Monday, February 28, 2022

Video: What are privacy policies for in Canada?

New on my YouTube Channel.

Today I am going to be talking about what privacy policies are really for under Canadian privacy laws.

They are everywhere – on every website – seldom read. But their purpose in Canada is a little misunderstood.

I am going to limit this discussion to Canada’s current federal private sector privacy law, called the Personal Information Protection and Electronic Documents Act or PIPEDA. But most of my comments would be applicable for the “substantially similar” laws in British Columbia and Alberta.

I think most people who follow this sort of stuff know that Canadian private sector privacy law is based on consent – knowledgeable informed consent. There’s often an assumption that the “knowledgeable” and “informed” parts come from people reading privacy policies.

That’s not the way it usually works, however. I think we all know that people seldom read privacy policies. At least based on my own informal polling of my students, fewer people are actually reading privacy policies than ever before.

Let’s look at what the Act actually says about consent. To be informed consent, you have to look at principles 2 and 3 (which are taken from the Canadian Standards Association Model Code for the Protection of Personal Information).

Getting Consent

Principle 2 says

“The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.”

It then goes on and says

“The identified purposes should be specified at or before the time of collection … to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.”

It does not say that it should be simply set out in a privacy policy.

Principle 3 – Consent

Principle 3 is about consent. It says simply

“The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”

We can ignore the “except where inappropriate” part because all the exceptions are enumerated in section 7 of the Act.

Principle 3 then goes on and says

“The principle requires “knowledge and consent”.

Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.

To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.”

Again, it does not say just throw it in the privacy policy.

So you’re really only confident that you have adequate consent if you are confident the individual has actually been apprised of the purposes for the collection, use or disclosure of their personal information.

In most cases, you can’t be confident that any particular visitor to your website has scrolled to the bottom and has even seen the link to a privacy policy, let alone clicked on one.

In some cases, however, you could use the privacy policy to “identify purposes”. That would be if you require a new visitor, or someone who is just creating a new account, to read and acknowledge the privacy policy. In that case, you have made the effort to bring all the purposes to the user’s attention.

In other cases, you might give users clear notice that your privacy policy has been updated, and either make them review it or at least tell them to do so.

So if a privacy policy in Canada isn’t for getting consent, what is it for?

Principle 8 – Openness

To find out, we have to flip forward to the 8th principle, entitled “Openness”.

Spoiler alert – privacy policies in Canada are about being open and transparent. They should also be where you go for answers to any privacy-related questions.

Let’s read Principle 8, starting with the main principle:

“An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”

It doesn’t come right out and say “thou shalt have a privacy policy”, but it essentially means that.

Subprinciple 8.1 says:

“Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.”

Be open about what you do with personal information. Make it really easy to find and make it easy to understand.

There’s then a list of all the additional things that an organization must have in a privacy policy:

The information made available shall include

(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;

This essentially means the contact information for the organization’s privacy officer. It doesn’t have to name them, but there has to be a way to reach that person if there are any complaints or any questions.

(b) the means of gaining access to personal information held by the organization;

In Canada, individuals have a right of access to their personal information, subject to some limitations. This means you have to let individuals know about this right and how to exercise it.

I’ll likely do a full video soon on data subject access rights in Canada.

(c) a description of the type of personal information held by the organization, including a general account of its use;

You have to say what information you collect and how you use it.

(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and

This essentially says you have to have a privacy policy to communicate all this information.

(e) what personal information is made available to related organizations (e.g., subsidiaries).

If you share information between related companies, you should call this out here.

Also, the Privacy Commissioner of Canada says that the privacy policy should include information on whether personal information is stored outside of Canada.

Who reads privacy policies?

In my experience, there are only three categories of readers.

Regulators, who want to make sure you have a mature privacy program.

People with questions about the handling of their personal information.

People with concerns or complaints about the handling of their personal information.

Privacy policies should be written with these audiences in mind.

So at the end of the day, what are privacy policies for?

At the very least, they are so you can say you’ve complied with Principle 8.

But what else? It should serve as a reference for anyone who has any questions or concerns about how an organization handles personal information.

Someone reading it should be able to get a handle on what information the organization collects, understand how it is used and know who to contact with any questions or concerns.

Tuesday, February 22, 2022

Video: Cross-border data flows for Canada

New on my YouTube Channel.

In today's video, I am going to talk about the mosaic of privacy laws that we have in Canada and what they have to say about cross-border data transfers.

First, I will talk about public sector privacy laws with two particular examples coming from British Columbia and Nova Scotia.

Then I will talk about Canada’s private sector privacy laws, in particular PIPEDA and the substantially similar laws in Alberta and British Columbia. I will also briefly discuss the new Quebec privacy statute.

Finally, I will touch on various provincial health privacy laws that also have provisions that relate to cross-border data flows.

What Canadian privacy laws

Canada is a federal country and jurisdiction as it relates to privacy is divided between the provinces and the federal government.

We also have three general varieties of privacy laws:

Those that regulate the collection, use and disclosure of personal information by the public sector – which includes governments, government agencies and other organizations like universities and school boards.

We have a separate category of privacy laws that regulate the private, non-government sector.

Because healthcare in Canada is a mix of public and private, a number of provinces have developed health privacy laws to ensure uniform treatment of personal health information regardless of whether it’s at a doctor’s office or in a hospital.

Public sector privacy laws

One area in Canada that does not have any gaps in privacy regulation is the public sector. Each federal, provincial and territorial jurisdiction has a public sector privacy law that regulates the collection, use and disclosure of personal information by government and government agencies.

One thing that they all have in common is an obligation to protect and safeguard all personal information against a range of risks, including unauthorized disclosure. Very few of them directly address cross border data flows.

Privacy Act

In the federal jurisdiction, we have the Privacy Act, which regulates federal government institutions.

The Privacy Act does not address cross-border transfers or disclosures of personal information.

Instead, the federal Treasury Board has created guidelines regarding outsourcing that affects personal information.

These guidelines do not prohibit the storage of personal information outside of Canada, but instead impose an assessment to determine whether, in the circumstances, it is appropriate to use a particular service that may result in personal information being stored outside of Canada or accessed from outside of Canada.

FIPPA (British Columbia)

In 2004, the British Columbia Freedom of Information and Protection of Privacy Act was amended to essentially prohibit the province’s government from allowing personal information to be stored outside of Canada or accessed from outside of Canada.

This was because of a large-scale union campaign that latched onto privacy and fear of the USA PATRIOT Act to oppose government outsourcing of IT services.

These prohibitions were finally removed in 2021, likely driven by the need of governments, universities and school boards to use more modern cloud technologies to support work from home during the pandemic.

The replacement provisions anticipate the government to pass regulations about cross-border data transfers, but we have not seen those yet.

PIIDPA (Nova Scotia)

In 2006, Nova Scotia followed British Columbia in strictly limiting cross-border data flows when it passed the Personal Information International Disclosure Protection Act, also known as “PIIDPA”.

What PIIDPA contains is a general prohibition against storage or access outside of Canada for public bodies in Nova Scotia. This includes public bodies in the health sector.

PIIDPA is not as draconian as the British Columbia law because it does permit the “head of the public body” to authorize the storage or access outside of Canada if it is for the public body’s necessary operations.

The public body also has to make a report of the decision to the minister of justice, which is then made public.

PIIDPA also imposes specific obligations on all service providers of public bodies.

Foreign demands for disclosure

The most significant – but maybe less known – obligation imposed on service providers relates to “foreign demands for disclosure”. These are warrants, subpoenas and court orders by a foreign authority for records, as long as there is a penalty for non-compliance.

It is unlawful for a service provider to provide the data, and the public body or its service provider must give written notice of the demand to the Nova Scotia Minister of Justice.

Then what? I don’t know. Presumably there would be some government-to-government communications.

Foreign demands under other laws

Every privacy law in Canada permits disclosures without consent where the disclosure is required by law. Some include examples like warrants, subpoenas, litigation document discovery and the like.

None of them specify “where required by CANADIAN law”, but that is a reasonable presumption.

These laws, other than PIIDPA, don’t make it an offence, but such a disclosure would still not be permitted.

But at the same time, the Office of the Privacy Commissioner of Canada has been clear that if information is stored outside of Canada, it becomes subject to the laws of the place where it is stored. That’s a risk that needs to be taken into account in any contracting decision.

Private sector privacy laws

For most of the private sector in Canada, there are no rules that prohibit cross-border data transfers but there are rules that come into play.

Each private sector privacy law requires that the original “controller” makes sure that there are adequate safeguards to protect personal information.

The original controller has to use contractual terms to make sure that any contractors implement those safeguards.

Jurisdiction may affect whether safeguards can be adequately assured.

Disclosures by the organization or its contractors in response to a “foreign demand for disclosure” may be unlawful. Any organization dealing with something like this should immediately seek experienced legal advice.

Alberta’s Personal Information Protection Act

Alberta’s Personal Information Protection Act specifically addresses giving people notice about cross-border data transfers.

Specifically, the law requires policies and procedures that include the countries in which the collection, use, disclosure or storage is occurring or may occur, and the purposes for which the service provider has been authorized to collect, use or disclose personal information for or on behalf of the organization.

Because this information has to be made available upon request, it should be included in an organization’s public-facing privacy policy.

The Privacy Commissioner of Canada recommends this as well for PIPEDA.

Quebec’s Bill 64

In the past year, Quebec has significantly updated its private sector privacy law, including provisions that specifically address cross-border data transfers.

These new provisions come into effect on September 22, 2023.

When the Quebec provisions come into effect, they will require a process similar to a data transfer impact assessment under the European GDPR.

Before storing personal information outside of Quebec, the organization will need to carry out a privacy impact assessment, sometimes referred to as a PIA.

Then the organization will need to carry out an analysis of whether there will be “adequate” protection of the personal information when transferred outside of the province.

Finally, there needs to be a written agreement with the service provider that mitigates any risk identified in the PIA and ensures that personal information will be adequately protected.

Health privacy laws

Health privacy laws are a specific kind of privacy law in Canada, which cross over the private sector (doctors’ offices, pharmacies and physiotherapists) and the public sector (health authorities and public hospitals).

Most health privacy laws in Canada prohibit disclosures of personal health information outside of Canada unless there is consent from the individual. Some similarly prohibit disclosures outside of the province.

But most people who practice in this space, and some regulators I’ve spoken to, say that a transfer for processing is not a disclosure for the purposes of this prohibition.

What’s the reality on the ground?

Many people still believe that cross-border transfers are prohibited in Canada, which is likely the result of the publicity around the prohibitions added to the British Columbia public sector law years ago.

The only province that significantly limits cross-border transfers is Nova Scotia, for the public sector in that province.

We still see requests for proposals from both the public and the private sectors that require data residency in Canada.

When this happens in the public sector, this is likely in violation of international trade agreements.