Just two days before key phases of Canada's national privacy law, the Personal Information Protection and Electronic Documents Act PIPEDA), went into effect January 1, the Quebec Court of Appeal cleared the way for the province's attorney general to contest the constitutional validity of the law.
PIPEDA applies to businesses and provincial commercial activities, governing how businesses manage and protect customer information. The law is meant to protect the private information that consumers give to companies in the course of doing business. It imposes significant restrictions on the collection, use, and disclosure of personal information nationwide unless a province enacts its own "substantially similar" privacy legislation.
Similar provincial legislation has so far been introduced in British Columbia, Alberta, and Quebec, whose private-sector privacy law has been in place since 1993 and was recently deemed substantially similar to PIPEDA by the federal cabinet. Ontario, which failed to introduce its own private-sector privacy legislation in 2003, is under the jurisdiction of the federal law until an acceptable provincial equivalent is passed sometime this year.
Ann Cavoukian, Ontario's information and privacy commissioner, told the Toronto Star that Quebec's constitutional challenge is "unfortunate" because it came just days before the most important phase of the federal law went into effect. "If anything, this will create greater uncertainty and confusion," she said.
PIPEDA's path has been fraught with challenges and criticism, and not just in Quebec. The federal law--introduced in 2000 but until recently limited in application to federally regulated companies such as airlines, banks, and telecommunications providers--requires every Canadian business to appoint a privacy officer or contact person and implement systems to ensure customer information is secure, accurate, collected with appropriate consent, and not used beyond a specific stated purpose. Businesses that do not follow the law can be taken to court or publicly exposed.
PIPEDA proponent Michael Geist, the Canada research chair in Internet and e-commerce at the University of Ottawa and technology counsel for law firm Osler Hoskin & Harcourt LLP, says maintaining a federal privacy law is essential "because the provincial mish mash of laws that would fill the void would create uncertainty and costs for the business and privacy communities." Without PIPEDA, he says, provincial alternatives that may potentially conflict would magnify costs and create uncertainty for large and small businesses.
The Canadian business community has long supported a national privacy standard, in part because dealing with one federal privacy law is much preferred to the alternative: complying with dozens of provincial laws. At a Senate committee hearing on PIPEDA, the Canadian Chamber of Commerce stated that the business community views a coordinated national framework as essential. The Information Technology Association of Canada lauded the government for showing initiative in attempting to create a uniform law applying to all companies, regardless of their location. At the same hearing, the Canadian Association of Internet Providers emphasized "the importance of having uniform legislation, if not between Canada and the rest of the world, certainly within Canada ... Allowing each jurisdiction to tailor additional laws could create a patchwork of legislation that effectively would prevent electronic commerce from crossing provincial borders."
In addition, without PIPEDA, doing business with the world would be challenging for Canadian companies. The European Union allows its member countries to share personal customer information only with other nations that meet the EU's privacy standards. PIPEDA received the EU's seal of approval in 2002, meaning Canada meets those standards now, but a successful court challenge against the federal law could lead to a "data blockage" between Canada and the European Union that could stifle overseas e-commerce, experts contend. …