Wednesday, August 18, 2004

Report from the CBA in Winnipeg

I just returned from a very good few days at the Canadian Bar Association’s annual get-together in Winnipeg, Manitoba. There were quite a few privacy-related events during the two-day substantive program.

The first event was more administrative than anything. It was the meeting of the CBA Privacy Law subsection. The meeting was chaired by Brian Bowman, the section secretary who is also a privacy lawyer at Pitblado in Winnipeg. We reviewed the privacy-related resolutions passed by the CBA general meeting and the extensive activity undertaken by the section during its first year. (I’m told that it has an unprecedented level of activity for a brand-new section.) The next year should be just as busy.

David Young, who chairs the Advocacy and Government Relations subsection, led a discussion of the contribution that can be made when the Personal Information Protection and Electronic Documents Act (Canada) comes up for full review in 2006. I expect there will be no shortage of suggestions. Ann Goldsmith, legal counsel to the Office of the Privacy Commissioner, mentioned they have many suggestions already, with deemed consent for due diligence review in the course of sales of businesses near the top of their list.

Cross-border privacy issues

The second event was also on Monday: a panel discussion of cross-border privacy issues. Moderated by David Young of Lang Michener, the panel was composed of Simon Chester of McMillan Binch, Evelyn Sullen of Volkswagen of America Inc. and me. The presentation that I gave is available here and I’ll try to get permission to post Simon and Evelyn’s PowerPoints.

Simon Chester began with a presentation on European privacy law, using three European women as illustrations of the law’s development and enforcement: (a) Bodil Lindqvist, (b) Naomi Campbell (see Campbell v. MGN Limited, [2004] UKHL 22) and (c) Princess Caroline of Monaco. The first example demonstrates how some authorities in Europe are being much more aggressive in enforcing the Data Protection Directive, including against clearly non-commercial and “domestic” use of personal information. The latter two examples show how the balance between privacy and freedom of the press is moving clearly towards privacy in Europe. (We will not likely see any of the Campbell/Caroline examples in Canada soon, as PIPEDA specifically does not apply to information collected for “artistic, literary or journalistic purposes”. Any similar complaints against paparazzi will have to be grounded in the independent tort of “invasion of privacy”, which is being slowly developed in the Canadian provinces that do not have a statutory tort.) Interested readers should take a look at Simon's comprehensive paper, which is available here.

Evelyn’s presentation included an overview of the sectoral laws in the United States (COPPA, HIPAA, GLB, etc.) and a look at Volkswagen USA’s experience in addressing PIPEDA and the European privacy rules. It was estimated that VW spent about $500K in complying with PIPEDA, including postage for sending a “grandfathering/opt-out” letter to all customers in their database.

One of the questions posed was whether to adopt a fragmented privacy management system within an international company or to try to develop a policy that complies with all legal regimes in which the company operates. Much of what was discussed in the international context is also applicable within the Canadian federal system. We are dealing with a number of privacy regimes in this country, including the present 100% overlap between federal and provincial laws in Alberta and British Columbia. (I am told that the Order-in-Council to declare AB and BC’s laws “substantially similar” to PIPEDA is on the agenda for the next meeting of the federal cabinet.) We also have an interesting overlap in the health privacy arena. Alberta, Saskatchewan and Manitoba each have provincial health information laws and none of them are expected to be declared substantially similar. This means that physicians in private practice, who are engaged in “commercial activities”, must comply with PIPEDA and with the local health information law. In most cases, the healthcare professionals can design their programs to comply with the most demanding individual rules and principles. In some cases, this is not possible, as some contradictions may appear between the laws.

Update on Canada’s Privacy Laws

On Tuesday, Brian Bowman moderated a panel of representatives from various privacy commissioners’ offices. On the panel were Heather Black, Assistant Privacy Commissioner of Canada; Brian Loukidelis, Information and Privacy Commissioner from British Columbia; Barry Tuckett, Manitoba’s Ombudsman; and Mary O'Donoghue, legal counsel to the Information and Privacy Commissioner of Ontario. Each of the panelists gave an update on developments in their respective jurisdictions, beginning with Heather Black’s overview of the roll-out of PIPEDA. Heather made an interesting distinction between systemic and more accidental violations of PIPEDA. Systemic violations are those which demonstrate a systemic problem, such as a lack of awareness, policies or procedures. Accidental ones are simply where a company’s established – and otherwise compliant – procedures and policies are not followed, resulting in a breach. Both are problems, but the balance of complaints is leaning further away from systemic breaches. Heather also mentioned that the number of complaints that are “well founded” has declined (to the end of 2003) to around 20% from 45% a couple of years before.

Mary O'Donoghue, from the Ontario Information and Privacy Commissioner’s Office, provided a very good and brief overview of the Personal Health Information Protection Act, 2004.

At the moment, I’m a little jetlagged. I’ll try to write more about the conference when I’ve got a few more minutes and once I’ve heard back from my co-panellists about posting their materials.
