Monday, December 13, 2010

Privacy and Data Protection Laws in Canada

Garrie and Wong (2010) state that “users of social networking sites (SNS) and platforms are realising that their personal information, given for what was believed to be a “limited purpose”, has been hijacked, sold, repackaged, misused, abused and otherwise laid bare to the world”. It is therefore imperative that the government establish data protection frameworks to protect the personal information of its citizens.
On a federal level, Canada has two privacy laws: the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. On a provincial level, laws such as The Personal Health Information Protection Act (Ontario), Freedom of Information and Protection of Privacy Act (Ontario), The Personal Information Protection Act (Alberta) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec) were declared by the federal Governor.
PIPEDA applies to private and public sector organisations “who collect, use or disclose personal information in the course of commercial activities” (Treasury Board of Canada Secretariat, 2003). The act, which became law in 2004, is divided into five parts and covers information about an identifiable individual, including personal health information. The act establishes ground rules for the collection, exchange and disclosure of the information it covers. The Office of the Privacy Commissioner of Canada (2005) summarizes PIPEDA as follows:
  • If your business wants to collect, use or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
  • You can use or disclose people's personal information only for the purpose for which they gave consent.
  • Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.
  • Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.
  • There's oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people's rights are violated.
The main difference between PIPEDA and the Privacy Act is that PIPEDA is a consent-based act, meaning that you must have consent to collect, use or disclose information. The Privacy Act is authority-based, meaning that you must ensure that you have the legal authority to collect, use or disclose information (Treasury Board of Canada Secretariat, 2003).
While the majority of legislative bodies are still in the game of “catch up” (Garrie and Wong, 2010), the Office of the Privacy Commissioner of Canada (OPCC) is proactively looking into technologies, and uses of those technologies, that raise potential privacy concerns. For example, a number of studies have been conducted to identify privacy issues related to the use of RFID and Street Imaging technology (i.e. Google Earth), as well as the use of credit card numbers and social networking sites. Furthermore, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint against Facebook Inc. for non-compliance with PIPEDA. According to Denham (2009), the central issue in the investigation was “whether Facebook was providing a sufficient knowledge basis for meaningful consent by documenting purposes for collecting, using, or disclosing personal information and bringing such purposes to individuals’ attention in a reasonably direct and transparent way”.
In addition, Kong (2010) notes that “after assessing the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the European Commission deems the transfer of data to Canadian transferees subject to this Act legal”, which results in additional business opportunities between the EU and Canada.

Bibliography

  • Austin, Lisa M. 2006. "Reviewing PIPEDA: Control, Privacy and the Limits of Fair Information Practices." Canadian Business Law Journal 44, no. 1: 21-53. Business Source Premier, EBSCOhost (accessed December 12, 2010).
  • Daniel B. Garrie and Rebecca Wong (2010), Social networking: opening the floodgates to "personal data". Computer and Telecommunications Law Review 2010, 16(6), p167-175.
  • Elizabeth Denham (2009), Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act [online]. Office of Privacy Commissioner of Canada. Available from: http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm (accessed December 12, 2010).
  • Lingjie Kong (2010), Data protection and transborder data flow in the European and global context. European Journal of International Law 2010, 21(2), p441-456.
  • Office of the Privacy Commissioner of Canada (2005), Complying with the Personal Information Protection and Electronic Documents Act [online]. Available from: http://www.priv.gc.ca/fs-fi/02_05_d_16_e.cfm (accessed December 12, 2010).
  • Office of the Privacy Commissioner of Canada (2006), RFID Technology [online]. Available from: http://www.priv.gc.ca/fs-fi/02_05_d_28_e.cfm (accessed December 12, 2010).
  • Office of the Privacy Commissioner of Canada (2009), Captured on Camera - Street-level imaging technology, the Internet and you [online]. Available from: http://www.priv.gc.ca/fs-fi/02_05_d_39_prov_e.cfm (accessed December 12, 2010).
  • Office of the Privacy Commissioner of Canada (2009), Truncated Credit Card Numbers - Why stores should print only partial credit card information on customer receipts [online]. Available from: http://www.priv.gc.ca/fs-fi/02_05_d_44_tcc_e.cfm (accessed December 12, 2010).
  • Rivkin, Jennifer. 2005. "What's a Pipeda?." Profit 24, no. 2: 11. Business Source Premier, EBSCOhost (accessed December 12, 2010).
  • Treasury Board of Canada Secretariat (2003), Personal Information Protection and Electronic Documents Act [online]. Available from: http://www.tbs-sct.gc.ca/pgol-pged/piatp-pfefvp/course1/mod2/mod2-3-eng.asp (accessed December 12, 2010).
