The Federal Court this week said the Privacy Commissioner’s jurisdiction includes Canadian privacy infractions by American companies, and that a complaint her office previously rejected as being off-limits should be investigated.
The ruling was sparked by a complaint submitted three years ago to the Office of the Privacy Commissioner by the Canadian Internet Policy and Public Interest Clinic’s executive director, Philippa Lawson. Her assistant had come across a Web site, Abika.com (part of Accusearch Inc.), that, according to the judgment, purported to provide background checks, psychological profiles, e-mail traces, unlisted and cell phone numbers, licence plate numbers, and criminal records on individuals, including Canadians.
“It was pretty obvious that it was a complete violation of Canadian privacy laws,” said Lawson.
After poring over the Personal Information Protection and Electronic Documents Act (PIPEDA), the Privacy Commissioner, through Assistant Privacy Commissioner Heather Black, declined to investigate the complaint because, she was told, the Privacy Commissioner had no jurisdiction in the United States, even when it came to Canadians’ personal information. These reasons included the Office’s lack of “requisite legislative authority to exercise our powers outside of Canada,” the Web site’s not providing its Canadian-based sources, and no substantial factors connecting the company to Canada.
Lawson said that she was shocked that the Privacy Commissioner didn’t think that she had any right to take on a privacy case coming out of the U.S., because, Lawson said, “it was obvious that she did.”
Privacy and information security consultant and lawyer Fazila Nurani, founder of Toronto-based PrivaTech Consulting, said that the Privacy Commissioner might have refrained from embarking on an investigation because of implications down the line. “They don’t have the resources to deal with American infractions on Canadians’ information privacy and all kinds of complaints from God-knows-where,” she said.
Since it wasn’t spelled out in PIPEDA, the judicial review, conducted by Justice Sean Harrington, relied on statutory interpretation and case law. “There are lots of gray areas in PIPEDA,” said Nurani.
According to Lawson, “There was nothing that said she didn’t have jurisdiction.”
Harrington used the Act’s integral purpose as a starting point. In an early section, PIPEDA sets out “to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use, and disclosure of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the needs of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
From there, Harrington needed to determine whether the aforementioned “organizations” included American ones. A 2004 decision in a case between the Canadian Association of Internet Providers and the Society of Composers, Authors and Music Publishers of Canada was the precedent cited to show that the U.S. is included in the Privacy Commissioner’s jurisdiction. That case, concerning music copyright on the Internet, included the statement that, “national practice confirms that either the country of transmission or the country of reception may take jurisdiction over a ‘communication’ link to its territory.”
A PIPEDA statute also compels the Privacy Commissioner to investigate each legitimate complaint. Thus, according to the judgment, “PIPEDA gives the Privacy Commissioner jurisdiction to investigate complaints relating to the trans-border flow of personal information… The matter is returned to the Office of the Privacy Commissioner to be investigated in accordance with the reasons given.”
Nurani attributed the importance of the judgment to the emphasis it places on there being an investigation in the first place, even if there is little content to go on. “It’s better to start the investigation than to cut it off before you begin,” said Nurani.
“This decision is very important,” said Lawson. “It states quite clearly that the Privacy Commissioner is not restrained from investigating cross-border data transfers.”
A spokesperson from the Office of the Privacy Commissioner, Anne-Marie Hayden, said that the Privacy Commissioner needs time to digest the judgment. But, for now, said Hayden, “We will take guidance from the court. We’re very pleased with the decision that gives us the jurisdiction to investigate the matter. The issues surrounding data flow are important to this Office.”
While Lawson acknowledged that this is a “very important first step,” the hands of the Privacy Commissioner, who does not have order-making powers, continue to be tied. “She can recommend that they stop doing it if it is determined by her that they are violating Canadian law,” she said.
But, said Nurani, even if an American company could ignore a Canadian order without penalty, complainants could seek the assistance of the American courts and ask them to issue an order. “Then they’re obligated to comply,” said Nurani.