The recent Canadian privacy case involving Facebook attracted international attention as the world's leading social networking site agreed to implement a series of changes that will affect 250 million users. While the case is widely viewed as a significant victory for Canadian privacy, my weekly technology law column (Toronto Star version, homepage version) notes the issue might never have been addressed but for a second, little-noticed privacy decision released two weeks later.
In December 2004, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa filed a complaint with the Privacy Commissioner of Canada against U.S.-based Abika.com, an online data broker that collects, uses and discloses the personal information of Canadians (I am an adviser to CIPPIC but was not involved directly in the case). The company offered a wide range of search services on individuals, purporting to dig up everything from past police reports to consumer preferences.
A year later, the Commissioner ruled that she could not investigate the complaint. The company refused to respond to questions and the Commissioner was of the view that there was no mechanism to further pursue the case given jurisdictional limits of Canadian privacy law.
CIPPIC asked the federal court to review the decision. In February 2007, it ruled that the Commissioner was mistaken – the law did not preclude conducting investigations of foreign entities even if subsequent enforcement of a finding might prove difficult.
In light of that ruling, the Commissioner resumed her investigation of Abika.com, releasing a new finding on July 31, 2009. Working together with the U.S. Federal Trade Commission, the Commissioner determined that "the American company disclosed the personal information of Canadians, without their knowledge or consent, to third parties" in violation of Canadian law.
During the nearly five years that the Abika.com case was winding its way through the Canadian legal system, CIPPIC filed a separate complaint against Facebook. Once again, the Commissioner spent about a year investigating the issue. Now armed with the Abika.com decision that conclusively determined that there was no legal barrier to investigating foreign companies on their compliance with Canadian law, the Commissioner conducted a comprehensive investigation of Facebook's privacy practices, identifying several areas in need of change.
Taken together, the two cases provide a powerful response to skeptics who doubted the ability of Canadian privacy law to influence foreign organizations. Canadian law will not always apply – there is no reason to follow Canadian rules if there is no connection to Canada or no Canadian data collection. However, organizations that do business in Canada or collect Canadians' personal information should recognize that a corporate office in Chicago will not shield it from the application of Canadian law in Calgary.
When the Canadian government introduced its private sector privacy law in 1998, the world was divided on best approach to address emerging privacy concerns. The European Union actively promoted its detailed, regulatory approach, while the U.S. sought market-driven solutions backed by tough penalties for violations of privacy promises.
Supporters touted the Canadian law as a middle ground alternative, featuring regulatory requirements and a privacy commissioner, but with greater marketplace flexibility. At the time, many thought Canada might serve as a model for other countries. Last month, the Privacy Commissioner demonstrated that it is not the Canadian privacy model that has been exported to other countries, but rather the law itself.