Privacy Laws

The privacy laws in Canada, the United States, the European countries and other parts of the world are, for the most part, based on the widely accepted Fair Information Practice Principles set out in the 1981 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. However, privacy laws around the world still differ in many respects. Given this complex web of legislation, organizations with a presence in multiple jurisdictions, such as those conducting business online, need to design policies and practices that comply with every privacy law that applies to the business, not just the law of their home jurisdiction.

Privacy commissioners would like to see more consistency in the laws, their application, and how they are being interpreted. Progress on joint initiatives and a harmonized approach to personal information protection is slowly being made, due to collaboration between data protection regulators around the world.


Private and Public Sector Laws

In Canada, the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), came into force on January 1, 2001. 

Since January 2001, PIPEDA has applied to federally regulated businesses, such as airlines, banks, broadcasters, interprovincial transportation companies and telecommunications carriers. Since January 1, 2004, PIPEDA has applied to every organization that collects, uses or discloses personal information in the course of a commercial activity. However, the federal government may exempt organizations or activities within provinces that have adopted privacy legislation that is substantially similar to PIPEDA.

For the public sector at the federal level, the Privacy Act governs the handling of personal information by government bodies. Provincial government bodies are governed by the Freedom of Information laws.


Sector and State-Specific Privacy Laws

In the United States, there is no one comprehensive privacy law that applies to the entire private sector. However, there are numerous sector and state-specific laws that businesses operating in the United States need to understand.

All states have some statutory protection for specific privacy rights, and some state constitutions specifically identify a right of privacy for their citizens.

Breach notification laws are also in force in many states. Organizations should understand them well in advance so that, in the event of a data security breach, they can notify regulators and affected individuals appropriately and within the required time frames.

The following are three high profile federal statutes in the United States:

Gramm-Leach-Bliley Act

      • Under this law, financial institutions and certain affiliates must comply with broad “consumer privacy” rules.
      • Institutions covered must create and provide notice of policies and procedures governing the collection, secure storage, and disclosure of personal information.
      • The Federal Trade Commission provides further information on the Gramm-Leach-Bliley Act.

Health Insurance Portability and Accountability Act Regulations

      • Applies to health plan providers, health care clearinghouses and certain health care providers.
      • Covers “protected health information”: information related to physical or mental health, the provision of health care, and the payment for health care.
      • HIPAA violations carry substantial penalties.
      • The United States Department of Health and Human Services provides further information on HIPAA.

Children’s Online Privacy Protection Act

      • Applies to the online collection of personal information from children under 13.
      • Requires a notice containing specific details about information practices to be posted on the home page and in each area of the website where personal information is collected from children.
      • The Federal Trade Commission provides further information on COPPA.

Visit the Electronic Privacy Information Center for more information on privacy laws in the United States.


Privacy in the Global Economy

Countries around the world have data protection laws in place that aim to ensure that governments and organizations protect citizens’ privacy. Within Europe, many stringent laws are in force, and many countries outside Europe, the United States and Canada have also turned to addressing privacy through legal obligations.


PRIVATECH offers an online e-learning course to train your staff on how to avoid a costly CASL breach.