"The latest news in the global power and energy industry..."
New Account

The Magazine

Issue 2

This is a short description of the magazine.

E-magazine
  • Previous Issues

Blog

Daniel C. Jones
Editor


Canadian Information Privacy Laws: Key Facts that US-Based Companies Need to Know

In recent years, Canada has become a place of interest for US-based energy companies looking to expand their businesses. Canada is a dynamic market for new generation construction, green energy resources, smart metering, conservation, and energy marketing. Many US-based companies in the energy sector are now setting up shop in Canada.

Information privacy is an important aspect of doing business in Canada. In recent years, the collection and use of personal information (e.g., name, address, energy consumption data, etc.) by companies in the course of their business activities has come under intense scrutiny. Information privacy legislation has been enacted in Canada just as it has in the US. When a foreign company enters the Canadian market, there are a number of important aspects of Canada’s information privacy policy that must be understood in order to successfully operate in Canada.

In this article, we provide an overview of the Canadian information privacy landscape, including legal and cultural issues, and how they impact the operations of US-based businesses that seek to do business in Canada. This information is particularly relevant to those companies that deal directly with individual consumers, and collect and manage their personal data, such as energy marketers.

Canadian Privacy and Personal Information Protection Landscape

Canadian individuals are protected by federal and, in some locations, provincial privacy legislation. At a federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information for almost all private sector corporations doing business in Canada. Some of the provinces, notably Québec, Alberta, and British Columbia, have enacted their own private sector privacy legislation. These provincial-level protections have been deemed 'substantially similar' to the federal PIPEDA, and can therefore supplant PIPEDA in those provinces. In all other provinces and territories, PIPEDA is now the privacy law of general application in the private sector.

PIPEDA requires compliance with the ten “fair information management principles” of the “Model Code for the Protection of Personal Information” formed by the Canadian Standards Association. The principles reflect those described in the Organization for Economic Cooperation and Development’s (OECD’s) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which Canada adopted in 1984. The ten principles result in a substantial list of requirements that an organization must satisfy in order to be compliant, and meeting these requirements has resulted in significant and ongoing efforts for affected organizations in Canada.

Oversight of PIPEDA rests with the Privacy Commissioner of Canada, an office that can audit the privacy practices of organizations suspected of a breach of PIPEDA. The Commissioner has the power to investigate complaints of non-compliance. Those that are upheld may be referred to the Federal Court of Canada, which has wide remedial authority, including the ability to award damages to a plaintiff. At the provincial level, those provinces with 'substantially similar' privacy legislation have their own privacy offices and commissioners, each with their own ability to investigate complaints and, in some cases, to issue binding compliance orders. Individuals also generally have the right to launch court proceedings to claim damages under the various federal or provincial privacy legislations.

Differences from US Information Privacy Legislation

Canadian privacy law is more closely aligned with the highly protective European Union stance as enacted by the 1995 EU Data Privacy Directive, than with the 'sectoral' systems in the US, in which privacy legislation is enacted industry-by-industry (e.g., the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act), and for which national security tends to trump the rights of individuals where personal data protection is concerned.

There are also distinct cultural differences in the way Canadians and Americans view data privacy issues. According to a report provided to the US Department of Homeland Security by the Office of the Privacy Commissioner of Canada, Canadians are more suspicious about government infringement of their privacy rights in the name of national security than their US counterparts. This concern is reflected in the general public approval of the federal and provincial privacy legislation in Canada.

Practical Considerations for Doing Business in Canada

Any organization seeking to do business in Canada must comply with current privacy laws. In practical terms, most of the actions a business must take stem from the first and most fundamental requirement of PIPEDA, that of accountability. A member of the management team must be appointed as the company's Privacy Officer. Management must support the company's privacy activities and policies in a meaningful way. Under the direction of the Privacy Officer, a privacy policy must be created that adheres to the basic principles of PIPEDA, and the organization's employees must be trained to respect this policy. The policy must describe what types of personal information are collected; how the organization collects, uses and discloses personal information, as well as the organization's purposes for doing so; how to gain access to personal information held by the organization; and how to reach the Privacy Officer and make an inquiry or complaint about the organization's privacy practices. A set of controls and systems must be in place to support the company's privacy policies.

The subjects of the data being collected must be informed of the reasons for their personal information being collected, and their consent must be obtained for the collection, use or disclosure of their information. Generally, this means that any vehicle through which an individual provides personal information to the company (contracts, websites, etc.) will require an information disclosure and consent clause. Interestingly, PIPEDA forbids a company from making the provision of a service conditional on the individual's consent to use their personal information.

PIPEDA contains a broad set of personal information management practices. These include limits on internal and collateral use of personal information, and requirements to use technology-based and physical safeguards to protect against unauthorized access, theft or alteration of the information. PIPEDA also gives individuals a right to access personal information held by an organization and to challenge its accuracy. Individuals have a right to complain and seek redress for breaches of the ten privacy principles contained in the privacy code.

The Canadian Privacy Commissioner may require an organization to perform a Privacy Impact Assessment (PIA) or Privacy Audit in order to assess the organization's level of data protection compliance and to identify gaps within its data protection practices. In the case of a US-based business, a cross-border PIA can be conducted as part of an initial privacy review and on an ongoing basis as new services or business partners are under consideration. These audits, while rare, can be time consuming and expensive.

One very important consequence of Canadian privacy legislation relates to the outsourcing and offshoring of data processing and data management infrastructure. The cultural considerations mentioned earlier are very relevant when considering cross-border information flow from Canada to the US, in particular where such data is subject to access under anti-terrorism provisions in the USA PATRIOT Act. Such concerns exist even when the data remains in Canada, but is managed by a US-controlled entity. In such circumstances, companies need to disclose to the Canadians whose information is being collected and managed that their personal information may be accessible by US law enforcement agencies. In order to mitigate any issues raised by sending personal information offshore, many companies operating in Canada use Canadian-based service providers to store and access their data entirely within Canada.

US-Based Companies’ Experience in Entering Canada

The privacy law-related experience of US-based companies entering Canadian markets has been mixed, and depends to some degree on the scope of the endeavor, the structure and location of the Canadian organization, the location of the Canadian data, and last but certainly not least, how publicly visible the business's activities are. An often cited example of the extent to which a US company may go in order to conduct business in Canada is that of the government of the province of British Columbia's (BC) move to outsource the processing of health records and services to a US-based company (see Note 1). This initiative led to a privacy concern-driven public outcry, with the local government union forcing the provincial privacy commissioner to conduct an inquiry into the matter. Eight months and five hundred submissions later, the commissioner's report triggered substantial changes to the provincial privacy legislation, and eventually led to the government placing stringent contractual conditions around the outsourcer's operations in BC. These conditions and protections include requirements that all IT infrastructure and storage be located in Canada, and that the outsourcer form a Canadian subsidiary with only the employees of that company having access to the Canadian data. Furthermore, under the terms of the agreement, the board of directors of the new subsidiary must be Canadian citizens resident in BC, the shares of the company must be held in trust by a BC trust company, and in the event of even an anticipated privacy breach, ownership of the shares may be immediately and permanently transferred to the provincial government.

This is clearly a major contractual obligation for any company, and obviously represents the more onerous end of the scale in a politically sensitive sector (health care and personal health records). However, for smaller operations, even those not directly linked to Canadian provincial or federal governments, the same principles apply with respect to locating data and employees (or service providers) in Canada, and to employing strict privacy-related contractual terms.

Privacy Law Perspective on Personal Information of Canadians Stored and/or Accessed Outside Canada

One of the most significant issues driving changes to privacy legislation in Canada is that of cross-border information flow from Canada to the US, in particular where such data is subject to access under anti-terrorism provisions in the USA PATRIOT Act. Such concerns exist even when the data resides in Canada but is managed by a US-controlled organization. In response to public concerns about potential threats to privacy arising under the USA PATRIOT Act, the provinces of Quebec, Alberta and Nova Scotia have proposed amendments to their public sector privacy legislation. These amendments would prohibit public sector bodies from allowing service providers to access or store personal information transferred to them in the course of providing services from or in a location outside Canada without consent from each individual. The proposed amendments would also require service providers to notify Canadians of all demands for access to their personal information from a foreign jurisdiction. The privacy community is anticipating that the province of Ontario will introduce its own made-in-Ontario privacy legislation covering the private sector at some point in the future. It is expected that any such legislation would contain provisions similar to the amendments described above. With the growing public awareness and concern about the confidentiality of personal data, it is safe to assume that any such privacy legislation will be progressively more stringent than existing laws, especially as it relates to cross-border outsourcing.

While these measures, to date, apply to public sector organizations only, provincial and federal privacy commissioners have stated their desire to extend these measures to private sector privacy legislation.

In summary, it can be expected that at the federal and provincial levels, private and public sector privacy laws will be introduced or amended to strengthen the privacy protection afforded to Canadian customers of a US-based company by imposing restrictions on the storage and access of Canadian data outside of Canada. It is essential to remember that while data can be outsourced, liability cannot.

Further information on this topic

US-based energy companies can find more information about the Canadian information privacy landscape by visiting The SPi Group’s website at http://www.thespigroup.com.

About the company:

The SPi Group Inc. (SPi) is a Toronto-based provider of products and services to the energy industry. SPi's technology portfolio includes a secure, reliable and auditable data transport solution, and a wide variety of billing and settlement solutions, based on portable and open standards. SPi was instrumental in the successful opening of the Ontario electricity market and is currently the primary provider of EBT hub services in Ontario, serving over 85% of the total market. SPi also provides the most widely deployed billing and settlement solution for energy retailers within Ontario.

Note 1:

