Teresa Scassa - Blog

Friday, 18 October 2013 08:52

Manitoba’s new Personal Information Protection and Identity Theft Protection Act: A Substantially Dissimilar Statute

Written by  Teresa Scassa
Rate this item
(0 votes)

The Manitoba government has recently enacted the Personal Information Protection and Identity Theft Protection Act (PIPITPA), which has yet to come into force. This statute is private sector data protection legislation which will is presumably intended to apply in place of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) to private sector activity within provincial jurisdiction. In order to effectively substitute for the application of PIPEDA, the PIPITPA would need to be declared by the federal Governor-in-Council to be substantially similar to PIPEDA. If Manitoba were to be successful, it would join the ranks of Alberta, British Columbia and Quebec as a province with legislation that is substantially similar to PIPEDA. However, as I will explain below, this may be a difficult case to make.

In terms of the substantive norms that guide the collection, use or disclosure of personal information, the Manitoba legislation draws heavily upon Alberta’s Personal Information Protection Act (PIPA). Indeed, many of the provisions of PIPITPA are taken word for word from the Alberta statute. There are, however, some differences. Unlike PIPA, PIPITPA does not create distinct obligations to notify individuals when they outsource the processing or storage of their personal information to a company in another country (see art. 6(2) of PIPA). Neither does PIPITPA require notification of individuals when an organization uses an offshore service provider to collect personal information, or where it transfers personal information to an offshore company (PIPA s. 13.1). The obligations in PIPITPA regarding personal employee information are also slightly different from those in PIPA; they seem to be somewhat more permissive (although such protections are notably absent under PIPEDA). Perhaps one of the most significant substantive differences relates to the date breach notification requirements. Alberta’s PIPA requires the Commissioner to be notified by an organization where there has been unauthorized access to or disclosure of personal information. The Commissioner may then require the organization to notify affected individuals where “there is a real risk of significant harm as a result of the loss or unauthorized access.” Under Manitoba’s new legislation, an organization must “as soon as is reasonably practicable”, notify any individual if their personal information that has been in the custody or control of the organization “is stolen, lost or accessed in an unauthorized manner.” The organization is not required to make such a notification if it is “satisfied that it is not reasonably possible for the personal information to be used unlawfully.” (art. 34) The difference is important: under Alberta’s statute, the Commissioner, at arm’s length, makes the call as to whether notification is required; under the Manitoba legislation it is the organization, facing embarrassment or even possible legal action, that gets to decide whether individuals should be told of the mishandling of their personal information.

The most significant difference between the Manitoba legislation and both PIPEDA and its substantially similar counterparts relates to oversight and enforcement. The Manitoba Ombudsman is given extremely limited oversight powers under the legislation, and there is no mechanism through which the public can make complaints regarding the handling of their personal information by private sector organizations. Instead, the Manitoba legislation offers only judicial recourse. For example, individuals are given a right of action in a court of competent jurisdiction where an organization has failed to take proper care of information under its control, or for failure in its duty to notify of a significant security breach in respect of personal information. The Act also provides that it is an offence to willfully collect, use or disclose personal information in contravention of the Act, to wilfully attempt to access personal information, or to dispose, alter, falsify, conceal or disclose personal information in order to evade a request for access. These offences require the acts to be willful, setting a rather high threshold. The legislation provides a defense where the organization is considered to have “acted reasonably in the circumstances.” The mens rea requirement will likely make prosecutions rare; in any event, they will be beyond the power of individuals to initiate and pursue on their own. Without a complaint mechanism and without the power to control prosecutions of offenses, the individual is left with no other option but to take an organization to court. As we have seen with court actions under PIPEDA, the damage awards are typically too low to make this kind of recourse practicable. An individual who is willing to take the time and effort to represent themselves in small claims court might walk away with a few dollars, but for many types of mishandling of personal information a complaints mechanism would be far more effective in guiding an organization to modify its practices while at the same time reassuring individuals that something has been done to rectify the problem.

The lack of effective oversight and the lack of an accessible complaints mechanism, in my view make this legislation very far from being substantially similar to PIPEDA. Basic normative requirements are essentially meaningless without appropriate oversight. It is worth noting that even with PIPEDA’s much more significant oversight provisions, the Privacy Commissioner of Canada has grown frustrated with the limits of her own lack of order-making powers under PIPEDA, and with the lack of additional powers to impose fines or penalties in appropriate circumstances. The Manitoba legislation is a long way from what should be required of a province that wishes to remove its private sector organizations out from under the reach of PIPEDA.

Login to post comments

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law