Canadian Parliamentary Review

Current Issue
Canadian Region CPA
Archives
Upcoming Issue
Editorial and Stylistic Guidelines
Subscribe
Search
HomeContact UsFrançais

PDF
Privacy and Electronic Commerce
Gerald Neary

At the time this article was written Gerald Neary was Director General, Investigations and Inquiries in the Office of the Privacy Commissioner of Canada. This is an edited and updated version of a speech to Members of TECHNET 2000 in Ottawa on April 13, 2000.

In April 2000 Parliament passed the Personal Information Protection and Electronic Documents Act (otherwise known as Bill C-6). This law extends privacy protection to the private sector, including the burgeoning and complex field of electronic commerce. This article examines some provisions of the new law which came into the effect on January 1, 2001.

Not long ago, I might have begun a speech on this topic with a quotation like the one which appeared on the cover of the March 2000 issue of PC Computing.

  • WE KNOW EVERYTHING ABOUT YOU
  • Where you live
  • Where you work
  • How much you make
  • What you buy
  • What you do on the Web
  • Your private past

Not that this scary message is no longer true but the new act of Parliament has put informational privacy on a much more secure footing.

The Privacy Act.

Some say that electronic commerce currently holds privacy in low esteem. They suggest that many businesses — and not only those in electronic commerce — know and seek to know far more than they need and ought to know about individuals. It is implied that many businesses have only a mercenary, or at best, a cavalier regard for the privacy of their clients, customers, and employees, and that many use and disclose personal information in highly inappropriate ways. Whatever the speculations, what is true — is that the potential for business to abuse personal information and violate the privacy of individuals tends to increase almost daily through ever-developing intrusive technologies. Yes, the scary, deplorable truth is that our privacy can be at considerable risk in electronic commerce and elsewhere in the private setor.

Rather than dwelling on all the scary negatives let me address the legislation which holds new hope for privacy, not only in electronic commerce, but also throughout the private sector. It is not a panacea, but it is a positive force that I believe has strong potential to raise privacy standards several notches higher in the sector that dares to call itself private.

To appreciate the new Act, it will be helpful to know something about the existing one from which it largely derives its core values of fair information practices – the federal Privacy Act.  This Act has been in force since 1983. The official whose main responsibility it is to supervise the application of the Act is the Privacy Commissioner of Canada. The Privacy Commissioner is an officer of Parliament, responsible directly to Parliament. He does not report to or through any one minister of the Crown.

Essentially, the Privacy Act regulates how federal government institutions may collect, use and disclose personal information about individual Canadians. As for the individuals themselves, the Act provides them with a right of access to information held about them by the federal government, and a right to request correction of any erroneous information.

The Act gives the Privacy Commissioner powers to audit federal institutions for compliance with the Act. It also obliges the Commissioner to investigate complaints by individuals about breaches of the Act.

Individuals may lodge a formal complaint with the Commissioner, for instance, if they believe that a government institution has denied them due access to their personal information, or has taken too long in providing it, or has applied unacceptable exemptions to it, or has refused to correct errors in it.

Or they may complain that a government institution has collected personal information about them that it shouldn’t have collected, or destroyed personal information that it shouldn’t have destroyed, or used or disclosed their information for purposes other than those for which it was originally collected.

Every year, the Commissioner receives hundreds of such complaints, which his staff duly investigates. The Commissioner subsequently reports his findings both to the individual complainants and to the federal institutions concerned. In a remarkably large number of cases, the complaints are resolved to the satisfaction of all parties.

Indeed, that is what the Privacy Commissioner of Canada has always sought above all — not confrontation, or imposition of his authority, or heavy-handed enforcement of privacy law, but rather resolution. He seeks to resolve, not only the complaints that he receives, but perhaps more importantly, the underlying problems that give rise to the complaints.

In order to understand how the work of the Office of the Privacy Commissioner will carry over into the private sector, it is important to understand the Office’s traditional role. The Privacy Commissioner has always functioned primarily as an ombudsman — not as a policeman. We know that powers of enforcement tend to cause adversarial relations, and we have learned from long experience that there is great advantage in our ability to audit and investigate conduct of government institutions without being taken for adversaries.

To powers of enforcement, the Commissioner much prefers his powers of investigation and negotiation, his powers of persuasion and resolution. Sometimes, but only when all else fails, he resorts to another highly effective power available to him – the power of embarrassment through publicity. But all in all, the Commissioner believes, and we his staff believe, that the true worth and effectiveness of the Office have always derived, and will continue to derive from the Commissioner’s role as an ombudsman.

The federal Privacy Act and equivalent legislation in most Canadian provinces are the expression of internationally accepted privacy principles known as “fair information practices”. However, these laws apply only to information handled by governments. Increasingly the international community has been calling for the extension of fair information practices to the private sector, too. But, until recently Canada’s response to that call had been woefully inadequate. Only the province of Quebec had previously enacted comprehensive private-sector data protection legislation.

The Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act addresses this inadequacy in a big way. This is the most important legislative instrument for the defence of privacy since the federal Privacy Act was passed in 1982.

Essentially, the new Act will require private sector organizations to respect a code of fair information practices governing collection, use and disclosure of personal data. In this regard, the new Act is very much like the Privacy Act in the federal sphere, but with one important new emphasis. The key principle of the new legislation is consent. As a general rule, no one will be able to use another person’s information without that person’s permission. In other words, organizations will not ordinarily be permitted to collect, use or disclose personal information about you without first telling you its intentions and obtaining your explicit consent.

Also, organizations must establish an open and transparent relationship with their clients by providing clear explanations of what they do with their clients’ personal information. They must give their clients the name or title and the address of an officer who is responsible for information holdings and to whom complaints and inquiries can be addressed.

Individuals in turn have the right of access to the personal information an organization holds about them and to request that it be corrected if it is erroneous. Furthermore, the business must establish a process for individuals to obtain their personal information.

The new Act also provides a mechanism for independent oversight, namely the Privacy Commissioner of Canada and his Office. Again, the Commissioner’s responsibilities and authorities under the new Act are similar to those under the Privacy Act. The new Act obliges the Commissioner to investigate complaints from individuals and issue reports containing his findings and recommendations. He has been provided with statutory authority to summon witnesses, administer oaths, receive evidence, enter premises, and examine documents. He also has the authority to conduct audits of organizations in respect of their compliance with the Act.

As for private citizens, the new Act permits them to file written complaints with the Commissioner against organizations they believe to be in contravention of any provision dealing with the protection of personal information. The Commissioner himself may initiate a complaint if he is satisfied that reasonable grounds exist for investigating any particular matter or issue.

Under the new Act, as under the Privacy Act, it remains an offence for any party to obstruct the Commissioner during an investigation or audit or to dispose of information requested by an individual. The new Act goes further by also making it an offence for employers to take various retaliatory measures against employees (that is to say, they are prohibited from dismissing, disciplining, or otherwise disadvantaging employees who report a contravention of the Act to the Privacy Commissioner, or who refuse to contravene the data protection provisions, or who have done or stated an intention to do anything to prevent a contravention of the Act’s privacy provisions.)

Furthermore, the Act permits a complainant, after receiving the Commissioner’s report, to apply to the Federal Court for a hearing. The Court, in turn, has broad powers to grant remedies. These include ordering an organization to correct its information practices, ordering an organization to publish a notice of any action taken or proposed in correcting its information practices, and awarding damages to the complainant, including damages for humiliation suffered.

We believe that heavy-handedness would only work against us. If we were to provoke hostile reaction from the business community by operating in an overbearing and arbitrary manner, the new law would probably fail. We see consultation and cooperation as the way to success.

If some of these provisions sound tough, it is only because they reflect the importance that the new Act attaches to protecting personal information. Nevertheless, as far as recourse to the Court is concerned, it is worth remarking that similar recourse has always been available under the Privacy Act, but has seldom been used. Of the more than 20,000 complaints received by our Office since 1983, fewer than a dozen proved to be so problematic as to require the attention of the Federal Court. Nor does the Commissioner foresee any significant increase in that ratio under the new legislation.

It is also noteworthy that the Commissioner still does not have any authority to issue a binding order or to impose penalties. Under the new Act, as under the Privacy Act, the Commissioner’s powers will be limited to those of an ombudsman.

We believe that in the private sector it will be even more important for us to continue to exercise our traditional ombuds role, as opposed to some kind of police role. Our approach must continue to be non-confrontational and non-adversarial, seeking resolution of problems rather than imposition of authority.

The goal of the Office of the Privacy Commissioner will not be to force compliance for compliance’s sake, but rather to create and cultivate a state of mind in which business will routinely take into account the privacy rights of clients, customers, and employees in developing and marketing products and formulating administrative practices.

The goal of the new Act is not to impede business. The goal is to strike a reasonable balance between respecting the legitimate needs of business to gather and use personal information and respecting the right of individuals to have their personal information protected.

Nevertheless, there is no doubt that the latter side of the equation will require adjustments on the part of business. The Act does mean to provide individuals with privacy protection where no protection, or little protection, or at best inconsistent protection existed before, and that means that many organizations will have to change the way they do business. There is no getting around it. To meet the new obligations for handling the personal information they are entrusted with, many organizations will have to adjust their current practices. No one expects it to happen overnight, but change must come.

A good number of organizations have already taken steps to prepare for the new legislation. Indeed, for some it has been a natural progression, in that a major component of the legislation is the Canadian Standards Association’s Model Privacy Code, which the Canadian business sector helped to develop. Many companies therefore have a proprietary interest in the Code and, by extension, in the new Act that incorporates it.

We in the Office of the Privacy Commissioner know that business will need our help in adjusting to the new legislation. It will be a learning experience for all concerned. Our focus in the coming months will be to learn about business from business and to educate business about the new legislation and about our role in it. We will meet with representatives of the various business sectors affected by the legislation, discuss their concerns, and look for solutions that will make the new law both workable for them and effective for the Canadian public.

We are confident that business by and large will come to see the wisdom of the new law. For one thing, business depends on satisfied clients and customers, and reputation is an important asset for any company. Few, we suspect, will be willing to risk being singled out in any way for wilfully flouting the rights of individuals.

But it is not only the threat of complaints or bad publicity or possible court action that will compel compliance with the new legislation. There is mounting evidence that companies are coming to understand, through their own experience, the importance of privacy protection in gaining and retaining consumer trust and confidence. We believe that, once the playing field is made level for all through the legislation, the vast majority of private-sector organizations will embrace common privacy principles not just because they are the law, but because they are simply good business practice.

The new Act also assigns two new roles to the Privacy Commissioner — those of researcher and educator. Previously the Commissioner had no formal mandate — and hence no resources — for either research or education, although the Office did as much as it could manage to do in both fields. Now, however, the new Act expressly requires the Commissioner both to undertake and publish research related to the protection of personal information and to conduct public education on privacy matters relating to the private sector.

Our Office regards the new education role as essential to the process of implementing the legislation. Up to now, without specific authority or resources, it has been a struggle for the Office to educate Canadians properly about their privacy rights and about the developments that threaten or strengthen those rights. The new mandate is most welcome, even though it applies only to the new legislation, and not the Privacy Act.

Recent surveys show that consumers’ uneasiness about the privacy of their personal information in the business world — and particularly in e-commerce — derives in large part from lack of knowledge about just what happens to the personal information they divulge. The Office of the Privacy Commissioner will take steps to foster public understanding of how personal information is used and shared. One of the Commissioner’s goals is to make Canadians aware of invasive practices and of the personal and social consequences of privacy intrusions. The Office has already begun to develop educational materials that will give Canadians the tools they need to protect their own privacy.

To accommodate adjustment, the new legislation will be phased in over four years. The present year 2000 is regarded as the ramp-up or implementation period, during which businesses are expected to take stock of their information practices and get their houses in order.

In 2001, the new law takes effect, applying at first only to the clients and employees of businesses engaged in federal works and undertakings, and to organizations handling crossborder transfers of personal information for consideration. In 2002, application will extend to personal health information.

The year 2004 will see full application of the Act, covering all businesses involved in the handling of personal information within a province, except in cases where the province has substantially similar legislation.

Conclusion

Privacy is one of those higher human principles, along with dignity, respect, autonomy and freedom, that govern how we live and what kind of people we are. I see the Personal Information Protection and Electronic Documents Act as not simply a piece of legislation to regulate the processing of personal data in the private sector, but as an instrument to enhance respect for one of the very underpinnings of democratic society — the right to control what others can learn about us.


Canadian Parliamentary Review Cover
Vol 24 no 1
2001





Last Updated: 2020-09-14