Doing Business in Canada? All Organizations Carrying on Commercial Activities in Canada Will Be Subject to New Privacy Rules Beginning January 1, 2004

06.09.2003

The last stage of Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") is set to take effect on January 1, 2004. PIPEDA already covers federally regulated entities in Canada and will now apply to the collection, use, or disclosure of personal information in the course of any commercial activity in Canada. This means that all businesses and business activities, not just activities conducted through Web sites or electronic commerce, will be subject to the new privacy rules. U.S. companies with operations or subsidiaries in Canada will have to comply with the requirements of PIPEDA. The new rules could potentially apply to the collection of Canadians' personal information by U.S. companies that operate entirely outside Canada.

The new law regulates the management of personal information collected by companies doing business in Canada. PIPEDA contains detailed requirements based on the following ten core principles:

  1. Accountability. An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for that organization's compliance with the following principles.

  2. Identifying Purposes. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

  3. Consent. The knowledge and consent of each individual is required for the collection, use, or disclosure of personal information, except where inappropriate.

  4. Limiting Collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by each organization. Information shall be collected by fair and lawful means.

  5. Limiting Use, Disclosure, and Retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

  6. Accuracy. Personal information shall be accurate, complete, and as up-to-date as is necessary for the purposes for which it is to be used.

  7. Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

  8. Openness. An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

  9. Individual Access. Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  10. Challenging Compliance. An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals who are accountable for each organization's compliance.

Implementing PIPEDA may prove challenging for companies doing business in Canada. For example:

    • Transfer of Personal Information. Businesses must comply with specific requirements when transferring personal information to third parties. Companies may need to update and/or implement new contracts with service providers, subsidiaries, affiliates, and partners.

    • No Grandfathering. PIPEDA also applies to personal information collected before January 1, 2004. If a business did not receive consent when the personal information was initially collected, the company may no longer use the information until consent is subsequently obtained from the individual.

Although January 2004 is seven months off, do not underestimate the amount of work that may be required. Depending on a company's current privacy practices, it may take time to design and implement procedures that comply with PIPEDA.