A proposed class action was commenced in the Supreme Court of British Columbia alleging that Facebook used members’ names or portraits as endorsements of third-party advertisers, without those members’ consent, contrary to the provisions of the Privacy Act. A copy of the Notice of Civil Claim filed in the Supreme Court of British Columbia is available here.
There is privacy legislation at both the federal and provincial levels in Canada. The main legislation at the federal level is the Personal Information Protection and Electronic Documents Act (PIPEDA).
Does PIPEDA Apply to your Business?
The answer is likely – Yes.
PIPEDA applies to all organizations, including associations, partnerships, individuals, corporations, trade unions, non-profits and charities, which collect, use, or disclose personal information: (a) in the course of commercial activities; or (b) in connection with the operation of a federal work, undertaking or business; or (c) which is disclosed to a third party or in some cases within the same company across a provincial or national boundary.
(1) Accountability; (2) Identifying Purposes; (3) Consent; (4) Limiting Collection; (5) Limiting Use, Disclosure and Retention; (6) Accuracy; (7) Safeguards; (8) Openness; (9) Individual Access; and (10) Challenging Compliance.
The accountability principle provides that an organization is responsible for personal information under its control and shall designate an individual who is accountable for the organization’s compliance with the principles, the legislation and customers’ or users’ rights.
The Privacy Commissioner is tasked with ensuring that organizations do not use or disclose personal information for any purpose other than that for which it was collected except with the individual’s consent or as required by law.
Retention of Data
The retention principle states that personal information collected shall be retained only for as long as necessary to fulfil the purpose for which it was collected.
Transferring or selling personal information
When organizations transfer personal information to a third party for processing, they must use “contractual or other means” to ensure that the third party will provide a level of protection that is comparable to the protection offered by PIPEDA.
If the organization elects to use contractual means, the organization should enter into an agreement with the third party which ensures that the third party will comply with PIPEDA.