A recent decision by the Office of the Privacy Commissioner of Canada (OPC) reminds multi-national companies that carry on business in Canada that compliance with foreign data protection legislation may not be sufficient to place them outside the scope of Canadian privacy legislation.
In its Report of Findings #2011-002, the OPC considered two complaints lodged under the Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to KLM Royal Dutch Airlines, a Netherlands-based company, and its failure to adhere to Canadian standards of openness, transparency, and access to information. In particular, the complainant alleged that KLM had denied him access to his personal information and to that of his family members, and that KLM had failed to provide the complainant with information about its policies and practices relating to the management of his personal information, contrary to its obligations under PIPEDA.
The OPC relied on the Federal Court’s decision in Lawson v. Accusearch Inc.,  4 F.C.R. 314, which established the Privacy Commissioner’s jurisdiction under PIPEDA to investigate complaints against foreign-based organizations where such organizations have a real and substantial connection to Canada, and found that KLM’s privacy practices did in fact fall within the purview of PIPEDA. The OPC considered the following factors in its analysis on this point: the complainant and his family members were Canadian residents; they had booked a KLM-operated flight from Toronto; KLM offers services within Canada and has a website that actively targets Canadians, is accessible by Canadians, and from which Canadians may reserve flights; KLM regularly operates scheduled non-stop flights to and from Canadian destinations; and, KLM needs to collect Canadian passengers’ personal information in order to offer its services to those passengers. Although KLM is a Netherlands-based airline that handles data in accordance with a European data protection law, namely the Dutch Personal Data Protection Act, the OPC found that KLM is nonetheless required to comply with PIPEDA and, more particularly, with access and openness provisions contained therein, when transacting with Canadians and handling the personal information of Canadians.
Upon establishing its jurisdiction over the complaints, the OPC looked to the validity of the complaints themselves. In particular, the OPC reviewed access and openness requirements set out in PIPEDA and concluded that KLM had not been compliant with its obligations. As a result, the OPC found the complaints to have been well-founded.
First, KLM had neglected to meet its access obligations. Pursuant to subsections 8(3), 8(4), and 8(5) of PIPEDA, KLM was required to respond to a request for access to information no later than thirty days after receipt of such a request or, if it could not respond within the time limit, KLM was required to request an extension of time. KLM had instead unnecessarily taken months to reply to the complainant’s access request and had not sought an extension of time.
Canadian privacy laws are extensive and provide strict requirements for organizations that collect, use and disclose personal information. While similarities between Canadian and international privacy requirements do exist, multi-national companies that carry on business in Canada must structure policies and practices so as to ensure compliance not only with applicable foreign privacy requirements, but also with Canada’s privacy regime.