When I teach my students about Canada's Personal Information Protection and Electronic Documents Act, I must always start by talking about the federal government's constitutional limitations in legislating privacy.
Because of the separation of powers in our 1867 Constitution, the federal government can regulate privacy only in as much as it is implicated in trade and commerce (although it also has the power to regulate employee privacy among industries that are federally regulated — known as federal work, undertakings and businesses. So news this week that Privacy Commissioner of Canada Philippe Dufresne initiated an investigation into the Montreal-based World Anti-Doping Agency raises some interesting issues some privacy pros may not know about.
The WADA is funded by various organizing sports entities that want to eliminate or deter an athletes' use of prohibited drugs — or hormones or the like. These organizations are all around the world. They are global, which means that when the WADA examines an athlete's blood or urine sample, they are collecting and processing the personal information of athletes from other countries. There is clearly some transborder data flow.
In the EU, they have long said — since 1995, but even more stringently in 2018 with the adoption of the EU General Data Protection Regulation — that the personal information of residents in the EU can only be transferred to other countries if those countries were deemed adequate. Shortly after the passage of the PIPEDA, the European Commission reluctantly, and with caveats, agreed to declare that if an organization was subject to the PIPEDA, it would be seen as being in an adequate jurisdiction, allowing the flow of information to Canadian organizations subject to that law. You already know this part.
But, because the PIPEDA is restricted constitutionally to only regulating organizations involved in commercial activity (the trade and commerce restriction), the WADA fell outside the law's purview. No one really wanted the WADA to have to move out of its Montreal headquarters to meet the EU privacy restriction requiring organizations to be subject to the PIPEDA, so WADA asked an exception be created that would specifically make the law applicable to them — even if they weren't conducting commercial activity.
Anyway, that's the Cole's Notes version of why that noncommercial entity is actually subject to the PIPEDA, something you might have been wondering with this week's announcement. For the privacy-nerds, like me, who want to know the section of the PIPEDA that allows this, it's 4(1.1). You know, it's not the first time the Office of the Privacy Commissioner has investigated the WADA. There's a case summary about a 2016 breach that was published in 2018.
I guess the whole point of the story is that if you are an athlete, don't take illegal substances; and if you're an organization not subject to PIPEDA — be careful what you ask for.
Kris Klein, CIPP/C, CIPM, FIP, is the managing director in Canada for the IAPP.