The Electronic Commerce Protection Act – The Privacy Provisions

The Electronic Commerce Protection Act includes a noteworthy change to Canada's private sector privacy legislation (earlier posts on anti-spam provisions, enforcement, do-not-call). PIPEDA includes specific provisions dealing with the issue of consent for the collection of personal information, including the possibility of collecting personal information without knowledge or consent in certain circumstances. The ECPA adds a new provision that effectively overrides this exception – i.e., it requires consent. The provisions are designed to target both spyware and the harvesting of email addresses or other collection of personal information without consent (a practice known as dictionary attacks).

The new PIPEDA Section 7.1(2) states:
Section 7 and the exception set out in clause 4.3 of Schedule 1 [i.e., consent exception] do not apply in respect of:

(a) the collection of an individual's electronic address, if the address is collected by the use of a computer program that is designed or marketed for use in generating or searching for, and collecting, electronic addresses; or

(b) the use of an individual's electronic address, if the address is collected by the use of a computer program described in (a).

Section 7.1(3) creates a similar prohibition against collecting personal information through any means of telecommunications, if the collection is made by accessing a computer system without authorization. There is a parallel provision for the use of this information.

In addition to these new provisions, the ECPA makes changes to PIPEDA's investigative provisions. While Canadians may file a complaint under these new provisions, the Privacy Commissioner may decline to investigate if the Commissioner is of the view that the complaint can be dealt with by the CRTC or the Competition Bureau. The ECPA also opens the door to provincial involvement, granting the Federal Privacy Commissioner the power to consult with their provincial privacy counterparts, coordinate activities, and share information. The same information-sharing powers can be used to provide information to foreign authorities.

One Comment

  1. What’s An “individual’s electronic address”?
    I don’t have the background in privacy and legislation to address this next question, so I’ll raise it here to see what people think.

    The term “individual’s electronic address” – is there part of PIPEDA, or rulings, or cases, that make clear one way or another — could this refer to your IP address?

    Because – obviously – although automated collection and subsequent use of email addresses using a program is commonly associated with harvesting addresses for spamming, automated collection of IP addresses is almost always done with a program. And the subsequent use part is going to be something completely different than spamming as we know it today.