The Impact of Canadian Privacy Legislation
Canadian Corporate Counsel Association
National Spring Conference
April 23, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
I very much appreciate this opportunity to talk to you today about the Personal Information Protection and Electronic Documents Act, or the PIPED Act as it's known.
I want to talk in particular about what the Act means for you as corporate counsel: not just what you'll have to do to help your clients comply with it, but how the Act brings you and your clients into a partnership with my Office in the enterprise of protecting privacy. Because the fact of the matter is that, while I have a mandate as an Officer of Parliament to protect privacy, I don't work alone. I work shoulder-to-shoulder with individual Canadians, industry associations, and businesses.
Some of you will already have some experience advising your clients about the PIPED Act. If you haven't yet, you will. If an organization conducts commercial activities in Canada, within the next couple of years either the PIPED Act or a substantially similar provincial law will apply to it.
The implications of this are far-reaching. Let me give you some examples.
If your clients collect personal information from customers in the course of concluding a commercial transaction, it will have to be treated in accordance with the requirements of the PIPED Act.
Contracts will have to ensure that personal information in the custody of third-party processors is handled in accordance with the Act.
In a sale or purchase of corporate assets that include customer data, your client is going to have to know precisely what personal information is included in the transaction, what it's expected to be used for, and how and when to get consent for its use.
You as counsel will have to give consideration to the use and disclosure of personal information held by a corporation in a winding-up or bankruptcy.
If your clients are trying to protect their interest in copyright material, particularly when it's disseminated over the Internet, you'll need to know the privacy implications of things like collecting information on end-users.
You'll also need to understand the privacy aspects of employment.
The requirement for compliance, and your role in advising your clients on how to comply, in all these areas is a very good reason for you to focus your attention on the PIPED Act. But let me add another reason, one that's even more important: Respect for privacy is a fundamental element of competitive advantage in today's economy. Help your client respect privacy, and you help your client's bottom line.
Privacy was a business concern well before the PIPED Act began coming into effect in January of 2001. In fact, privacy is an inescapable feature of the contemporary business environment.
Businesses need personal information to operate. They need it about their employees, of course, just as they always have; they have to know whom they're hiring and how they do their job.
And, more than ever, they need it about their customers.
Markets are increasingly fragmented, and businesses have to continually sharpen their focus, distinguishing sets and subsets of their customer base, if they want to stay alive. The competitive environment is even tougher when markets are global. And it's tougher yet with electronic commerce, when consumers have instant access to a vast array of competing suppliers.
The more information a business has about its customer base, the greater its ability to compete: to design and market products that will interest its customers, and capture the attention of potential new customers.
Personal information has become a commodity in its own right, as businesses recognize the exchange value of bits and pieces of their own customer databases. A whole industry has developed around the collection, analysis, reformatting, and selling of personal information.
This is not in and of itself a "privacy problem"; more to the point, it doesn't have to be one. When businesses collect, use, and disclose the personal information of customers or potential customers, it's not necessarily bad.
Indeed, it's easy to argue that it's good. If I drive a Ford pickup, I may well be interested in offers of products or services that interest other Ford drivers. And I'm more likely to want to hear about those than about products and services that interest Lexus drivers. Marketing that's aimed at me, based on information about me, is less likely to waste the marketer's money and my time and patience.
But personal information is at the heart of privacy. Our right to control access to ourselves and information about ourselves is in fact the definition of privacy.
That's why consumers are concerned about exactly this kind of collection, use, and disclosure of personal information. They know it's crucial to modern business methods, and they know it can be of real benefit to them. But they are not willing to give up their privacy, their right to control information about themselves.
It's interesting to note the results of Yahoo and ACNielsen's most recent quarterly survey of consumer confidence in the Internet. The survey revealed that the more people engage in e-commerce, the more likely they are to have a negative privacy experience of one sort or another: a credit card fraud, an identity theft, a security failing that exposes their personal information, or simply a blatant grab and unauthorized use of their personal information. As the electronic economy grows, so do privacy concerns.
A recent report prepared for the Digital Media Forum found that privacy concerns translated into losses to Internet retailers of up to $18 billion. It noted the opportunities lost to US firms when they can't assure their trading partners that personal information will be protected. And it commented on the costs that firms incur protecting their unregulated personal information databases against subpoenas from law enforcement, competitors, and private litigants.
In every speech I've given since I was appointed Privacy Commissioner, I've made a point of emphasizing the importance of privacy to individuals and to society. Privacy is a fundamental human right, a critical element in the basic freedoms that make our society worth living in, including freedom of speech, of association, and of conscience.
But, as I've just outlined to you, it's also very important to business. It's not just a matter of ensuring compliance with legislation, or of making sure that your client doesn't get bad publicity from a privacy disaster. Good privacy is, quite simply, good business. Respect for and protection of the privacy of customers and employees confers a competitive advantage on the firm that understands it and honours it.
Respecting privacy has to be more than just protecting against possible litigation, and your advice to your clients can be a lot more valuable to them than just that. Privacy is intrinsic to building and maintaining relationships with customers and employees. In particular, it's the key to successfully establishing new relationships with new customers.
Businesses want to know who is going to want their products and promotions. They get that by getting customers' solid, affirmative consent to the use of their personal information. Some of you may be familiar with the phrase "permission marketing." That's what businesses should be aiming for.
If people don't trust businesses, if they see businesses abusing their privacy, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
This is why privacy is, as I said, an inescapable feature of the business environment in a globalized economy. And that's a fact recognized in every developed nation.
If your client has offices in Europe or if it does a lot of business with Europe, you'll know that privacy protection comes with the territory. The EU's member states prohibit the transfer of their citizens' personal information to jurisdictions lacking adequate privacy protection.
The EU Directive and the PIPED Act are part of a worldwide trend. In countless jurisdictions, legislators know that without data protection and privacy laws, consumers simply won't give businesses the personal information they need. The only significant exception is the US. And while their anti-regulatory tradition has so far held off general privacy legislation, there's no dispute in the US that they have to address the impact of privacy on commerce somehow. Whether they continue with self-regulation and a patchwork of laws or else decide to legislate broadly remains to be seen, but no one disputes that it has to be addressed.
So, for you as corporate counsel, just as for your clients, privacy will present opportunities if you've made an effort to familiarize yourselves with it, and hazards if you're unacquainted with it.
Let me turn now to the PIPED Act, its purpose and provisions, and how it will affect organizations subject to it.
The purpose of the Act is to balance the privacy rights of individuals with the needs of organizations to collect, use, and disclose personal information.
What the Act says can be summed up as follows:
Apart from limited exceptions, a private sector organization cannot collect, use, or disclose personal information about an individual without consent.
An organization can collect, use or disclose that information only for the purpose for which the individual gave consent.
Even with consent, an organization can only collect, use, or disclose information for purposes that a reasonable person would consider appropriate under the circumstances.
Individuals have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. That's primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.
Beginning in January 2004, the Act will apply right across the board: to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is this. In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses in all provinces. And it will also continue to apply to personal information when it's sold, leased, or bartered across provincial or national boundaries.
That's why I said at the outset that your clients will be affected either by the PIPED Act or by a substantially similar provincial law.
A few words now about my role.
I'm an independent Officer of Parliament, appointed to champion the privacy rights of all Canadians. My mandate has two major facets.
First, oversight: It's my duty to ensure respect for individual rights under the PIPED Act, and under the Privacy Act, which governs the federal public sector. That includes investigating and adjudicating complaints from individuals.
In this role, I'm an ombudsman. When an organization and its customers or employees get into a dispute about privacy, my objective is to find a solution that works for everyone.
I do have full investigative powers. I can order the production of documents, enter premises, and compel testimony. But in nearly twenty years of overseeing the Privacy Act that applies to the federal public sector, neither I nor my predecessors have ever had to use these powers. We've always been able to get voluntary cooperation. I very much hope that the same will be the case with the new private sector legislation.
If I find that an organization is violating privacy, I'll suggest how the problem can be fixed.
I don't have order-making powers. But I do have means of persuasion.
I can make the problem known publicly, and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The ombudsman model, in my opinion, is the best one for protecting privacy. I say this for a number of reasons.
For one thing, an ombudsman, unlike a court, doesn't have to wait until privacy is violated before defending it. Once someone's privacy has been violated, it's very difficult, if not impossible, to restore it. An office like mine can intervene to address threats to privacy, whether from proposed legislation or from some new corporate strategy, before they become violations.
Another reason is that the nature of privacy, and the threats to it, demand something other than a narrowly legalistic view of the law. I have a law degree, and I have a deep respect for the courts. But black-letter law just can't always meet the challenge of the nuances of privacy. It doesn't permit the level of discretion, sensitivity, and flexibility required to give effect to privacy as a right.
We've seen a lot of instances over the last few years where something that's deeply offensive and privacy-invasive is in fact not a violation of the letter of the law. Things like the Longitudinal Labour Force File developed by Human Resources Development Canada, or the routine opening of international mail by Customs agents, were not violations of the law. But they were grave privacy infringements nonetheless. These would have been difficult to challenge in court. But persuasion, flexibility, and reasonableness led to victories for privacy, and for all the parties concerned.
That kind of outcome, where you move beyond the letter of the law to better capture its spirit, is specific to the ombudsman model. It's much harder to do it when a privacy commissioner has actual order-making powers, and is precluded from reading the law in a sensitive, purposive way.
The other major aspect of my mandate is education and promotion: The PIPED Act gives me a mandate to educate Canadians about their privacy rights and promote respect for privacy.
Now that we've got a year of the PIPED Act under our belts, let me talk briefly about a couple of significant findings in complaints. They'll illustrate what I've said about the Act and the ombudsman role: common sense, fairness, consciousness of the public interest, and balancing privacy rights with the legitimate informational needs of organizations.
In one case, a physician complained to me that an information brokering company was improperly collecting and disclosing his personal information by gathering and selling data on his prescribing patterns without his consent.
The information broker gathers information about prescriptions from pharmacies and other sources. It uses the information to produce customized information products, which identify physicians and rank them by prescribing activity for various drugs. Those information products are then sold to pharmaceutical sales representatives, who use them to target marketing to physicians.
Clearly, there was no consent. But was this personal information, within the meaning, scope, and purpose of the Act?
My finding was that it was not. The Act defines personal information simply as "information about an identifiable individual." But the key is that it must be about an individual.
A prescription is not information about the physician as an individual. It's information about the professional process that led to its issuance.
To regard it as personal information would lead to absurdities. If prescribing patterns are information about a physician, then so are identifiable patterns in any work products. Does a contractor use the newest roofing materials, or stick with what was popular 10 years ago? Does a garage mechanic fix only the problem that was reported, or discover other purported problems that run up the bill? To regard such things as "personal information" could have been the end of all sorts of legitimate commercial consumer reporting. And it would be a truly absurd result if a roofing contractor could escape consumer reporting simply by operating under his own name, like "John Doe Roofing."
So I needed to interpret the PIPED Act flexibly and sensibly, rather than literally, to prevent an outcome that would not be in the public interest.
In another case, a person complained to me that a bank refused to grant her access to her credit score.
Credit scoring is a method of assessing an individual's likelihood of repaying debt on time. A credit score is determined by means of an algorithm that "runs" an individual's personal information against a credit scoring model.
Each financial institution develops and uses its own unique credit scoring model. A particular bank's model is shaped by factors such as its corporate policies, business strategies, and corporate and product objectives.
The bank that was the subject of this complaint argued that disclosing the individual's credit score could allow a competitor to deduce the scoring model it used. That wouldn't happen if just the one score were released. But the bank provided a study showing that it could happen if as few as 24 individual credit scores were obtained.
It seemed highly unlikely to me. But we had an expert in algorithms look at it, and he confirmed that technically it would be possible. And the bank's competitors assured us that this was indeed how they would do business.
The Act specifically allows organizations to refuse to disclose personal information that would reveal confidential commercial information. I concluded that the Act permitted the bank to refuse the complainant access to her score.
In this case, the overall purpose of the Act influenced my decision. The complainant's privacy rights and those of Canadians at large are not significantly harmed by inability to obtain access to credit scores. What counts is that financial institutions explain to individuals their credit standing or why credit has been denied or limited. They can do that without disclosing actual credit scores.
I want to turn now to a very important case dealing with consent. Consent (the simple idea that, if you want to collect, use, or disclose my personal information, you need my permission) is fundamental to privacy. Most of the important provisions of the PIPED Act relate to consent.
There are different ways consent can be given. The Act recognizes that consent need not be explicit in absolutely every case. But like most privacy advocates I believe that it should be explicit whenever possible.
Some six million people earn and redeem travel miles or "points" within Air Canada divisions and affiliates (known as the "Air Canada Family") and with various partners in the Aeroplan Frequent Flyer Program. In June 2001, Air Canada sent 60,000 of them a brochure called "All about your privacy."
The brochure listed five situations in which the Air Canada Family and partners could share personal information of Aeroplan members among themselves and with external sources. Members were instructed to check off a box for each situation where they did not want their information shared. It was then left up to each plan member to mail the brochure back to Air Canada.
This opt-out consent is what people complained to me about.
The PIPED Act explicitly recognizes that opt-out consent is appropriate in some very limited situations. But it's still pretty poor privacy. It puts the onus on the wrong party. Someone who wants to use our information should get our permission. Inviting people to actively opt in to something, as opposed to requiring them to opt out of it or suffer the consequences, is simply a matter of basic human decency.
It was bad enough that this brochure marked the first time that members were told, after the fact, of the sharing and use of their personal information. But in addition the brochure was vague about what information was to be shared, with whom, and for what purpose. Plan members would have a hard time knowing what they would be consenting to if they didn't opt out. A plan member who out of sheer perplexity refrained from checking the opt-out box could be consenting to almost anything.
The vagueness meant that consent was not informed. But even if it had not been vague, was the use of opt-out consent reasonable?
The Act says that the form of consent to be used must reflect the information's sensitivity and the individual's reasonable expectations.
What was to be shared included information about personal and professional interests, use of products and services, and financial status. This can be highly sensitive personal information. A reasonable person would consider it inappropriate to collect that kind of information about plan members for those purposes without their express consent.
My conclusion was that Air Canada was in contravention of the Act. I recommended that Air Canada inform all Aeroplan members as to the collection, use, and disclosure of their personal information, clearly explain the purposes for the collection, use, and disclosure of their personal information, and seek opt-in consent regarding all information-sharing situations.
The lesson from this is not just that opt-out is bad. It's that opt-in is better. If organizations want to satisfy the expectations of their customers, they should use opt-in. They should be up-front about what they're doing.
You'll recall my earlier comment about permission marketing. If a firm's customers are likely to approve of what the firm wants to do with their personal information, they'll be gratified if it shows them the respect of asking them anyway. There's a competitive advantage in being known as a company that respects privacy. If they're unlikely to approve, the company simply shouldn't be doing it, because there's a distinct competitive disadvantage in being known as a company that violates privacy.
Many of you will be involved with your clients in responses to complaints under the PIPED Act. Let me conclude my talk today with a few words of practical advice about the process.
This is what I tell Chief Privacy Officers and others who are the first line of contact in a complaint. It shouldn't be necessary for me to say it, but it is, because all too often, the complaint process is seen as an adversarial, win-lose process. It's not. As an ombudsman, I'm trying to find a workable solution for everyone.
My advice to the Chief Privacy Officers is this: If we call you about a complaint, don't call in the lawyers.
That's not meant to denigrate, in any way, the very important role of corporate counsel.
But our informal system is to your clients' advantage, to the complainants' advantage, and to ours. Turning it into an adversarial process doesn't benefit anyone. Creating confrontation in circumstances that are much better served by cooperation wastes your time and your clients' money.
Obstructive behaviour won't stop me from investigating a complaint, because the law requires me to. It won't stop me from issuing whatever finding I conclude is appropriate, because that's my duty. All it does is risk creating public controversy: the very thing your clients are eager to avoid.
Since good privacy is good business, your role as corporate counsel goes hand-in-glove with mine. Your role as counsel, obviously, is to help your clients comply with the law and respect privacy rights. My Office does the same, and we've undertaken a lot of initiatives in that respect. I encourage consultation between my office and the business community, and I've met with many business organizations. We've produced a business guide and a backgrounder to the Act, and a number of factsheets. Summaries of all my decisions under the Act are posted on our website to serve as guides to interpretation.
And so, with that said, let me simply end by saying that I am looking forward to a harmonious and productive working relationship with all of you.