Privacy in Canada: A new private sector law that makes good business sense
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Calgary Chamber of Commerce
May 7, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
I want to talk to you today about privacy and why it's important. But I'm not speaking as some regulator or enforcer descending on you from Ottawa to tell you how to run your businesses, or to burden you with some new bureaucratic rules. I want to talk about privacy, first, as something that's important to all of us, and second, as a valuable aspect of your business strategies-as something that will give you a competitive advantage.
Privacy is important to all of us because it's what lets us live as free individuals-free to read what we please, think as we please, associate with whom we please. It lets us be who we are. It means that we don't have to go through life with someone watching over our shoulders-watching our every move, every purchase, every human interaction; someone analyzing patterns in our behaviour; interpreting, and maybe misinterpreting, our actions; judging, and maybe misjudging, our intentions.
Freedom of thought, association, conscience, and speech, to name just a few, are all grounded in our right to privacy.
Privacy in this country got a great boost when Parliament passed the Personal Information Protection and Electronic Documents Act, or PIPED Act as it's known. Some of you may be familiar with the Act. Those of you who aren't will be soon. Within the next couple of years, if you conduct commercial activities in Canada, either this Act or a substantially similar provincial one will apply to you.
I wouldn't be surprised if your reaction to that is, "Great. More laws. More regulations. More compliance issues."
I appreciate that concern, and I want to assure you that part of my job is to help prevent privacy laws from being that kind of burden.
I actually think the effect of the PIPED Act and similar provincial legislation is quite the opposite. I think it's really good news for businesses in Canada.
As I'm sure you're aware, the European Union's member states insist on adequate privacy protections in any jurisdiction to which they transfer personal information of their citizens. Firms in Canada wouldn't be able to do business involving the personal information of EU citizens without consistent privacy legislation in Canada.
But it's good news for reasons beyond that, because the basic fact is that good privacy is good business.
The essence of privacy is personal information, and in fact I define privacy as the right to control access to oneself and to information about oneself.
Obviously, that makes privacy a business issue, because personal information is, increasingly, the lifeblood of modern businesses. And for your businesses, privacy can be either an enormous banana peel waiting for you to step on it, or the basis of a strong relationship with your customers.
The PIPED Act balances individual privacy rights with the needs of businesses to collect, use, and disclose personal information.
Here's what the Act looks like:
If you're an organization covered under the Act and you want to collect, use, or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
You can use or disclose people's personal information only for the purposes for which they gave consent when you collected it.
Even with consent, you've got to limit your collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that you hold about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. That's primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across interprovincial or international boundaries.
Beginning in January 2004, the Act will apply right across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is this. In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses in all provinces. And it will also continue to apply to personal information when it's collected, used, or disclosed across interprovincial or international boundaries.
I should caution you at this point about a frequent misunderstanding. While the application of the Act will expand in 2004 to commercial activities that normally fall under provincial jurisdiction, it won't extend to employment in those activities. The only place the Act will apply to employment will be in federal works, undertakings, or businesses. It's very likely, however, that provincial privacy laws will apply to employment, because my view is that they will have to, or they won't be considered substantially similar to the PIPED Act.
So those are the broad outlines of the Act. Now let me give you a brief description of what I do.
I'm an independent Officer of Parliament, with two major aspects to my mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, which is similar legislation that has applied to the federal public sector for almost twenty years.
In my oversight role, I'm an ombudsman. That means I'm there to find solutions, not to blame or punish people.
I have full investigative powers, of course. I-and through me my investigators-can order the production of documents, enter premises, and compel testimony. But in almost twenty years of overseeing the Privacy Act, which covers the federal public sector, we've never had to use these powers. We've always been able to get voluntary cooperation. I very much hope that the same will be the case with the new private sector legislation.
If I find that an organization is violating privacy, I'll recommend how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal to ensure that privacy rights are respected and my recommendations are not ignored.
If an organization refuses to comply, I can make the problem known publicly-and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of my mandate is education and promotion. Under the PIPED Act, I have a mandate to educate Canadians about their privacy rights and promote respect for privacy.
As I mentioned a moment ago, the PIPED Act will apply to all commercial activities as of 2004, except where a province passes substantially similar legislation. What that means is that the principles of the PIPED Act will be part of the business landscape, and we'll have a seamless web of privacy protection in this country.
Many of you will have brought your practices into line with these principles already. Maybe that's because you want to get a head start on compliance. But I suspect that it's just as likely that you know that your customers want privacy, your employees need it-and, most importantly, your competitors are going to provide it.
Nothing this important is easy. It takes time and attention-and resources. But you're protecting what's often called "the right from which all freedoms flow." That, I'm sure you'll agree, is worth a little effort.
Part of my job is to help you with that effort. I am committed to consultation between my office and the business community, and I've met with many business organizations. We've undertaken a lot of initiatives to help businesses. We've produced a business guide and a backgrounder to the act, for example, and a number of factsheets. Summaries of all my findings under the Act are put up on our website to help you with interpretation.
I want to turn now to one of the critical issues in interpretation of the Act, and that's consent. If you want to collect, use, or disclose someone's personal information, you need their permission. That's fundamental to privacy, and to the PIPED Act.
Consent can be given in different ways. Like most privacy advocates I prefer it to be explicit, wherever possible. But the Act recognizes that it doesn't have to be in every case.
That brings us to the question of opt-out consent, where a firm that wants to collect, use, or disclose people's personal information gives them the option to say no. If people don't exercise the option, the firm takes that to be consent, and proceeds.
This isn't necessarily a terrible thing, and the Act allows it in certain circumstances where it's appropriate. But you have to be careful, because unless the circumstances are right, you could be putting the onus on the wrong party.
And that could be bad for business, because your customers may perceive it as disrespectful.
If your customers are likely to approve of what you want to do with their personal information, and you show them the respect of asking them anyway, they'll be gratified-and that pays off for you. There's a competitive advantage in being known as a company that respects privacy.
If they're unlikely to approve, you probably won't want to do it. Sometimes it looks to me as though some companies use opt-out consent as a way of slipping something by the customers. If they are, it's understandable, I guess-they're thinking about the bottom line. But I think that concern for the bottom line should push them in the direction of using explicit opt-in consent. It seems to me that there's a distinct competitive disadvantage in being perceived by customers as a company that violates privacy.
My recommendation is that you err on the side of caution whenever there's any doubt about whether opt-out is appropriate. Your customers will recognize that you're respecting their privacy if you invite them to actively opt in to something, rather than requiring them to opt out of it.
You may have heard about a complaint I received involving Canada Post. It's covered by the Privacy Act, rather than the PIPED Act, but the principles are the same. We've been able to get this resolved, so I won't discuss the case in detail. But the story is instructive about the risks of using opt-out consent.
For a fee, Canada Post will redirect your mail from your old address to your new one. Until we got it sorted out, this came with a hefty privacy price-tag: Canada Post sold your name and address to list brokers, mass mailers, and direct marketers.
If you didn't want this, you had to notify Canada Post in writing within seven days-in other words, opt-out consent.
I've talked about this mostly from the perspective of someone who is mandated to protect privacy. But let me put myself in your shoes and present it from the perspective of a businessperson.
Canada Post is a monopoly, but no company, not even a monopoly, wants a privacy uproar on its hands. People were outraged when it recently came to light what Canada Post was doing.
Think about how much more troubling that is for a company that's seeking a competitive edge. You risk your competitive position if your customers perceive you as careless about privacy.
And you have to ask yourself: for what? Why would any marketer want a list of potential customers made up of people who may not want to be marketed to? That's not going to be very useful.
Organizations collect and analyze personal information to find out who is going to want their products and promotions. The key to that is getting people's solid, affirmative consent to the use of their personal information.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
The competitive advantage goes to the firm that respects privacy. Good privacy is, in the end, good business.
Normally, this is where I'd end a talk like this. But there is something else I want to raise with you, in your capacities, not just as businesspeople, but as community leaders.
Privacy is more than good business. It's a fundamental right, and a cornerstone of a free society. As I'm sure some of you are aware, I've invested a lot of time and energy recently to challenging what I see as one of the most urgent threats to privacy in Canada, and that's police video surveillance of public streets.
We have a long-standing right in this country to go about our lives without constant scrutiny by the state. We mustn't trade this away for a fantasy of greater security.
I say "fantasy" for two reasons.
First because, contrary to what some people believe, Canada's crime rates are not soaring. In fact, they've been declining steadily since 1992.
Calgary is no exception to that trend. The rate of criminal code offences in Calgary in 2000, the last year for which we have proper statistics, was 35% lower than what it had been in 1991. And it was lower than the rate in any other major western Canadian city-lower than Winnipeg's, lower than Vancouver's, lower than Victoria's and Saskatoon's and Regina's.
Second because, even if we were in the midst of a crime wave, video surveillance wouldn't be an effective response. There's absolutely no evidence that video cameras reduce crime. At best they displace it - move it from where the cameras are, to where they aren't.
So there's no reason to believe that video surveillance cameras here in Calgary will reduce crime or make you safer. But there is every reason to believe - to know - that they will reduce privacy, and permanently diminish our fundamental rights and freedoms.
I'm raising this with you because I've read that your police force here in Calgary is considering installing a public video surveillance system. That means that you, as community leaders, have a choice-one that will help determine what kind of society we have in Canada.
So my final suggestion to you, as community leaders, is to consider this very carefully, base your decisions on facts-and make your voices heard.
As business people, you're the ones who can strengthen privacy in commercial activity and employment to give full effect to Canada's new privacy law. As community leaders, you're the ones who can strengthen and protect privacy and help build a genuinely safe free society.
I urge you to do both.
- Date modified: