Brian Bowman, the section
secretary who is also a privacy lawyer at Pitblado
in Winnipeg. We reviewed the privacy-related resolutions passed by the CBA
general meeting and the extensive activity undertaken by the section during its
first year. (I’m told that it has an unprecedented level of activity for a
brand-new section.) The next year should be just as busy.
David
Young, who chairs the Advocacy and Government Relations subsection led a
discussion of the contribution that can be made when the Personal Information Protection
and Electronic Documents Act (Canada) comes up for full review in 2006.
I expect there will be no shortage of suggestions. Ann Goldsmith, legal counsel
to the Office of the Privacy Commissioner
mentioned they have many suggestions already, with deemed consent for due
diligence review in the course of sales of businesses near the top of their list.
Cross-border privacy issues
The second event was also on Monday: a panel discussion of
cross-border privacy issues. Moderated by David Young of Lang Michener, the panel was composed
of Simon
Chester of McMillan Binch,
Evelyn Sullen of Volkswagen of America Inc.
and me. The presentation that I gave is available here and I’ll try to
get permission to post Simon and Evelyn’s powerpoints.
Simon Chester began with a presentation on European privacy
law, using three European women as illustrations of the law’s development and
enforcement: (a) Bodil Lindqvist,
(b) Naomi Campbell (see Campbell v. MGN Limited, [2004] UKHL 22) and (c)
Princess
Caroline of Monaco. The first example demonstrates how some authorities in Europe
are being much more aggressive in enforcing the Data Protection Directive,
including against clearly non-commercial and “domestic” use of personal
information. The latter two examples show how the balance between privacy and
freedom of the press are moving clearly towards privacy in Europe. (We will not
likely see any of the Campbell/Caroline examples in Canada soon, as PIPEDA
specifically does not apply to information collected for “artistic, literary or
journalistic purposes. Any similar complaints against paparazzi will have to be
grounded in the independent tort of “invasion of privacy”, which is being
slowly developed in the Canadian provinces that do not have a statutory tort.) Interested readers should take a look at Simon's comprehensive paper, which is available here.
Evelyn’s presentation included an overview of the sectoral
laws in the United States (COPPA, HIPAA, GLB, etc.) and a look at Volkswagen USA’s
experience in addressing PIPEDA and the European privacy rules. It was
estimated that VW spent about $500K in complying with PIPEDA, including postage
for sending a “grandfathering/opt-out” letter to all customers in their
database.
One of the questions posed was whether to adopt a fragmented
privacy management system within an international company or should one try to
develop a policy that complies with all legal regimes in which the company
operates. Much of what was discussed in the international context is also
applicable within the Canadian federal system. We are dealing with a number of
privacy regimes in this country, including the present 100% overlap between
federal and provincial laws in Alberta and British Columbia. (I am told that
the Order-in-Council to declare AB and BC’s laws “substantially similar” to
PIPEDA is on the agenda for the next meeting of the federal cabinet.) We also
have an interesting overlap in the health privacy arena. Alberta, Saskatchewan
and Manitoba each have provincial health information laws and none of them are
expected to be declared substantially similar. This means that physicians in
private practice, who are engaged in “commercial activities”, must comply with
PIPEDA and with the local health information law. In most cases, the healthcare
professionals can design their programs to comply with the most demanding
individual rules and principles. In some cases, this is not always possible as
some contradictions may appear between the laws.
Update on Canada’s Privacy Laws
On Tuesday, Brian Bowman moderated a panel of
representatives from various privacy commissioners’ offices. On the panel was
Heather Black, Assistant Privacy Commissioner of Canada; Brian Loukidelis,
Information and Privacy Commissioner from British Columbia, Barry Tuckett, Manitoba’s
Ombudsman and Mary O'Donoghue, legal counsel to the Information and Privacy Commissioner of Ontario.
Each of the panelists gave an update on developments in their respective
jurisdictions, beginning with Heather Black’s overview of the roll-out of
PIPEDA. Heather made an interesting distinction between systemic and more
accidental violations of PIPEDA. Systemic violations are those which
demonstrate a systemic problem, such as a lack of awareness, policies or
procedures. Accidental ones are simply where a company’s established – and otherwise
compliant – procedures and policies are not followed, resulting in a breach.
Both are problems, but the balance of complaints is leaning further away from
systemic breaches. Heather also mentioned that the number of complaints that
are “well founded” has declined (to the end of 2003) to around 20% from 45% a
couple of years before.
Mary O'Donoghue, from the Ontario Information and Privacy
Commissioner’s Office, provided a very good and brief overview of the Personal Health
Information Protection Act, 2004.
At the moment, I’m a little jetlagged. I’ll try to write
more about the conference when I’ve got a few more minutes and once I’ve heard
back from my co-panellists about posting their materials.
0 comments:
Post a Comment