Canada's Data Protection Act Becomes Law
The new legislation, which is widely supported by both business and consumer groups, establishes rules that govern the collection, use and disclosure of personal information in the private sector.
Royal Assent was granted April 13, and the act comes into force Jan. 1, 2001. An exception has been made for health-related companies, which have two years to prepare.
The law is designed to help Canada meet the European Union's new data protection standards. At present, the province of Quebec is the only jurisdiction in North America with a private sector data protection law that meets the EU requirements.
Business groups began lobbying for federal privacy legislation in 1995 based on the idea that Canadians would otherwise lack confidence in electronic commerce.
The legislation, which also gives the force of law to contracts signed with electronic signatures, was the result of a lengthy process of negotiations between privacy advocates and the marketing industry.
It was expected the bill would become law last year, but the Senate delayed passage when it amended the legislation to impose a two-year moratorium on its implementation for the healthcare industry.
The Senate was responding to the arguments of privacy advocates who felt the bill did not protect patients. Practitioners and healthcare information providers, on the other hand, worried it would cripple research efforts that rely on such information.
Richard Rosenberg, vice president of Electronic Frontier Canada Inc., a privacy advocacy group, said he and others argued from the beginning that the bill was stacked in favor of business because it doesn't, in all cases, require companies to obtain positive-option consent from consumers before data can be collected.
Positive-option consent is required in only cases of sensitive information such as financial and health-related data.
Rosenberg, a professor of computer science at the University of British Columbia, said the guiding principle of the legislation "should have been positive opt-in consent."
He added that technology, which is constantly being developed, will "soon render the legislation obsolete."
Most mainstream Canadian advertisers will hardly notice the bill when it's implemented. That's because the Canadian Marketing Association's Code of Ethics covers most of the points contained in the legislation.
In a speech earlier this year to the Canadian Bar Association, Privacy Commissioner Bruce Phillips said, "This bill represents a great leap forward.
"It will require business to respect a code of fair information practice requiring individual consent for the collection, use and disclosure of personal information."
Under the act, the federal Privacy Commissioner is given statutory authority to investigate complaints, issue reports and conduct audits. As a last resort, the act provides recourse to the Federal Court and empowers the court to award damages.
To see the law in full, visit the Privacy Commission Web site at www.privcom.gc.ca. The following points present some of the act's key elements:
* The act provides new rights when personal information is collected, used or disclosed for commercial purposes.
* The purpose of data collection should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing.
* The act contains a "primacy clause," meaning the law takes precedence over subsequent laws, unless those laws specifically state otherwise.