The Federal Court ruled that the Personal Information Protection and Electronic Documents Act (PIPEDA) gives the Privacy Commissioner jurisdiction to investigate complaints relating to the transborder flow of personal information. This finding overturned the Assistant Privacy Commissioner’s decision that she could not file a report in relation to a Wyoming-based website’s compilation and disclosure of the sensitive personal information of Canadians, including criminal history background checks, telephone records, insurance status and psychological profiling, which it forwarded to Canadian addresses.
The website, which was marketed to Canadians, maintained a ‘.ca’ registration and clearly gathered information from unnamed Canadian sources. Although it was clear that the Privacy Commissioner would have investigated the company if it had been located in Canada, the Assistant Commissioner held that her formal investigative powers applied only within Canada, and did not even allow her to investigate the activities of a Canadian citizen collecting and disclosing personal information from another country. The Federal Court ruled that PIPEDA applied conflicts of law principles developed at the Supreme Court of Canada to determine that the collection and communication of private information occurred in both Canada and the U.S. In the final analysis, these factors mattered more than the location of the website and the jurisdiction of the company’s incorporation. The fact that the Privacy Commissioner could not subpoena a non-resident company did not change the analysis.
McCarthy Tétrault Notes:
This decision establishes that companies with connections in Canada cannot evade the effects of PIPEDA simply by offshoring their collection, use and disclosure of personal information gathered in a commercial context. However, even the Federal Court acknowledged that the Privacy Commissioner’s international investigations might be toothless, at least where the Privacy Commissioner cannot identify the Canadian sources of data. If a foreign company declines to participate in the process, as in this case, it would appear that the Privacy Commissioner must issue a report without access to highly relevant information. After the report has been lodged, the complainant must take up the matter all over again at the Federal Court under Section 14 of PIPEDA. Only then might the complainant draw on the letters rogatory mechanism to compel disclosure of documents and discovery in the foreign jurisdiction. The effectiveness of this route would seem to vary depending on the willingness of the foreign courts to support a cause of action that might not be mirrored in their own laws. The endgame of the complainant, the executive director of a privacy advocacy organization, may instead be to convince Parliament to endow the Privacy Commissioner with greater investigative or sanctioning powers, or to provide a more effective judicial review process. Accordingly, companies planning their privacy compliance strategy should anticipate possible changes during the statutory review of PIPEDA that is currently before the House of Common’s Standing Committee on Access to Information, Privacy and Ethics.