Report to Parliament Concerning Substantially Similar Provincial Legislation

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

June 2003

Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190

Cat. No. IP34-11/2003
ISBN 0-662-67351-4


June 2003

The Honourable Daniel Hays
The Speaker
The Senate of Canada

Dear Speaker Hays:

I have the honour to submit to you my second Report to Parliament Concerning Substantially Similar Provincial Legislation.

Under the Personal Information Protection and Electronic Documents (PIPED) Act, I am required to report annually to the Parliament of Canada on the extent to which the provinces have enacted legislation that is substantially similar to the PIPED Act.

I submitted my first Report to you on this matter in May 2002, in which I indicated that, based on my analysis, Quebec's An Act Respecting the Protection of Personal Information in the Private Sector legislation is substantially similar to the PIPED Act in terms of the extent to which it protects personal information. In this Report, I address the status of private sector privacy legislation in the other provinces.

Yours sincerely,

George Radwanski
Privacy Commissioner of Canada


June 2003

The Honourable Peter Milliken
The Speaker
The House of Commons

Dear Speaker Milliken:

I have the honour to submit to you my second Report to Parliament Concerning Substantially Similar Provincial Legislation.

Under the Personal Information Protection and Electronic Documents (PIPED) Act, I am required to report annually to the Parliament of Canada on the extent to which the provinces have enacted legislation that is substantially similar to the PIPED Act.

I submitted my first Report to you on this matter in May 2002, in which I indicated that, based on my analysis, Quebec's An Act Respecting the Protection of Personal Information in the Private Sector legislation is substantially similar to the PIPED Act in terms of the extent to which it protects personal information. In this Report, I address the status of private sector privacy legislation in the other provinces.

Yours sincerely,

George Radwanski
Privacy Commissioner of Canada


Introduction

Under the Personal Information Protection and Electronic Documents (PIPED) Act I am required by subsection 25(1) to report annually to the Parliament of Canada on the "extent to which the provinces have enacted legislation that is substantially similar to the PIPED Act."

I expect that this reporting will be a key factor in assisting the Minister of Industry in determining whether or not a provincial or territorial law is substantially similar. Industry Canada has stated that the Minister will seek the Privacy Commissioner's views and include those views in any submission to the Governor in Council recommending that provincial or territorial legislation be designated as substantially similar. These reports may also be useful to other interested parties who may wish to comment on the legislation.

Designating legislation as substantially similar allows the Governor in Council under paragraph 26(2)(b) to exempt an organization, a class of organizations, an activity or a class of activities to which the legislation applies from the application of the PIPED Act "in respect of the collection, use or disclosure of personal information that occurs within that province."

The intent of this provision is to allow provinces and territories to regulate the personal information management practices of organizations operating within their borders, provided that they have in place a law that is substantially similar.

However, this provision does not mean that a province can simply pass legislation and expect the Federal Cabinet to automatically designate it as substantially similar. To do so would defeat the purpose and intended effect of the PIPED Act--to provide seamless and meaningful privacy protection throughout Canada.

If the Governor in Council issues an Order declaring a provincial act to be substantially similar, the collection, use or disclosure of personal information by organizations subject to the provincial act will not be covered by the PIPED Act. Personal information that flows across provincial or national borders will be subject to the PIPED Act and the PIPED Act will continue to apply within a province to the activities of federal works, undertakings and businesses that are under federal jurisdiction such as banking, broadcasting, telecommunications and transportation.

If a province enacts private sector privacy legislation that is not found to be substantially similar to the PIPED Act, the provincial law will of course remain in effect. But effective January 1, 2004, it will operate concurrently with the federal law.

The federal provisions will take precedence to the extent of any inconsistency and all organizations carrying out commercial activities will have to comply with the provisions of the PIPED Act. This does not apply however in the case of employment privacy rights where the PIPED Act will not apply even if a province enacts legislation that is not substantially similar or enacts no legislation at all.

In May 2002, I submitted my first Report on the matter of substantially similar provincial legislation. In that Report I concluded that Quebec's An Act Respecting the Protection of Personal Information in the Private Sector is substantially similar to the PIPED Act in terms of the extent to which it protects personal information.


My Criteria for Assessing Provincial Legislation

In that Report I also set out the criteria that I will use in assessing provincial legislation. The PIPED Act does not provide any explicit guidance in terms of the criteria to be used in determining whether or not legislation enacted by a province is substantially similar.

In assessing provincial legislation, I will interpret substantially similar to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial privacy law must be at least as good, or it is not substantially similar.

To be considered substantially similar, any provincial legislation will have to contain, at a minimum, the ten principles set forth in Schedule 1 to the PIPED Act. While I consider all ten principles of this code to be interrelated and equally important, I consider consent, access and correction rights, along with the reasonable person test to be the key components in making an assessment of substantially similar. In addition, any provincial law would need to provide for effective oversight and redress.

Consent

The federal law says that consent must be informed and that an organization may only collect, use or disclose personal information about an individual with the individual's consent except in certain limited circumstances that are set out in the Act.

After collection, personal information can only be used or disclosed for the purpose for which consent was given, except in certain circumstances that are set out in the Act.

Reasonable Person Test

The reasonable person test provides another important check on organizations. The law states that the collection, use and disclosure of personal information must be limited to purposes that a reasonable person would consider appropriate in the circumstances.

This test prevents organizations from using overly broad or vague statements of the purposes for which information is being collected and from coercing individuals to give consent.

Access and Correction Rights

Individuals must have the right to access personal information that organizations have about them and to correct any information that is incorrect (or to have any disagreement noted and provided to any party who received the information).

Oversight

Where an individual is of the opinion that his or her privacy rights have been violated or that the privacy law has not been respected, the individual must have the ability to complain to a fully independent oversight body with the specific mandate to resolve complaints, thoroughly investigate, mediate, conciliate and make recommendations or issue orders. Such an oversight body also must have the full range of investigative powers to seize documents, enter premises, compel testimony and initiate audits of an organization's practices.

Redress

Following a complaint, and the issuance of my Report, the federal Act allows the complainant (or myself directly) to apply for a hearing in the Federal Court of Canada. The complainant or I can ask the court to order the organization in question to correct its information handling practices and make public the steps it has taken to do so. The court can be asked to award damages to the complainant.

Decisions of the Federal Court can be appealed to the Federal Court of Appeal and with leave to the Supreme Court of Canada.

There must be corresponding redress provisions in any provincial legislation which purports to be substantially similar.


Industry Canada's Process for Assessing Substantially Similar

Following discussions with my Office, Industry Canada published a notice in the Canada Gazette Part 1 (September 22, 2001) setting out the process that the department will follow for determining whether provincial/territorial legislation will be deemed substantially similar.

The process will be triggered by a province, territory or organization advising the Minister of Industry of legislation that it believes is substantially similar to the PIPED Act. The Minister may also act on his or her own initiative and recommend to the Governor in Council that provincial or territorial legislation be designated as substantially similar.

The Minister has stated that he will seek the Privacy Commissioner's views on whether or not legislation is substantially similar and include the Commissioner's views in the submission to the Governor in Council.

The process also provides for an opportunity for the public and interested parties to comment on the legislation in question.

According to the Canada Gazette notice, the Minister will expect substantially similar provincial or territorial legislation to:

  • incorporate the ten principles in Schedule 1 to the PIPED Act;
  • provide for an independent and effective oversight and redress mechanism with powers to investigate; and
  • restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate.

Provincial Private Sector Legislation

To date, Quebec is the only province in Canada with comprehensive legislation that applies to personal information in the private sector. An Act Respecting the Protection of Personal Information in the Private Sector came into effect, with a few exceptions, on January 1, 1994. The legislation sets out detailed provisions that enlarge upon and give effect to the information privacy rights in Articles 35 to 41 of the Civil Code of Quebec.

As mentioned above, I have formally reported to Parliament my determination that this legislation is substantially similar to the PIPED Act.

The Government of Ontario released a discussion paper in July 2000 on a proposed Ontario Privacy Act. This was followed by draft legislation that was issued for comments on February 4, 2002. The new legislation is called the Privacy of Personal Information Act, 2002.

The document released by the Ontario Ministry of Consumer and Business Services is both draft legislation and a consultation paper. Individuals and organizations were invited to comment on the legislation until March 31, 2002.

There have, however, been no further indications as of the time of this Report that the Government of Ontario is proceeding with legislation that would be in effect by January 1, 2004.

British Columbia's Bill 38, the Personal Information Protection Act

On April 30, 2003, the British Columbia Government introduced Bill 38, the Personal Information Protection Act. The application of the Bill is broad; unlike the PIPED Act, it applies to all organizations, with a limited number of exceptions, including those that are not engaged in commercial activities. The definition of personal information is comparable to the definition in the PIPED Act; specifically, it does not require that information be recorded or stored.

The Bill has many positive elements. Unfortunately, it also has a number of very grave deficiencies that would in my view make it impossible for the Government of Canada to recognize this legislation in its current form as substantially similar to the PIPED Act.

First, subsections 14(b) and 17(b) allow the use and disclosure, respectively, of information collected before the Act comes into force where that use or disclosure fulfills the purposes for which the information was collected. These "grandfathering" provisions make it significantly different from the PIPED Act, which does not distinguish between personal information collected before and after its coming into effect. The Bill effectively eliminates any need for consent to use or disclose information that has already been collected.

The Bill provides that any use or disclosure of information that was collected before the Act came into force must be consistent with the purpose that was stated at the time it was collected. However, since there was no requirement to specify purposes before the Act came into force, an organization can use or disclose existing information for any purpose and claim that it is only using or disclosing the information for a previously intended purpose. This would make it extremely difficult for an individual to challenge the use of this grandfathered personal information.

This is clearly inconsistent with the PIPED Act, which takes a much more privacy-protective approach: to use or disclose information collected before the Act came into force, organizations require consent.

Second, the Bill is clearly inferior to the PIPED Act with regard to the concept of consent, which is at the heart of any statute purporting to protect privacy.

In section 8, the Bill specifically refers to implicit consent--a weak form of consent that is acceptable only in certain limited circumstances--but says nothing about express or written consent.

This is a critical omission, because it could very well lead an organization to assume that it can rely entirely on implicit consent. There is nothing in the legislation to prevent an organization from doing so, nor anything that the Commissioner could use to require express consent.

In contrast, the PIPED Act strongly recommends the use of express consent with respect to the collection, use or disclosure of sensitive information. Principle 4.3.4, in Schedule 1, states, "In determining the form of consent to use, organizations shall take into account the sensitivity of the information." As it is now written, Bill 38 is unclear about when, if at all, express consent should be used.

A statutory scheme that allowed organizations to rely entirely on implicit consent would provide a significantly lower level of protection than that provided by the PIPED Act.

Third, the Bill is clearly inferior to the PIPED Act with regard to privacy rights in employment. Sections 13, 16 and 19 specifically allow the collection, use and disclosure of employee personal information without consent. This completely deprives an employee, or a prospective employee, of any control over his or her information.

Although the Bill requires that the collection, use or disclosure of employee personal information be reasonable for the purposes of establishing, managing or terminating an employment relationship, this is a weak test that would not protect employees or prospective employees concerned about their privacy. An employer could argue that almost any intrusion on employee privacy is "reasonable" in the sense that it is potentially helpful for establishing, managing or terminating an employment relationship.

The employee could complain after the fact that this intrusion was not reasonable, but the information would have already been collected and disclosed. Once privacy has been violated, it cannot be unviolated. The damage has been done.

The PIPED Act, in contrast, makes no distinction between information collected, used, or disclosed in employment and in commercial activities. The protection afforded employees covered by Bill 38 would be drastically inferior to that enjoyed by employees covered by the PIPED Act.

Fourth, a fundamental component of the PIPED Act is the power of individuals to find out what personal information organizations have about them and to correct any information that is incomplete or wrong.

The access and correction provisions in Bill 38 fail to provide similarly effective protection. Under paragraph 23(4)(d), individuals would be prevented from obtaining access to information about themselves if it would reveal the identity of individuals who provided the information. This provision could prevent an individual from obtaining access to negative comments provided by a co-worker or supervisor or pejorative information provided to a banker or other credit grantor if it would reveal the identity of the person who made the comments. Without access to this information, an individual would not even know it existed and obviously would not be able to challenge its accuracy.

As well, there is no requirement, when the accuracy of information is in dispute, that the organization in control of the information inform other organizations that have access to the information about the substance of the dispute. Subsection 24(3) only requires that the organization annotate the personal information under its control noting the dispute. The other organizations can retain, use and even disclose personal information, regardless of whether its accuracy is in dispute. The PIPED Act contains such a requirement, as should any proper privacy legislation, and the failure of Bill 38 to do so is a substantial weakness.

Finally, the draft legislation allows collection, use or disclosure without consent for the purposes of an investigation or proceeding. This is a necessary feature of any privacy protection law, but the definition of the term "investigation" in the Bill is much broader than the way in which the term is used in the PIPED Act. The PIPED Act limits the term to investigations of "a breach of an agreement or a contravention of the laws of Canada or a province."

The definition in Bill 38 also includes an investigation related to "a circumstance or conduct that may result in a remedy or relief being available under an enactment, under the common law or in equity" "the prevention of fraud" and trading in securities. The Bill also contains a similarly broad definition of "proceeding."

These definitions are detrimental to the level of protection afforded by the Bill. Allowing an excessive number of situations in which personal information can be collected, used or disclosed without consent seriously erodes the fundamental principle of consent that is the underpinning of any sound privacy legislation.

On a positive note, the Bill contains a reasonable person test and the oversight and redress provisions are comparable to corresponding provisions in the PIPED Act. One notable difference is that Bill 38 gives the British Columbia Information and Privacy Commissioner order making power.

With respect to the ten principles in Schedule 1 to the PIPED Act, Bill 38 does not incorporate all ten principles in the sense of being given fully meaningful effect. The absence of any reference to express consent and the failure to require consent for the collection, use or disclosure of employee personal information mean that the consent principle is not fully incorporated in the Bill. Similarly, the grandfathering provisions prevent the draft legislation from adequately limiting use and disclosure and the individual access principle is not fully incorporated in the Bill.

Based on my assessment of Bill 38, in its current form, the draft legislation cannot be regarded as substantially similar to the PIPED Act in terms of the extent to which it protects personal information.

Alberta's Bill 44, the Personal Information Protection Act

On May 14, 2003, the Alberta Government introduced Bill 44, the Personal Information Protection Act. Bill 44 is very similar to British Columbia's draft legislation, Bill 38. The two Bills have the same structure and many of the provisions use the same language.

Similarly, Bill 44 has several serious deficiencies that would in my view make it impossible for the Government of Canada to recognize Bill 44 in its current form as substantially similar to the PIPED Act.

First, section 62 gives the Lieutenant Governor in Council (the Cabinet) the discretion to issue sweeping regulations dealing with a broad range of matters, including:

  • giving consent;
  • the procedures to be followed in making and responding to access requests;
  • the circumstances in which personal information can be collected, used or disclosed without consent; and
  • the personal information to which the Act does not apply.

This broad authority to make regulations is deeply troubling because it has the potential to dramatically reduce the scope of the proposed law and weaken the fair information principles that form the core of sound privacy legislation. No similarly broad regulatory discretion exists in the PIPED Act.

Regulation making authority should be limited to unforeseen housekeeping matters. Fundamental changes that would impact individuals' right to privacy, such as those that would be permitted under this Bill, should be subject to full and open public debate.

Second, section 4 allows an organization to use and disclose information collected before the Act comes into force for the purposes for which the information was collected. The Alberta draft legislation specifies that this information is "deemed to have been collected pursuant to consent given by that individual." This eliminates any need for an organization to seek consent to use or disclose information that has already been collected.

Limiting the use or disclosure of this information to the purposes for which it was collected does not provide any meaningful protection since there was no requirement to specify purposes when the information was collected. An organization can use or disclose this personal information for any purpose and claim that this purpose was intended when it was collected, making it extremely difficult for an individual to challenge the use of this grandfathered personal information.

This is clearly inconsistent with the PIPED Act, which does not distinguish between personal information collected before and after its coming into effect. The PIPED Act takes a much more privacy-protective approach: to use or disclose information collected before the Act came into force, organizations require consent.

Third, the Bill is clearly inferior to the PIPED Act with regard to privacy rights in the workplace. Sections 15, 18 and 21 allow the collection, use and disclosure of employee personal information without consent--completely depriving an employee or a prospective employee of any control over his or her information.

The Bill does not even contain a requirement that the organization inform employees after the fact that their information was collected, used or disclosed without consent. As a result, employees may be completely unaware that the collection, use or disclosure took place, denying them the right to complain. And even if they do become aware, complaining after the fact cannot undo the damage that has been done. Once privacy is lost, it cannot be regained.

The Bill requires that the collection, use or disclosure of employee personal information be reasonable, but this provides little or no meaningful protection. From the employer's perspective--which seems to be the perspective from which these provisions of the Bill were drafted--almost any intrusion on employee privacy can be seen as "reasonable."

The PIPED Act, in contrast, makes no distinction between information collected, used, or disclosed in employment and in commercial activities. The protection afforded employees covered by Bill 44 would be drastically inferior to that enjoyed by employees covered by the PIPED Act.

Fourth, the PIPED Act gives individuals the right to access personal information that organizations have about them and to correct any information that is incorrect (or to have any disagreement noted and provided to any party who received the information). By exercising these rights, individuals can help police the practices of an organization by ensuring that the information being collected is not excessive and that inaccurate information is not being used to make decisions that might affect them. The access and correction rights in Bill 44 are considerably more circumscribed than those in the PIPED Act.

Under paragraph 24(3)(c), individuals could be prevented from obtaining access to information about themselves if it would reveal the identity of individuals who provided the information. As noted above, this provision could prevent an individual from obtaining access to negative or inaccurate comments if the person who made the comments did not consent to the disclosure of his or her identity. Without access to this information, an individual would not even know it existed and obviously would not be able to challenge its accuracy.

Individuals can also be denied access on the grounds that disclosure might result in that type of information no longer being provided to the organization. The PIPED Act does not contain such a provision and it is difficult to see the need for it given the other grounds in the Bill for denying access. This is a very amorphous basis for denying access that would be almost impossible for an individual to challenge.

Bill 44 also differs from the PIPED Act with respect to fees. Bill 44 allows an organization to charge "reasonable" fees for access. The PIPED Act requires that access be provided at "minimal or no cost." An individual's right to access his or her personal information should not be constrained by cost.

When the accuracy of information is in dispute, Bill 44 does not require the organization in control of the information to inform other organizations that have access to the information about the substance of the dispute. Subsection 25(3) only requires that the organization annotate the personal information under its control noting the dispute. Other organizations with access to this information could use and even disclose this personal information without being aware that its accuracy has been challenged. The PIPED Act contains such a requirement and the failure of Bill 44 to do so is a substantial weakness.

Fifth, the draft legislation allows collection, use or disclosure without consent for the purposes of an investigation or a legal proceeding. The problem is that the definition of the term "investigation" in the Bill is much broader than the way in which the term is used in the PIPED Act. The Bill contains a similarly broad definition of "legal proceeding."

Furthermore, there is no requirement, similar to that in the PIPED Act, that personal information can only be collected, used and disclosed without consent for the purposes of an investigation, if it is reasonable to expect that "the knowledge or consent of the individual would compromise the availability or the accuracy of the information."

As a result, the Bill would allow too much scope for organizations to collect, use or disclose personal information without consent on the grounds that it is required for an investigation or a legal proceeding. Allowing an excessive number of situations in which personal information can be collected, used or disclosed without consent seriously erodes the fundamental principle of consent that is the underpinning of any sound privacy legislation.

Finally, I want to comment on sections 55 and 56 dealing with professional regulatory bodies and non-profit organizations. The Bill would permit the Lieutenant Governor in Council to delay or exempt application of the Act to these types of organizations. I would see no problem if the Act only applied to professional regulatory bodies and non-profits to the extent they engage in commercial activities--this is consistent with the PIPED Act--but to exempt them entirely would establish a lower level of protection than that provided by the PIPED Act. Some non-profit organizations collect highly sensitive information, including information about medical conditions. To allow non-profits to disclose this information for gain without consent would provide a lower level of protection than under the PIPED Act.

The Bill contains a reasonable person test and the oversight and redress provisions are comparable to corresponding provisions in the PIPED Act although Bill 44 gives the Alberta Information and Privacy Commissioner order making power.

Bill 44 does not meaningfully incorporate all ten principles in Schedule 1 to the PIPED Act. The failure to require consent for the collection, use or disclosure of employee personal information means that the consent principle is not fully incorporated in the Bill. Similarly, the grandfathering provisions prevent the draft legislation from adequately limiting use and disclosure and the individual access principle is not fully incorporated in the Bill.

Based on my assessment of Bill 44, in its current form, the draft legislation cannot be regarded as substantially similar to the PIPED Act in terms of the extent to which it protects personal information.


Provincial Sector-Specific Legislation

Many provincial sector-specific laws include provisions dealing with the protection of personal information. Every province except New Brunswick has legislation dealing with consumer credit reporting. These acts typically impose an obligation on credit reporting agencies to ensure the accuracy of the information, place limits on the disclosure of the information and give consumers the right to have access to, and challenge the accuracy of, the information.

Many acts impose obligations limiting the disclosure of information. Several provinces have passed legislation that imposes restrictions on the disclosure of personal information by private investigators. Laws governing credit unions typically have provisions dealing with the confidentiality of information relating to members' transactions. There are a large number of provincial acts that contain confidentiality provisions concerning personal information collected by professionals.

The Health Sector

The provinces of Alberta, Manitoba and Saskatchewan have all passed health specific privacy legislation. The legislation in Manitoba and Alberta is currently in force. Saskatchewan has not announced when its legislation will come into force. On May 8, 2003, the Government of Saskatchewan introduced Bill 28, An Act to amend The Health Information Protection Act and to make consequential amendment to The Regional Health Services Act.

All three laws establish rules for the collection, use and disclosure of personal health information. They each set out rights of access and correction as well as the right to request a review by an oversight body, that can investigate complaints.

These laws apply to personal health information held by provincial government ministries, hospitals, regulated health professions (such as physicians, pharmacists, dentists, registered nurses), laboratories and other health care facilities.

Quebec's An Act Respecting the Protection of Personal Information in the Private Sector covers health information in the private sector. It applies to all enterprises in Quebec, including private sector organizations that deliver health services, as well as any professional who operates a practice. Quebec's Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information applies to the remainder of the health sector.

British Columbia does not have specific health sector legislation, but its public sector legislation, the Freedom of Information and Protection of Privacy Act, covers health information held by all publicly funded health organizations and health care providers, including clinics, universities and hospitals.

In 1995 the scope of the Act was expanded to include all self-governing professional bodies. These bodies include the College of Physicians and Surgeons, the College of Dental Surgeons, the College of Pharmacists, Registered Nurses' Association and the Health Professions Council. Practitioners in private practice and private clinics and laboratories fall outside the scope of the Act.

If passed, British Columbia's Bill 38, the Personal Information Protection Act, will apply to personal health information not covered by the Freedom of Information and Protection of Privacy Act.

In December 2000, Ontario introduced Bill 159, the Personal Health Information Privacy Act. This Bill died on the order paper when the provincial legislature prorogued on March 2, 2001.

As I stated in my first Report to Parliament regarding substantially similar legislation in May 2002, I consider it appropriate to defer commenting on sector-specific provincial legislation until it becomes more clear which provinces are likely to have comprehensive private sector legislation in place by January 1, 2004. I accordingly anticipate addressing the matter of substantially similar sector-specific provincial legislation in a further Report to Parliament in the autumn of this year.


Conclusion

In statutory terms, nothing has changed since my last Report, in the sense that no provinces have enacted new comprehensive private sector privacy legislation which would qualify for consideration under subsections 25(1) or 26(2)(b) of the Personal Information Protection and Electronic Documents Act.

However, since January 1, 2004, is fast approaching and since two provinces have introduced major legislative initiatives in this regard, I have deemed it helpful to make clear at the earliest possible time that neither the British Columbia draft legislation nor the Alberta draft legislation would permit me to find substantial similarity under subsection 25(1) of the PIPED Act.

The British Columbia draft legislation fails to sufficiently incorporate Principles 4.3 (Consent), 4.5 (Limiting Use, Disclosure, and Retention) and 4.9 (Individual Access) of the Act. Bill 38 thereby fails to meet the criteria for determining substantial similarity that I have previously set out, as well as those set out by Industry Canada in the Canada Gazette of September 22, 2001.

The Alberta draft legislation fails to sufficiently incorporate Principles 4.5 (Limiting Use, Disclosure, and Retention) and 4.9 (Individual Access) of the Act. In addition, the broad regulation-making authority would deprive the Act of the certainty and specificity which is essential if it is to be substantially similar to the PIPED Act in which the regulation-making authority is more limited. Bill 44 thereby fails to meet the criteria for determining substantial similarity that I have previously set out, as well as those set out by Industry Canada in the Canada Gazette of September 22, 2001.

It is therefore my view that, if these bills are enacted in their current form, it would not be possible for the Minister of Industry to recommend to Cabinet an exemption for either British Columbia or Alberta under paragraph 26(2)(b) of the Act without thereby violating the requirements, purpose and intended effect of the PIPED Act in protecting the privacy rights of all Canadians.

Date modified: