A. INTRODUCTION

Recent developments that have been made in the area of electronic commerce have provided consumers with many conveniences, but at the same time these developments have given rise to significant privacy concerns. Modern day conveniences that consumers enjoy, such as online banking, online trading and the use of Interac have enabled businesses to collect with relative ease the personal information of consumers without their specific knowledge or consent. In addition, the combination of e-commerce and the internet means that personal information collected can potentially be made available to a worldwide audience.

In response to these concerns, the Federal Government of Canada passed the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”) to inspire consumer confidence in e-commerce activities. Although PIPEDA initially was proclaimed into force in response to e-commerce concerns, the Act is actually broad and far reaching in that when fully implemented it will purport to regulate all collection, use and disclosure of personal information by organizations in the course of commercial activities, regardless of whether the personal information was obtained through or is even related to e-commerce.

B. OVERVIEW OF PIPEDA

The implementation and coming into force of PIPEDA is divided into three stages. On January 1, 2001, PIPEDA applied to personal information collected, used or disclosed in the course of commercial activities by federal works, undertakings and business. On January 1, 2002, the Act was extended to the collection, use or disclosure of personal health information by the same organizations already covered in Stage 1. Finally, on January 1, 2004, the Act will apply to every organization that collects, uses or discloses personal information, including personal health information, in the course of commercial activities.

PIPEDA is comprised of five parts, but only Part One deals with the protection of personal information in the private sector and will be the focus of this article’s discussion. Part One, in turn, is divided into five divisions: Division 1 outlines the rules for the collection, use and disclosure of personal information in the course of commercial activities; Division 2 deals with remedies; Division 3 deals with privacy audits; Division 4 deals with general matters; and Division 5 contains the Act’s transitional provisions.

The substantive portions of PIPEDA are not found in Part One of the Act, but can be found in Schedule 1 to the Act. The provisions of Schedule 1 of the Act, based on the Canadian Standards Association’s “Model Code for the Protection of Personal Information” (the “Model Code”), are the core of PIPEDA. The Model Code was designed to provide businesses with some minimal guidelines concerning the protection of personal information in their care and control.

C. DOES PIPEDA APPLY TO CHARITIES AND NON-PROFIT ORGANIZATIONS?

As mentioned above, beginning January 1, 2004, PIPEDA will apply to every organization that collects, uses or discloses personal information, including personal health information, in the course of commercial activities. Whether a charity or non-profit organization will be subject to PIPEDA depends on whether these organizations engage in the kind of commercial activities contemplated by the Act.

Commercial activity is defined broadly as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” Priscilla Platt, et al., in Privacy Law in the Private Sector – An Annotation of the Legislation in Canada, explain that the term commercial activity is not limited to businesses engaging in regular commercial activities, but also includes single isolated acts of commercial activities by non-commercial organizations. Therefore, charities or non-profit organizations engaging in commercial activities that are ancillary to its primary purposes may be subject to the Act to the extent that those commercial activities involve the collection, use or disclosure of personal information.

The definition of commercial activity also includes the phrase “conduct that is of a commercial character”. The listed examples of conduct that is of a commercial character – selling, bartering or leasing of donor, membership or other fundraising lists – sets out a guideline as to what other activities may be viewed as “conduct that is of a commercial character”. As the drafters of PIPEDA specifically used the word “includes”, it is presumed that they intended for the Act to cover any other conduct similar to those already listed.

Although the term commercial activity has also been judicially interpreted under other statutes, the courts have found it difficult to assign a clear-cut judicial definition to this term. In Windsor-Essex County Real Estate Board v. Windsor (City) (1974), 6 O.R. (2d) 21, the court held that “there is no doubt that an intention to make a profit will be a very important factor in determining whether an activity is a commercial activity, but the lack of it does not automatically prevent if from being so characterized.” (This decision was overruled on other grounds in Ontario (Regional Assessment Commission) v. Caisse Populaire de Hearst Ltee., (1983) 143 D.L.R. (3d) 590.) At this time, the scope of the term commercial activity is still under debate and will undoubtedly be subject to more judicial interpretation in the future.

Presently, it is generally agreed that the term commercial activity appears to cover for-profit activities. However, Priscilla Platt, et al explain that it is possible that the courts may broaden its interpretation to include any transaction that involves the exchange of consideration. Legal commentators have indicated that this position is supported by the fact that the definition of commercial activity includes “bartering”, which suggests that any transactions involving an exchange of consideration would be sufficient. Therefore, the cautious approach would be to assume that PIPEDA can apply to charities and non-profit organizations that collect, use or disclose personal information while carrying out some form of commercial activity.

D. EFFECT OF PIPEDA

If a charity or non-profit organization is deemed to be subject to PIPEDA, the Act will impose onerous, and time-consuming administrative costs on the organization. The Act requires organizations to comply with the 10 principles incorporated in Schedule 1 of the Act. As indicated above, Schedule 1 is based on the Canadian Standards Association’s “Model Code for the Protection of Personal Information”. In summary, Schedule 1 sets out the following 10 principles:

1. Accountability – An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
2. Identifying Purposes – The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent – The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
4. Limiting Collection - The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure, and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
6. Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness – An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access – Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance – An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

It is important to note that Schedule 1 contains both mandatory provisions and discretionary provisions. As all 10 principles use mandatory language through the word “shall”, an organization is obliged to comply with the principles. However, the subclauses within the 10 principles only use discretionary language through the word “should”; therefore, the subclauses are only recommendations and do not impose any obligations. However, an organization would be prudent to voluntarily follow the recommendations set out in the subclauses in light of the fact that section 11(1) of the Act allows an individual to file a complaint against an organization for contravening a mandatory obligation or for not following a recommendation set out in Schedule 1. It is clear that not only may the privacy Commissioner investigate an organization for breaches of the mandatory obligations but also for failure to follow discretionary recommendations.

E. CONSEQUENCES OF NON-COMPLIANCE

If an organization fails to comply with PIPEDA’s requirements in its data collection procedures, it can become subject to a complaint. As mentioned above, Division 2 of PIPEDA outlines the remedies available to an individual where it is alleged that an organization has contravened a requirement under Part I of the legislation. Section 11 (1) of PIPEDA provides that an individual may file a written complaint with the Commissioner alleging that an organization has either contravened a Division 1 provision, or a Schedule 1 recommendation. The Commissioner may also initiate a complaint if it is satisfied that there are reasonable grounds to investigate the matter (s. 11 (2)). Under s. 11 (4), the Commissioner must give notice to an organization if a complaint under PIPEDA has been filed against it.

The Commissioner must investigate all complaints as stipulated under s. 12(1) of PIPEDA, and has extensive powers by which to investigate complaints. These powers include:

• Summoning and enforcing the appearance of persons to give testimony before the Commissioner (s. 12 (1)(a));
• Administering oaths (s. 12(1)(b));
• Receiving and accepting any evidence, by oath, affidavit or otherwise, that the Commissioner deems fit, regardless of whether it would be admissible in court [Emphasis added] (s. 12 (1)(c));
• Enter any premises occupied by an organization, other than a dwelling house, at any reasonable time (s. 12 (1)(d));
• Converse in private with any person in any premises entered (s. 12(1)(e)); and
• Examine or obtain copies of or extracts of relevant materials found in any premises (s. 12 (1)(f)).

It is important to note that a Commissioner’s findings after investigating a complaint are not binding on an organization. Under sections 14 and 15 of PIPEDA, a complainant, including the Commissioner, after the Commissioner’s report has been issued, may apply for a court hearing to the Federal Court. Upon hearing the case, the Federal Court may give a number of remedies found in s. 16 of PIPEDA, including:

• An order that the organization correct its practices to comply with sections 5 to 10 of PIPEDA (s. 16 (a));
• An order that the organization publish a notice of any action taken or proposed to correct its practices (s. 16(b)); and
• An award of damages to the complainant, including damages for any humiliation that the complainant has suffered (s. 16(c)).

Section 28, under Division 4 of PIPEDA, outlines three statutory offences under which an organization can be charged, which include:

• knowingly contravening s. 8 (8) of the Act. Section 8 (8) stipulates that an organization has a duty to retain information until a requester’s recourses have been exhausted;
• knowingly contravening s. 27.1 of the Act. Section 27.1 prohibits employers from taking action against employees and independent contractors who, in good faith, report contraventions of PIPEDA to the Commissioner, or refuse to participate in activities which fail to comply with the legislation;
• obstructing the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit.

The three statutory offences listed above are punishable by summary conviction and a fine not exceeding $10 000 (s. 28 (a)), or by an indictable offence and a fine not exceeding $100 000 (s. 28 (b)). For charities and non-profit organizations, many of which have limited resources, paying a fine and/or being exposed to criminal conviction can be devastating to the organization’s reputation, financial health, and future existence.

F. CONCLUSION

On January 1, 2004, all organizations collecting, using and disclosing personal information throughout the course of their commercial activities must comply with PIPEDA. Therefore, any charity and non-profit organization engaging in such activities would be well-advised to take immediate steps to implement a sound privacy policy. A sound privacy policy will provide both structure to an organization’s information collection procedures, and protection from public complaints and criminal sanctions.