International eCommerce and Internet Regulation
Bureau of National Affairs
3rd Annual BNA Public Policy Forum
November 14, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
We are all united in the battle against terrorism. This is, I believe, not only a battle to protect the security of our citizens, crucial though that is. Perhaps even more fundamentally, it is a battle to safeguard and reinforce the core values that illuminate our societies and ensure that we can all live in freedom and dignity.
That is why the subject you are here to discuss remains such a relevant one, even amid the new priorities and distractions presented by the post-September 11 environment.
Maintaining a vibrant and dynamic economy is one of the key challenges we now face in all our Western societies, and the future of electronic commerce is a vital determinant in shaping and driving economic growth. The medium in which it operates, the Internet, is transforming the world. Its effect is comparable to that of the Gutenberg printing press.
And regulating the Internet now seems, at least to some people, to be a necessary condition of assuring the success of electronic commerce.
In the middle of it all sits a fundamental human right, the right to privacy.
In my job, I deal with a vast array of privacy challenges, from genetic testing to video surveillance, from information collected about us by banks to how we manage our personal health information. Within all this, an area of critical importance is the collection, use, and disclosure of personal information in the context of electronic commerce. I expect to see a lot of activity in this area in the next few years, particularly as the Internet becomes more closely and effectively regulated.
The pairing of "international electronic commerce" and "Internet regulation" as the subject of a conference speaks volumes. Just the two terms, side by side, tell us a lot about where we are and how we got here.
Not long ago, the term "Internet regulation" was held by a lot of people to be an oxymoron. People said that, by its very nature, the Internet could not be regulated.
The Internet was borderless, diffuse, and decentralized. Websites and their contents were in cyberspace, not in real space. Trying to apply real space laws and regulations to them was futile.
When websites could be hosted in any of a hundred jurisdictions, whose laws would apply? If they could disappear with a keystroke, and reinvent themselves in a different jurisdiction, how could regulations be enforced against them?
Cyberspace was ungovernable. It was the Wild West, a libertarian's fantasy come true.
That seems like a quaint view from a long time ago. We know now that the Internet can be regulated. And the way we found out was through electronic commerce.
Electronic commerce was, as it turned out, not that different from any other commerce.
It required enforceable contracts, authentication of identity, verification of credentials. Doing business with people turned out to require, in most cases, knowing who they are, where they are, and what laws can be applied to them.
The challenges quickly became evident. Whose law does apply? Whose laws do companies have to comply with when they do business on the Internet? How do companies protect themselves from fraudsters and intellectual property thieves operating under a hundred different legal regimes?
It also turned out that, when it comes to electronic commerce, the Internet was actually a less anonymous place than real space. It required more authentication of identity, more verification of credentials. Transactions that could be anonymous in real space, a simple cash sale, for instance, became complicated in cyberspace. As well, knowing your customer in cyberspace entailed knowing a lot more than the corner grocer needs to know about you. And it began to look as though the only way to protect intellectual property was to track who used it.
The implications of this weren't lost on the customers and clients who were going to make or break electronic commerce. Privacy concerns quickly became identified as the most significant barrier to the widespread acceptance of electronic commerce. And so the challenge that arose was, how do we regulate the Internet and make it safe for electronic commerce without eradicating privacy?
In Canada, we responded to that challenge by passing a law, the Personal Information Protection and Electronic Documents Act, that strikes a balance between the legitimate information needs of businesses and the fundamental privacy rights of individuals. It sets out the rules of the game for businesses in Canada. And it gives me, as Privacy Commissioner, a greatly expanded mandate to protect privacy, through persuasion, oversight, and public education.
I want to talk to you today about that law, to let you know how we've addressed this issue in Canada, and how it's likely to affect you. But first, I want to say a few words about privacy, about why it's so important that Canada has laws and a Privacy Commissioner to protect it. And I want to talk about privacy and the difficult world we find ourselves in since the terrorist attacks of September 11.
Privacy is a fundamental human right. It's recognized as such by the United Nations, in international treaties and covenants, and in many national constitutions.
It is perhaps the most basic of freedoms. Some people say that it's the right from which all others flow: freedom of speech, freedom of association, freedom of conscience, to name a few.
It's not only an individual right, although we experience it that way and tend to think of it that way. It's a shared value, and a social, public good. It's critical to the functioning of a healthy liberal democracy. If we lose privacy, we feel it, as individuals. But our society is the real loser.
The heart of privacy is control of personal information: information about ourselves, about our dealings with others, about who we are, what we do, where we go, what we buy. If we control that personal information, if we have control over its collection, use, and disclosure by others, we have safeguarded our privacy.
If others control it, they violate our privacy, and with it, our autonomy and our freedom. Totalitarianism in its various guises has shown us that one way to control people is to get hold of the details of their personal lives. You control people by letting them know that at any moment someone may be looking over their shoulder. You make them weigh every action, every statement, every human contact. You let them wonder who might find out about it, make a record of it, judge it, misconstrue it, or use it to their detriment.
We are facing unprecedented choices with regard to privacy, as the result of advances in technology and in science. At every turn, we're confronted by new technologies that allow or demand the collection, use, or disclosure of personal information. Those technologies often promise to make our lives easier, more comfortable, more secure, less risky. All they ask in return is that we give up some privacy.
Making choices on these questions is not particularly new. They've been with us at least since the advent of computers, and arguably since states started collecting information about citizens for the purpose of social programs.
But they've taken on a new urgency and significance as a result of two things.
One is the growth of electronic commerce, and its use of technologies like cookies, web bugs, and digital certificates, that facilitate commerce but can eradicate privacy, if we don't assert control over them and impose our values on them.
The other is the balancing act between the right of privacy and the needs of public security. Law enforcement and security interests have always been a little frustrated by privacy rights. That frustration is something we've long accepted as healthy. It's what your country recognized in the Fourth Amendment to the Constitution. It's what Canadians embraced when they adopted the Charter of Rights and Freedoms.
Privacy on the Internet, and various means of protecting it like anonymization and encryption, presented a new and substantial challenge to law enforcement and security interests. In the last few years, we've gone through something of an uneasy balance. Law enforcement people talked about the threats of criminals using the Internet, and how what they called "excessive" privacy concerns made it hard to protect us against them. Privacy advocates argued, more or less successfully, that the threats were exaggerated, and the value of privacy under-recognized.
All that changed with the horrific events of September 11.
We know now what terrorists are capable of. The destruction wrought by the terrorists is unlike anything we've ever faced in North America, and we can't discount the evidence of a continuing threat. And that means that people who want to severely limit privacy, or even eradicate it, are not marginal or extreme anymore. They are pretty well assured of a large and sympathetic audience.
Suddenly, the job of a privacy advocate is much harder. To argue against any measure that even just looks like it might increase our security seems to many people the height of folly, or worse, irresponsibility.
The choices we make, faced with this unprecedented pressure to jettison privacy in the interest of security, will determine what kind of society we leave for our children and grandchildren.
The challenge for us now is to ensure that the fundamental human right of privacy does not fall victim to terrorism.
To say that privacy is a fundamental right is of course not the same as saying it's an absolute right. In the U.S., Canada, and Europe, we've all accepted some privacy-invasive measures to meet the kinds of security threats that we're now facing. And we may find it necessary to accept more.
But if we have to choose between security and privacy, we must do it calmly, carefully, and case by case. If governments think they need to infringe on privacy in the name of security, we have to insist that they be specific and limited in what they are proposing.
And we have to subject their proposals to the most rigorous scrutiny, and insist that they be justified according to the following criteria:
First, any proposed measure to limit or infringe privacy must be necessary to address a specific problem.
Second, it must be likely to be effective in addressing that problem; in other words, it must make us safer, not just make us feel safer.
Third, the degree of intrusion or limitation of privacy must be proportional to the security benefit to be derived. It can't be a sledgehammer used to kill a fly.
Finally, there must be no less privacy-intrusive measure that would achieve the same result.
Necessity, effectiveness, proportionality, and the absence of a less privacy-intrusive alternative: these are the tests that we should apply to any proposed new measure that would limit privacy rights.
Even then, we must be careful to distinguish between what might be appropriate as a short-term, emergency measure and what is justifiable as a lasting change.
What I've just said applies primarily to the actions of governments. But it's not exclusive to governments. Businesses of all sorts are concerned about their security in the current environment, and taking steps to protect it. A lot of the steps they are taking involve the personal information of their customers or employees. They need to be aware that their customers and employees have privacy rights. The best way to ensure that any new security measure they're contemplating doesn't unduly infringe privacy is to apply those tests that I mentioned.
Let me turn now to Canada's statutory protection of privacy, and what it means for electronic commerce, particularly for companies from outside Canada.
I'll say a brief word first about my role as the Privacy Commissioner of Canada, for those of you who may not be familiar with it.
I'm an Officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians. I don't work for, or report to, the government. I work for and report directly to the people of Canada, through the national Parliament.
My mandate flows from two statutes. The Privacy Act, passed in 1982, gives Canadians rights of control over and access to personal information about them held by federal government institutions. The Personal Information Protection and Electronic Documents Act, which began coming into effect on January 1st of this year, gives people similar rights in their dealings with the commercial private sector.
My job is to oversee both laws, and provide people with a means of recourse when their privacy rights are infringed. The Personal Information Protection and Electronic Documents Act is the one that's of interest to us here today. For reasons that I'll make clear, you should understand this law if you do business in Canada, even if it doesn't apply directly to you.
The act applies to personal information collected, used, or disclosed in the course of commercial activities. It restricts any such collection, use, and disclosure to, in the words of the act, "purposes that a reasonable person would consider appropriate in the circumstances."
You need to pay particular attention to that, because it's fundamental to what the act is about. What it means is that it's not enough for an organization to know exactly why it wants to collect, use, or disclose someone's personal information. It's got to be able to justify it. It's got to be thinking in terms of whether its reasons for doing so can meet the test of scrutiny by a reasonable third party.
The act incorporates a model code for the protection of personal information, which was developed jointly by business, government, and consumer groups. The code is based on the OECD principles of fair information practices, established some twenty years ago, and accepted worldwide as a baseline.
The most important principles of the code are as follows:
Apart from some very limited exceptions, no private sector organization can collect, use, or disclose personal information about someone without their consent.
It can collect, use or disclose that information only for the purpose for which they gave consent.
People have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and there is redress if people's rights are violated.
The workings of the act, and the way in which it's being applied, reflect the complications of Canadian federalism, with its division of powers and responsibilities between the federal and provincial governments. I know you face some of the same complications in this country.
Ultimately, what works best for business is a single standard for data protection. This legislation will get us there in Canada, although it will take a little time.
The act is coming into effect in stages. It has applied since January of this year to personal information, other than health information, of customers or employees of what are called federal works, undertakings, or businesses, principally banks, telecommunications, broadcasting, and interprovincial or international transportation.
It also applies to personal information (again, other than health information) when it's disclosed across provincial or national boundaries for consideration, including sale, lease, or barter, and when the personal information itself is the subject of the exchange.
In about a month and a half, in January 2002, the exclusion of personal health information will end. The act will then apply to personal health information about employees or customers of federal works, undertakings, or businesses, or that's disclosed across borders for consideration.
The final phase-in stage for the act is 2004. At that time, it will extend to all commercial activities in Canada. Where provinces have passed substantially similar privacy legislation, the federal government may exempt organizations and activities in the province from the application of the federal law to the collection, use, and disclosure of personal information within the provincial boundaries, and the provincial law will apply.
Federally-regulated businesses in those provinces will continue to be governed by the federal law. So will personal information in all interprovincial and international transactions by organizations in the course of commercial activities.
The upshot is that, before too long, we'll have seamless privacy protection in Canada.
All of the private sector will be required to comply with the federal law or a substantially similar provincial one. That's why I said a moment ago that you should familiarize yourselves with the federal law even if it doesn't apply to you directly. Whether it's the federal law or a similar provincial one, this is how business will be done in Canada.
Under the act, I'm an ombudsman. My approach to the investigation and resolution of complaints is generally non-confrontational. I don't have direct order-making powers. I try to resolve complaints through mediation and discussion.
The law does have teeth. I can subpoena witnesses, and, if necessary, enter and search premises. But in twenty years of administering the Privacy Act, the public sector law, my office has never had to use those powers, because voluntary cooperation was always forthcoming. So far, that's been the case with the private sector as well, and I'm optimistic that it will continue to be.
I also can act where I find that an organization is violating privacy rights and refuses to modify its conduct or remedy the situation.
There's the power of disclosure. I can make public, in a report to Parliament or in a press release, for example, that I find an organization's practices to be in violation of the law.
I can also go to the Federal Court and ask it to order an organization to do, or cease doing, whatever is necessary to come into compliance with the law, and I can ask the court to award damages to anyone whose privacy rights have been violated.
I won't hesitate to use these powers if I have to, but I think most private sector companies will recognize, if they haven't already, that good privacy is good business.
I expect that many of you are wondering how the new legislation will affect electronic commerce, and specifically American businesses. The biggest impact is likely to be felt by any American business that has a presence in Canada. As I've said, until 2004 the act only applies to federal works, undertakings, and businesses, and to any organization that discloses personal information across a border for consideration. Since they are federally regulated, the act now applies to banks, including American banks operating in Canada, such as Citibank Canada and The Chase Manhattan Bank of Canada.
So customers of Citibank Canada will have greater privacy protections than customers of Citibank in the U.S. In 2004, when the act will apply to any organization involved in a commercial activity, the number of American-based businesses affected will dramatically increase.
By virtue of this same jurisdiction over federal works, internet service providers are covered by the act. That means that they can only collect, use, or disclose personal information with consent, and they have to protect the information, provide access to it if requested, and adhere to the other provisions of the act. In other words, in Canada we already have a type of online privacy protection, limited though it may be. That kind of protection has been the subject of much debate in the U.S.
As I said, at the moment, the act also applies to any organization that discloses personal information across a border, or outside of Canada, for consideration. Among other things, this means that a Canadian organization could not sell or trade personal information to an American-based company without consent. So, an American-based credit card company that wanted to acquire a mailing list of Canadians who are good credit risks might find it harder to obtain this information.
Under the act, an organization that wants to send personal information to a third party for processing has to ensure that the third party protects the information. If the organization wanted to send the information to the U.S. for processing, the same requirement would apply. If the organization didn't ensure that the information being processed in the U.S. was adequately protected, my office could investigate and issue a report.
I expect that you'll also see a significant indirect impact. The passage of the act has generally increased awareness of privacy issues and made Canadians more aware of their privacy rights. It's contributing to what I call a "culture of privacy." That effect of the act won't be limited by the Canada-U.S. border, because it's not just Canadians who have rights under the act, but anyone whose personal information is collected, used, or disclosed by an organization subject to the act.
And I'm confident that this culture of privacy will also have an impact on businesses that are not covered by the legislation.
In short, you can't ignore this law.
But compliance shouldn't be onerous, and getting well acquainted with it has benefits besides staying on the right side of my office. That's because of two important points about this legislation.
First, it's a law that reflects good business practice as much as consumer demands or government's regulatory objectives. As I said earlier, it grew out of consultation with business, consumer groups, and government. Business representatives helped the legislators get it right, so that the act's requirements are grounded in the real world.
Compliance with the act has its challenges, but in general it's the kind of thing that businesses are good at anyway.
Second, this law doesn't set Canada apart. The principles on which it's based are widely recognized and accepted, and U.S. companies are going to be confronting them almost anywhere they do business. Virtually every other industrialized nation in the world either has legislation like this, or is putting it in place.
Even in the U.S., it seems to me, the debate isn't about whether the principles are valid, but about the best way to put them into practice. You've chosen so far to go with voluntary compliance rather than legislation or regulation as the means of ensuring the principles are observed. If that works, you are to be congratulated. I'm not here to sell you Canada's model.
But this is how we do it in Canada, and, as I say, it's similar to how it's done in many other countries. You'll find there are challenges in complying, but you'll find them worthwhile challenges.
We're living through a time where respecting privacy, defending it, strengthening it, is not necessarily seen as a top priority. Indeed, some people are going to try to make it look as though it's positively unpatriotic.
I think, on the contrary, that protecting and strengthening the fundamental right of privacy is fundamentally patriotic. I think it's an affirmation of everything in our democratic societies that we value and think worth protecting, worth fighting for.