Philippa Lawson
Counsel, Public Interest Advocacy Centre
CPSR Conference, Boston MA
The subject of this panel couldn’t be more timely for a Canadian – just a few days ago, our federal government tabled legislation to protect personal information in the private sector, and it is notable that the driving force behind this initiative is the growth in Internet use – in particular, electronic commerce.
In fact, the privacy provisions are part of a broader Bill entitled “An Act to Support and Promote Electronic Commerce…”; the Bill also clarifies the legal status of electronic signatures and documents. As a privacy advocate, I’m deeply uncomfortable with this approach of situating basic privacy rights in the context of promoting electronic commerce, but it does appear that the privacy protections in the Bill stand on their own, and apply to all forms of commercial activity. (Bill C-54; available on Canada’s Parliamentary Website: www.parl.gc.ca).
While this legislation remains to be reviewed and passed by Parliament, it is a major initiative, especially considering some very vocal opposition from business lobbies.
I would like to briefly describe how we got to this point in Canada, what the Bill says, and what its prospects are.
The need to control government’s use of personal information has long been recognized in Canada, through legislation applicable to the federal government and most provinces. Under these statutes, Privacy Commissioners receive complaints, conduct investigations, resolve disputes, and make recommendations – but only with respect to matters involving government.
However, with the exception of one renegade province – Quebec – Canadians are basically unprotected as far as their personal information is concerned once it enters the hands of a commercial entity.
Quebec is the only jurisdiction to have laws which establish a right to privacy in the private sector, and which place strict limits on the ability of commercial entities to collect, use and disclose personal information (defined as any information about an identifiable individual). Through its Civil Code (a legal instrument unique to civil law regimes), and its more recent statute respecting the protection of personal information in the private sector (enacted in 1993), Quebec has codified the right to control over one’s personal information, and has given its Privacy Commissioner the power to fine companies in breach of the law. I think this probably reflects the more European outlook of Quebec – a higher value placed on individual privacy, and a more pragmatic view of market forces.
What do Canadians think?
Public opinion surveys over the past several years indicate growing concern about privacy, and a desire for government action. Canadians are starting to wake up to the fact that they have lost control over their personal information, and they are not happy about it.
Meanwhile, the Canadian government is very much awake to the fact that trade with Europe could be seriously hindered if Canada does not establish data protection standards similar to those in place in Europe. The European Union’s data privacy directive takes effect on Oct.25th, and it requires EU countries to block transmission of data to third countries whose domestic legislation does not provide similar privacy protection to that offered in the EU (e.g., individual rights to review, correct and limit the use of personal data).
Moreover, our current government wants to position Canada as a global leader in electronic commerce. Yet, a key reason cited by Canadian consumers for their reluctance to engage in electronic commerce is lack of confidence in how their personal information is gathered, stored and used by online businesses.
Recognizing that privacy legislation was a possibility, industry groups joined with government and public interest organizations in the early 1990s to develop a voluntary code for businesses to use in the treatment of customer information. From the beginning, industry hoped that its participation in this process that would pay off by avoiding government legislation. Consumer and public interest participants, however, saw the process as worthwhile insofar as it would lay the groundwork for legislated privacy protection, something which they have consistently called for.
Despite these conflicting motivations, the working group’s efforts paid off. In 1996, the Model Code for the Protection of Personal Information was approved as a national standard by the Standards Council of Canada. The Code sets out ten basic principles of data protection, similar to those of the OECD. In brief, they provide for individual control over the collection, use and disclosure of personal information. like the Quebec law.
By adopting the Code, and subjecting themselves to independent audits, businesses can demonstrate that they are following fair, nationally accepted standards. Unfortunately, no corporations have yet seen fit to register.
However, a number of industry associations have developed model Codes for their members, based on the CSA principles. Some of these are very good – the problem is that they are not being put into practice.
In some cases, the Code is not binding, and members have simply not adopted it. In others, the policy ostensibly adopted has yet to filter down to the operations level. In still others, a significant number of businesses are not members of the association, and are therefore not bound by the Code – for example, approximately 20% of direct marketers in Canada are not caught by that organization’s binding code.
The point is: industry self-regulation in this context is bound to fail. Quite simply, there are too many market players who fall outside any self-regulated regime. We don’t even need to get into a discussion about lack of effective sanctions, or other weaknesses of voluntary codes.
It is therefore not surprising that some industry groups in Canada have expressed support for privacy laws based on the Model Code which they helped to draft. (e.g., Information Technology Association of Canada, the Canadian Direct Marketing Association and the Canadian Federation of Independent Business)
Despite their distaste for any form of regulation, reputable industry players in Canada are recognizing that they will be better off, in the long run, under a legislated approach which encompasses the entire private sector.
And, to the surprise of many, no one is complaining about the regulatory regime in Quebec – business seems to be able to live with it.
So, it seems there was a happy confluence of forces leading to this recent initiative:
- public pressure;
- a committed Minister;
- dedicated and determined civil servants; and
- no solid or convincing industry opposition.
So, what does the legislation say?
It takes the CSA Model Code, and entrenches the ten principles, word for word, in a statute. I think this is a novel approach to legislation, and it has the strength of building on standards which were developed through consensus by the very stakeholders to whom they will apply. It represents one of the ways in which voluntary codes can be used in the public policy process – as the “backbone” of a law.
On the other hand, the CSA Code is considered a compromise by many privacy advocates, a reasonable first attempt that can do with improvements. For example, the Code requires businesses to limit the collection of personal information to “that which is necessary for the purposes identified by the organization”, but does not expressly limit the purposes for which the information can be used. This lack of any clear “purpose limitation” principle is not corrected in Bill C-54.
Other weaknesses of the Bill include overly broad exceptions to the rule of informed consent, limited powers on the part of the Commissioner to uncover and expose privacy violations, and a lack of any non-court recourse for complainants where an organization fails to comply.
The law will apply first to the federally-regulated private sector. Three years after coming into force, it will apply to all commercial activities in Canada that are not already covered by similar provincial privacy laws. In other words, the federal government is giving the provinces a chance to act, but if they fail to do so within three years, they will be effectively trumped. (I expect that we’ll be hearing from the provinces on that aspect of the Bill!)
The federal Privacy Commissioner will be mandated to investigate and report on complaints, as well as to engage in educational activities. He will also be empowered to audit organizations who appear to be violating the Act, but only where he has reasonable grounds to believe that the statute is being violated.
Complainants will have ultimate recourse will be available to the Federal Court, which has broad remedial powers including the awarding of damages for humiliation, of up to $20,000.
This is so-called “light” regulation. It sets up a complaint-driven process, which many of us feel is inadequate given that privacy violations are so difficult to spot. It requires individuals to go to court for redress, which is costly and therefore unlikely to occur except in unusual cases. It contains some exceptions that we feel are too broad. And it is improperly framed as a means of promoting commerce, rather than protecting privacy. But, it is a start on the path toward recognition of basic privacy rights that is sorely lacking in Canada, and we will be working to improve the Bill as it moves through Parliament.
What are its prospects?
I think that there’s enough positive momentum that this Bill will be enacted, in some form or another. The challenge for privacy advocates will be to ensure that the Act is tight, properly framed, and has adequate teeth.
In conclusion, let me say in response to the question put to us today, that while law, market forces and technology each have an important role to play in the protection of individual privacy, law is the essential starting point – it is necessary to articulate and define the right to privacy. Without a legal structure giving meaning and teeth to privacy rights, technology will be used to take advantage of vulnerable citizens, and market forces will have little effect, since privacy invasions are usually invisible to the consumer. There is nothing wrong with self-regulation, but it does not substitute for the rule of law, especially in respect of human rights and other essential elements of a civil society.