At the time
this article was written, Gerald Neary was Director General, Investigations and
Inquiries, in the Office of the Privacy Commissioner of Canada. This is an
edited and updated version of a speech to members of TECHNET 2000 in Ottawa on
April 13, 2000.
In April 2000 Parliament
passed the Personal Information Protection and Electronic Documents Act
(otherwise known as Bill C-6). This law extends privacy protection to the
private sector, including the burgeoning and complex field of electronic
commerce. This article examines some provisions of the new law, which came into
effect on January 1, 2001.
Not long ago, I might have begun
a speech on this topic with a quotation like the one which appeared on the
cover of the March 2000 issue of PC Computing.
- WE KNOW EVERYTHING ABOUT YOU
- Where you live
- Where you work
- How much you make
- What you buy
- What you do on the Web
- Your private past
Not that this scary message is
no longer true, but the new Act of Parliament has put informational privacy on
a much more secure footing.
The Privacy Act
Some say that electronic
commerce currently holds privacy in low esteem. They suggest that many
businesses, and not only those in electronic commerce, know and seek to know
far more than they need and ought to know about individuals. It is implied that
many businesses have only a mercenary, or at best a cavalier, regard for the
privacy of their clients, customers, and employees, and that many use and
disclose personal information in highly inappropriate ways. Whatever the
speculation, what is true is that the potential for business to abuse
personal information and violate the privacy of individuals tends to increase
almost daily through ever-developing intrusive technologies. Yes, the scary,
deplorable truth is that our privacy can be at considerable risk in electronic
commerce and elsewhere in the private sector.
Rather than dwelling on all the
scary negatives let me address the legislation which holds new hope for
privacy, not only in electronic commerce, but also throughout the private
sector. It is not a panacea, but it is a positive force that I believe has
strong potential to raise privacy standards several notches higher in the
sector that dares to call itself private.
To appreciate the new Act, it
will be helpful to know something about the existing one from which it largely
derives its core values of fair information practices – the federal Privacy
Act. This Act has been in force since 1983. The official whose main
responsibility it is to supervise the application of the Act is the Privacy
Commissioner of Canada. The Privacy Commissioner is an officer of Parliament,
responsible directly to Parliament. He does not report to or through any one
minister of the Crown.
Essentially, the Privacy Act
regulates how federal government institutions may collect, use and disclose
personal information about individual Canadians. As for the individuals
themselves, the Act provides them with a right of access to information held
about them by the federal government, and a right to request correction of any
erroneous information.
The Act gives the Privacy
Commissioner powers to audit federal institutions for compliance with the Act.
It also obliges the Commissioner to investigate complaints by individuals about
breaches of the Act.
Individuals may lodge a formal
complaint with the Commissioner, for instance, if they believe that a government
institution has denied them due access to their personal information, or has
taken too long in providing it, or has applied unacceptable exemptions to it,
or has refused to correct errors in it.
Or they may complain that a
government institution has collected personal information about them that it
shouldn’t have collected, or destroyed personal information that it shouldn’t
have destroyed, or used or disclosed their information for purposes other than
those for which it was originally collected.
Every year, the Commissioner
receives hundreds of such complaints, which his staff duly investigates. The
Commissioner subsequently reports his findings both to the individual
complainants and to the federal institutions concerned. In a remarkably large
number of cases, the complaints are resolved to the satisfaction of all
parties.
Indeed, that is what the Privacy
Commissioner of Canada has always sought above all — not confrontation, or
imposition of his authority, or heavy-handed enforcement of privacy law, but
rather resolution. He seeks to resolve, not only the complaints that he
receives, but perhaps more importantly, the underlying problems that give rise
to the complaints.
In order to understand how the
work of the Office of the Privacy Commissioner will carry over into the private
sector, it is important to understand the Office’s traditional role. The
Privacy Commissioner has always functioned primarily as an ombudsman — not as a
policeman. We know that powers of enforcement tend to cause adversarial relations,
and we have learned from long experience that there is great advantage in our
ability to audit and investigate conduct of government institutions without
being taken for adversaries.
To powers of enforcement, the
Commissioner much prefers his powers of investigation and negotiation, his
powers of persuasion and resolution. Sometimes, but only when all else fails,
he resorts to another highly effective power available to him – the power of
embarrassment through publicity. But all in all, the Commissioner believes, and
we his staff believe, that the true worth and effectiveness of the Office have
always derived, and will continue to derive from the Commissioner’s role as an
ombudsman.
The federal Privacy Act
and equivalent legislation in most Canadian provinces are the expression of
internationally accepted privacy principles known as “fair information
practices”. However, these laws apply only to information handled by
governments. Increasingly the international community has been calling for the extension
of fair information practices to the private sector, too. But, until recently
Canada’s response to that call had been woefully inadequate. Only the province
of Quebec had previously enacted comprehensive private-sector data protection
legislation.
The Personal Information Protection and Electronic Documents Act
The Personal Information
Protection and Electronic Documents Act addresses this inadequacy in a big
way. This is the most important legislative instrument for the defence of
privacy since the federal Privacy Act was passed in 1982.
Essentially, the new Act will
require private sector organizations to respect a code of fair information
practices governing the collection, use and disclosure of personal data. In
this regard, the new Act is very much like the Privacy Act in the federal
sphere, but with one important new emphasis. The key principle of the new
legislation is consent. As a general rule, no one will be able to use another
person’s information without that person’s permission. In other words,
organizations will not ordinarily be permitted to collect, use or disclose
personal information about you without first telling you their intentions and
obtaining your consent.
Also, organizations must
establish an open and transparent relationship with their clients by providing
clear explanations of what they do with their clients’ personal information.
They must give their clients the name or title and the address of an officer
who is responsible for information holdings and to whom complaints and
inquiries can be addressed.
Individuals in turn have the
right of access to the personal information an organization holds about them
and to request that it be corrected if it is erroneous. Furthermore, the
business must establish a process for individuals to obtain their personal
information.
The new Act also provides a
mechanism for independent oversight, namely the Privacy Commissioner of Canada
and his Office. Again, the Commissioner’s responsibilities and authorities
under the new Act are similar to those under the Privacy Act. The new
Act obliges the Commissioner to investigate complaints from individuals and
issue reports containing his findings and recommendations. He has been provided
with statutory authority to summon witnesses, administer oaths, receive
evidence, enter premises, and examine documents. He also has the authority to
conduct audits of organizations in respect of their compliance with the Act.
As for private citizens, the new
Act permits them to file written complaints with the Commissioner against
organizations they believe to be in contravention of any provision dealing with
the protection of personal information. The Commissioner himself may initiate a
complaint if he is satisfied that reasonable grounds exist for investigating
any particular matter or issue.
Under the new Act, as under the Privacy
Act, it remains an offence for any party to obstruct the Commissioner
during an investigation or audit, or to dispose of information that an
individual has requested. The new Act goes further by also making it an offence
for employers to retaliate against employees: they are prohibited from
dismissing, disciplining, or otherwise disadvantaging employees who report a
contravention of the Act to the Privacy Commissioner, who refuse to contravene
its data protection provisions, or who have done, or stated an intention to do,
anything to prevent a contravention of those provisions.
Furthermore, the Act permits a
complainant, after receiving the Commissioner’s report, to apply to the Federal
Court for a hearing. The Court, in turn, has broad powers to grant remedies.
These include ordering an organization to correct its information practices,
ordering an organization to publish a notice of any action taken or proposed in
correcting its information practices, and awarding damages to the complainant,
including damages for humiliation suffered.
We believe that
heavy-handedness would only work against us. If we were to provoke hostile
reaction from the business community by operating in an overbearing and
arbitrary manner, the new law would probably fail. We see consultation and
cooperation as the way to success.
If some of these provisions
sound tough, it is only because they reflect the importance that the new Act
attaches to protecting personal information. Nevertheless, as far as recourse
to the Court is concerned, it is worth remarking that similar recourse has
always been available under the Privacy Act, but has seldom been used.
Of the more than 20,000 complaints received by our Office since 1983, fewer
than a dozen proved to be so problematic as to require the attention of the
Federal Court. Nor does the Commissioner foresee any significant increase in
that ratio under the new legislation.
It is also noteworthy that the
Commissioner still does not have any authority to issue a binding order or to
impose penalties. Under the new Act, as under the Privacy Act, the
Commissioner’s powers will be limited to those of an ombudsman.
We believe that in the private
sector it will be even more important for us to continue to exercise our
traditional ombuds role, as opposed to some kind of police role. Our approach
must continue to be non-confrontational and non-adversarial, seeking resolution
of problems rather than imposition of authority.
The goal of the Office of the
Privacy Commissioner will not be to force compliance for compliance’s sake, but
rather to create and cultivate a state of mind in which business will routinely
take into account the privacy rights of clients, customers, and employees in
developing and marketing products and formulating administrative practices.
The goal of the new Act is not
to impede business. The goal is to strike a reasonable balance between
respecting the legitimate needs of business to gather and use personal
information and respecting the right of individuals to have their personal
information protected.
Nevertheless, there is no doubt
that the latter side of the equation will require adjustments on the part of
business. The Act does mean to provide individuals with privacy protection
where no protection, or little protection, or at best inconsistent protection
existed before, and that means that many organizations will have to change the
way they do business. There is no getting around it. To meet the new
obligations for handling the personal information they are entrusted with, many
organizations will have to adjust their current practices. No one expects it to
happen overnight, but change must come.
A good number of organizations
have already taken steps to prepare for the new legislation. Indeed, for some
it has been a natural progression, in that a major component of the legislation
is the Canadian Standards Association’s Model Privacy Code, which the Canadian
business sector helped to develop. Many companies therefore have a proprietary
interest in the Code and, by extension, in the new Act that incorporates it.
We in the Office of the Privacy
Commissioner know that business will need our help in adjusting to the new
legislation. It will be a learning experience for all concerned. Our focus in
the coming months will be to learn about business from business and to educate
business about the new legislation and about our role in it. We will meet with
representatives of the various business sectors affected by the legislation,
discuss their concerns, and look for solutions that will make the new law both
workable for them and effective for the Canadian public.
We are confident that business
by and large will come to see the wisdom of the new law. For one thing,
business depends on satisfied clients and customers, and reputation is an
important asset for any company. Few, we suspect, will be willing to risk being
singled out in any way for wilfully flouting the rights of individuals.
But it is not only the threat of
complaints or bad publicity or possible court action that will compel
compliance with the new legislation. There is mounting evidence that companies
are coming to understand, through their own experience, the importance of
privacy protection in gaining and retaining consumer trust and confidence. We
believe that, once the playing field is made level for all through the
legislation, the vast majority of private-sector organizations will embrace
common privacy principles not just because they are the law, but because they
are simply good business practice.
The new Act also assigns two new
roles to the Privacy Commissioner — those of researcher and educator.
Previously the Commissioner had no formal mandate — and hence no resources —
for either research or education, although the Office did as much as it could
manage to do in both fields. Now, however, the new Act expressly requires the
Commissioner both to undertake and publish research related to the protection
of personal information and to conduct public education on privacy matters
relating to the private sector.
Our Office regards the new
education role as essential to the process of implementing the legislation. Up
to now, without specific authority or resources, it has been a struggle for the
Office to educate Canadians properly about their privacy rights and about the
developments that threaten or strengthen those rights. The new mandate is most
welcome, even though it applies only to the new legislation, and not the Privacy
Act.
Recent surveys show that
consumers’ uneasiness about the privacy of their personal information in the
business world — and particularly in e-commerce — derives in large part from
lack of knowledge about just what happens to the personal information they
divulge. The Office of the Privacy Commissioner will take steps to foster
public understanding of how personal information is used and shared. One of the
Commissioner’s goals is to make Canadians aware of invasive practices and of
the personal and social consequences of privacy intrusions. The Office has
already begun to develop educational materials that will give Canadians the
tools they need to protect their own privacy.
To accommodate adjustment, the
new legislation will be phased in over four years. The present year 2000 is
regarded as the ramp-up or implementation period, during which businesses are
expected to take stock of their information practices and get their houses in
order.
In 2001, the new law takes
effect, applying at first only to the clients and employees of businesses
engaged in federal works and undertakings, and to organizations handling
cross-border transfers of personal information for consideration. In 2002,
its application will extend to personal health information.
The year 2004 will see full
application of the Act, covering all businesses involved in the handling of
personal information within a province, except in cases where the province has
substantially similar legislation.
Conclusion
Privacy is one of those higher
human principles, along with dignity, respect, autonomy and freedom, that
govern how we live and what kind of people we are. I see the Personal Information
Protection and Electronic Documents Act as not simply a piece of
legislation to regulate the processing of personal data in the private sector,
but as an instrument to enhance respect for one of the very underpinnings of
democratic society — the right to control what others can learn about us.