Airlines conducting business in Canada may be subject to Canadian privacy laws

The Office of the Privacy Commissioner of Canada (the Commissioner) recently issued an important report laying out the test to be used to determine whether it has jurisdiction to investigate a complaint based on the Personal Information Protection and Electronic Documents Act (PIPEDA) against a foreign airline which carry passengers to and from Canada.¹

The report was issued further to a complaint made in 2009 to the Commissioner against KLM Royal Dutch Airlines (KLM) by a former passenger (the Complainant) who flew on the airline on his way back to Canada four years before. The Complainant alleged that KLM breached its obligations under PIPEDA because it had failed to give him access to the passenger-information record pertaining to him and his family and to provide him with their policies and practices regarding the management of personal information.

The Commissioner found that even though KLM is headquartered in the Netherlands, it had jurisdiction to investigate this complaint since there was a “real and substantial connection” between the airline and Canada. The “real and substantial connection test” has principally been used to determine when a Canadian Court should take jurisdiction over a foreign defendant. It also served as the basis of the 2007 Federal Court decision Lawson v. Accusearch2 which ruled that even though PIPEDA does not have extraterritorial effect, the Commissioner has the power to investigate complaints with a sufficient connection to Canada.

With respect to the complaint against KLM, the Commissioner found that there was a real and substantial connection for the following reasons: a) the Complainant is a Canadian resident; b) KLM offers services within Canada and has employees in several Canadian airports; c) KLM has a Canadian version of its website; d) KLM frequently operates non-stop flights to and from Canadian airports; e) the Complainant booked a flight from Toronto operated by KLM; and f) KLM has to collect personal data from its Canadian passengers in order to offer them services.

After conducting an investigation, the Commissioner concluded that KLM had taken an undue delay to respond to the Complainant’s request to access his personal information and that its on-line privacy policy did not provide sufficient information on its practices and policies with respect to the management of personal information. Because of the real and substantial connection with Canada, the Commissioner held that KLM’s policies and practices must therefore be modified to ensure compliance with PIPEDA‚ even though they already met the standards of the Dutch Personal Data Protection Act.

The Commissioner’s findings in this report is relevant to any passenger airline conducting significant business in Canada as PIPEDA governs the collection, use or disclosure of any personal information in the course of commercial activities. While the Commissioner does not have the power to impose fines on organizations whose policies breach PIDEDA, a complainant may nevertheless rely on a Commissioner’s report to apply subsequently to the Federal Court for damages.