THE INTRODUCTION of computers and email into the workplace and everyday life has dramatically increased the information available to employers, regulators and litigants. Often this information is confidential or of a personal nature. This puts into conflict the obligation to disclose information and the obligation to keep private information confidential.
It is interesting to see how different jurisdictions have chosen to resolve this conflict. The European Union has produced a Data Protection Directive (1) that has been implemented, in varying degrees, in its member states. The EU Directive broadly defines "personal data" to mean "any information relating to an identified or identifiable person". Each member state has considered how best to integrate and implement that directive in their nation. The survey of French data privacy laws, in particular, provides an example of the pitfalls that United States corporations may face in complying with United States law in the face of the EU Directive.
Common law counties such as Canada and New Zealand have also had to deal with the conflict between broad obligations of disclosure and personal and private confidentiality concerns. In Canada, there are ongoing changes to disclosure rules in many of the provinces the goal of which is limiting the traditionally broad disclosure obligations. Further, statutes have been enacted such as the Personal Information Protection and Electronic Documents Act, (2) to provide guidelines for the production of confidential information.
Similarly, New Zealand has enacted the Privacy Act 1993 to establish the parameters for the collection, handling and use of personal information. In both Canada and New Zealand, there is the development of the common law concept of a tort of invasion of privacy.
It is fascinating to compare how the various jurisdictions have handled this complex and sensitive issue. I thank each of the contributors for their thoughtful and useful essays.
Canada is a federal country and as a result has a patchwork of privacy and data protection laws governing the collection, use, and disclosure of personal information. However, most legislation defers to the court process. Recent changes to rules of civil procedure which limit the scope of discovery, including e- discovery show a trend away from the broad disclosure law obligations for disclosure to a proportional principle of discovery. (3) The current privacy laws in Canada generally exempt disclosure in a legal proceeding, including electronic documents, from statutory restrictions. (4)
Under the Personal Information Protection and Electronic Documents Act, information may be collected and used without consent in investigating a breach of an agreement or a contravention of law. (5) Section 7(3)(c) allows information to be disclosed without consent if the disclosure is required to comply with rules of court relating to the production of records or a court order. (6) Under Section 8(8), if the organization has the personal information that is being requested, it must retain the information for as long as necessary to allow the individual to exhaust any recourse that they may have to obtain the information. (7) The Personal Information Protection Acts includes a broad exemption for litigation discovery. Section 3(4) expressly states that it "does not limit the information available by law to a party to a proceeding."
The courts have upheld Sections 7(3)(c) and 8(8) of PIPEDA as to third-- party internet service providers in BMG v. Doe, stating that "... ISPs are not entitled to 'voluntarily' disclose personal information such as the identities requested except with the customer's consent or pursuant to a court order." (9) Practically speaking, a third-party organization who is requested to hand over personal information would probably request a court order before doing so.
PIPEDA's approach to litigation differs slightly from similar legislation in British Columbia, Alberta, and Quebec. …