A recent decision by the Office of the Privacy Commissioner of Canada (OPC) reminds multi-national companies that carry on business in Canada that compliance with foreign data protection legislation may not be sufficient to protect them from the scope of Canadian privacy legislation.

In its Report of Findings #2011-002, the OPC considered two complaints lodged under the Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to KLM Royal Dutch Airlines, a Netherlands-based company, and its failure to adhere to Canadian standards of openness, transparency, and access to information.  In particular, the complainant alleged that KLM had denied him access to his personal information and to that of his family members, and that KLM had failed to provide the complainant with information about its policies and practices relating to the management of his personal information, contrary to its obligations under PIPEDA. 

The OPC relied on the Federal Court’s decision in Lawson v. Accusearch Inc., [2007] 4 F.C.R. 314, which established the Privacy Commissioner’s jurisdiction under PIPEDA to investigate complaints against foreign-based organizations where such organizations have a real and substantial connection to Canada, and found that KLM’s privacy practices did in fact fall within the purview of PIPEDA.  The OPC considered the following factors in its analysis on this point: the complainant and his family members were Canadian residents; they had booked a KLM-operated flight from Toronto; KLM offers services within Canada and has a website that actively targets Canadians, is accessible by Canadians, and from which Canadians may reserve flights; KLM regularly operates scheduled non-stop flights to and from Canadian destinations; and, KLM needs to collect Canadian passengers’ personal information in order to offer its services to those passengers.  Although KLM is a Netherlands-based airline that handles data in accordance with a European data protection law, namely the Dutch Personal Data Protection Act, the OPC found that KLM is nonetheless required to comply with PIPEDA and, more particularly, with access and openness provisions contained therein, when transacting with Canadians and handling the personal information of Canadians. 

Upon establishing its jurisdiction over the complaints, the OPC looked to the validity of the complaints themselves.  In particular, the OPC reviewed access and openness requirements set out in PIPEDA and concluded that KLM had not been compliant with its obligations.  As a result, the OPC found the complaints to have been well-founded.

First, KLM had neglected to meet its access obligations.  Pursuant to subsections 8(3), 8(4), and 8(5) of PIPEDA, KLM was required to respond to a request for access to information no later than thirty days after receipt of such a request or, if it could not respond within the time limit, KLM was required to request an extension of time.  KLM had instead unnecessarily taken months to reply to the complainant’s access request and had not sought an extension of time.

Second, KLM had failed to meet its openness requirements.  Pursuant to Principle 4.8 of PIPEDA, an organization is required to make readily available to individuals specific information about its policies and practices relating to the management of personal information.  KLM had ignored the complainant’s request for information about its data use, access, and retention policies.  KLM had made only one privacy policy readily available for review on its main website, and that policy was incomplete, not compliant with PIPEDA, and did not include comprehensive information on KLM’s personal information management practices.

The OPC concluded its investigation with two recommendations: first, that KLM develop a simple and clear access-to-personal-information-request procedure and make such procedure readily available to customers; and second, that KLM ensure that the privacy policy on the Canadian version of its website complies with PIPEDA.

Canadian privacy laws are extensive and provide strict requirements for organizations that collect, use and disclose personal information.  While similarities between Canadian and international privacy requirements do exist, multi-national companies that carry on business in Canada must structure policies and practices so as to ensure compliance not only with applicable foreign privacy requirements, but also with Canada’s privacy regime. 

The struggle for multi-national companies to comply with Canadian privacy requirements is not a new one.  In 2009, for example, the OPC made headlines by requiring social networking giant Facebook to overhaul its privacy policy and practices to comply with the Canadian privacy regime.  These recent findings by the OPC confirm that the issue of privacy compliance for multi-national organizations is far from closed.  Organizations operating internationally must continue to be aware of the repercussions of their international practices, and must ensure that they put real effort and attention into the development of compliant and effective privacy policies and procedures.  In this highly globalized world, where online and cross-border transactions have become the norm, it will be interesting to see how the courts continue to apply the “real and substantial connection” test.