Sunday, January 02, 2005

Happy birthday to PIPEDA and Canadian privacy law

One year ago today -- after a long time of only reading others' blogs -- I launched "PIPEDA and Canadian Privacy Law", the blog you are presently reading. My first hope was that it would be a useful resource for lawyers and others who have an interest in privacy law, both in Canada and abroad. My second hope was that I would have the time and inclination to keep it going. According to Blogger, this will be posting number 431, which means I've managed to post, on average, more than once each of the 366 days it's been up and running. It has managed to keep my interest, and I hope it has done the same for its readers.

The last year has been a very busy one on the privacy front in Canada. On January 1, 2004, the federal privacy law came into full effect after being phased in over the period of 2001 - 2004. That has led to a huge change in how consumer privacy is dealt with in Canada. Also on January 1, 2004, British Columbia and Alberta privacy laws came into effect, though there was a significant overlap in jurisdiction before those laws were declared to be "substantially similar" to PIPEDA by the federal cabinet. More recently, Ontario has passed the Personal Health Information Protection Act, which began to regulate health information custodians in that province on November 1, 2004.

We've also seen consumer privacy hit the media in an unprecedented way, thanks to high-profile incidents involving the personal information of Canadians. Perhaps the highest profile was the CIBC faxing fiasco (PIPEDA and Canadian Privacy Law: Incident: Candian bank's internal faxes went to West Virginia for three years), followed by the discovery of reams of pesonal information of Alberta civil servants during a drug raid (PIPEDA and Canadian Privacy Law: Incident: Massive leak of personal information in Edmonton, Alberta).

The year 2004 was also notable for the new attention being paid to cross-border transfers of personal information, thanks to the investigation by the British Columbia Information and Privacy Commissioner into the effect of the USA PATRIOT Act on the privacy of British Columbians (PIPEDA and Canadian Privacy Law: Article: U.S. Patriot Act worries Privacy Commissioner), which begat a similar study by the Alberta Commissioner (PIPEDA and Canadian Privacy Law: Alberta Commissioner to conduct his own "PATRIOT ACT" outsourcing inquiry).

The courts have also had to deal with PIPEDA in various ways.

We also saw the Privacy Commissioner decline to investigate an alleged breach of PIPEDA because the company in question did not have a presence in Canada (see PIPEDA and Canadian Privacy Law: Jurisdictional limitations on Canadian privacy law). I hope this one is taken to the Federal Court, because so much is at stake in the closely integrated economies of North America.

This would have been an even bigger year on the privacy front if it weren't for the backlog at the Office of the Privacy Commissioner of Canada. Hundreds of complaints brought by consumers this year are still in the investigation process, most of which take many months to work their way through the office. In my own experience, most complaints are dealt with via written correspondence along with a huge lag in response times. (Even those that are urgent languish in someone's inbox for months.)

So that was the year 2004. I expect this new year will be even more fruitful as the law is applied in new settings and complaints wind their way through the system. And I plan to keep on blogging about it. Please feel free to comment on this post if you think I've missed something...

No comments: