On September 6, 2019, the Superior Court of Québec, in Opencorporates Ltd. c Registraire des entreprises du Québec,1 issued a declaratory judgment against the Registrar stating that it did not have the authority under its constituting Act — the Act respecting the legal publicity of enterprises (ALPE)2 — to prevent the applicant from publishing and distributing the data it had lawfully collected from the Register.
As a preliminary matter, the Registrar readily acknowledged that nothing in its enabling statute, nor in any other legislation, explicitly granted it the ability to monitor how the Register data is used once it is lawfully obtained.6 That said, the Registrar argued that the applicant’s use of the Register data violated the broader object and purpose of the ALPE, thereby entitling it to take action against OpenCorporates. Considering that OpenCorporates’ database did not restrain the manner in which searches could be conducted — unlike the Register, which was expressly designed to prevent users from conducting searches based on a natural person’s name or address7 — the Registrar alleged that the applicant was violating the purpose of the ALPE. In addition, the Registrar advanced that the ALPE granted it the exclusive authority to maintain and publish information with respect to Québec enterprises and, to that end, it was empowered to ensure the security of the Register data.
At the outset, the court clarified what the case was not about — namely, the legality of the OpenCorporates’ database itself. The court explicitly left open the possibility that a natural person, whose personal information is concerned by the applicant’s activities, may contest those practices under applicable privacy laws.8
Analysis and Business Takeaways
While the decision answers certain key questions, it nonetheless leaves others unanswered. Most notably, the court left open the possibility that a natural person, under applicable privacy legislations, could challenge OpenCorporates’ practices. For example, in Québec, An Act respecting the Protection of Personal Information in the Private Sector10 (Québec ARPPIPS) operates in place of federal Personal Information Protection and Electronic Documents Act (PIPEDA) for intra-provincial matters, and, as a result, applies to personal information collected within the context of this case. OpenCorporates would be subject to Québec ARPPIPS if it is considered as collecting the Register’s information in a commercial capacity11 even if it is a U.K.-based publisher that has no place of business in Québec.12
The Register’s information includes personal information and it should be noted that the Québec ARPPIPS does not include an exception for personal information that is publicly available, although certain parts of the act do not apply to personal information, which, by law, is public.13 In similar type of cases rendered under PIPEDA, the Office of the Privacy Commissioner articulated the view that it was illegal for foreign-based entities to collect publicly available information of Canadians and repurpose/republish such information.14
The author gratefully acknowledges the assistance of articling student Andy Nagy in writing this article.
1 OpenCorporates Ltd. c. Registraire des entreprises du Québec, 2019 QCCS 3801 [OpenCorporates].
2 Act respecting the legal publicity of enterprises, RSQ c P-44.1.
3 Ibid, ss 1-2.
4 Ibid, s 3.
5 OpenCorporates, supra note 1 at para 1.
6 Ibid at para 20.
7 Indeed, the Registrar was required under the Act to establish a legal framework for information technology to limit the Register’s search functions to the purpose for which the Register was created— namely, to enable the public to find information about a corporation, as opposed to an individual. See generally ibid at paras 72-80.
8 Ibid at paras 44-47.
9 Ibid at paras 72-80.
10 An Act respecting the Protection of Personal Information in the Private Sector, RSQ 1993, c P-39.1 [Québec ARPPIPS].
11 See ibid, s 1: “in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code”. See also Firquet c. Acti-Com, 2018 QCCAI 245 at para 14.
12 See Institut d’assurance du Canada c. Guay,  CAI 431. See also Institut d’assurance du Canada c. Guay, 1997 CanLII 6532 (QC CQ). Outside of Québec, it has been established that PIPEDA can apply to a foreign-based organization engaged in a commercial activity where there is a real and substantial connection to Canada. See Lawson v Accusearch Inc, 2007 FC 125; AT v. Globe24h.com, 2017 FC 114.
13 See Québec ARPPIPS, supra note 10, s 1: “Divisions II and III of this Act do not apply to personal information which by law is public.”
14 PIPEDA Report of Findings #2015-002, “Website that generates revenue by republishing Canadian court decisions and allowing them to be indexed by search engines contravened PIPEDA”, June 5, 2015; PIPEDA Report of Findings #2018-002, “Company’s re-use of millions of Canadian Facebook user profiles violated privacy law: Complaints under the Personal Information Protection and Electronic Documents Act against Profile Technology Ltd”, June 12, 2018.
15 See generally, Toronto Real Estate Board v. Commissioner of Competition,  3 FCR 563, leave to appeal to SCC refused, 37932 (August 23, 2018).
16 Personal Information Protection and Electronic Documents Act, SC 2000, c 5 s 7(1)(d),(2)(c.1),(3)(h.1) [PIPEDA]; Regulations Specifying Publicly Available Information, SOR/2001-7; Personal Information Protection Act, RSA 2003, c P-6.5 ss 14, 17, 20 [Alberta PIPA]; Personal Information Protection Act Regulation, Alta Reg 366/2003, s 7; Personal Information Protection Act, RSBC 2003, c 63 ss 12(e), 15(e), 18(e) [BC PIPA].
17 PIPEDA, ibid, s 2(1); Alberta PIPA, ibid, s 4(3)(d); BC PIPA, ibid, s 1.