Federal Private Sector: Not just one regulator anymore?
Throughout history, no matter what country, the scope and application of constitutional power can be best described as a “contact sport”. In Canada, the game is played by two levels of government operating under a division of power that has evolved through constitutional case law since 1867. A recent decision in Québec raises a new angle to consider for those companies who think they only have to deal with the federal OPC.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is supposed to be an “e-commerce/Internet” statute, constitutionally rooted in the federal government’s trade and commerce power. No one asks about the constitutional aspects of PIPEDA but it pops up every now and again. We assume the federal government did its homework back when it first thought of about the legislation. No one doubts the ability of the federal government to enact data protection legislation concerning (i) all private sector organizations in the territories and (ii) all federal works, undertakings or businesses. Its’ governance of intra-provincial private sector entities is another matter and cases such as 2011 decision in Reference re Securities Act provide fresh fuel to challenge that particular aspect. But for that aspect is a matter for another day. This post is about “federal works, undertakings or businesses” – which I will call the “federal private sector” here.
Different federal and provincial laws can apply to a private sector entity and a recently published decision by the Commission d’access d’information du Quebec (“CAI”) illustrates the point that it applies in the area of data protection as well. Last September, the CAI issued X c. Rogers Communications, a case that involved a complaint about the refusal to open a mobile phone account after the customer declined to provide a driver’s licence for authentication purposes.
Rogers made a secondary argument: while it made a submission to the CAI, the Company did not submit to the jurisdiction of the Commission. The rationale appears to have been that it was a telecommunications company and, as such, was subject to the exclusively federal jurisdiction and only PIPEDA.
The CAI took the position that because Rogers was an entity operating in Québec, s. 81 of the Québec Private Sector Act gave it jurisdiction. This then lead to the constitutional concepts of “co-operative federalism” and “interjursiditional immunity” with the CAI citing a 2014 decision of the Supreme Court of Canada: Bank of Montreal v. Marcotte.
Marcotte indicates that for an interjurisdictional immunity argument to succeed (and invalidate the application of a province’s legislative authority), two questions have to be asked: does the provincial power in question lie at the core of the federal power? If yes, does the provincial power “significantly trammel or impair” the way the federal power can be exercised? In Marcotte, the answer to both was no. In the CAI’s decision concerning Rogers, they also said no. Interestingly, the CAI also cited a number of decisions where federal businesses were also found to be subject to Quebec’s law.
So what does this mean? This Rogers finding by the CAI highlights what may be a misapprehension on the part of federal private sector entities (e.g. banks, telco, airlines) and their advisors: they only have to deal with the OPC. It seems that provincial data protection authorities may play a role in regulating the data protection activities of the federal private sector. It also means that data breach notifications should likely also go to provincial regulators instead of only the OPC.
Will this have a regulatory impact? Canadian data protection regulators have found a way to harmoniously work together and avoid regulatory duplication. Hopefully, this will continue.