Canadian telcos and banks subject to the Quebec privacy law
A decision was recently issued by the Quebec Commission d’Accès à l’information (“CAI”) pursuant to the Act respecting the protection of personal information in the private sector (“Quebec Private Sector Act”) following a complaint filed against Rogers Communications (“Telco”) pertaining to the collection of personal information. In X. c. Rogers Communications Inc., the complainant’s social insurance number (SIN) and driver’s licence number were collected by Telco in the context of the activation of a cell phone.
The CAI ordered Telco to cease collecting and holding the numbers of pieces of identification, including the SIN, presented by customers when opening an account for activation of a cell phone. I already blogged about the legality of the collection of SINs and driver’s licence numbers to confirm the customer’s identity and to conduct credit checks in Canadian Telcos can’t collect SINs and drivers licence numbers. But this recent decision is also interesting for issues pertaining to the jurisdiction of the CAI over a complaint involving a telco, an area of federal jurisdiction.
Telco submitted its observations without admission of the CAI’s jurisdiction over the issues raised in the complaint. The only ground alleged was the fact that it is a telecommunications undertaking, an area of exclusive federal jurisdiction. In this capacity, Telco argued that it would be subject only to the PIPEDA and considers that it complies with the applicable principles thereof.
Does the CAI have jurisdiction over complaints filed with a Telco or a Bank?
The CAI has the power to inquire into the application of s. 81 of the Quebec Private Sector Act. This Act applies to every person who collects, holds, uses or communicates personal information to third persons in the course of carrying on an enterprise in Québec (see s. 1 of the Private Sector Act and also art. 1525 of the Civil Code of Québec).
A telco carries on an organized economic activity that is commercial in nature, which consists of selling products and services. It is therefore an enterprise within the meaning of article 1525 of the Civil Code of Québec. Carrying on this economic activity involves the collection, holding, use and communication of personal information. Thus, a telco is subject to the Private Sector Act, an Act of general application that establishes specific rules regarding the protection of personal information within the context of carrying on an enterprise in Québec.
For the CAI to conclude that the Quebec Private Sector Act is inapplicable, it would have to be proven that the Quebec Private Sector Act affects one of its essential elements to the point of impairing the core of the federal power in telecommunications matters, as pointed out by the Supreme Court in the recent decision Banque de Montréal v. Marcotte.
The CAI articulated the view that the facts in the case and the observations presented did not show how the application of the Quebec Private Sector Act, in the case of verification of the identity of a customer and his solvency, impaired the core of telecommunications activities. Moreover, the decision mentions that the CAI and the Court of Québec have already concluded that the Quebec Private Sector Act applies to federally regulated enterprises (which would include telcos or financial institutions) in many decisions, including Nadler v. Rogers Communications Inc., 2014 QCCQ 5609.
Finally, Telco submitted that the Office of the Privacy Commissioner of Canada has already concluded that the collection of two pieces of identification, including the SIN and the driver’s licence number for identification and credit check purposes, was in compliance with the PIPEDA in Summaries of conclusions of inquiries under PIPEDA no 2002-104, no 2003-151, no 2003-204, no 2003-217 and no 2005-288. The CAI articulated the view that these conclusions do not exempt a telco from complying with the provisions of the Quebec Private Sector Act.
The CAI explains that, as the Supreme Court has already indicated in Procureur général de la Colombie-Britannique v. Lafarge Canada Inc., if it is possible for an organization to comply with both the provincial and federal statutes by satisfying the criteria of the stricter statute, there is no conflict and the organization must comply with the stricter rule. According to the Court, an interpretation must be favoured that seeks to reconcile provincial and federal legislation applicable to a given situation, especially when they pursue the same objective. The CAI explains that the Quebec Private Sector Act and the PIPEDA seek the same objective, the protection of individuals’ personal information, and that both laws limit the collection of personal information by organizations.
A party invoking federal paramountcy must prove a conflict between the two statutes. The CAI therefore concluded that the collection of a customer’s personal identity information with a view to verifying his solvency is subject to the applicable rules of the Quebec Private Sector Act and that the CAI has the jurisdiction to rule on this type of complaint.
Telcos and banks subject to the Quebec Private Sector Act when carrying on an enterprise in Québec
Many Canadian telcos and banks work under the assumption that the Quebec Private Sector Act does not apply to their activities. This decision from the CAI confirms that this assumption is not accurate if they are carrying on an enterprise in Québec. What is also important to keep in mind is that the Quebec Private Sector Act is probably the most stringent data protection law that we have in Canada.
This content has been updated on November 2, 2014 at 21 h 24 min.