At the time this article was written
Bruce Phillips was the privacy Commissioner of Canada
Everyone agrees on the need for
business to respect the privacy of the individual. But there is less agreement
on the extent to which privacy should be protected or on how this is to be
done. In a recent appearance before the Senate Standing Committee, the Privacy
Commissioner argued strongly for government regulation as opposed to the
self-regulation. The following is an extract from his testimony along with
comments and questions from some of the Senators present.
Three years ago I recommended that
all financial institutions under federal jurisdiction be required to adhere to
a code of fair information practices, with an independent oversight and dispute
resolution mechanism. At the time a good deal of interest was evinced in a
so-called sectoral approach. That is to say, a code of practice being developed
specifically for the banks and that being embodied as regulations in the Bank
I thought that was not a bad
approach then. I still think it is not a bad approach. But my own thinking on
this subject has evolved a good deal partly because of the multitude of changes
that have taken place in the whole field of information management brought
about by the marriage of computer technology and high speed transmission
systems, and other developments as well.
Some of those include the
the emergence in the province of
Quebec of a new privacy regime which covers both the private and public sector
and the consequent development of uneven standards across the country if other
provinces follow suit;
the imminent application of the
European draft directive on privacy practice, which will empower member states
of the European Union to decline to make data transfers to countries which they
consider do not have adequate protection as defined by their own draft
directive. At this moment we do not enjoy that standard.
the government's own rapid move
toward the implementation of new information highway techniques in the
management of its own information holdings which comprehends, among other
things, the marriage of private and public sector data management systems.
At the moment we have a federal
Privacy Act which lays down conditions under which the Government of Canada may
collect, use, dispose and disclose personal information. Once those
arrangements are complete and we have a marriage of both government and private
sector systems, what then becomes of the various forms of protection that are
now offered in the Privacy Act unless amendments are made to cover that
Those are some of the major
developments that have taken place, not to mention overall the very rapid
conversion of almost all of the information management practices both in public
and private sectors over to databases that are now almost completely
computerized and now offer improvements in terms of the manipulation, marriage
of databases and the compilation of dossiers in a degree and at a speed which
was never contemplated as recently as five years ago.
This has led me to the conclusion
that we need now a much more comprehensive look at the whole issue of privacy
protection in the information highway age. When I first broached this subject
generally in 1992, it was a fairly lonely position. I did not have a whole lot
of company. But I feel a lot less lonely now. The government's Advisory Council
on the Information Highway recently concluded its study of this particular
aspect of information highway problems. Although its final report has not been
published, I have seen its recommendations dealing with this issue. The
advisory council will be advising the government that legislation is needed in
this field and that oversight mechanisms are required.
My provincial counterparts in
Quebec, Ontario, and British Columbia now all subscribe to the proposition that
it is no longer possible to get by on pure voluntaryism.
We have to see this issue in
another dimension other than simply self-regulation. We are not self-regulating
or regulating a commodity here. Privacy is not a hockey helmet
We are talking about the legal
recognition of a right and recognizing that in the specific terms in which we
are dealing with it here, namely in the commercial world and in public sector
information holdings. So that there are two parts of this, one of which is
philosophical and the more important part if you are to understand this issue.
The other issue is whether adding a
few more regulations to the statutes will impose uncomfortable or inconvenient
burdens on a particular sector of business.
Everything in life is
self-regulated to a certain extent. We do not have policemen sitting in the
back seats of our automobiles when we drive to work in the morning. We regulate
ourselves to obey traffic laws, but we know that there is a law to which we are
expected to conform and that there may be a policeman waiting around the corner
to see whether we do. It is that kind of inducement which helps us all
understand that we have common obligations to society, but we are not left
entirely to our individual discretion. That is the basis of my argument about
I listen with great interest to the
Canadian Standards Association when they talk about voluntarism. Their code is
a very interesting and exciting development. Over three years they have
produced ten very important principles. If that were the law of the land,
privacy advocates would be very content with it, because it expresses all the
basic and important principles of privacy protection. However, if it is left
entirely to the discretion of the individual corporations, and indeed in the
CSA system you can subscribe to the code or not, as you wish, then it simply is
not good enough.
There is also a lot of interest in
a recent Equifax survey which purports to show that the majority of Canadians
would much prefer to have this whole matter dealt with by the private sector.
Of course, that survey was commissioned by Equifax Limited, which is North
America's largest credit reporting institution. It was done and paid for by
them, for their purposes. Furthermore the Equifax people, who include Professor
Alan Westin, a noted privacy expert, noted that 74 per cent was conditional
upon the assumption that business had satisfactory handled all the privacy
I do not wish to get into a war on
surveys, but I would offer you the Ekos survey done a year or so before. It was
a much more comprehensive survey. It did not ask only one question about public
attitudes toward government involvement in this, but several. It reported that
approximately 90 per cent of the public was concerned and uneasy about the
usage of information and that 65 per cent had concluded that it was necessary
to get the government involved in a solution.
There are statistics and there are
statistics, and we are entitled to take a hard look at their origin.
Senator Michael Kirby: I would like you to comment on two issues.
First, what constitutes consent? Is it just someone signing their name? If they
do that, should the consent only be for a limited period, such as a year or
two? If you have your card for longer than that, do you have to sign for
consent again? Second, what is your reaction to truly broad, unbelievably
sweeping consent conditions rather than more narrow, focused and precise
Bruce Phillips: We try to describe consent as uninformed
and informed consent, and to describe the difference. Informed consent is when
it is written sufficiently largely and in enough detail that it is clear what
is being talked about. Uninformed consent is the kind of thing you find on the
backs of credit card applications — which I mentioned at the last hearing — in
type so small that Superman would have trouble reading it, which says that the
credit card issuing company can use the information for any purpose whatsoever.
It says that right on them. I invite you to read them. That constitutes a
waiver in perpetuity to any usage whatsoever which the company wishes to make
All these credit card companies are
very happy to subscribe to these voluntary codes and to tell you how good their
practices are. Nevertheless, for reasons I do not understand, because it seems
to be contradictory to the policies to which they commit themselves and to the
code, they insist on including that kind of language on the back of those
applications. That is not informed consent, in my opinion.
It would be informed consent if,
included in the description of the terms and conditions, there were the
warning, in large print: "This application may be dangerous to the
disclosure of your personal information in ways that you do not
understand." That would get the customer's attention. That is more like
I am reminded of the cellular
telephone issue. People suddenly discovered that their intimate conversations
were winding up on the pages of the newspapers. There was no informed consent
in the sale and marketing of those products because people were not advised
that that too was dangerous to their privacy. I believe that in cases like that
there is an obligation on the person marketing the item to make it clear to the
public what privacy implications are involved.
In respect of the particular issue
here, I agree with you that this is not informed consent. There is an enormous
power imbalance involved in all of these things. We know that. If people go to
a bank for a mortgage and are desperate to get the house built before the rates
go up next week, they will sign nearly anything to get that mortgage,
including, if necessary, a waiver for subsequent third party use of the
The public needs to have that power
imbalance redressed and to have more transparency and openness introduced into
the process in the bargain.
Senator Leo Kolber: First, I must tell you that I am biased
against legislation of almost any kind. You said that signing a credit card application
gives your information in perpetuity. You know very well that you are giving a
balance sheet which is a snapshot of what is happening on one particular day. I
find that "in perpetuity" may be exaggerating the situation because a
year later your financial information would no doubt be different. That point
does not bother me. Could you define what you mean by privacy?
Bruce Phillips: Privacy, in the information age, is the
right of the person to whom the information relates to retain some control over
the disposal, collection and use of that information.
Senator Leo Kolber: That sounds like a good definition, but I
am really getting at whether the cosmetics of this thing are outweighing the
For example, a fellow makes application
for a mortgage. He freely gives out his information stating his income and
debts. If that information goes elsewhere; what harm has he suffered?
There could be embarrassment that
his financial situation is not what he would like people to think it is; or it
is much better than people think it is and they will come asking him for money
or he will be solicited. I appreciate that is not a good thing. However, is it
worth creating a new body of legislation? Lawyers will make a lot of money, the
legislation will go to the Supreme Court at some point and there will be a
whole new body of cases and law and implementation problems. In other words,
are we making a mountain out of a mole hill?
Bruce Phillips: It is very difficult to obtain precise
information about what occurs behind corporate veils. If there is no right of
entry, it is difficult to find out what is happening.
I can give you specific instances
of real harm being inflicted as a consequence of what I consider to be unfair
or inadequate information practices. Books have been written on the subject.
The largest body of journalism in history reposes in the United States where
there is a privacy press that has been active for some time. They report
literally hundreds of cases of people suffering real harm.
For example, there is a
hard-working man who applies for a mortgage loan. The mortgage company took
some preliminary details and stated that it all looked okay. Assuming it all
checked out, he would receive the loan. He was told to go ahead and make the
deal with the builder.
On the strength of that assurance
he began making deals with his builder and signing contracts. In the meantime,
the lending company did a more thorough check. They called him some time later
and said, "Sorry, the deal is off, you are a dead beat. We just got a
check on you from the credit company." It plunged that man into an
enormous amount of difficulty with the builders. His employer heard about it.
His job was in jeopardy. He had to pay legal expenses to sort it all out.
That was based on a credit report
that did not even apply to him. It involved somebody else all together. That is
what can happen when there is an absence of transparency in the process.
Senator Leo Kolber: That is a bad example, and it is unfair.
Thirty years ago, I went to Brooks Brothers and ordered some shirts. I wanted
to pay cash, however the clerk wanted me to sign something and become a credit
customer because I would receive points. I did it. I got a letter from Brooks
Brothers a week later saying I was a dead beat and I would not receive credit
from their company.
I called Brooks Brothers back and
they insisted my credit was no good. The clerk asked if my wife's name was
something and I said no. He said, "Did you live at this address?" I
said no. There was another Leo Kolber some place who was a dead beat. I do not
find the example you gave me very illuminating.
Bruce Phillips: I found it fairly persuasive. If the
people concerned with those dossiers were made aware at regular intervals of
what was in them, that kind of problem could be avoided.
There was a case of a town in New
England where the entire tax roll of 1500 people were being carried as tax
delinquents by a credit reporting company without their knowledge because there
is no obligation by anybody involved in that process to let people know what is
on their files. That is one aspect of privacy; it is not all of it, of course.
Senator John Sylvain: I was one of the biggest users of Equifax
Canada Inc. Before it became Equifax, it was called the Retail Credit Company.
The Retail Credit Company had to change its name to Equifax to get rid of the
baggage it had acquired over all those years.
Forty five years ago I used a lot
of their services. It is interesting how the information was gathered. It shows
how far we have come in the collation of this information and the limitations
that have been put on the type of information gathered.
In those days, they used to hire a
bunch of young people — they were as low paid as you could get them — and they
went around to Bruce Phillips' neighbour, Mrs. Smith, and said, "What kind
of a guy is Bruce Phillips? Does he take a drink? Does he beat his wife?"
This is what occurred.
One chap applied for automobile
insurance to a company and was turned down because it was said that he was in
the entertainment business. It turned out it was Peter Jennings who was here in
Ottawa reading the news. He was not really an entertainer — as he is now — he
has done well for himself. He had been turned down for insurance because of
what some neighbour said about him being on CTV or CBC.
The system we had before was much
worse than it is now. There were a lot of changes made and a lot of the
information that used to be gathered is now prohibited. People cannot be
described by their religion or morals et cetera which used to be written in
large letters across the application forms.
There is still a need for the
individual who is to lend the money to know something about the recipient.
Senator Kolber, if you were a total stranger, he would want to know a little
bit more and get some information from a third party perhaps. The question is
how far that can go.
I have no objection to the
underwriter receiving as much information as possible. I was an underwriter for
many years, and I needed all the information I could get. I still made a lot of
Once the information is given,
privacy enters in. It could be given voluntarily if that is what the individual
wants. Most people do not read anything on the back of an application form.
They sign simply because they need the money.
There was a clause in an insurance
policy in Quebec which had to be written in red because it was a co-insurance
clause. It was still not read by anyone. If they did they would not have
How far should a financial
institution go to explain that the information given for the purpose or
transaction stays there? Do you see a difference between purpose and
transaction? How far must the underwriter go and be given information in order
to make a decision? Consequently, what happens to the information after that?
Bruce Phillips: A sufficient explanation ought to be given
so that reasonable people would understand why the information is being sought.
That is to say, in simple, big, easy-to-read type and in language that is clear
and unambiguous and easy to understand.
The federal Privacy Act says you
cannot collect information from people unless it is authorized by a program
activity of the department concerned and without explaining why you want the information.
However, it is pretty fuzzy as well. If I were to rewrite it, I would try to
use language such as that.
If you are buying a cellular
telephone, put a big warning label on the package. I am not kidding. I am
serious. The label would say "Warning: This device is subject to
interception by anyone in the general public. Be aware".
That philosophical approach to the
explanation for the purpose for collecting information ought to be applied. It
is simple, clear and easy to read.
Senator Marjorie LeBreton: I was particularly interested in your
reference to one-stop shopping for banking, insurance, and so on down the line.
My concern has to do with the rights of the individual and the privacy of the
individual. When a person arranges a loan to buy a car or a mortgage to buy a
house, they are nervous about it. They are so relieved when it has been
approved that they will sign anything. They take up an offer to perhaps buy
mortgage insurance or car insurance. Five years down the road, at a time to
renew the mortgage, their situation vis-à-vis their health changes. This
information is all there, and the lender learns that the person is ill. The
institution is reluctant to lend them the money or renew the mortgage. It also
affects their ability to insure the mortgage.
Do you see that as a real risk or a
fear in the future, and should the act be amended to take that type of scenario
Bruce Phillips: You are really discussing an issue of
credit worthiness. We have said over and over again that there is nothing in
the Office of the Privacy Commissioner that resists the notion of the right of
business to collect sufficient information to do its business. In every
business transaction, there is at least an implied understanding between the
two parties to the transaction that enough information must be exchanged so
that both sides know what they are doing.
In the particular example you cite,
the circumstances of the person who wishes to obtain credit have changed materially
over the course of the relationship with the credit-granting institution. I
would say the credit granter is entitled to that information.
I would go on to say, though, that
I do not see that the rest of the world would be entitled to that information.
That is our problem with all of this information collection business. What
happens to it subsequently? How much does the client really understand what is
going on? What recourse is there for the customer if there is dissatisfaction?
What confidence is there in a system in which they do not have the right to get
an independent investigator.
Those are the issues that I see.
The right of the credit granter to ask for the information in the first
instance seems to me to be a reasonable one.
Senator Marjorie LeBreton: You talked about the standards of European
countries. You said that we in Canada do not meet those standards at the
present time. Does the United States meet those standards? Does this in any way
impede our ability to compete in the future?
Bruce Phillips: The answer to the second question is
possibly, probably, unless we do something. The answer to the first one is no,
the United States does not have, in my opinion, or in the opinion of any
experts, what the European Community would consider to be adequate privacy
The essence of the European
approach is that both public sector and private sector information gathering
and information retention and disclosure is governed by law and is subject to
examination by a policeman, a data protection commissioner in all these
jurisdictions. To them, adequate protection, which is the standard now
contained in Europe for transborder data flows, does not cover voluntary codes
of the kind that we have in this country.
I am baffled by the reluctance of
the private sector to accept as a legal requirement what they are only too
prepared to swear up and down they will vigorously enforce if they are only
left to do it themselves. What is the difference? I say is that one is a
traffic law where I say, "Just don't bother me, and I will not run any
stop lights." The other one is, "Well, if you do run a stop light,
somebody might catch you, and it will cost you $10." I do not understand,
unless there is something involved in their practices which they simply do not
want to talk about.
There are, I might add, many things
not being talked about these days in the field of information management, not
the least of them being security of information. This is a subject that is only
a component of the privacy question generally. There was one survey that showed
something like a quarter of all businesses surveyed have suffered losses
because of computer crime. I was at a conference in Toronto a few months ago,
and I talked to several people from private corporations who are responsible
for computer security. They had all suffered losses. Companies are not talking
about it. They are afraid to talk about it because it might rattle public
confidence in the security and integrity of their information holding systems.
Those costs are being passed on to the public, and the public does not know
anything about it.
There was a computer security
conference in Montreal a couple of months ago, and the chief of computer
security of the United States Department of Defence was there. He told the
following story. He became concerned about computer insecurity. He hired tiger
teams or attack teams and told them, "Do your best to see if you can
penetrate my systems." I think there were several hundred or a thousand
attempts, and they were successful in cracking his systems over 90 per cent of
the time and were detected doing it only 5 per cent of the time. These were
some of the most sensitive computerized databases in the entire United States,
which shows you how vulnerable they are. I was informed the FBI ran similar
tests with similar results.
That is a whole other aspect of the
privacy question, because that covers all kinds of information, including
personal information. If the Department of Defence of the United States can do
no better than that, what kind of security does your file in some bank have? It
is something that this committee may want to consider. It is a big issue, and
it is getting bigger.
Senator David Angus: I do not see that there will be a huge new
growth industry for lawyers. Nor do I see a great new body of jurisprudence
building up. I also do not see a huge mushrooming bureaucracy that you ascribe
to his comments.
Today, people only make complaints
when they know about it, or if they feel they have enough moral suasion that
something might be done about it. Basically, they know it is all voluntary and
there is no law behind it.
Are not the 1,500 complaints which
you see on the government side, and whatever other number there is on the
private side, like needles in a haystack in terms of what ultimately there
Bruce Phillips: I do not have a crystal ball. You have
certainly raised a very good point, senator. I will address it this way. When
it comes to enforcement, oversight and sanctions, a lot depends on the way you
go about it. You can put in place a hard-nosed kind of system with a police
mentality driving it; or you can put in place an ombuds approach committed to
education, committed to understanding the culture of business and committed to
bringing business along in a greater appreciation of what is involved.
It is my own view that you do not
have to fine banks or transportation companies vast sums of money, or anything
of that nature. I think the power of embarrassment is the most effective power
there is when dealing with things such as civil and human rights. If a bank
were found by an independent ombudsperson to be systematically or repeatedly
offending good privacy practice, and that was drawn to the attention of the
public, then I do not think you would have to go a whole lot farther than that
before the bank would understand that the retention of its clientele would
require a different approach on their part.
There is always an ongoing debate
in matters of this kind about whether my kind of office, which is that kind of
office, or the order-powering agency is better.
Senator John Stewart: I am interested in the way you focus on
financial institutions. You say changes in banking legislation over the past
several years have created increasingly powerful financial interests.
Immediately upon reading that I said to myself: Mr. Phillips is really against
that legislation, not on financial grounds but because of its implications for
privacy. It seems to me that, in a sense, you throw up your hands and say,
"Well, each segment of this financial department store has a right to
specific information, but of course there should be a water-tight wall between
each segment of the department store." You seem to think that that would
be sufficient. I suspect that regardless of what the law says with regard to
rights, that these walls are quite pervious and that information will leak
through in gallons.
If privacy is as important as you
say it is — ought we not to think of the validity of the merging of these
various financial operations that were permitted by the previous legislation so
that the next time around, with a view to privacy, we separate some of these
activities, such as insurance, banking and the like? Perhaps you do not want to
go that far.
Bruce Phillips: I state this as a self-evident fact.
Chartered banks are now authorized to participate in a great many other
financial activities from which they were previously foreclosed. As a
consequence, in my opinion for what it is worth, they are bigger, stronger and
more powerful institutions. Individual clients are not as strong.
To come to the specific point you
raise about one-stop shopping, that addresses what we call in our racket the
"transparency issue" or the "informed-clientele issue". If
you are collecting and using information about people, it should be clearly
understood by everybody what is your information practice. Thus, if you are
running an operation in which you are offering a variety of services, and if
you collect information from a customer and you may use it for all those
purposes, they should know about it in advance. That is what I am saying.