This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
December 6, 2000
Privacy Commissioner of Canada
(Check Against Delivery)
The Province of Quebec really is the pioneer in this country when it comes to protecting the individual's right to privacy in the private sector.
The success with which the privacy law has been implemented here in Quebec gives me a feeling of optimism as we approach the implementation of the federal government's Personal Information Protection and Electronic Documents Act.
Private sector organizations in this province seem to have adapted quite readily to the notion that protecting peoples' personal information is actually a pretty good idea.
I am looking forward to a similar response when the federal law extending Canadians' privacy rights to include a large part of the private sector comes into effect January 1st.
Anyone involved in those kinds of undertakings should be aware that there are some important differences between the federal and Quebec laws, and I will touch on some of those a little later.
As well as expanding Canadians' privacy rights to include their dealings with private sector organizations, this new legislation will mean some significant changes for the Office of the Privacy Commissioner.
First, the Office will be responsible for overseeing these new rights in addition to the existing job of ensuring that Canadians' privacy rights with respect to the federal government are not abused.
A second, and in my opinion a very welcome and necessary change, is the Privacy Commissioner's new mandate to carry out research and public education on privacy issues.
I am looking forward to these new responsibilities with anticipation, although I realize for those about to come under this kind of regulation for the first time, the emotion may be closer to trepidation.
I hope what I have to say today will ease some of those concerns, and add to your understanding of what this legislation does, and why we need it. I'll also try to explain where and how the Privacy Commissioner fits in to all of this, and what you can expect from my office and me as this legislation is implemented.
Let me begin by saying I believe privacy will be the defining issue of this new decade.
I say that because, in terms of privacy, we really have come to a kind of crossroads.
Until recently, our privacy was protected pretty much by default.
Unless you were very famous, or very important or had committed a crime, your personal information was scattered here and there, and kept in hard copy files.
Assembling any kind of dossier on any one of us meant quite a bit of legwork: Someone would have to go to a fair amount of trouble to find out about you.
To say "times have changed" is a bit of an understatement. Today, information that even a few years ago might have taken weeks or months to dig out can be compiled literally in minutes at a computer keyboard.
It used to be someone had to go out of their way to access our private data - now we must go out of our way to ensure our private data stays private.
How we deal with this issue, this new reality, now -over these next few years - will decide how the individual relates to society in Canada for many, many years to come. It will determine the very type of society we leave to our children.
So what exactly is this privacy we are trying to protect?
All of us want to be able to go about the business of our lives without having someone looking over our shoulder, demanding to know what we're doing, and why we're doing it.
In that context, privacy might well be defined as the right to say "none of your damn business."
That is certainly part of it, but in the information age, I believe the definition of privacy goes much further.
If you asked me, I would define privacy as the right to control access to one's person and to information about oneself.
As long as society and other individuals make their judgements about who we are based on the information they have about us - and I suspect that will be the case for a good long time - this idea of control of our personal information will be at the very heart of our personal privacy.
Critical to that notion of control is the concept of choice, or consent.
If you live as a hermit, on some remote mountainside, chances are your privacy is pretty well intact.
But the moment you choose to come down into a city or village, you are choosing to give up some of your privacy. Just by walking along a street, you are giving up some information.
People can make judgments or assumptions about you on the basis of your physical appearance, how you're dressed, how well groomed you are - a whole host of visual clues, whether accurate or inaccurate.
If you choose to pick up some supplies, you give up more of your privacy. The shopkeeper may gain some insight into your dietary habits. The pharmacist is left to contemplate your need for cough medication, and the cashier at the newsstand can make note of your reading habits.
You've lost some of your privacy, but you considered it a worthwhile trade. You like steak. The coughing was driving you crazy, and you don't particularly care if people know you like mystery novels.
The point is this: the more we become involved with the collective whole and society at large, the more information we surrender about ourselves. When we apply for a job, open a bank account, explore the Internet, or take part in any of the myriad transactions of daily life, we make another contribution to the gradual erosion of our private selves.
Thus, privacy is not an absolute. It is rarely stripped away in one fell swoop. It is a continuum of choices and trade-offs.
Revealing information about ourselves only when and as we choose is the very essence of privacy.
These days, we sometimes don't have a choice. Surveillance has become a matter of routine. Cameras follow us from the bank machine to the corner store to the elevator in our office building.
Thanks to the wonderful convenience of the debit card, your bank could find out where you ate lunch yesterday, and where you bought your mother's Christmas present.
Suppose you have an elderly, shut-in aunt who likes her gin. Being a kindly soul, you make a habit of stopping at the liquor store for her on your way home. Anyone looking at your debit or credit card purchases might well conclude you're an alcoholic.
Perhaps a close friend has moved to Las Vegas, so you fly down there four or five times a year to visit him. Someone looking at your travel habits is likely to assume you're a compulsive gambler.
Likewise, there are suggestions that collecting all of our medical records in one massive database would be a good idea, but who is to decide whether and with whom our medical histories will be shared? There is a powerful and steadily-increasing demand for our personal health information from any number of secondary users.
Suppose the records are shared with researchers at a pharmaceutical company. The pharmaceutical company decides it is reasonable to share the information with an insurance company, again, for research purposes. This is not a problem; all the names and numbers have been removed.
Not necessarily: American computer scientist Latanya Sweeney has shown that simply removing identifying details from patient records does not assure privacy.
With a few patient-specific details, an individual can be identified. The data can also be linked or matched with information from other sources to identify people by so-called "inferential disclosure".
In this case, two plus two equals you.
One day you apply for an insurance policy, but the company sees something it doesn't like in the blood test from your last checkup. It's quite possible the lab put your name on someone else's sample. It's not your mistake, but you still don't get the insurance, and you may never know why.
That same, inaccurate blood test could deny you a job, or dismiss you from the one you have now.
For the individual, a privacy invasion can be every bit as devastating as a home invasion.
The vast array of data and the conclusions that can be drawn about us from it is simply stunning.
The destination, date and duration of virtually every telephone call we make.
Is there a list of every movie you've ever rented?
Why were you taking anti-depressants in 1992?
None of your damn business indeed.
Despite all this potential for intrusion, people quite rightly want to avail themselves of the advantages that information technology offers.
Quick and efficient access to financial transactions, flight bookings, almost any kind of information about anything, is a great leap forward. But if we pay for these conveniences with a basic and fundamental human right, we must question their value.
And individuals are doing just that. Public opinion surveys consistently show the vast majority of Canadians worry about the impact of the Internet and e-commerce on their personal privacy. Privacy concerns are perhaps the single biggest deterrent to doing business online.
If you have to wonder - every time you click into a web site, every time you make a purchase with your debit card, every time you fill out an application for something - what information you are giving away, to whom you are giving it and for what purpose, you have no privacy.
To feel one is being monitored, to be self-conscious about every move one makes, is the essence of life in a totalitarian state.
That is why we have a Privacy Commissioner to monitor how government and private sector organizations respect citizens' right to privacy, and whether those organizations pursue fair information practices.
Which brings us to the Personal Information Protection and Electronic Documents Act.
This Act is intended to strike a balance between the information needs of our modern society and the rights of individuals to control how their personal information is collected, used and disclosed by the private sector. It is intended to give individuals a choice when it comes to revealing their personal information.
For all of us, this law means a new level of privacy protection when dealing with private sector organizations.
For the private sector, it means a clear and consistent standard for the protection of privacy. A standard, I should add, that it must meet.
For the office of the privacy commissioner, the Act brings greater responsibility, an expanded role, and a new mandate to educate Canadians and organizations about the issues surrounding personal privacy.
At the core of the legislation is a code of fair information principles. I won't list all of them, but what they say, basically, is this:
- anyone collecting personal information in the course of a commercial activity must explain the purpose of collecting it, and obtain the individual's consent;
- they must limit the collection of personal information to what is reasonable under the circumstances, and use it only for the purpose for which it was collected;
- they cannot disclose this information to anyone else without consent, and
- they must allow individuals to have access to their own personal information and correct any inaccuracies.
I think it's worth noting here that these principles were not dreamed up by a bunch of bureaucrats in one of Ottawa's ivory towers. The principles are in fact the Model Code for the Protection of Personal Information developed under the guidance of the Canadian Standards Association. The Code is the product of five years of consultation with Canadian business, consumer and other groups.
In that sense, the Code is grounded in the reality of the marketplace.
These principles, and the new law as a whole, are also grounded in the reality that this is the direction in which the entire world is moving. The European Union already puts restrictions on the transfer of personal information to countries that do not protect it adequately. In fact, I have just returned from Brussels where I was explaining the Personal Information Protection and Electronic Documents Act to our trading partners in the E.U., and assuring them it is in line with the privacy principles in practice there.
Once the new law takes effect, organizations based outside Canada will be expected to comply with it when doing business here. And Canadian companies transferring personal information outside Canada for processing must ensure that third parties provide the same level of protection.
I must say, I'm very pleased with the relationship we have with the private sector. I want this relationship to continue.
We have had many very useful discussions already with national associations representing key industries. The advice and input from banks, marketers, the telecommunications sector, Internet providers, manufacturers, retailers and others has been unfailingly thoughtful and practical.
We are in the final stages of preparing a guide to the new legislation for the private sector. It will be available before the end of the year. A number of key industry sectors in Canada have donated their time and expertise to reviewing the guide at various stages of its development. Their suggestions have been a great help in making sure the guide is as useful to business as it can possibly be.
Many organizations about to become subject to this kind of legislation for the first time have asked about when business will be expected to comply with the new law.
The Act will be implemented in three stages. Beginning January 1st, it will apply to federal works, undertakings and businesses. These include banks, telephone and companies, airports, broadcasters and firms engaged in interprovincial or international transportation.
It also applies to disclosures of personal information across provincial or national borders for consideration, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other personal information. That means the personal information itself is the subject of the transaction.
Now, it is highly unlikely any of those enterprises will find me and a posse of auditors on their doorstep on New Year's Day. Nonetheless, the new law does take effect for this group on January 1st, and a customer's right to file a complaint takes effect at the same time.
I am convinced from my contacts with business that organizations within this first group are well aware of the new law and have been preparing for its implementation for some time now.
For this group - the federal works, undertakings and businesses - the law also applies to their employees' personal information in the first year. Although personal health information is exempt until January 1st, 2002.
The final stage of implementation will take place in January 2004. At that time, the Act will extend to the collection, use or disclosure of personal information in the course of any commercial activity within a province.
The federal government may exempt organizations or activities in provinces that have adopted substantially similar privacy legislation. The federal government has already stated publicly that Quebec's law is substantially similar so, in all likelihood, that exemption will be forthcoming.
It will also apply to all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.
Upholding these and the other provisions of the Act is the job of the Privacy Commissioner of Canada. There are some important distinctions to be drawn here between the new federal legislation and the existing law in Quebec.
The Privacy Commissioner of Canada functions as an ombudsman, with a strong emphasis on resolving complaints through mediation and negotiation. Unlike the situation here, I do not have the direct power to order an organization to clean up its Privacy Act, although I do have what some have called the "power of embarrassment". You would be amazed how few organizations want to see their privacy shortcomings on the evening news.
The Privacy Commissioner of Canada also has the power to conduct audits where there are reasonable grounds to believe an organization's privacy and information-handling practices are not all that they could be.
And, if need be, the Privacy Commissioner can seek remedy in the courts, which can order an organization to stop committing privacy violations, and can also award substantial damages to the individual affected.
Like the Privacy Act before it, which sets out privacy rights with respect to the federal government, this new legislation gives the Privacy Commissioner broad powers of investigation.
I am happy to say those powers - to enter premises, subpoena documents, compel testimony - have never been used in the public sector, because there has always been voluntary cooperation. I'd like to keep it that way with the private sector, and I hope we are never put in a position of "last resort".
Of the tens of thousands of complaints filed with the office under the Privacy Act since 1983, only a handful has gone to court.
These numbers prove that a balanced, non-confrontational approach can work. It is the approach I intend to continue as our mandate expands to the private sector.
The nature of the job requires the incumbent to be tough-minded when necessary. The Privacy Commissioner is an Officer of Parliament, charged with the protection of Canadians' right to privacy. I will carry out that mandate.
I also intend the Office of the Privacy Commissioner to exercise with vigour its mandate to carry out public education and communications programs.
In the months ahead, my office will be embarking on a major public information campaign. We will be advertising, producing fact sheets and brochures, and speaking at events like this one across the country. We will be informing Canadians of their new, legislated privacy protections, and reminding private sector organizations of their responsibilities under the Act.
I believe the extent to which we succeed in this will go a long way toward determining how smoothly the law is implemented, and how effective it will be over the long term.
Business must respect this legislation, but my office will be as cooperative and informative as possible. Our job is to help, not hinder.
I believe the Privacy Commissioner can be a valuable resource to the business community.
The same is true of the legislation itself.
The better the private sector understands and addresses the issue of privacy, the better it will be able to establish the trust it must develop to succeed in the world of e-commerce.
We have all seen the results of the public opinion surveys. Consumers expect their privacy to be respected and protected. Enterprises that can offer reasonable assurances of privacy will win. Those that do not will lose. So it goes without saying that good privacy is also good business.
The protection of the individual's right to privacy is the cornerstone of a free, democratic society. I look forward in the years ahead to all of us working together to reinforce that cornerstone.
- Date modified: