On January 8th, the Alberta Court of Queen’s Bench quashed an order of the Information and Privacy Commissioner of Alberta that dealt with a City of Edmonton directive to second hand goods dealers that required them to collect the personal information of individuals selling used goods.
The City required dealers to collect the name, date of birth, gender, eye colour, hair colour and identification details of all sellers and upload this and other information to a database hosted by a third-party under contract to the City. The police could access the database, but the information also remained available to dealers (presumably) for use in their business.
In February 2008 the IPC ordered the City to stop collecting information and destroy its database. It held that the scheme established a “collection” by the City, but that this collection violated the Alberta Freedom of Information and Protection of Privacy Act because it was not authorized by law, was not collected for the purpose of law enforcement and was not necessary for an operating program or activity of the City. The key finding was that the City’s longstanding by-law, which required used goods dealers to make information available to peace officers, did not allow the City to implement a scheme whereby information is uploaded to a database under the City’s control.
The Court of Queen’s Bench held that the IPC’s reading of the by-law was too strict and that that by-law provision that required dealers to “record” and “make available” information authorized it to direct the uploading of personal information to a secure database to be accessed on a standing basis. The outcome of the Queen’s Bench decision did not turn on this finding, because it held in any event that the City was not collecting information through dealers. Since dealers had their own purpose for collecting the information and also collected and uploaded additional information than that required by the City, the Court held they were not the City’s agents. According to the Court, the scheme entailed a collection by the police rather than the City, a collection that was lawful because it was made for the purpose of law enforcement. Finally, the Court held that the Commissioner erred in ordering the destruction of the database.
The Queen’s Bench decision is lengthy and includes more findings than described in this post. Though most of the Court’s conclusions are technical, it does seem to comment generally on the interpretation of municipal powers as they pertain to personal privacy and on the proper characterization of data flows. Moreover, the Court’s rather quick but clear conclusion that the collection was for “law enforcement” purposes is significant and appears to conflict with the Ontario Court of Appeal’s finding in the 2007 Cash Converters case. These points of significance aside, there is also an interesting subtext that is illustrated by the Court’s rather complete and forceful quashing of the OIPC order.
Business Watch International Inc. v. Alberta (Information and Privacy Commissioner), 2009 ABQB 10.