Privacy Legislation (UK, US & Canada)

Private

Public

Federal

Provincial

Federal

Provincial (PIPAs - 2004)
Exempt from PIPEDA
Cover PID / employment / non-commercial activity
Consent is a main driving principle for the PIPAs

US laws (no US law has been recognised as adequate by the EU)
IAPP's US State Privacy Tracker

Health Insurance Portability & Accountability Act (HIPAA) - 1996
Enforced by the Department of Health & Human Services' Office for Civil Rights

PIPEDA (Personal Information Protection & Electronic Documents Act) - only act in Canada that has been given adequacy by the EU
passed in 2001
10 Privacy Principles
OPC - can suggest improvements - needs to apply to court for enforcement

Municipal

AB PIPA (Alberta Personal Information Protection Act)

BC PIPA (British Columbia Personal Information Protection Act)

Digital Privacy Act (sub-section of PIPEDA)
PID processed via the internet
4 areas improved

Bill C-27 - Consumer Privacy Protection Act (CPPA)
(Digital Charter Implementation Act)
(will modify PIPEDA, implement new laws & strengthen privacy rights)
Introduced in 2022 & re-introduced in 2023
OPC may have the ability to fine organisations
3/5% - $10m/$25m penalties depending on the offense

Personal Information & Data Protection Tribunal Act (focused on privacy and data protection - address disputes related to privacy breaches and data handling)

Artificial Intelligence and Data Act (AIDA) (deals with artificial intelligence (AI) and data governance. It aims to set guidelines for responsible AI use, data transparency, and accountability)

Consumer Privacy Protection Act (CPPA) (replaces Part 1 of PIPEDA - governing statute for data privacy at the federal level)

10 Privacy Principles (Schedule 1):

Principle 1. Accountability (4.1)
Principle 2. Identifying purpose (4.2)
Principle 3. Consent (4.3)
Principle 4. Limiting collection (4.4)
Principle 5. Limiting use, disclosure & retention (4.5)
Principle 6. Accuracy (4.6)
Principle 7. Safeguards (4.7)
Principle 8. Openness (4.8)
Principle 9. Individual access (4.9)
Principle 10. Challenging compliance (4.10)

Note: Collection, Storage, Use & Disclosure/Communication of PID

Division 1.1 Breaches of Security Safeguards

OPC website allows investigation tool search against each CSA standard and complaint type

Quebec Act (passed 1994) "La Commission"
Civil Code Principles
Commercial activities
Labour unions
Lawyers
Physicians

Privacy Legislation Modernisation Act - Law 25 (adopted as Bill 64 by the Quebec National Assembly)
Closer to GDPR than PIPEDA

Canada's Anti-Spam Legislation (CASL) (toughest anti-spam law in the world)

  • Enforced by the Canadian Radio-Television & Telecommunications Commission
  • Relates to Commercial Electronic Messages (CEMs) & the installation of computer programs
  • Prohibits the unauthorised alteration of transmission data

Artificial Intelligence and Data Act (AIDA) - still to be approved by the government
Provide an account of the system
Inform individuals of any decisions that could have a significant impact on them
Required to provide individuals with explanations
Meet consumer protection and human rights requirements
An AI and Data Commissioner position will be created
Prohibit reckless and malicious uses of AI

Charter of Rights and Freedoms

Privacy Act (approved 1980s)
Imposes rules on the federal government
Gives the OPC the right to investigate the government

Parameters apply: consent, and the purpose for which the information was obtained
13 situations are provided in which consent would not be needed for disclosure or transfer


Openness: Government institutions must notify the Treasury Board Secretariat, via publication in Info Source, of personal information banks and classes of PID annually

Right to Access: 30 days for a response

Retention: 2 years from the last activity/use (decision-making process) unless consent from the individual to dispose of it earlier / an access to information request has been received & the individual has had an opportunity to exercise their rights

Privacy Impact Assessments:
Treasury Board - Directive of PIAs

Access to Information Act

Freedom of Information and Protection of Privacy Act (FIPPA)

Request copies of public information held by ministries and the Office of the Premier OR
Obtain their PID from public institutions

OPC
Complaints
Investigations
Recommendations
Federal Court
Compliance Audits

PIPEDA
(includes Health data )

Privacy Act
(includes Health data)

FIPPA

FIPs

CASL

AIDA

PIPAs

Quebec Law

Law 25

Digital Privacy Act

Bill C-27

PHIPAs

Genetic Non-Discrimination Act

Children's Online Privacy Protection Act (COPPA) - 1998
Enforced by the Federal Trade Commission (FTC)

Privacy Act - 1974
Enforced by the federal government

Gramm-Leach-Bliley Act (GLBA) - 1999
No single entity enforces this act

Fair Credit Reporting Act (FCRA) - 1970
Enforced by Federal Trade Commission (FTC)

CCPA (California Consumer Privacy Act)
(effective 2020)

Privacy policies & procedures:

Create confidentiality agreements for employees and service providers.

Develop and implement privacy policies that outline how personal information will be handled.

Access to Information Act

EU GDPR
(adopted 2016 - effective 2018)
UK GDPR

All businesses

Duties of data controllers or processors (DPIAs & DSAs)

pseudonymisation

ROPA (article 30)

security of personal data (article 32)

Data Protection Officer (articles 37-39)

Controllers & processors (articles 24 - 43)

DPIAs (article 35)

Transfers of personal data to third countries (articles 44 - 50)

Supervisory authorities (articles 51 - 59)

Rights of data subjects (DSARs)

Articles 12 -23

right of access (article 15)

rectification (article 16)

erasure ('right to be forgotten') (article 17)

restriction of processing (articles 18 & 19)

notification of rectification, erasure or restriction (article 19)

data portability (article 20)

information to be provided where data has not been obtained from the data subject (article 14)

information to be provided where data is collected from the data subject (article 13)

transparency (article 12)

automated decision-making (AI) (article 22)

right to object (article 21)

restrictions (article 23)

Cooperation among member states (articles 60 - 76)

Articles 6 & 9

legal basis

9.2 (i) Public health

9.2 (j) archiving purposes (scientific/historical)

9.2 (e) made public by the data subject

9.2 (b) employment and social security

9.2 (f) legal claims / courts judicial capacity

6.1 (f) & 9.2 (d) legitimate interest

6.1(a) & 9.2 (a) consent (article 7 & 8)

6.1 (e) & 9.2 (g) & 9.2 (h) public interest/public duty/authority/health

6.1(b) contractual obligations

6.1 (d) & 9.2 (c) vital interests

6.1(c) legal obligations

Remedies, liability & penalties (articles 77 - 84)

7 principles
(Article 5)

Accuracy

Storage limitation

Data minimisation

Integrity and confidentiality (security)

Purpose limitation

Accountability

Lawfulness, fairness and transparency

Liability or penalties for breach of rights (Personal - 10m euros / 2% - Sensitive - 20m euros / 4%)

Miscellaneous final provisions (articles 94 - 99)

Provisions relating to specific processing situations (articles 85 - 91)

Delegated acts and implementing acts (articles 92 - 93)

ICO (Information Commissioner's Office)