Explained: Canadian Data Privacy Laws in Easy Terms
2 years ago
Canada is one of the few countries across the world that consider data privacy as a serious business.
Be it a small startup or a large corporation, federal and provincial governments never show mercy if anyone violates Canadian data privacy laws.
There are many victims of Canadian privacy legislation who either have paid a hefty fine or stopped their business operation in Canada.
One most recent victim is Clearview.
News release: Clearview AI’s unlawful practices represented mass surveillance of Canadians, commissioners say https://t.co/LI4AQBh0jm pic.twitter.com/ViuVocoIqw— OPC (@PrivacyPrivee) February 3, 2021
Clearview vs Privacy Commissioners: The Entire Incident
Clearview is a New York-based technology company that offers facial recognition software.
The top customers of the Clearview software are private companies, law enforcement agencies, universities and individuals.
Clearview allows its customers to know the details of individuals by uploading just an image of that person.
In this way, it stores many crucial and confidential biometric information of the individuals.
It is a great technology - unless the purpose of using Clearview facial recognition is right.
Several police forces in Canada including Royal Canadian Mounted Police are using it.
Privacy commissioners in action:
After initial complaints and reports, the federal privacy commissioner, and privacy commissioners of Alberta, British Columbia and Quebec launched the inquiry against Clearview.
They wanted to examine whether Clearview follows the applicable Canadian privacy laws and whether it collects, uses and discloses personal information according to laws.
More specifically, privacy commissioners sought to investigate:
- Whether Clearview obtains the consent of individuals before collecting, using and sharing personal information.
- Whether Clearview collects, uses and discloses personal information for an appropriate reason.
- Whether Clearview had reported the creation of a database of biometric characteristics.
What did Clearview do wrong or unlawful?
- Clearview collected the personal information of the users without asking for their permission.
- Clearview collected personal information from publicly available websites. (However, Clearview claimed that the consent requirement does not apply to information gathered from publicly available websites. But, they were wrong. Under PIPEDA (federal law), PIPA (Alberta law), PIPA (B.C. law), Quebec’s privacy law, there is no such exception.
- Clearview collected, used and shared the information for the wrong purpose. (It is collecting information to provide service to its customers.)
Clearview in its defence:
Clearview made the following points in its defence which however were all rejected by privacy commissioners.
- PIPEDA does not apply to us (Clearview), as none of our activities originally take place in Canada.
- Not many Canadians would have used our services.
- None of the provincial privacy laws applicable to us (Clearview) as we did not collect, use or disclose personal information within the provinces of Alberta, Quebec or British Columbia, but rather in the United States.
Penalties to Clearview:
Privacy commissioners told Clearview that they could order or recommend to:
- Stop its service offering in Canada.
- Stop the collection, usage and disclosure of Canadians’ personal information.
- Delete database that contains the collected information of the Canadians.
#AnOpinion: What made Clearview the victim of Canadian data privacy laws?
It is clearly visible that Clearview misunderstood the privacy laws requirements. It in fact gave a cold shoulder to provincial privacy laws.
Understand the Structure of Canadian Data Privacy Laws
Well, it is complicated and confusing. Thus many companies can’t be compliant with privacy laws even after putting in much effort.
In Canada, there are major 5 types of privacy laws.
- Public sector privacy law applicable at the federal level
The Privacy Act - is the single act that applies to all personal information collected, used and shared by the federal government of Canada and its ministries.
- Private sector privacy law applicable at the federal level
PIPEDA is one such law that applies to information collected, used and shared by the private sector within Canada.
- Public sector privacy laws applicable at the provincial level
All major provinces in Canada have their own dedicated laws that apply to the public sector within that particular province. For instance, FOIP in Alberta and FIPPA & MFIPPA in Ontario.
- Private sector privacy laws applicable at the provincial level
All major provinces in Canada have their own dedicated laws that apply to the private sector within that particular province. For instance, PIPA in Alberta, PIPA in B.C.
There are some provinces including Ontario that do not have dedicated private sector law. In such a province, you have to follow PIPEDA - federal level privacy law for the private sector.
- Industry-wise laws applicable at the provincial level
One industry that is highly regulated in Canada is the healthcare industry. Major Canadian provinces including Alberta and Ontario have dedicated privacy laws for healthcare such as PHIPA in Ontario and HIA in Alberta.
You should also read our other useful resources:
The Most Challenging Part is: Many Sub-Requirements of Each Requirement of Each Law!
Yes, each privacy law includes several hundred requirements that you must adhere to.
However, there are some requirements that size as much as another law.
For instance, the HIA (Health Information Act) of Alberta has one requirement called PIA (Privacy Impact Assessment) under its section 64.
To be compliant with HIA, PIA is one of the requirements that you have to meet.
But to meet the PIA requirement, you have to meet many sub-requirements of PIA.
This makes it very challenging to address all requirements of the law and be compliant with it.
The situation gets worse when there are multiple laws applying to your organization.
Confused About Where to Start to Be Compliant With Privacy Laws? Follow These Simple Steps
Before we move ahead, understand the fact that privacy laws in Canada are applicable to entire organizations including staff, business partners, apps, servers, software or any digital system.
Thus, your compliance strategy should be based on several fronts such as internal stakeholders, external stakeholders, internal digital systems and external digital systems.
You can also divide the regulations of law into technical, business and operational regulations.
The following are important steps that will help you.
- Know which privacy laws apply to you.
- Read and understand each and every requirement of those laws.
- Prioritize requirements as not all requirements are mandatory.
- List out the steps you have to execute to address each requirement.
- Document each and every step that directly influences compliance.
- Have a dedicated resource that only looks after the compliance readiness of your organization.
- Make sure your business partners are also privacy laws compliant.
- Carry out a compliance audit on a regular basis.
Still, Confused? Talk to Our Local Compliance Experts
We’re an Ontario-based team of Compliance experts - working with a simple vision to let businesses focus on business - not on legal challenges.
Being a Canadian company, we know the gravity of Canadian privacy legislation for all Canadian organizations.
We offer comprehensive compliance consulting for any federal and provincial privacy law.
With our technical team, we even help organizations implement compliance regulations for mobile apps, software, websites and any digital system.
We have also mastered PIA and TRA which respectively reveal privacy vulnerabilities in an organization and in the apps, software, websites.
Our CEO himself leads our compliance team.
And thus, only our most experienced team will be working for you to solve your compliance-related challenges.