The Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) was designed to protect personal information. The provisions of PIPEDA allow organizations to collect, use, or disclose personal information “only for purposes that a reasonable person would consider are appropriate in the circumstances.” Organizations are prohibited from collecting personal information without the data owner’s consent unless:
- the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
- the collection is solely for journalistic, artistic or literary purposes;
- the information is publicly available and is specified by the regulations; or
- the collection is made for the purpose of making a disclosure required by law.
It does not appear that PIPEDA extends to companies located in the United States, even if the companies collect information about Canadian citizens. In 2004, the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) filed formal complaints against two U.S.-based companies for routinely collecting, using, and disclosing information about Canadians for unlimited purposes without the knowledge and consent of the data owners. The Office of the Privacy Commissioner responded that the jurisdiction of the PIPEDA does not extend to organizations that do not have a physical location in Canada.