Privacy Legislation (UK, US & Canada)
Private
Public
Federal
Provincial
Federal
Provincial
(PIPAs - 2004)
Exempts from PIPEDA
PID/Employment/Non-Commercial
Consent is a main driving principle for the PIPAs
US laws (no official laws seen as adequate)
IAPP's US State Privacy Tracker
Health Insurance Portability & Accountability Act (HIPAA) - 1996
Enforced by the Health & Human Services' Office for Civil Rights
PIPEDA (Personal Information Protection & Electronic Documents Act) - only act in Canada that has been given adequacy by the EU
passed in 2001
10 Privacy Principles
OPC - can suggest improvements - needs to apply to court for enforcement
Municipal
AB PIPA (Alberta Personal Information Protection Act)
BC PIPA (British Columbia Personal Information Protection Act)
Digital Privacy Act (sub-section of PIPEDA)
PID processed via the internet
4 areas improved
Bill C-27 - Consumer Privacy Protection Act (CCPA)
(Digital Charter Implementation Act)
(will modify PIPEDA & implement new laws to strengthen privacy rights)
Introduced in 2022 & re-introduced in 2023
OPC may have the ability to fine organisations
3/5% - $10m/$25m penalties depending on the offense
Personal Information & Data Protection Tribunal Act (focused on privacy and data protection - address disputes related to privacy breaches and data handling)
Artificial Intelligence and Data Act (AIDA) (deals with artificial intelligence (AI) and data governance. It aims to set guidelines for responsible AI use, data transparency, and accountability)
Consumer Privacy Protection Act (CCPA) (replaces Part 1 of PIPEDA - governing statute for data privacy at the federal level)
10 Privacy Principles (Schedule 1):
Principle 1. Accountability (4.1)
Principle 2. Identifying purpose (4.2)
Principle 3. Consent (4.3)
Principle 4. Limiting collection (4.4)
Principle 5. Limiting use, disclosure & retention (4.5)
Principle 6. Accuracy (4.6)
Principle 7. Safeguards (4.7)
Principle 8. Openness (4.8)
Principle 9. Individual access (4.9)
Principle 10. Challenging compliance (4.10)
Note: Collection, Storage, Use & Disclosure/Communication of PID
Division 1.1 Breaches of Security Safeguards
OPC website allows investigation tool search against each CSA standard and complaint type
Quebec Act (passed 1994) "La Commission"
Civil Code Principles
Commercial activities
Labour unions
Lawyers
Physicians
The Privacy Legislation Modernisation Act Law 25 (Bill 64 adopted) Quebec National Assembly
Closer to GDPR than PIPEDA
Canada's Anti-Spam Legislation (CASL) (toughest anti-spam law in the world)
- Enforced by the Canadian Radio-Television & Telecommunications Commission
- Relates to Commercial Electronic Messages (CEMs) & computer-installed programs
- Prohibits the unauthorised alteration of transmission data
Artificial Intelligence and Data Act (AIDA) - still to be approved by the government
Provide an account for the system
Inform individuals of any decisions that could have a significant impact
Required to provide individuals with explanations
Meet consumer protection and human rights
AI and Data Commissioners position will be created
Prohibit reckless and malicious uses of AI
Charter of Rights and Freedoms
Privacy Act (approved 1980s)
Imposes rules on the federal government
Gives the OPC the right to investigate the government
There are parameters - consent, purpose obtained
13 situations provided for situations where consent would not be needed for disclosure or transfer
Openness: Government institutions must notify the Treasury Board Secretariat via the publication in Info Source of personal information banks and classes of PID annually
Right to Access: 30 days for a response
Retention: 2 years from the last activity/use (decision making process) unless consent from the individual to dispose of earlier / access to information has been received & the individual has had an opportunity to exercise their rights
Privacy Impact Assessments: Treasury Board - Directive of PIAs
Access to Information Act
Freedom of Information and Protection of Privacy Act (FIPPA)
Request copies of public information held by ministries and the Office of the Premiers OR
Obtain their PID from public institutions
OPC
Complaints
Investigations
Recommendations
Federal Court
Compliance Audits
PIPEDA
(includes Health data )
Privacy Act
(includes Health data)
FIPPA
FIPs
CASL
AIDA
PIPAs
Quebec Law
Law 25
Digital Privacy Act
Bill C-27
PHIPAs
PHIPAs
Genetic Non-Discrimination Act
Children's Online Privacy Protection Act (COPPA) - 1998
Enforced by the Federal Trade Commission (FTC)
Privacy Act - 1974
Enforced by the federal government
Gramm-Leach-Bliley Act (GLBA) - 1999
No single entity enforced this act
Fair Credit Reporting Act (FCRA) - 1970
Enforced by Federal Trade Commission (FTC)
CCPA (California Consumer Privacy Act)
(effective 2020)
Data privacy impact assessment: OPC guidance (https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/gd_exp_202003/)
Privacy policies & procedures:
Organisational commitment: Appoint Privacy Officer & Team (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/gl_acc_201204/)
Create confidentiality agreements for employees and service providers.
Develop and implement privacy policies that outline how personal information will be handled.
Access to Information Act
EU GDPR
(adopted 2016 - effective 2018)
UK GDPR
All businesses
Duties of data
controllers or processors
(DPIAs & DSAs)
pseudonymisation
ROPA (article 30)
security of personal data (article 32)
Data Protection Officer (articles 37-39)
Controllers & processors (articles 24 - 43)
DPIAs (article 35)
Transfers of personal data to third countries (articles 44 - 50)
Supervisory authorities (articles 51 - 59)
Rights of data subjects
(DSARs)
Articles 12 -23
right of access (article 15)
rectification (article 16)
erasure ('right to be forgotten') (article 17)
restriction of processing (article 18 & 19)
rectification or erasure (article 19)
data portability (article 20)
not been obtained from the data subject (article 14)
collected from data subject (article 13)
transparency (article 12)
automated decision-making (AI) (article 22)
right to object (article 21)
restrictions (article 23)
Cooperation among member states (articles 60 - 76)
Articles 6 & 9
legal basis
9.2 (i) Public health
9.2 (j) archiving purposes (scientific/historical)
9.2 (e) made public by the data subject
9.2 (b) employment and social security
9.2 (f) legal claims / courts judicial capacity
6.1 (f) & 9.2 (d) legitimate interest
6.1(a) & 9.2 (a) consent (article 7 & 8)
6.1 (e) & 9.2 (g) & 9.2 (h) public interest/public duty/authority/health
6.1(b) contractual obligations
6.1 (d) & 9.2 (c) vital interests
6.1(c) legal obligations
Remedies, liability & penalties (articles 77 - 84)
7 principles
(Article 5)
Accuracy
Storage limitation
Data minimisation
Integrity and confidentiality (security)
Purpose limitation
Accountability
Lawfulness, fairness and transparency
Liability or penalties for breach of rights (Personal - 10m euros / 2% - Sensitive - 20m euros / 4%)
Miscellaneous final provisions (article 94 - 99)
Provisions relating to specific processing situations (articles 85 - 91)
Delegated acts and implementing acts (article 92 - 93)
ICO (Information Commissioner's Office)