Protecting Privacy in the 21st Century: The Canadian Approach to the Protection of Personal Information
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Privacy Laws & Business 14th Annual International Conference
July 2, 2001
Cambridge, United Kingdom
Privacy Commissioner of Canada
(Check Against Delivery)
Although I don't need to convince you of the importance of privacy, I do want to talk a bit about what it means to me. Then I'll give you a brief overview of my role and the legislation for which I'm responsible. I'll leave some time for your questions after that, and do my best to answer them.
I think that we here today all care about privacy because we recognize that it's a critical element of a free society. In the words of Justice Laforest of the Supreme Court of Canada, privacy is "at the heart of liberty in a modern state."
Both the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights recognize privacy as a fundamental right.
That's because there can be no real freedom without privacy. In fact, it can be argued that privacy is the right from which all others flow-freedom of speech, freedom of conscience, freedom of association, freedom of choice, any freedom you can name.
That, of course, is why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
And that's why privacy is not only an individual right-it's also a shared value, a social, public good.
This is a particularly important point for a publicly funded privacy protection authority like my office. We're often accused of putting the privacy of the individual before the greater good or the interests of society. And so I spend a lot of time explaining that the interests of society include the privacy of individuals. When privacy is lost, the individual feels it, of course, but society is the real loser.
Naturally, I acknowledge that privacy is not an absolute right. Sometimes some privacy does have to be sacrificed to advance other crucial social objectives.
But I believe that, when someone proposes a limitation on privacy as a trade-off for some other objective, we must pose hard, insistent questions: Is there really a need that clearly outweighs the loss of privacy? Will sacrificing privacy really achieve the objective? Is there a less privacy-invasive way to achieve the same thing?
I define privacy as the right to control access to one's person and to information about oneself. This informational definition of privacy seems to me to capture the most persistent and pressing privacy problem we're faced with today: the collection and compiling of information about us without our knowledge or consent.
It's that problem that leads me to believe that privacy will be the defining issue of this decade.
That's because we are at a crossroads. Privacy is no longer protected by default. When information about us was in paper records, scattered over a lot of locations, compiling a detailed dossier on any individual was a daunting task.
But the move to electronic record-keeping has changed all that, eating away at the barriers of time, distance, and cost that once guarded our privacy. New surveillance technologies-cookies and web bugs, video cameras, e-mail monitoring, smart cards, biometric identifiers, location tracking, drug testing-assail us wherever we turn. Strangers sitting at computer keyboards need little more than seconds to compile dossiers on us, detailing our every action, purchase, statement, even human contact.
So, with the default protection vanishing, it's up to us. The choices we make in confronting this threat to privacy will determine what kind of world we leave for our children and grandchildren.
In Canada, one of the choices we've made as a society is to enact privacy legislation. In 1983, Parliament passed the Privacy Act, which gives Canadians rights of control over and access to their personal information held by government institutions. In 2000, Parliament extended similar protections to the private sector with the Personal Information Protection and Electronic Documents Act. That act came into effect on January 1st of this year.
My mandate flows from those statutes. As the Privacy Commissioner of Canada, I'm an Officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians. I don't work for, or report to, the government. I work for and report directly to the people of Canada, through Parliament.
I'm going to focus today on the private sector legislation, but, with some variations, most of what I say about privacy protection in the private sector is also true in the public sector.
The new act applies to personal information collected, used, or disclosed in the course of commercial activities. At the heart of the act is a model code for the protection of personal information, which was developed jointly by business, government, and consumer groups. The code is based on the OECD principles with which you're all familiar.
What the new act says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization can collect, use or disclose personal information about you without your consent.
It can collect, use or disclose that information only for the purpose for which you gave consent.
Even with consent, it can only collect information that a reasonable person would consider appropriate under the circumstances.
People have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected. And there is redress if people's rights are violated.
The workings of the act, and the way in which it is being applied, reflect its distinctively Canadian character.
One of the complications of life in Canada is the constitutional division of powers and responsibilities between the federal and provincial governments. This gives us a reasonable balance between centralization and local control, but it makes things tricky when we need to speak with a single voice-for example, when we want a single standard for data protection.
The upshot is that this legislation involves the federal and provincial governments in a sort of dance to develop a seamless web of privacy protection in Canada.
The act is coming into effect in stages. It has applied since January of this year to personal information, other than health information, of customers or employees of works, undertakings, or businesses under federal jurisdiction-principally banks, telecommunications, broadcasting, and interprovincial or international transportation.
It also applies to personal information-again, other than health information-when it's disclosed across provincial or national boundaries for consideration. "Disclosed for consideration" is legalese meaning that you get something in exchange for it-for example, through sale, lease, or barter. The personal information itself must be the subject of the exchange for the act to apply.
It also applies to the whole private sector in the Northern Territories which are considered federal works and undertakings under our constitution.
The exclusion of personal health information was a last-minute compromise, and it's temporary. When the law was working its way through Parliament, representatives from the health care sector raised two distinct concerns. Some wanted tougher provisions on patient consent and subsequent uses of personal health information. Others argued that the law would constrain operational activities in health care. Eventually it was agreed that health information would be excluded from coverage under the act for one year after its coming into force. This was supposed to give the health care sector time to work out its problems.
In about six months from now, in January 2002, that exclusion will end. The act will then apply to personal health information about employees or customers of federal works, undertakings, or businesses, or such information that's disclosed across borders for consideration.
The final phase-in stage for the act is 2004. At that time, it will extend to all commercial activities in Canada with one important exception. Where provinces have passed substantially similar privacy legislation, the Federal Government may exempt organizations and activities in the province from the application of the federal legislation, and the provincial law will apply. Federally-regulated businesses in those provinces will continue to be governed by the federal act. So will personal information in all interprovincial and international transactions by organizations in the course of commercial activities.
In short, soon we will have seamless privacy protection in Canada. All of the private sector will be required to comply with the federal law or a substantially similar provincial one.
My approach to the investigation and resolution of citizens' complaints under the act is generally non-confrontational. I don't have direct order-making powers. I'm an ombudsman, and I try to resolve complaints through mediation and discussion.
The law does have teeth. I can subpoena witnesses, and, if necessary, enter and search premises. But it's worth noting that in 20 years of administering the privacy law for the public sector, my office has never had to use those powers, because voluntary cooperation has always been forthcoming. I hope that that will be the case with the private sector as well.
I also have sanctions at my disposal if I find that an organization is violating privacy rights and refuses to modify its conduct or remedy the situation.
First, there's the power of disclosure. I can make public-in a report to Parliament or in a press release, for example-that an organization is violating the law and is refusing to respect the privacy rights of Canadians. That's a very powerful sanction because few businesses would like to read that about themselves in their local newspapers.
I can also go to the Federal Court and ask it to order an organization to do, or cease doing, whatever is necessary to come into compliance with the law and I can ask the court to award damages to anyone whose privacy rights have been violated.
Again, experience with the public sector suggests that I won't often have to use those powers. I won't hesitate to use them if I have to, but I think most private sector companies will recognize, if they haven't already, that good privacy is good business.
And it's not all oversight and enforcement. The act also brings greater responsibility, an expanded role, and a new mandate for me and my office to educate Canadians and organizations about privacy.
To meet these new responsibilities, I've expanded the office's communications capabilities and we've embarked on a major public information campaign, informing Canadians of the new legislated privacy protections, and reminding private sector organizations of their responsibilities under the Act.
There are a couple of things about this legislation that I'd like to point out.
First, it's not some bureaucrat's dream of the way society should be. As I said earlier, it grew out of consultation with business, consumer groups, and government. This gives us a much smoother ride with the act coming into force, because we have support right from the start.
Second, the new law doesn't set Canada apart. The principles on which it's based are widely recognized and accepted. Virtually every other industrialized nation in the world either has legislation like this, or is putting it in place. The only significant exception is the United States. There, the question is not whether the principles are valid, but what is the best way to put them into practice.
So, while the new act is definitely a step forward for privacy in Canada, it really just brings us up to speed with the rest of the world.
In that regard, the European Union's Article 31 Committee, subject to the limitations in the act's scope and the delays before full implementation, has indicated that the act provides adequate protection for personal data transferred from the EU.
It's also worth noting that there has been considerable international interest and activity around the new legislation. We've had a number of foreign delegations visit with us in Ottawa to see how we do things and what they can learn from us. Recently I was invited to speak about the Act to a meeting of the Attorneys General of the United States. They commented that Canada is ahead of the US in protecting privacy.
In comparing Canada with other countries, it's always interesting to see how they've dealt with the interrelationship between privacy and another right, access to government information.
In Canada, unlike the UK, we have separate Commissioners responsible for privacy and for access to information, each with a specific and distinct statutory mandate.
As Privacy Commissioner, and as a former journalist, I've had a lot of occasion to think about the relationship between these two rights. And I believe very strongly that Canada made the right choice in separating the two functions.
As a former journalist, I certainly understand the importance of freedom of information and the critical role that it can play. I think that the UK is to be commended for passing a Freedom of Information Act, which does on the whole lead to more open and transparent government.
But the two rights cannot, in my view, really be considered in the same breath. They're not two sides of the same coin, as is sometimes claimed.
Access to government information is an administrative right that may improve the quality of government. It's a refinement of democracy.
Privacy is a fundamental human right that is essential to our freedom and dignity. It is the very cornerstone of democracy.
It follows from this that privacy trumps access except in the most exceptional circumstances.
And it also follows, I believe, that the two are better dealt with separately, by different agencies. There have been, and doubtless always will be, instances where the two principles conflict with one another. On those occasions, it is critical that the defence of the two principles be carried on in an open, transparent, and independent way.
In a landmark decision in 1997, the Supreme Court of Canada ruled that while the Access to Information Act and the Privacy Act have equal status and must be given equal effect, both statutes recognize that privacy takes precedence over access.
I believe we must always be very clear: Access to information is desirable. Privacy is essential and fundamental.
A point that I often have to emphasize, although it will be well-known to most of you, is that the greatest threats to privacy seldom come from those who want to do harm.
They come from well-intentioned people who say that privacy needs to be sacrificed on the altar of some greater good-customer service, prevention of crime, the advancement of science, efficiency.
Of course, sometimes privacy does have to yield to other social interests.
But I think we need to ask ourselves-and ask those well-intentioned people-what kind of society we would be serving, building, and promoting, if the destruction of privacy were the price to be paid.
My job is not only to protect individual rights in specific cases. A Privacy Commissioner's voice has to be raised in constant advocacy of privacy, reminding people of their rights and obligations, standing up for principle in the face of expediency and convenience, and strengthening one of the most critical elements of the social glue that binds us together-strengthening privacy.
Thank you for the opportunity to address you. In the time we have left, I'd be happy to try to answer your questions.
- Date modified: