The New Wave of Privacy Protection in Canada
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Speaking notes prepared for the FIPA Conference
March 9, 2000
Vancouver, British Columbia
Director, Private Sector Secretariat
(Check Against Delivery)
I am pleased to be here this morning to give you the Office of the Privacy Commissioner of Canada's perspective on the Personal Information Protection and Electronic Documents Act.
As we see it, Bill C-6 is about ensuring a fair balance between the business world's legitimate need for information and our fundamental right as individuals to privacy. The motivation behind this new law and those who have supported it, is to protect, "the right to control what others can learn about us." C-6 is very much about protecting human dignity and the right to be left alone.
Bill C-6 takes a significant step to fill in the gaps in the patchwork of laws and policies that protect personal information in this country. It brings Canada into line with international data protection norms. It is an "advance" that is long overdue. Some time ago, most European countries, and several other jurisdictions around the world, took steps to protect personal information held by the private sector. In that respect, Canada joins the ranks of other industrialized countries that recognize the importance of protecting their citizens' informational privacy.
Businesses in Canada are ever more aware of and, in some cases, concerned about the impact of Bill C-6 on their operations. Ideally, business should view data protection laws, the same way traffic laws are viewed. Knowing that the law exists, businesses should largely self-regulate. The objective of C-6 is to create a state of mind in which businesses routinely consider the privacy rights of their clients, customers and employees when developing products and administrative practices.
Public opinion polls tell us that Canadians worry about the potential abuse of their personal information. As individuals, business people probably share this concern. We want to encourage business people to treat the personal information of their customers with the same respect that they, as individuals, would like their own personal information to be treated.
The OPC has a key role to play in the implementation of this new legislation and will proceed cautiously. The Commissioner has no intention of recklessly impeding business. He understands that information, including personal information, is the lifeblood of business. He wants to avoid antagonizing the private sector, or attempting to beat it into submission, while at the same time promoting an honest respect for the privacy rights of individuals.
I won't pretend that everything will stay the same as it was before Bill C-6. This legislation is being introduced for a reason: to offer protection to individuals where no, little or, at best, inconsistent protection of their personal information existed before. Some organizations will need to change the way they do business to meet the requirements of the Bill. No one expects this to change overnight, but change it must.
The Privacy Commissioner wants to help businesses adjust to this legislation. He firmly believes that the only way its goals will be met is through the active cooperation of all parties. The Bill will fail if it provokes a hostile reaction from the business community by operating in an overbearing and arbitrary manner.
The focus of our Office in the coming months will be to learn about business from business and to educate business about C-6 and the OPC. We will meet with representatives of the business sectors affected by the legislation, discuss their concerns, and look for solutions that make the legislation both workable for them and effective for the Canadian public.
There are still uncertainties about this new legislation, for business as well as for us. We want to resolve as many of those uncertainties as possible, and as soon as possible, to ensure the smooth transition from the current status quo to life under private sector data protection rules.
Companies can prepare now for the new legislation by auditing their current information handling practices and assessing them against the standards set out in the Bill and its schedule. Organizations should review how they conduct their business to determine:
- what personal information they collect
- why they do so
- how they collect it
- what they do with it
- where is it kept
- when is it used or disposed of
- ho they give it to
Organizations may be surprised to learn that they really don't know what personal information they gather, why they collect it at all, how it is used and what quality controls and security safeguards, if any, are in place to protect that information. Some may even decide that they are collecting excessive amounts of personal information for no valid reason and at unnecessary cost.
Canadian businesses can ease the transition by handling personal information with the care necessary in a technologically sophisticated and information-hungry society. This makes sense if they wish to remain free from intervention by the Commissioner and the courts.
It also makes good business sense in a climate where Canadians increasingly see respect for their privacy as an essential requirement for doing business with business. Consumer trust and confidence have always been important prerequisites for on-going business success. Respect for customer privacy is becoming an essential requirement for securing that trust. People do not want their lives to be an open book. Even if they are willing to relinquish personal information, they want to know what happens to it once it is in someone else's hands. We believe that if businesses approach personal information as something of value that must be safeguarded and handled with care, they will enjoy the rewards of customer loyalty.
The very heart of Bill C-6 is the CSA's Model Privacy Code, which the private sector helped create and over which it can claim some ownership. Perhaps more so than almost any other piece of federal legislation in recent years, C-6 reflects the consensus of significant sectors of Canada's business community.
As well intentioned as the CSA Model privacy Code is, it is not a watertight legal text. Settling its interpretation will not be easy. The Bill itself refines and clarifies some of the principles stated in the Code, but the generality of the wording in the Code makes C-6 an unusual piece of legislation to work with.
Now, a word or two concerning the Privacy Commissioner's view about powers of enforcement. Some Members of Parliament, and several witnesses who appeared before committees examining Bill C-6, called for the Privacy Commissioner to have the power to make binding orders.
As those of you who have heard him speak already know the Privacy Commissioner does not want powers of enforcement. Instead, he favours a non-confrontational approach and non-adversarial measures - the trademarks of the ombudsman. Fortunately, the Bill reflects this. This ombuds role emphasizes the resolution of complaints. And perhaps more important, it emphasizes correcting the underlying problems that lead to those complaints. As an ombudsman, the Commissioner can approach an enterprise to discuss unacceptable privacy practices and to look for ways to prevent their recurrence.
The history of the Office of the Privacy Commissioner also teaches a lesson about the ombuds role. The 16 years or so of experience of the Office with this role has shown that heavy-fisted enforcement is not necessary to secure the privacy rights of Canadians. However, if experience with Bill C-6 shows that the lack of an order-making power hinders the Privacy Commissioner, Parliament can remedy the situation.
The Commissioner is also not keen to run to court. It may surprise some of you to learn that of the 20,000 complaints handled by the Privacy Commissioner's Office since 1983, fewer than a dozen have ended up before the courts. The Office is less a police department than a problem solver. Recourse to the courts remains, but only as a last resort.
Non-confrontation, openness to discussion, and the reluctance to run to court, however, do not mean the Privacy Commissioner is toothless. He may not have powers of enforcement, but he can publicize wrongdoing. Given the concerns of Canadians about threats to their privacy, disclosure of practices that interfere with their privacy may be an effective way to ensure that the Bill's principles are respected. However, even here, the Commissioner's approach will be cautious.
Publicity will not be used recklessly. We believe that publicity will not often be necessary once private sector organizations realize the benefits of respecting their customers' privacy.
Bill C-6 establishes procedures for complaining to the Privacy Commissioner about violations of its data protection provisions. An individual may file a written complaint alleging that an organization has contravened a provision dealing with the protection of personal information or failed to follow a provision set out in the Schedule to the Bill. As well, C-6 permits the Commissioner to initiate a complaint if he is satisfied that there are reasonable grounds to investigate a matter.
Under certain circumstances, the complainant may appeal to the Federal Court. The Court has the power to order an organization to correct its practices to comply with the Bill and may also award damages to the complainant.
The toolkit available to the Privacy Commissioner under Bill C-6 also includes the right, on reasonable notice and at any reasonable time, to audit the personal information management practices of an organization. This power, however, comes into play only if the Commissioner has reasonable grounds to believe that the organization is contravening the privacy provisions of the Bill.
The criminal law bolsters these powers. It is a criminal offence to obstruct the Commissioner during an investigation or audit or to knowingly dispose of information requested by an individual. The Bill also makes it an offence for employers to retaliate against employees who:
- report a contravention of the Bill to the Privacy Commissioner,
- refuse to contravene the data protection provisions,
- or who take action or state their intention to prevent a contravention of the Bill's privacy provisions.
The Bill assigns two other roles to the Privacy Commissioner, as a researcher and an educator. C-6 requires the Commissioner to undertake and publish research related to the protection of personal information. As well, education is an essential part of the process of implementing C-6. Our Office has struggled for years to educate Canadians about their privacy rights and about developments that strengthen or threaten those rights. Yet until now, there has been no formal authority for the Office to conduct public education. Bill C-6 addresses this deficiency - at least for education relating to the private sector.
Recent surveys show that consumers are uneasy about the state of personal information practices in the business world, particularly in the world of e-commerce. Some of these concerns are based on consumers' lack of knowledge about just what happens to the personal information they divulge.
Our Office will take steps to foster public understanding of how personal information is used and shared. One of the Commissioner's goals is to make Canadians aware of privacy invasive practices and of the personal and social consequences of privacy intrusions. We will work to develop educational materials that will provide Canadians with the tools they need to protect their own privacy.
Bill C-6 is among the most important pieces of privacy legislation in several decades. The Bill takes one step in the direction of securing greater respect for this fundamental human right we call privacy.
Some will argue that the Bill does not go far enough. Others will counter that it creates unnecessary burdens for business. Indeed, the Bill is not perfect - no matter what your perspective on it. Fine-tuning may be required. However, that should not stop us from working with business and consumer groups to ensure that what we have now weaves its way deep into the fabric of the relationship between businesses and the individuals whose personal information they collect, use and disclose.
- Date modified: