The Electronic Commerce Protection Act includes a noteworthy change to Canada's private sector privacy legislation (earlier posts on anti-spam provisions, enforcement, do-not-call). PIPEDA includes specific provisions dealing with the issue of consent for the collection of personal information, including the possibility of collecting personal information without knowledge or consent in certain circumstances. The ECPA adds a new provision that effectively overrides this exception, i.e., it requires consent. The provisions are designed to target both spyware and the harvesting of email addresses or other collection of personal information without consent (a practice known as dictionary attacks).
The new PIPEDA Section 7.1(2) states:
Section 7 and the exception set out in clause 4.3 of Schedule 1 [i.e., consent exception] do not apply in respect of:
(a) the collection of an individual's electronic address, if the address is collected by the use of a computer program that is designed or marketed for use in generating or searching for, and collecting, electronic addresses; or
(b) the use of an individual's electronic address, if the address is collected by the use of a computer program described in (a).
Section 7.1(3) creates a similar prohibition against collecting personal information through any means of telecommunications, if the collection is made by accessing a computer system without authorization. There is a parallel provision for the use of this information.
In addition to these new provisions, the ECPA makes changes to PIPEDA's investigative provisions. While Canadians may file a complaint under these new provisions, the Privacy Commissioner may decline to investigate if the Commissioner is of the view that the complaint can be dealt with by the CRTC or the Competition Bureau. The ECPA also opens the door to provincial involvement, granting the Federal Privacy Commissioner the power to consult with provincial privacy counterparts, coordinate activities, and share information. The same information-sharing powers can be used to provide information to foreign authorities.