National Data Processing and Liberties Commission-France

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

23rd International Conference of Data Protection Commissioners

September 26, 2001
Paris, France

George Radwanski
Privacy Commissioner of Canada

(Check Against Delivery)

I have often said that, at least in the Canadian context, I believe that privacy will be the defining issue of this new decade. I still believe that to be true, now more than ever.

Privacy is, of course, a fundamental human right, recognized as such by the United Nations. But it is not only an individual right-it's also a shared value, a social, public good. In the words of Justice Laforest of the Supreme Court of Canada, privacy is "at the heart of liberty in a modern state."

Privacy is perhaps the most basic of our freedoms. Some would suggest that it is the right from which all others flow-freedom of speech, freedom of association, freedom of choice, to name but a few.

Until recently, when I spoke of it as the defining issue, I meant that we are facing unprecedented choices with regard to privacy, as the result of the new challenges presented by advances in technology and in science. The choices we make will determine what kind of society we leave for our children and grandchildren.

I am sure that many people would argue that in the light of recent tragic events, it is now the battle against terrorism that will be the defining issue. That battle must be fought, and it must be won.

But if our reaction to terrorism were to excessively and unnecessarily deprive ourselves of privacy, and the freedoms that flow from it, then the forces of darkness would have won a great and terrible victory. How we preserve our values in the face of challenge will, in fact, be the defining issue of this time.

Perhaps it will be necessary to accept some new intrusive measures to enhance security. But these choices must be made calmly, carefully and case by case. Each such measure should be accepted only if it is demonstrably and clearly necessary to address a specific problem, and only if it is clear that no less privacy-invasive measure could satisfactorily achieve the same result.

Even then, we must be careful to distinguish between what might be appropriate as a short-term, emergency measure and what is justifiable as a lasting change.

All of us as Privacy Commissioners in our respective jurisdictions, have an important responsibility to ensure that public perceptions of these issues are accurate and balanced.

Now, let me turn to a happier subject, to one of the choices Canada has made in the past year -implementing private sector privacy legislation. In 1983, Parliament passed the Privacy Act, which gives Canadians rights of control over and access to their personal information held by government institutions. In 2000, Parliament extended similar protections to the private sector with the Personal Information Protection and Electronic Documents Act. That act came into effect on January 1st of this year.

My mandate flows from those statutes. As the Privacy Commissioner of Canada, I'm an Officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians. I don't work for, or report to, the government. I work for and report directly to the people of Canada, through Parliament.

Canada's new private sector act applies to personal information collected, used, or disclosed in the course of commercial activities. At the heart of the act is a model code for the protection of personal information, which was developed jointly by business, government, and consumer groups. The code is based on the OECD principles with which you're all familiar.

The Act is consistent with the European Union's Data Protection Directive, but it's more than this. It's also an attempt to build Canadians' trust in e-commerce.

The purpose of the act is to strike a balance between the legitimate information needs of the private sector and the fundamental privacy rights of individuals. Its objective is to help foster-in a rapidly changing social and technological environment-a state of mind in which businesses routinely consider client, customer and employee privacy rights.

What the new act says, in a nutshell, is this:

Apart from some very limited exceptions, no private sector organization can collect, use or disclose personal information about you without your consent.

It can collect, use or disclose that information only for the purpose for which you gave consent.

Even with consent, it can only collect information that a reasonable person would consider appropriate under the circumstances.

People have the right to see the personal information that is held about them, and to correct any inaccuracies.

There is oversight, through me and my office, to ensure that the law is respected. And there is redress if people's rights are violated.

I'm sure that these basic provisions are familiar to you; they're found in almost all data protection acts.

What's useful to know about the Act is the way in which it is being applied. The Act is coming into effect in stages.

One of the complications of life in Canada is the constitutional division of powers and responsibilities between the federal and provincial governments which makes things tricky when we need to speak with a single voice-for example, when we want a single standard for data protection.

This is why the act is coming into effect in stages. It has applied since January of this year to personal information, other than health information, of customers or employees of works, undertakings, or businesses under federal jurisdiction-principally banks, broadcasters, communications companies, and interprovincial or international transportation.

It also applies to personal information-again, other than health information-when it's disclosed across provincial or national boundaries for consideration. "Disclosed for consideration" is legalese meaning that you get something in exchange for it-for example, through sale, lease, or barter. The personal information itself must be the subject of the exchange for the act to apply.

In the Northwest Territories, Yukon and Nunavut, it applies to the whole private sector, which, under our constitution, is federally regulated.

The exclusion of personal health information was a last-minute, temporary compromise to give the health care sector time to work out implementation issues.

In January 2002, that temporary exclusion will end. The act will then apply to personal health information about employees or customers of federal works, undertakings, or businesses, or personal health information that's disclosed across borders for consideration.

The final phase-in stage for the act is 2004. At that time, it will extend to all commercial activities in Canada with one important exception. Where provinces have passed substantially similar privacy legislation, the Federal Government may exempt organizations and activities in the province from the application of the federal legislation, and the provincial law will apply. I am required under the law to report annually to Parliament on the extent to which provinces have passed subtantially similar legislation. I expect this report to be a key factor in making the determination regarding the substantive similarity of provincial legislation. Federally-regulated businesses in those provinces will continue to be governed by the federal act. So will personal information in all interprovincial and international transactions by organizations in the course of commercial activities.

In short, soon we will have seamless privacy protection in Canada. All of the private sector will be required to comply with the federal law or a substantially similar provincial one.

Another feature that sets the legislation apart is that the Commissioner doesn't have direct order-making powers. This is intended, I believe widely, to prevent the process from being overly legalistic. I'm an ombudsman, and I try to resolve complaints through mediation and discussion.

The law does have teeth. I can subpoena witnesses, and, if necessary, enter and search premises. But it's worth noting that in 20 years of administering the privacy law for the public sector, my office has never had to use those powers, because voluntary cooperation has always been forthcoming. I expect that this will be the case with the private sector as well. So far, my optimism has been justified.

I also have sanctions at my disposal if I find that an organization is violating privacy rights and refuses to modify its conduct or remedy the situation.

First, there's the power of disclosure. I can make public-in a report to Parliament or in a press release, for example-that an organization is violating the law and is refusing to respect the privacy rights of Canadians. That's a very powerful sanction because few businesses would like to read that about themselves in their local newspapers.

I can also go to the Federal Court and ask it to order an organization to do, or cease doing, whatever is necessary to come into compliance with the law and I can ask the court to award damages to anyone whose privacy rights have been violated.

The new act is a major step forward for privacy in Canada. It helps us maintain our place among the world's leaders in privacy protection.

In closing, I just want to emphasize an observation that I expect you share-the greatest threats to privacy seldom come from those who want to do harm.

They come from well-intentioned people who say that privacy needs to be sacrificed on the altar of some greater good-customer service, public safety, the advancement of science, efficiency.

Of course, sometimes privacy does have to yield to other social interests.

But I think we need to ask ourselves-and ask those well-intentioned people-what kind of society we would be serving, building, and protecting, if the destruction of privacy were the price too readily to be paid for all manner of perceived benefits.

Thank you for the opportunity to address you.

Date modified: