Privacy Law Emerges as Latest Canadian Export

The recent Canadian privacy case involving Facebook attracted international attention as the world's leading social networking site agreed to implement a series of changes that will affect 250 million users.  While the case is widely viewed as a significant victory for Canadian privacy, my weekly technology law column (Toronto Star version, homepage version) notes the issue might never have been addressed but for a second, little-noticed privacy decision released two weeks later.

In December 2004, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa filed a complaint with the Privacy Commissioner of Canada against U.S.-based, an online data broker that collects, uses and discloses the personal information of Canadians (I am an adviser to CIPPIC but was not involved directly in the case).  The company offered a wide range of search services on individuals, purporting to dig up everything from past police reports to consumer preferences.

A year later, the Commissioner ruled that she could not investigate the complaint.  The company refused to respond to questions and the Commissioner was of the view that there was no mechanism to further pursue the case given jurisdictional limits of Canadian privacy law.

CIPPIC asked the federal court to review the decision.  In February 2007, it ruled that the Commissioner was mistaken – the law did not preclude conducting investigations of foreign entities even if subsequent enforcement of a finding might prove difficult.

In light of that ruling, the Commissioner resumed her investigation of, releasing a new finding on July 31, 2009.  Working together with the U.S. Federal Trade Commission, the Commissioner determined that "the American company disclosed the personal information of Canadians, without their knowledge or consent, to third parties" in violation of Canadian law.

During the nearly five years that the case was winding its way through the Canadian legal system, CIPPIC filed a separate complaint against Facebook.  Once again, the Commissioner spent about a year investigating the issue.  Now armed with the decision that conclusively determined that there was no legal barrier to investigating foreign companies on their compliance with Canadian law, the Commissioner conducted a comprehensive investigation of Facebook's privacy practices, identifying several areas in need of change.

Taken together, the two cases provide a powerful response to skeptics who doubted the ability of Canadian privacy law to influence foreign organizations.  Canadian law will not always apply – there is no reason to follow Canadian rules if there is no connection to Canada or no Canadian data collection.  However, organizations that do business in Canada or collect Canadians' personal information should recognize that a corporate office in Chicago will not shield it from the application of Canadian law in Calgary.

When the Canadian government introduced its private sector privacy law in 1998, the world was divided on best approach to address emerging privacy concerns.  The European Union actively promoted its detailed, regulatory approach, while the U.S. sought market-driven solutions backed by tough penalties for violations of privacy promises.  

Supporters touted the Canadian law as a middle ground alternative, featuring regulatory requirements and a privacy commissioner, but with greater marketplace flexibility. At the time, many thought Canada might serve as a model for other countries. Last month, the Privacy Commissioner demonstrated that it is not the Canadian privacy model that has been exported to other countries, but rather the law itself. 


  1. Great read
    Great article and perspective on such a publicized topic. I’m interested to know your thoughts on the impact of this type of ruling – that the jurisdiction now extends past the physical, geographical area to foreign lands. Are other countries also following this principle and what implications does this ability to enforce the law have on possible non-compliant nations like china? Is the enforcement of this law dependent on the cooperation of the nation that the company operates in or would we just ban them (i.e facebook in this case) from ISPs?

  2. re: Ayan
    “what implications does this ability to enforce the law have on possible non-compliant nations like china” I don’t see how China can be compliant as it is a nation and not a company. If you mean Chinese international companies, then if it want to operate in Canada, it will have to follow Canadian laws.

    “enforcement of this law…” I don’t think the law will ever have to be enforced as long as the commissioner’s requests are reasonable. Any refusal by a company like facebook would generate bad publicity and scare away users and investors. Other wise, if the requests are unreasonable, no one knows what would happen after the lawyers are done with it.