April 13, 2000
Director, Investigations and Inquiries
(Check Against Delivery)
I am very pleased to have been invited here today to speak to you about the state of privacy in electronic commerce. I am all the more pleased to have something good to report, for a change. The good news is that the state of privacy in electronic commerce is about to take a sharp turn for the better.
Just a few days ago, Parliament passed a law called the Personal Information Protection and Electronic Documents Act (otherwise known as Bill C-6). This new law will in effect extend privacy protection to the private sector, including the burgeoning and complex field of electronic commerce.
Not long ago, I might have begun this address in an entirely different way. I might have even tried a scare tactic of some sort. I might have quoted, for example, from something like the cover of the March issue of PC Computing, where bold lettering declares this stark and chilling message:
WE KNOW EVERYTHING ABOUT YOU
Where you live
Where you work
How much you make
What you buy
What you do on the Web
Your private past
Not long ago, I might have hung my whole speech on a quotation like that. There it is in a nutshell, I might have concluded, in a voice of doom and gloom. Behold the deplorable state to which privacy in electronic commerce has sunk. Read it and weep. And while you're at it, caveat emptor.
But the new act of Parliament has made all the difference in what I want to tell you here today. It has in effect put informational privacy on a much more secure footing, thereby inspiring me to deliver a much more positive and encouraging message today.
Not that the scarier message isn't true, mind you. On the contrary, some say that electronic commerce currently holds privacy in low esteem. They suggest that many businesses - and not only those in electronic commerce - know and seek to know far more than they need and ought to know about individuals. It is implied that many businesses have only a mercenary, or at best a cavalier, regard for the privacy of their clients, customers, and employees, and that many use and disclose personal information in highly inappropriate ways. Whatever the speculations, what is true - frighteningly true - is that the potential for business to abuse personal information and violate the privacy of individuals tends to increase almost daily through ever-developing intrusive technologies. Yes, the scary, deplorable truth is that your privacy can be at considerable risk in electronic commerce and elsewhere in the private sector.
But I have to presume that none of that comes as any surprise to this perceptive audience. I presume you are more or less aware of the situation by now - aware enough, at least, to be appropriately cautious. In any event, it occurs to me that I could spend my time here today in a much better way than by dwelling on all the scary negatives. As of April 04, 2000, Parliament passed a new legislative instrument that bodes new hope for privacy, not only in electronic commerce, but also throughout the private sector. It is not a panacea, but it is a positive force that I believe has strong potential to raise privacy standards several notches higher in the sector that dares to call itself private.
Allow me therefore to introduce you to the Personal Information Protection and Electronic Documents Act.
I am especially excited about the implementation of this Act, because I will have a role to play in it. The federal Privacy Commissioner has been given oversight responsibilities for the new legislation, very similar to the responsibilities he has carried out for the federal Privacy Act down through the years. That means that the Commissioner and we his staff will be venturing into interesting new territory. I for one am very much looking forward to extending my professional interests beyond the federal sphere and facing the new challenges that I know the private sector will offer.
To appreciate the new Act in all its hope and glory, it will be helpful if you know something about the existing one from which it largely derives its core values of fair information practices - the federal Privacy Act. So, before I tell about the new work that lies ahead for my colleagues and me, please indulge me five minutes while I give you a little background on the legislation that has been keeping us busy up to now. I'd like to think that for most of you it will simply be a case of refreshing your memory.
The federal Privacy Act has been in force since 1983. The official whose main responsibility it is to supervise the application of the Act is the Privacy Commissioner of Canada. The Privacy Commissioner is an officer of Parliament, responsible directly to Parliament. He does not report to or through any one minister of the Crown.
The incumbent is Bruce Phillips, who is now coming to the end of a term that has extended to some ten years. And I know from my personal and professional acquaintance with him that Commissioner Phillips is extremely pleased to have persevered in office long enough to see the passage of the Personal Information Protection and Electronic Documents Act. The expansion of his Office's influence into the private sector is a fitting culmination of the Commissioner's distinguished privacy career.
Essentially, the Privacy Act regulates how federal government institutions may collect, use and disclose personal information about individual Canadians. As for the individuals themselves, the Act provides them with a right of access to information held about them by the federal government, and a right to request correction of any erroneous information.
The Act gives the Privacy Commissioner powers to audit federal institutions for compliance with the Act. It also obliges the Commissioner to investigate complaints by individuals about breaches of the Act.
Individuals may lodge a formal complaint with the Commissioner, for instance, if they believe that a government institution has denied them due access to their personal information, or has taken too long in providing it, or has applied unacceptable exemptions to it, or has refused to correct errors in it.
Or they may complain that a government institution has collected personal information about them that it shouldn't have collected, or destroyed personal information that it shouldn't have destroyed, or used or disclosed their information for purposes other than those for which it was originally collected.
Every year, the Commissioner receives hundreds of such complaints, which his staff duly investigates. The Commissioner subsequently reports his findings both to the individual complainants and to the federal institutions concerned. In a remarkably large number of cases, the complaints are resolved to the satisfaction of all parties.
Indeed, that is what the Privacy Commissioner of Canada has always sought above all - not confrontation, or imposition of his authority, or heavy-handed enforcement of privacy law, but rather resolution. He seeks to resolve, not only the complaints that he receives, but perhaps more importantly, the underlying problems that give rise to the complaints.
In order to understand how the work of the Office of the Privacy Commissioner will carry over into the private sector, it is important to understand the Office's traditional ombuds role. The Privacy Commissioner has always functioned primarily as an ombudsman - not as a policeman. If you are hearing it for the first time, you may be surprised to learn that the Commissioner has never had any powers of enforcement. It may surprise you even more to learn that he doesn't want any.
Nor do we his staff want such powers. We, too, cherish the traditional ombuds role. We know that powers of enforcement tend to cause adversarial relations, and we have learned from long experience that there is great advantage in our ability to audit and investigate conduct of government institutions without being taken for adversaries.
To powers of enforcement, the Commissioner much prefers his powers of investigation and negotiation, his powers of persuasion and resolution. Sometimes, but only when all else fails, he resorts to another highly effective power available to him - the power of embarrassment through publicity. But all in all, the Commissioner believes, and we his staff believe, that the true worth and effectiveness of the Office have always derived, and will continue to derive, from the Commissioner's role as an ombudsman.
The federal Privacy Act and its equivalent legislations in most Canadian provinces are the expression of internationally accepted privacy principles known as "fair information practices". However, these laws apply only to information handled by governments. Increasingly the international community has been calling for the extension of fair information practices to the private sector, too. But, until recently Canada's response to that call had been woefully inadequate. Only the province of Quebec had previously enacted comprehensive private-sector data protection legislation.
But as I have suggested, the Personal Information Protection and Electronic Documents Act is about to address this inadequacy in a big way. This is the most important legislative instrument for the defence of privacy since the federal Privacy Act was passed in 1982.
Essentially, the new Act will require private sector organizations to respect a code of fair information practices governing collection, use and disclosure of personal data. In this regard, the new Act is very much like the Privacy Act in the federal sphere, but with one important new emphasis. The key principle of the new legislation is consent. As a general rule, no one will be able to use another person's information without that person's permission. In other words, organizations will not ordinarily be permitted to collect, use or disclose personal information about you without first telling you its intentions and obtaining your explicit consent.
Also, organizations must establish an open and transparent relationship with their clients by providing clear explanations of what they do with their clients' personal information. They must give their clients the name or title and the address of an officer who is responsible for information holdings and to whom complaints and inquiries can be addressed.
Individuals in turn have the right of access to the personal information an organization holds about them and to request that it be corrected if it is erroneous. Furthermore, the business must establish a process for individuals to obtain their personal information.
As I indicated earlier, the new Act also provides a mechanism for independent oversight, namely the Privacy Commissioner of Canada and his Office. Again, the Commissioner's responsibilities and authorities under the new Act are similar to those under the Privacy Act. The new Act obliges the Commissioner to investigate complaints from individuals and issue reports containing his findings and recommendations. He has been provided with statutory authority to summon witnesses, administer oaths, receive evidence, enter premises, and examine documents. He also has the authority to conduct audits of organizations in respect of their compliance with the Act.
As for private citizens, the new Act permits them to file written complaints with the Commissioner against organizations they believe to be in contravention of any provision dealing with the protection of personal information. The Commissioner himself may initiate a complaint if he is satisfied that reasonable grounds exist for investigating any particular matter or issue.
Under the new Act, as under the Privacy Act, it remains an offence for any party to obstruct the Commissioner during an investigation or audit or to dispose of information requested by an individual. The new Act goes further by also making it an offence for employers to take various retaliatory measures against employees (that is to say, they are prohibited from dismissing, disciplining, or otherwise disadvantaging employees who report a contravention of the Act to the Privacy Commissioner, or who refuse to contravene the data protection provisions, or who have done or stated an intention to do anything to prevent a contravention of the Act's privacy provisions).
Furthermore, the Act permits a complainant, after receiving the Commissioner's report, to apply to the Federal Court for a hearing. The Court, in turn, has broad powers to grant remedies. These include ordering an organization to correct its information practices, ordering an organization to publish a notice of any action taken or proposed in correcting its information practices, and awarding damages to the complainant, including damages for humiliation suffered.
If some of these provisions sound tough, it is only because they reflect the importance that the new Act attaches to protecting personal information. Nevertheless, as far as recourse to the Court is concerned, it is worth remarking that similar recourse has always been available under the Privacy Act, but has seldom been used. Of the more than 20,000 complaints received by our Office since 1983, fewer than a dozen proved to be so problematic as to require the attention of the Federal Court. Nor does the Commissioner foresee any significant increase in that ratio under the new legislation.
It is also noteworthy that the Commissioner still does not have any authority to issue a binding order or to impose penalties. Under the new Act, as under the Privacy Act, the Commissioner's powers will be limited to those of an ombudsman. And, as I have suggested, this is just fine with the Commissioner and his staff. It's what we do best.
In fact, we believe that in the private sector it will be even more important for us to continue to exercise our traditional ombuds role, as opposed to some kind of police role. Our approach must continue to be non-confrontational and non-adversarial, seeking resolution of problems rather than imposition of authority. We believe that heavy-handedness would only work against us. If we were to provoke hostile reaction from the business community by operating in an overbearing and arbitrary manner, the new law would probably fail. We see consultation and cooperation as the way of success.
The goal of the Office of the Privacy Commissioner will not be to force compliance for compliance's sake, but rather to create and cultivate a state of mind in which business will routinely take into account the privacy rights of clients, customers, and employees in developing and marketing products and formulating administrative practices.
The goal of the new Act is not to impede business. The goal is to strike a reasonable balance between respecting the legitimate needs of business to gather and use personal information and respecting the right of individuals to have their personal information protected.
Nevertheless, there is no doubt that the latter side of the equation will require adjustments on the part of business. The Act does mean to provide individuals with privacy protection where no protection, or little protection, or at best inconsistent protection existed before, and that means that many organizations will have to change the way they do business. There's no getting around it. To meet the new obligations for handling the personal information they are entrusted with, many organizations will have to adjust their current practices. No one expects it to happen overnight, but change must come.
A good number of organizations have already taken steps to prepare for the new legislation. Indeed, for some it has been a natural progression, in that a major component of the legislation is the Canadian Standards Association's Model Privacy Code, which the Canadian business sector helped to develop. Many companies therefore have a proprietary interest in the Code and, by extension, in the new Act that incorporates it.
We in the Office of the Privacy Commissioner know that business will need our help in adjusting to the new legislation. It will be a learning experience for all concerned. Our focus in the coming months will be to learn about business from business and to educate business about the new legislation and about our role in it. We will meet with representatives of the various business sectors affected by the legislation, discuss their concerns, and look for solutions that will make the new law both workable for them and effective for the Canadian public.
We are confident that business by and large will come to see the wisdom of the new law. For one thing, business depends on satisfied clients and customers, and reputation is an important asset for any company. Few, we suspect, will be willing to risk being singled out in any way for wilfully flouting the rights of individuals.
But it is not only the threat of complaints or bad publicity or possible court action that will compel compliance with the new legislation. There is mounting evidence that companies are coming to understand, through their own experience, the importance of privacy protection in gaining and retaining consumer trust and confidence. We believe that, once the playing field is made level for all through the legislation, the vast majority of private-sector organizations will embrace common privacy principles not just because they are the law, but because they are simply good business practice.
The new Act also assigns two new roles to the Privacy Commissioner - those of researcher and educator. Previously the Commissioner had no formal mandate - and hence no resources - for either research or education, although the Office did as much as it could manage to do in both fields. Now, however, the new Act expressly requires the Commissioner both to undertake and publish research related to the protection of personal information and to conduct public education on privacy matters relating to the private sector.
Our Office regards the new education role as essential to the process of implementing the legislation. Up to now, without specific authority or resources, it has been a struggle for the Office to educate Canadians properly about their privacy rights and about the developments that threaten or strengthen those rights. The new mandate is most welcome, even though it applies only to the new legislation, and not the Privacy Act.
Recent surveys show that consumers' uneasiness about the privacy of their personal information in the business world - and particularly in e-commerce - derives in large part from lack of knowledge about just what happens to the personal information they divulge. The Office of the Privacy Commissioner will take steps to foster public understanding of how personal information is used and shared. One of the Commissioner's goals is to make Canadians aware of invasive practices and of the personal and social consequences of privacy intrusions. The Office has already begun to develop educational materials that will give Canadians the tools they need to protect their own privacy.
To accommodate adjustment, the new legislation will be phased in over four years. The present year 2000 is regarded as the ramp-up or implementation period, during which businesses are expected to take stock of their information practices and get their houses in order.
In 2001, the new law will take effect, applying at first only to the clients and employees of businesses engaged in federal works and undertakings and to organizations handling crossborder transfers of personal information for consideration. In 2002, application will extend to personal health information.
The year 2004 will see full application of the Act, covering all businesses involved in the handling of personal information within a province, except in cases where the province has substantially similar legislation.
But I think that perhaps my monologue has gone on long enough. It's time for dialogue. Just allow me in closing to pass along to you a quotation I came upon recently. The author was someone named Will Crooks, and I have no idea who he was, but I like what he said very much. He said this: "The most sacred thing is to be able to close your own door."
Now, don't worry, I'm not going to elaborate at the moment. I haven't quite worked out the full analogy yet anyway - something along the lines of technology opening new doors for us but not allowing us to close them, et cetera, et cetera. But what struck me immediately about the quotation is what I want to remark upon - the equation of privacy with the sacred. Even if you don't necessarily believe in sacredness per se, I'm sure you believe in some of the higher human principles that we tend to associate with it or substitute for it - dignity, respect, autonomy, freedom. The point is, privacy is one of those higher principles - one of those interrelated principles that govern how we live and what kind of people we are. I urge you to see the Personal Information Protection and Electronic Documents Act not simply as a piece of legislation, something to regulate the processing of personal data in the private sector, but as an instrument to enhance respect for one of the very underpinnings of democratic society - the right to control what others can learn about us.
I would be pleased now to respond to any questions or concerns that may have occurred to you over the last half hour. Please feel free to ask me anything you like about the new private sector privacy law, the public sector legislation, privacy issues, electronic commerce, the Privacy Office, what kind of cigars the Commissioner smokes - whatever.