Canadian privacy law raises ante
Next month, Canada will enact a law that offers sweeping privacy protections for its citizens. But the law may also create legal obligations and data management problems for potentially thousands of businesses that exchange data with firms and subsidiaries in Canada, the U.S.'s largest trading partner.
On Jan. 1, Canada's Personal Information Protection and Electronic Documents Act becomes law, requiring businesses to offer Canadian citizens certain guarantees regarding the collection and use of personal data. For example, they must get a customer's consent before sharing data with affiliates or commercial partners and must provide access to that data for review.
Initially, the law will apply only to certain federally regulated businesses in Canada: airlines, banks, telecommunications firms and broadcasting organizations. But by 2004, virtually every Canadian business will be affected -- and consequently, so will a broader range of U.S. businesses.
"In some cases, [the law] is going to create some interesting nightmares" for companies, said Murray Long, a privacy consultant in Ottawa. Long cited the case of a Canadian affiliate that stores its data in U.S.-based servers.
"How do you ensure that the [privacy compliance] safeguards on the U.S. corporate network are up to par?" he said.
The Canadian law will likely force many U.S. companies that exchange personally identifiable information with Canadian firms and subsidiaries to have a contract that commits them to following Canada's law, say legal experts.
"A multinational company operating in Canada will have to have dozens and dozens of contracts with everybody who supplies them with any personal information, including their own subsidiaries," said David Aaron, a former official at the U.S. Department of Commerce who negotiated the European "safe harbor" agreement and is now an attorney at Dorsey & Whitney LLP in Washington.
And even though it may take three years before the law affects all U.S. firms doing business in Canada, the lack of a grandfather clause -- which would have exempted data collected prior to the law's enactment -- may force companies to begin seeking an individual's consent well before any deadline, legal experts noted.
If a company doesn't have the consent of the individual on the day the law takes effect, it won't be able to use that person's information, even if his data was collected years ago, said Brian C. Keith, an attorney at Borden Ladner Gervais LLP in Toronto.
Some companies, such as American Express Co. in New York, prepared long ago to adapt to the law. Amex already follows the Canadian Standards Association's model code on privacy, on which the act is based, said Sally Cowan, the company's chief privacy officer. As a result, she said, the law will have "no impact" on Amex.
Canadian privacy advocates maintain that the new privacy law will help businesses.
"Consumers are more and more asking about privacy policies, and I think that organizations that have good policies and procedures in place will be able to sort of turn [privacy compliance] to their advantage," said Heather Black, a legal advisor at the Office of the Privacy Commissioner of Canada in Ottawa.