Well folks, it seems we hit a rare "slow" privacy news week in Canada.
The House of Commons of Canada StandingCommitteeon Industry and Technology, which has been doing its clause-by-clause review of Bill C-27, didn't hold a single meeting this week. Aside from Quebec's anonymization regulation becoming law, not much was making the privacy news rounds.
So, I will take this opportunity to write about something that has been in the back of my mind for a while now: The myth that Canada's private-sector privacy laws are "substantially similar."
For those not aware, this term comes from the Personal Information Protection and Electronic Documents Act. It allows the federal Cabinet to issue an order that PIPEDA will not apply to organizations or certain activities within a province when that province has passed substantially similar legislation.
Several orders have been passed regarding provincial health privacy laws. Orders have also been passed regarding Alberta, British Columbia and Quebec’s general private-sector privacy laws. It's these last three laws and PIPEDA that I want to touch on.
It's easy to get lulled into thinking that because these provincial laws have been deemed "substantially similar" then advice or practices meant to comply with PIPEDA are sufficient to comply with the provincial laws and vice-versa. As the saying goes, what’s good for the goose is good for the gander. All these laws are based on the same 10 privacy principles after all.
Dig a little deeper, however, and the façade quickly crumbles.
Aside from the obvious differences in Quebec's law, other notable differences appear when comparing exceptions to consent under each of these laws. If you're an organization with operations across Canada, the circumstances under which you're permitted to collect, use or disclose personal information without consent can be vastly different depending on whether PIPEDA or one of its three "substantially similar" counterparts applies. This is extremely relevant for investigations and even has implications for handling personal information in emergencies.
This is not to mention the disparity in enforcement powers at the federal and provincial levels, which, if it ever passes, Bill C-27 would close.
As the next generation of Canadian privacy laws are introduced, it would be nice to see more consistency across the board, so our privacy laws live up to their "substantially similar" label. On that note, Alberta's Standing Committee on Resource Stewardship invited written submissions for its review of the province’s Personal Information Protection Act.
And if you're hungry for some good privacy reading and watching during a slow news week, I invite you to check out David Fraser's recent post and video on an important Ontario court decision affecting legal privilege in data breaches and David Young's overview of the Supreme Court of Canada’s R. v. Bykovets decision.