Privacy in the private sector is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private sector organisations handle personal information. The provinces of Alberta, British Columbia and Quebec have enacted private sector privacy statutes which have been deemed 'substantially similar' to PIPEDA. As such, PIPEDA does not apply to commercial organisations operating only within these jurisdictions, other than federal works, undertakings or businesses (such as airlines, banks and telecommunications companies), which continue to be covered by PIPEDA.
Section 5(3) of PIPEDA sets out the 'appropriate purpose' principle of the legislation. It states: 'An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.'
This term, 'that a reasonable person would consider appropriate in the circumstances', is an overarching requirement of Canadian privacy law. Lawyers and organisations are bound by this obligation in the discovery and disclosure of ESI. As such, they must carefully assess the reasonableness and necessity of producing electronically stored personal information. Courts will take privacy considerations into account when deciding whether to order the production of electronic devices containing sensitive personal information. As a general rule, courts are reluctant to grant discovery requests that are too broad or that involve non-relevant private information. In the case of Desgagne v. Yuen et al, for example, the British Columbia Supreme Court cited privacy concerns in denying a request to produce a plaintiff's entire personal hard drive.
Under PIPEDA's appropriate purpose principle, organisations are responsible for personal information in their custody or control, including personal information transferred to a third-party service provider for processing on the organisation's behalf. Personal information can be transferred to a service provider, without consent, where the transferring organisation uses contractual or other means to provide a comparable level of protection while the information is being processed by the service provider.
PIPEDA does not distinguish between domestic and international transfers of data. If an organisation is transferring personal information to a service provider outside Canada, the Privacy Commissioner has stated that the organisation needs to make it clear to individuals that their information may be processed in a foreign country and may be accessible to law enforcement authorities of that jurisdiction. This notice must be given in clear and understandable language and ideally when the information is collected.
The coming into force of the European Union's General Data Protection Regulation (GDPR) on 28 May 2018 has potentially far-reaching consequences for the discovery of ESI in Canada as well. Canadian-based organisations may be subject to the GDPR if they have an establishment in the European Union, process personal data in connection with the offering of goods or services to individuals in the European Union or monitor the behaviour of individuals in the European Union.