Compliance ... without necessarily going out of business (PowerPoint PPT Presentation)

SLIDE 1

Compliance ... without necessarily going out of business

SLIDE 2
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Canadian federal legislation
  • Applies to the private sector
  • Supplements existing public sector privacy legislation
  • PIPEDA applies everywhere except:
    • Quebec
    • BC
    • Alberta

SLIDE 3
  • Quebec, BC and Alberta have their own provincial statutes that are similar to PIPEDA
  • Basic principle
    • Balance the need of the public for privacy with the need of business to do business

SLIDE 4
  • Now there is also Canada’s Anti-Spam Legislation (CASL)
  • sending of commercial electronic messages without consent
    • includes email, social networking accounts, and texts to cell phones
  • alteration of transmission data
    • results in message being sent to a different destination without consent

SLIDE 5
  • installation of computer programs without consent (malware)
  • misrepresentations online in the promotion of products or services
  • hacking to collect personal information
  • “address harvesting” and using the addresses without consent

SLIDE 6
  • CASL administered by a three-headed monster:
    • CRTC
    • Competition Bureau
    • Federal Privacy Commission

SLIDE 7
  • An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act

SLIDE 8
  • Any information that links to a person
    • Gender
    • Age
    • Address
    • Social Insurance Number
    • Health card number
    • Names of family members

SLIDE 9
    • Salary
    • Home phone
    • E-mail address
    • Driving record
    • Health information
    • Criminal record
    • Drug use
  • BUT NOT: Employee name, title, business phone or business address

SLIDE 10
  • Two kinds of personal information
    • Sensitive
    • Less sensitive
  • Less sensitive information causes less trouble
  • The right of privacy is the right to control access to one’s person and information about oneself.

SLIDE 11
  • Privacy law covers the collection (direct or indirect), use, retention and disclosure of personal information
  • Governed by ten privacy law principles

SLIDE 12
  • Accountability
  • Identify purposes
  • Consent
  • Limit collection
  • Limit use, disclosure and retention
  • Accuracy
  • Safeguards
  • Openness
  • Access
  • Challenging compliance

SLIDE 13
  • Directive 95/46/EC
  • On the protection of individuals with regard to the processing of personal data and on the free movement of such data
  • Designed to balance the needs of business and the needs of personal privacy

SLIDE 14
  • Directive 95/46/EC to be replaced by General Data Protection Regulation (GDPR)
  • Will extend the scope of EU data protection to all foreign companies processing EU data
  • Will harmonize data protection regulations throughout the EU

SLIDE 15
  • Easier for non-EU companies to comply
  • Will be a strict compliance regime with huge fines
  • Applies if the data controller / processor or data subject is based in EU (“long arm” law)

SLIDE 16
  • “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

SLIDE 17
  • Generally speaking, if you are compliant with Canadian privacy law, you will be compliant with EU privacy law, and vice versa
  • There are some notice provisions and administration that differ, but generally both laws are consistent and both recognize that business is global and that “Privacy By Design” must be followed and enforced

SLIDE 18

Don Johnston 416-865-3072