Canadian privacy law

Canadian privacy law is derived from the common law, statutes of the Parliament of Canada and the various provincial legislatures, and the Canadian Charter of Rights and Freedoms. Perhaps ironically, Canada's legal conceptualization of privacy, along with most modern Western legal conceptions of privacy, can be traced back to Warren and Brandeis's "The Right to Privacy", published in the Harvard Law Review in 1890. [1] Holvast states: "Almost all authors on privacy start the discussion with the famous article 'The Right to Privacy' of Samuel Warren and Louis Brandeis". [1]

Evolution of Canadian privacy statutes

Canadian privacy law has evolved over time into what it is today. The first instance of a formal law came when, in 1977, the Canadian government introduced data protection provisions into the Canadian Human Rights Act. [2] In 1982, the Canadian Charter of Rights and Freedoms outlined that everyone has "the right to life, liberty and security of the person" and "the right to be free from unreasonable search or seizure", [3] but did not directly mention the concept of privacy. In 1983, the federal Privacy Act regulated how the federal government collects, uses and discloses personal information. Canadians' constitutional right to privacy was further confirmed in the 1984 Supreme Court case, Hunter v. Southam. [4] In this case, Section 8 of the Canadian Charter of Rights and Freedoms (1982) was found "to protect individuals from unjustified state intrusions upon their privacy" and the court stated such Charter rights should be interpreted broadly. [5] Later, in a 1988 Supreme Court case, the right to privacy was established as "an essential component of individual freedom". [4] The court report from R. v. Dyment states, "From the earliest stage of Charter interpretation, this Court has made it clear that the rights it guarantees [including privacy rights] must be interpreted generously, and not in a narrow or legalistic fashion". [5] Throughout the late 1990s and 2000s, privacy legislation placed restrictions on the collection, use and disclosure of information by provincial and territorial governments and by companies and institutions in the private sector.

Governing relations with public sector institutions

Privacy Act

The Privacy Act, passed in 1983 [6] by the Parliament of Canada, regulates how federal government institutions collect, use and disclose personal information. It also provides individuals with a right of access to information held about them by the federal government, and a right to request correction of any erroneous information. [2]

The Act established the office of the Privacy Commissioner of Canada, who is an Officer of Parliament. The responsibilities of the Privacy Commissioner include supervising the application of the Act itself.

Under the Act, the Privacy Commissioner has powers to audit federal government institutions to ensure their compliance with the Act, and is obliged to investigate complaints by individuals about breaches of the Act. The Act and its equivalent legislation in most provinces are the expression of internationally accepted principles known as "fair information practices." As a last resort, the Privacy Commissioner of Canada does have the "power of embarrassment", which can be used in the hopes that the party being embarrassed will rectify the problem under public scrutiny. [2]

Although the office of the commissioner has no mandate to conduct extensive research and education under the current Privacy Act, the Commissioner believed that he had become a leading educator in Canada on the issue of privacy. [2]

Access to Information Act

The next major change to Canadian privacy law came in 1985 in the form of the Access to Information Act. The main purpose of the Act was to provide citizens with the right of access to information under the control of governmental institutions. The Act limits access to personal information under specific circumstances. [7]

Freedom of Information Act

The Freedom of Information Act was enacted in 1996, and expanded upon the principles of the Privacy Act and Access to Information Act. It was designed to make governmental institutions more accountable to the public, and to protect individual privacy by giving the public right of access to records, as well as giving individuals right of access to and a right to request correction of personal information about themselves. It also specifies limits to the rights of access given to individuals, prevents the unauthorized collection, use or disclosure of personal information by public bodies, and redefines the role of the Privacy Commissioner of Canada. [8]

Extension to private sector organizations

Federal

The Personal Information Protection and Electronic Documents Act ("PIPEDA") governs the topic of data privacy, and how private-sector companies can collect, use and disclose personal information. The Act also contains various provisions to facilitate the use of electronic documents. PIPEDA was passed in 2000 to promote consumer trust in electronic commerce, and was also intended to assure that Canadian privacy laws protect the personal information of citizens of other nationalities, so as to be in compliance with EU data protection law. In recent years, there have been numerous calls for reform as PIPEDA is considered outdated and unable to address AI effectively. [9] The Canadian government responded with a comprehensive reform project under Parliamentary discussion. [10]

PIPEDA includes and creates provisions of the Canadian Standards Association's Model Code for the Protection of Personal Information, developed in 1995. As with any privacy protection act, the individual must be informed of the information that may be disclosed, whereby consent is given. This may be done by accepting terms, signing a document or verbal communication.

In PIPEDA, "Personal Information" is specified as information about an identifiable individual, which includes both collected information and inferred information about individuals. [11]

Provinces

PIPEDA allows for similar provincial laws to continue to be in effect. Quebec, British Columbia and Alberta have subsequently been determined to have similar legislation, and laws governing personal health information only, in Ontario and New Brunswick, have received similar recognition. They all govern:

  • What personal information can be collected from individuals (including customers, clients and employees);
  • When consent is required to collect personal information and how consent is obtained;
  • What notice must be provided before personal information is collected;
  • How personal information may be used or disclosed;
  • The purposes for which personal information may be collected, used or disclosed by the organization; and
  • How an individual may get access to and request correction of his or her personal information held by the organization.

The provincial Acts that have been so recognized, and agencies responsible, are as follows:

  • British Columbia
      Act: Personal Information Protection Act, S.B.C. 2003, c. 63
      Federal recognition: Organizations in the Province of British Columbia Exemption Order, SOR/2004-220
      Provincial regulator: Office of the Information and Privacy Commissioner
  • Alberta
      Act: Personal Information Protection Act, S.A. 2003, c. P-6.5
      Federal recognition: Organizations in the Province of Alberta Exemption Order, SOR/2004-219
      Provincial regulator: Office of the Information and Privacy Commissioner
  • Nova Scotia
      Act: Personal Health Information Act, S.N.S. 2010, c. 41
      Federal recognition: Personal Health Information Custodians in Nova Scotia Exemption Order, SOR/2016-62 (deemed substantially similar to Part 1 of Personal Information Protection and Electronic Documents Act)
      Provincial regulator: Office of the Information and Privacy Commissioner for Nova Scotia
  • Ontario
      Act: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A
      Federal recognition: Health Information Custodians in the Province of Ontario Exemption Order, SOR/2005-399
      Provincial regulator: Office of the Information and Privacy Commissioner of Ontario
  • Quebec
      Act: An Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1
      Federal recognition: Organizations in the Province of Quebec Exemption Order, SOR/2003-374
      Provincial regulator: Commission d’accès à l’information
  • New Brunswick
      Act: Personal Health Information Privacy and Access Act, S.N.B. 2009, c. P-7.05
      Federal recognition: Personal Health Information Custodians in New Brunswick Exemption Order, SOR/2011-265
      Provincial regulator: Office of the Access to Information and Privacy Commissioner
  • Newfoundland and Labrador
      Act: Personal Health Information Act (PHIA), S.N.L. 2008, c. P-7.01
      Federal recognition: Personal Health Information Custodians in Newfoundland and Labrador Exemption Order, S.I./2012-72 (only in relation to personal health information custodians)
      Provincial regulator: Office of the Information and Privacy Commissioner of Newfoundland and Labrador

Development of personal privacy rights

Provincial statutes

The Civil Code of Quebec contains provisions governing privacy rights that can be enforced in the courts. [12] In addition, the following provinces have passed similar statutes:

All four Acts establish a limited right of action, whereby liability will only be found if the defendant acts wilfully (not a requirement in Manitoba) and without a claim of right. Moreover, the nature and degree of the plaintiff's privacy entitlement is circumscribed by what is "reasonable in the circumstances".

Evolution of the common law

In January 2012, the Ontario Court of Appeal declared that the common law in Canada recognizes a right to personal privacy, more specifically identified as a "tort of intrusion upon seclusion", [17] as well as considering that appropriation of personality is already recognized as a tort in Ontario law. [18] The ramifications of this decision are just beginning to be discussed. [19] [20]


References

  1. Holvast, Jan (2009). "History of Privacy". The Future of Identity in the Information Society. IFIP Advances in Information and Communication Technology. Vol. 298. pp. 13–42. doi:10.1007/978-3-642-03315-5_2. ISBN 978-3-642-03314-8. Retrieved 2018-11-15.
  2. "The Evolution of Canada's Privacy Laws - Privacy Commissioner of Canada". Archived from the original on 2006-08-15. Retrieved 2008-07-30.
  3. "Canadian charter of rights and freedoms". Archived from the original on 2006-10-20. Retrieved 2008-07-30.
  4. Government of Canada, Department of Justice, Electronic Communications (24 November 2005). "Department of Justice - THE OFFICES OF THE INFORMATION AND PRIVACY COMMISSIONERS: THE MERGER AND RELATED ISSUES". www.justice.gc.ca. Retrieved 2018-03-09.
  5. "R. v. Dyment - SCC Cases (Lexum)". scc-csc.lexum.com. January 2001. Retrieved 2018-03-09.
  6. "Privacy Act". https://laws-lois.justice.gc.ca/eng/acts/p-21/FullText.html
  7. "Access to Information Act". laws.justice.gc.ca. Archived from the original on 2001-04-08.
  8. "Freedom of Information and Protection of Privacy Act". gov.bc.ca. Archived from the original on 4 August 2008. Retrieved 18 January 2017.
  9. "Policy Proposals for PIPEDA Reform to Address Artificial Intelligence Report". November 2020.
  10. "Consumer Privacy Protection Act".
  11. "Personal Information Protection and Electronic Documents Act - an Unofficial Version of the Act - Privacy Commissioner of Canada". Archived from the original on 2009-02-28. Retrieved 2008-07-30.
  12. CCQ, ss. 3 and 35-37, as well as s. 5 of the Charter of Human Rights and Freedoms, R.S.Q. c. C-12
  13. Privacy Act, R.S.B.C. 1996 c. 373
  14. Privacy Act, R.S.S. 1978, c. P-24
  15. Privacy Act, R.S.M. 1987 c.P125
  16. Privacy Act, R.S.N. 1990, c.P-22
  17. Jones v. Tsige, 2012 ONCA 32, 2012-01-18
  18. Cathy Beagan Flood; Iris Fischer; Nicole Henderson; Pei Li. "Ontario Court of Appeal Recognizes New Privacy Tort". Blake, Cassels & Graydon. Archived from the original on 2012-11-03. Retrieved 2012-02-03.
  19. Rob Barrass; Lyndsay A. Wasser (January 2012). "seclusion intrusion: a common law tort for invasion of privacy". McMillan LLP. Archived from the original on 2012-11-08. Retrieved 2012-01-19.
  20. Kirk Makin (2012-01-19). "Ontario court paves way for victims of privacy intrusion to sue snoopers". The Globe and Mail. Retrieved 2012-01-20.