Defining Privacy
A critical investigation of Canadian political discourse

Privacy

2.1 Privacy Legislation in Canada

Canadian privacy protection has been described by Finestone as a patchwork garden full of weeds (26). This description comes from a 1997 report by the Standing Committee on Human Rights and the Status of Persons with Disabilities that investigated the past and future of privacy legislation in Canada. Her rationale for the statement still rings true in the almost 20 years that have passed since the report was published. Canada’s federal nature, with divisions of power and responsibility split between the provincial and federal governments, has led to a patchwork of privacy protection that suffers from a lack of enforcement and scope (25-26). At the time the report was written, the only specific federal privacy legislation in Canada was the Privacy Act. This legislation, still in force today, only protects the privacy of personal information held by federal government departments and agencies. Privacy laws concerned with personal information held by non-government organizations, namely businesses, currently exist, but the patchwork metaphor still applies.

This section will examine and describe Canadian federal privacy legislation, specifically the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). While some provinces have their own privacy laws, those documents are beyond the scope of this investigation. This section will also briefly cover international agreements to which Canada is a signee, as well as the Canadian Charter of Rights and Freedoms.

International Agreements

Universal Declaration of Human Rights (UDHR) In 1948 the Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly. The aftermath of WWII brought human rights to the forefront of issues important to all societies at an international scale (Finestone 23, Schabas 407). Article 12 of the Declaration states that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation” and that “everyone has the right to the protection of the law against such interference or attacks”. The UDHR clearly establishes privacy as a fundamental right for all people.

International Covenant on Civil and Political Rights (ICCPR)

In 1976 Canada acceded to the International Covenant on Civil and Political Rights (ICCPR). Article 17 of the Covenant, adopted by the United Nations General Assembly in 1966, has a provision identical to Article 12 of the UDHR mandating the right to privacy and freedom from unlawful interference and attacks. These documents, specifically UDHR, were instrumental in guiding the creation of the Canadian Charter of Rights and Freedoms (Schabas 405).

Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

In 1980, the Organisation for Economic Co-operation and Development (OECD) released a set of guidelines for the protection of privacy and transborder flows of personal data (McIsaac, Shields, and Klein 5.1.1). Their objective was to “ensure that all international data flows were not completely blocked by protective measures taken nationally….and to harmonise the data protection practices of member countries by establishing some minimum standards for handling personal information” (Finestone 26). Twenty-three countries joined with Canada to adhere to the guidelines, passing information privacy laws in accordance with the principles. Both the Privacy Act and PIPEDA were influenced by this adherence (Finestone 26; McIsaac, Shields, and Klein 1.3.3). The countries that have agreed to enact the OECD principles are known as ‘Member countries’.

The guidelines themselves are voluntary, and consist of basic principles that apply to the protection of personal information at both the national and international level. The nationally applicable principles are: collection limitation; data quality; purpose specification; use limitation; security safeguards; openness; individual participation; and accountability (McIsaac, Shields, and Klein 5.1.1). The guidelines refer to the individual or organization collecting the data as the ‘data collector’, while the individual whose personal information is being collected is called the ‘data subject’.

Collection limitation means that the collection of personal data should be subject to limits and collected in a lawful and fair manner with the consent of the data subject (OECD Guidelines 14). Data quality refers to the relevance and accuracy of the data collection, meaning that only data specific to the purpose of use should be collected, and that it should be kept up-to-date (15). Purpose specification means that the purpose of the data collection should be understood by the data collector and the data subject at the time of collection, and that the subsequent use of the data be limited to that initial purpose (15). Use limitation means that the data should not be disclosed or made available for purposes other than the initial reason for collection, unless the data subject has consented, or under the authority of the law (15). Security safeguards imply that data should be reasonably protected against loss, unauthorized access, destruction, use, disclosure, or modification (15). Openness refers to the practice of making the practices and policies of data protection legislation or laws publicly available, as well as the ability to establish the existence, nature, and purpose of the data being collected (15). Individual participation concerns data subjects and their ability to confirm the existence of their own personal data, as well as the means to access and control that data (16). Finally, accountability refers to the data controller, and their responsibility to comply with the above principles (16).

The international principles are focused on co-operation between nations regarding transborder exchanges of data, including that Member countries consider the national and international implications for data processing and export; ensuring that data can flow in a secure and uninterrupted manner between Member countries; that Member countries ensure that data flows are unrestricted when regulated appropriately; and, that Member countries refrain from passing legislation that create unnecessary obstacles to data flow (OECD Guidelines 16-17; McIsaac, Shields, and Klein 5.1.1).

These principles, specifically the ones that apply at the national level, have been influential in the design of public and private sector privacy legislation in Canada, as evinced by the language present in both pieces of legislation. The descriptions of the general principles of the OECD guidelines are instructive of the meanings in the related sections of both the Privacy Act and PIPEDA.

Canadian Legislation

Canadian Charter of Rights and Freedoms

In 1982 the Canadian Charter of Rights and Freedoms came into force as Part I of the Constitution Act, which itself was enacted as Schedule B to the Canada Act, 1982 (note 80 at page 53). The Charter does not specifically include privacy as a right. Despite this, the courts in Canada have consistently interpreted Sections 7 and 8 as guarding against unreasonable privacy invasions (Finestone 24). Section 7 provides for the “right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice” and s. 8 states that “everyone has the right to be secure against unreasonable search or seizure”.

Section 8 is listed as the second of eight legal rights in the Charter, and while it is not specifically framed as being ‘free’ from something, it has been interpreted by the courts as a ‘right to be free’ from unreasonable search and seizure (Bailey 284). The term ‘unreasonable’ is important here, as the courts must decide where the line between a reasonable search and an unreasonable search lies (Bailey 284). In order for a citizen to understand their rights within the Charter, they need to have an understanding of what reasonable means, so that they can have a reasonable expectation of how to behave according to the law.

The idea of ‘reasonable expectations’, especially in terms of privacy, will be addressed in the next section of this chapter. The discussion will be framed in the context of a landmark Supreme Court ruling on privacy invoking s. 8 of the Charter.

Proposals were made to include privacy as a constitutional right before the Charter even became law. In 1979, the federal government itself considered adding a formal clause to the Charter, and in 1981 the Canadian Bar Association advocated strongly for the inclusion of privacy provisions (Finestone 25). Even if privacy had been enshrined as a constitutional right, Finestone argues that there would still be limitations in the scope of the protection (25). Section 1 of the Charter allows for reasonable limits on any Charter right if those limits are “prescribed by law as can be demonstrably justified in a free and democratic society”. Furthermore, the Charter itself only applies to the laws and activities of government and not the private sector (Finestone 25).

The Privacy Act

Canada’s first overarching privacy legislation came into force in 1983 as the Privacy Act. The legislation is a means of regulating the collection (s. 4), use (s. 5(1)), disclosure (s. 5(2)), and disposal (s.6(3)) of personal information held by the federal government. It covers all federal government departments and most federal agencies (s. 3(a,b) ‘personal information’), but not all Crown corporations or the federally regulated private sector (Schedule s. 3). It requires each government institution, with exceptions, to record the nature and extent of personal information it controls in a central index to which everyone has reasonable access (s. 11).

The Privacy Act is essentially a piece of legislation that mandates the protection of data (Finestone 26; Thacker 4). Its purpose is to enable individuals to have control over the personal information they exchange to receive government benefits without being subject to an uncontrolled and unaccountable bureaucracy (Thacker 4-5).

Personal information, according to the Privacy Act, means “information about an identifiable individual that is recorded in any form” (s. 3) including race, national or ethnic origin, colour, religion, age or marital status (a); education, medical, financial, criminal or employment history (b); identifying numbers or symbols (c); address, fingerprints or blood type (d); personal opinions or views, with exceptions (e); private correspondence with the government (f); the views or opinions of others about an identifiable individual, with exceptions (g, h); and the name of an individual, if disclosure of the name would reveal other information (i). It’s important to note that this is a non-restrictive list of illustrative examples of personal information (McIsaac, Shields, and Klein 3.1.2).

There are three distinct bodies responsible for upholding and maintaining different aspects of the Privacy Act. The Privacy Commissioner receives complaints and investigates non-compliance (Privacy Act, s. 29(1)), the Treasury Board Secretariat co-ordinates and implements the Act (Finestone 26), and the Department of Justice is responsible for the policy implications that arise as a result of the Act (Finestone 26). The designated head of the government department the Act applies to is responsible for compliance, and each government institution must designate a Privacy Coordinator that receives and processes access requests (Thacker 4).

The enforcement powers of the Privacy Commissioner in terms of the Privacy Act apply to requests for personal information and breaches of information privacy (s. 29(1)). When a breach of the Act occurs, the Privacy Commissioner is responsible for an investigation, and in some cases the production of a report with recommendations (Privacy Act, s. 35(2)). The information access aspect of the Privacy Act stems from the fact that the Access to Information Act was enacted at the same time as the Privacy Act (Finestone 26). The interplay of these two Acts results, according to Finestone, is to ensure a balance of privacy and access, where information held by government institutions is kept private if its personal and kept publicly available if its non-personal (26).

Section 75(2) required a comprehensive review of the provisions and operations of the Privacy Act by July 1, 1986, three years after the Act came into force (Thacker 1). An identical provision was included in the Access to Information Act (Thacker 1). The review and resulting report, titled Open and Shut: Enhancing the Right to Know and the Right to Privacy, was undertaken by the Standing Committee on Justice and Solicitor General and released in 1987.

The report made a number of recommendations for the amendment of the Privacy Act, notably, that the definition of personal information to be broadened (Thacker 24, 58, 72); that the audit and enforcement powers of the Privacy Commissioner be extended (Thacker 38); and, that a definition of privacy be explicitly included in the Act (Thacker 38). The recommended definition of privacy is the following: “(p)rivacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is to be communicated to others” (Thacker 58).

An actual definition of privacy is absent from any of the Canadian legislation on privacy, and despite the recommendation for its inclusion in the Privacy Act in 1987, it has yet to appear there, or anywhere. In fact, not one of the recommendations made in the 1987 report were ever enacted (“Letter to the Standing Committee”). The definition suggested by the report is focused on describing the meaning of privacy as a concept related to personal information, rather than attempting to situate the concept within a philosophical understanding of the fundamental right of individuals. The absence of a definition of privacy is a common characteristic of all of the legislation discussed in this section.

The report goes on to encourage the development of vital ‘statutory protections’ for the privacy of Canadians by developing the Act into a “broad-based vehicle for protecting a wide range of privacy rights”, proclaiming that “(n)o longer should the Act remain solely a data protection statute” (Thacker 72). While this is short of officially recommending that privacy become a constitutional right, the Committee responsible for the report believes that the Act serves to extend rights, in this case, the right to privacy of personal information shared with the federal government (Thacker 5). Finestone’s report, published 10 years later, also criticized the Privacy Act for being too narrowly focused on data protection and called strongly for the inclusion of privacy as a fundamental right in the Charter (2, 31).

The Supreme Court has recognized that the Privacy Act can be purposively interpreted as ‘quasi-constitutional’, and that the Act itself is a “reminder of the extent to which the protection of privacy is necessary to the preservation of a free and democratic society” (Lavigne v. Canada 789). A purposive interpretation means that the courts can consider not just the wording of the Act itself, but also the intention of the Act as documented in the secondary materials that are a result of the legislative process that created the Act (Sullivan 269). This can include documents tabled during the legislative process, reports to Standing Committees, or the transcripts of Hansard, among other resources (Sullivan 659). Quasi-consitutional Acts are those that express values that are so fundamental that they can override other inconsistent laws (Guide to Federal Acts 33). They are ‘quasi-constitutional’ because they support rights that are not included in the Charter, yet are important enough to be given special consideration by the courts (Guide to Federal Acts 36). What this means is that the protection of personal information shared by individuals with the federal government is less than a constitutional right but more than a legal obligation.

Ultimately, it is the Treasury Board Secretariat that manages the supervision of government-held personal information (Finestone 27). While they issue data protection guidelines to government departments based on the Act, there is no mechanism to ensure compliance (Finestone 27). In fact, according to the current Privacy Commissioner David Therrien, government departments have no obligation to report privacy breaches to the Office of the Privacy Commissioner, and there are no explicit physical, organizational or technical requirements for the safeguarding of personal information, other than the fact that it must be done (“Letter to the Standing Committee”).

Therrien does consider privacy to be a right in Canada and calls for more enforcement powers (“Letter to the Standing Committee”). As he strongly states in his March 2016 letter to the Standing Committee on Access to Information, Privacy and Ethics, “(e)very right needs a remedy in order to have meaning. This is especially so with respect to a fundamental right such as privacy”. This exact statement was made by former Privacy Commissioner Jennifer Stoddart in 2008 (Proposed Immediate Changes).

The Privacy Act is responsible for regulating matters of privacy as they relate to personal information held by the federal government, but there are other federal statutes that regulate other aspects of privacy, such as the Criminal Code, the Telecommunications Act, and the Personal Information Protection and Electronic Documents Act.

Criminal Code

Section 162(1) in Part V of the Criminal Code protects against voyeurism by making it an offence to make a visual recording of a person in circumstances that give rise to a reasonable expectation of privacy. This applies primarily to situations involving nudity or sexual activity. There is an exemption in the case of peace officers who have obtained a warrant (s. 162(3)).

Part VI of the Canadian Criminal Code protects against the invasion of privacy involving the interception of private communications (s. 184). It is an offence, punishable by up to five years, for anyone to willfully intercept private communications through the use of a technical device (s. 184(1)) without the consent of one of the parties or a warrant (s. 184(2)(a,b)). There is no such prohibition against secretly taking photographs or video with no sound, though this is covered by s. 162(1) if the recording is voyeuristic in nature.

According to the Criminal Code, private communication means:

any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it, and includes any radio-based telephone communication that is treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it (s. 183).

This definition of private communication is as close to a definition of privacy as any of the Acts discussed in this section include. Both of the Criminal Code protections rely heavily on the concept of ‘reasonable expectations’, much like the Charter of Rights and Freedoms.

Protection of Canadians from Online Crime Act

In 2014, an amendment to the Criminal Code known as Bill C-13, or the Protection of Canadians from Online Crime Act, came into force. It expands on s. 162(1) of the Criminal Code with the addition of a clause which makes it a crime to publish, distribute, transmit, sell, make available, or advertise an intimate image of a person knowing that the person depicted in the image did not give their consent (Bill C-13, cl. 3).

The addition in the Criminal Code of s. 487.0195(1) allows for peace officers or public officers to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing (Bill C-13, cl. 20). Furthermore, requests can not only be made by peace officers, but public officers, which includes who is anyone who is appointed or designated to administer or enforce a federal or provincial law (Bill C-13, cl. 20).

Also added, in s. 487.0195(2), is the protection from criminal or civil liability for preserving or providing data to law enforcement when that data is not prohibited by law from disclosure (Bill C-13, cl. 20).

Telecommunications Act

Section 7(i) of the Telecommunications Act states that “telecommunications performs an essential role in the maintenance of Canada’s identity and sovereignty and that the Canadian telecommunications policy has as its objectives to…contribute to the protection of the privacy of persons”. This Act guides the policies and regulations of the Canadian Radio-television and Telecommunications Commission (CRTC) and applies to telecommunications in Canada, which covers the emission, transmission or reception of intelligence by any wire, cable, radio, optical or other electromagnetic system, or by any similar technical system (s. 2(1)).

In 2006, the Cabinet issued a policy direction to the CRTC stating that the Commission should “rely on market forces to the maximum extent feasible as the means of achieving the telecommunications policy objectives” (“Direction to the CRTC”, s. 1(a)(i)). This affects all of the policy objectives listed in s. 7 of the Telecommunications Act, meaning that the privacy statement in s. 7(i) is subject to economic factors.

The Personal Information Protection and Electronic Documents Act (PIPEDA) PIPEDA applies to the protection of informational privacy in the private sector, and it began to come into force in stages in 2000 (s. 72, Note). The intent of PIPEDA is to “support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions”. Part 1 of the Act is concerned with the protection of personal information collected by the private sector (s. 3), while Part 2 is focused on the electronic transmission of documents and electronic records (s. 32).

Part 2 of PIPEDA has almost nothing to do with privacy; its focus is on the regulation of the use of electronic alternatives over paper documents where communication with the federal government is concerned (s. 32). Despite the focus in this Part on ‘electronic commerce’, PIPEDA does not provide an explicit definition of the word ‘electronic’. The Act defines ‘electronic document’ as “data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device”, while ‘data’ is defined as “representations of information or concepts, in any form” (s. 31(1)).

While PIPEDA was influenced in part by the OECD guidelines on transborder flows of data, it was also influenced by the European Union Data Protection Directive, which requires countries in the EU to refuse the transfer of personal information to countries outside the EU without an assurance that the data will be adequately protected (Stoddart). In 2001, the European Commission decided that PIPEDA provided this protection (Stoddart).

The first version of the Act defined personal information simply as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization” (s. 2(1)). This differs from the Privacy Act slightly, as it doesn’t contain the phrase ‘recorded in any form’, which is included in the Privacy Act definition. The aspect of ‘electronic commerce’ in the Act’s description originates from the provision for federal trade and commerce in s. 91(2) of the Constitution Act, 1867 (McIsaac, Shields, and Klein 1.3.3). This provision allows the federal government to regulate matters that affect the country as a whole, which includes the jurisdiction to regulate matters provincially (McIsaac, Shields, and Klein 1.3.3).

In the name of consistency and federalism, PIPEDA does not apply to organizations already covered by provincial or territorial privacy legislation, as long as the legislation is ‘substantially similar’ to PIPEDA (McIsaac, Shields, and Klein 1.3.3; PIPEDA, s. 26(2)(b)). According to Industry Canada (which is now known as Innovation, Science and Economic Development), substantially similar means that the provincial/territorial legislation will incorporate the 10 principles in Schedule 1 of PIPEDA; “provide for an independent and effective oversight and redress mechanism with powers to investigate”; and “restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate” (Simpson 2388). Substantially similar privacy legislation exists in Alberta, British Columbia, Ontario and Quebec, while New Brunswick and Newfoundland and Labrador are substantially similar with respect to respect to personal health information custodians (McIsaac, Shields, and Klein 1.3.3). Though regardless of the existence of substantially similar legislation, PIPEDA applies in all provinces to federal works and undertakings (s. 30(1)), these include businesses like banks, airlines, railways, telecommunications companies, and any work “declared by Parliament to be for the general advantage of Canada or for the advantage of two or more provinces” (s. 2(1)).

In provinces without substantially similar privacy legislation, PIPEDA applies to the collection, use and disclosure of personal information by federal works and undertakings and by local works and undertakings (McIsaac, Shields, and Klein 1.3.3; PIPEDA, s. 2(1)). This means that the Act applies to any non-government business or organization in provinces without substantially similar privacy legislation that engage in ‘commercial activities’ (PIPEDA, s. 2(1)). According to the Act, commercial activities are “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists” (s. 2(1)). PIPEDA also applies to personal information in interprovincial (s. 23) and international transactions (s. 23.1).

PIPEDA does not apply to the collection of personal information for any purpose other than commercial activities. This exempts information collection for journalistic, artistic, or literary purposes (PIPEDA, s. 4(2)(c)).

Like the Privacy Act, PIPEDA regulates the collection, use, disclosure, and disposal of personal information. Part 1 of PIPEDA is influenced by the OECD guiding principles and the Canadian Standards Association Model Code for the Protection of Personal Information (McIsaac, Shields, and Klein 1.3.3). The core principles in PIPEDA are: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance (PIPEDA, Schedule 1, s. 4.1 - s. 4.10).

PIPEDA also depends heavily on the concept of ‘reasonable expectations’ and the ‘right to privacy’. The purpose statement of the Act proclaims that “in an era in which technology increasingly facilitates the circulation and exchange of information” the Act recognizes the “right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances” (s. 3).

Despite the characterization of informational privacy as a right, PIPEDA includes several notable exemptions in the area of consent. The majority of these exemptions focus on providing information for the purposes of national security, law enforcement, or the courts (PIPEDA, s. 7(3)), but consent is also not necessary if the collection is “clearly in the interests of the individual and consent cannot be obtained in a timely way” (PIPEDA, s. 7(1)(a)).

PIPEDA is under the purview of the Privacy Commissioner (PIPEDA, s. 12.1), much like the Privacy Act. Under PIPEDA, the Privacy Commissioner can receive and investigate complaints (s. 12) and issue reports (s. 13). The Privacy Commissioner is also responsible for public education about the Act, and the promotion of policy development and compliance for organizations subject to the Act (s. 24). While the Privacy Commissioner does not have any enforcement capabilities, the Federal Court of Canada has the power to issue rulings and make orders based on the Act (s. 16).

Though the wording of the Act implies an individual’s right to the privacy of their personal information as it relates to commercial activities, PIPEDA has not been recognized by the courts as having quasi-constitutional status. The Federal Court of Canada has acknowledged that PIPEDA is a “fundamental law of Canada” (Eastmond v. CPR, para. 100) in a ruling that has been cited with approval in several cases (Leading by Example 17). The reliance of PIPEDA on the concept of an individual’s reasonable expectation of privacy has been disputed by the Supreme Court of Canada (R. v. Spencer 215). This topic will be discussed in detail in the next section.

The Digital Privacy Act

The Digital Privacy Act, or Bill S-4, is an amendment to PIPEDA that partially came into force in 2015. The key aspects of this amendment include a breach notification requirement (cl. 10.1) and a breach record keeping requirement that requires organizations to keep and maintain records on information breaches (cl. 10.3), neither of which has yet to come into force (cl. 27); it includes more consent exemptions, primarily in the area of business and employment transactions (cl. 7); and a clarification of the meaning of ‘valid consent’ (cl. 5). This last point specifies that an individual’s consent to the collection, use or disclosure of their personal information is valid only if “it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting” (cl. 5). This differs from the original wording in PIPEDA that required organizations to make a reasonable effort in ensuring that an individual is advised of the purposes of information collection and use; essentially this change was a shift from a subjective understanding of consent, to an objective one (Gratton).

Bill S-4 also changed the definition of personal information, which is now simply “information about an identifiable individual” (cl. 2(1)).

Returning to Finestone’s metaphor from the beginning of this section, privacy legislation in Canada truly is a ‘patchwork garden full of weeds’ (26). The explicit protection of personal information is the overwhelming focus of every privacy regulation and law in Canada. Privacy was not included as a right in the Canadian Charter of Rights and Freedoms, and although the Privacy Act and PIPEDA have been interpreted as having a special or fundamental status in Canadian law, they both still suffer from a severe lack of enforcement capability by a Privacy Commissioner who is limited to publishing reports and recommendations.

Despite years of recommendations by MPs, lawyers, and Privacy Commissioners in support of broadening the concept of the privacy debate in Canada beyond that of data protection, none of the laws currently attempt to define privacy, even in the narrowest sense of the privacy of information.

The next section of this chapter will explore the challenge of defining privacy by examining the philosophical and legal scholarship that has informed major federal publications and legal decisions on privacy.

Top of Page Home