When in Rome, do as the Romans do. Similarly, when doing business in Canada, do as Canadian privacy law requires.
That is the lesson learned by a foreign-based airline following a finding by the Office of the Privacy Commissioner (OPC) of Canada that the carrier had violated Canadian privacy law, even though the company operates in compliance with European privacy requirements. The decision further confirms the fact that foreign businesses that operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.
In a Report of Findings recently posted by the OPC, Netherlands-based KLM Royal Dutch Airlines (KLM) was found to have breached several provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), including failing to respond in a timely way to a request by a customer for access to records containing personal information; failing to implement practices to ensure that the requirements of the Act are met; and failing to make available to the public its policies respecting the management of personal information.
KLM took the position that the Dutch Data Protection Authority supervises KLM in the security of personal data under the Dutch Personal Data Protection Act, including requirements respecting transparency and the manner in which access to information requests must be processed. The airline further noted that Dutch law does not require further transparency of policies and practices, and only allows individuals to view their personal information, not to access it. KLM questioned the OPC’s jurisdiction over KLM.
Relying on the Federal Court’s decision in Lawson v. Accusearch Inc., which had earlier found that the OPC had jurisdiction to investigate complaints respecting the collection by foreign organizations of personal information about Canadian residents, the OPC confirmed that it had jurisdiction in the complaint against KLM because there was a real and substantial connection to Canada. In this regard, the OPC noted that:
- The complainant seeking access to his personal information was a Canadian resident
- KLM offers services in Canada, and has employees at several Canadian airports
- KLM operates a Canadian version of its website, which actively targets Canadians, and through which Canadians may reserve flights
- KLM operates scheduled non-stop flights to and from Canadian cities (and in fact, the complainant originally booked a KLM flight departing from Toronto)
- KLM needs to collect personal information from Canadian passengers to offer air travel to those passengers.
In the circumstances, and in view of the judgement in the Accusearch case, the finding of Canadian jurisdiction over the handling of the personal information in question may not be particularly surprising: it was collected from Canadians, in Canada, with respect to a service provided - at least in part - in Canada.
However, many businesses may be surprised that compliance with a European data protection law will not guarantee compliance with Canadian law – despite the fact that the European Data Protection Directive (on which member state privacy laws are based) and PIPEDA were derived from the same set of essential privacy principles, and even though European data protection laws tend to be viewed in some jurisdictions as being particularly stringent.
Although Canadian privacy laws are in broad accord with many international data protection regimes, there are often subtle differences between these foreign laws and Canadian privacy requirements. Accordingly, foreign organizations doing business in Canada should not assume that practices and policies that comply with the law of their home country will necessarily suffice when collecting, using and disclosing information in Canada.