by Shaya Silber
Privacy law in Canada is regulated by various bodies and pieces of legislation. Most important among these pieces of legislation is PIPEDA. PIPEDA governs how organizations collect, use, and disclose personal information in the context of commercial activities. The Act applies across Canada, except where a province has enacted a similar piece of legislation. For example, British Columbia enacted PIPA, which governs how private sector organizations collect, use, and disclose personal information. Ontario does not currently have such a law to address private organizations (although there is an act which governs the collection and use of medical information and another act which addresses the collection and use of information by government bodies).
Generally speaking, organizations are prohibited from gathering personally identifiable information in the absence of consent by those whose information is being gathered. This includes information such as names, credit card information, telephone numbers and so on.
Privacy commissions have interpreted “personal information” broadly. Typically this has meant any information that applies about a specific person.
However, there seems to be a new development in the law. A recent decision by the Alberta Court of Appeal held that license plate information was considered to be non-identifiable. Until now, it would have seemed that a car’s license plate would be considered personally identifiable information. This is the rationale for distorting images of license plates in Google’s Street View.
The logic behind this is that each car can be traced to the registered owner. The court held that a license plate was attached to a specific vehicle, and not a specific person (i.e. the driver of the vehicle is not necessarily the registered owner). Furthermore, the court stated that a license plate was not private information because it is out in the open, available for all to see and record.
This means businesses now have a legal precedent to rely on if they are recording this kind of information without obtaining specific consent. Furthermore, when it comes to this kind of information, a business need not put in safeguards that it would otherwise have to for personal information, such as storing the information in a safe place.