Columns Archive

CIBC breach spotlights hole in privacy law

Privacy issues have taken centre stage in Canada in recent weeks with the public’s attention focused on the major privacy breach at the CIBC. The CIBC case, involving the unauthorized disclosure of the personal financial information about dozens of bank customers to a scrap yard in the United States, illustrates the critical importance the public now attaches to their personal privacy. Although the scrap yard did not misuse or further disclose the information, the CIBC’s reputation took a hit and the bank has since worked to assure customers their data is properly protected.

This case also brings to the forefront the issue of the jurisdictional limitations built into Canada’s privacy law. In this instance, the data was collected from Canadians in Canada by a Canadian organization. While disclosed to a foreign party, there is no doubt that the Privacy Commissioner of Canada can investigate the matter and seek compensation from the CIBC for those affected by the breach.

However, what if a foreign institution with no physical presence in Canada had collected and used the data? Would the federal privacy commissioner still be legally positioned to seek redress for Canadians victimized by the privacy breach?

According to a recent unpublished letter from the privacy commissioner, the answer is unfortunately no. The Commissioner has adopted the position that Canada’s privacy legislation stops at the border and that her office does not have the power to investigate companies that do not have a physical presence in Canada.

The letter was issued in response to a complaint launched by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against, a U.S. company that harvests databases and public reports. The company uses the information to produce reports that allegedly include, in some cases, psychosexual profiles. CIPPIC filed its complaint in June, claiming that Abika collects, uses, and discloses the personal information of Canadians without their consent in violation of Canada’s national privacy law.

The privacy commissioner’s office responded privately to Canadian Internet Policy and Public Interest Clinic two weeks ago. It noted that the company does not have a physical presence in Canada and therefore concluded that “while the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA” (the Personal Information Protection and Electronic Documents Act, Canada’s national privacy law that governs how businesses collect and use personal information).

For the millions of Canadians who may similarly disclose their personal information to companies outside the country, this response places a troubling spotlight on an enormous hole in our privacy legislation.

The decision is disappointing since there is nothing in the statute that specifically precludes the privacy commissioner from investigating foreign organizations. Canada’s privacy legislation is largely silent on the issue of jurisdiction, though it is safe to assume that the privacy commissioner’s enforcement powers do not extend beyond national borders.

While that limitation would undoubtedly hamper some cases, when Canadian privacy interests are at stake it should not foreclose the prospect of possible action. In many other contexts, courts consider whether a foreign organization has a “real and substantial connection” with a local population when deciding whether to assert jurisdiction over a particular matter. The privacy commissioner could similarly assess whether the foreign organization had targeted Canadians for data collection when deciding the appropriate course of action.

Even when the privacy commissioner’s office determines that it is unable to investigate, the office can still take some action. At a minimum, the office should contact its foreign privacy or data protection counterpart to seek their assistance to investigate the complaint. In this Abika matter, that would simply require notifying the U.S. Federal Trade Commission of a possible breach of Canadian or U.S. law.

The jurisdiction issue suggests that despite our national privacy law, Canadians may actually enjoy less privacy protection than U.S. residents in certain instances. For example, consider the lack of recourse available to Canadians who receive unsolicited marketing phone calls from telemarketing companies operating in the United States. Those U.S.-based companies are subject to do-not-call legislation and are therefore faced with a depleted list of available phone numbers (there are more than 66 million U.S. numbers registered on the do-not-call list).

Since Canadian phone numbers cannot be added to the U.S. list, they are fair game for U.S. telemarketers. Moreover, when coupled with the privacy commissioner’s view that national privacy law does not extend to telemarketers without a Canadian physical presence, Canadians enjoy no privacy protection in such circumstances.

In a global networked world, limiting privacy protection to physical presence potentially eviscerates the effectiveness of privacy legislation. The U.S. recognized this several years ago when it enacted the Children’s Online Privacy Protection Act. That statute, focused solely on the protection of children’s online privacy, purports to regulate any Web site, wherever it is located, provided that it targets U.S. children.

Canadians, both young and old, deserve similar protection. If the current law does not address the issue, Canada should move quickly to plug its jurisdictional privacy hole.

Comments are closed.