The Spanish Data Protection Authority and Latin-American Centre of Data Protection Conference
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
May 20, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
I'm very happy to be able to be helpful to this conference, because it is likely to lead to more countries extending privacy protection to their citizens.
That is of the greatest importance, because privacy is a fundamental human right. The United Nations recognizes it as such. Privacy is often described as the right from which all our other freedoms flow-freedom of speech, freedom of association, freedom of thought, virtually any freedom you can name.
As Justice Gérard La Forest of the Supreme Court of Canada has written, "privacy is at the heart of liberty in a modern state." To me, that's almost self-evident: How can we be truly free if our every move can be watched, our every activity known, our every preference monitored?
Privacy lets us live as free individuals. It means we have a right to a private sphere of thought and action that's our own business, and no one else's. It means that we don't have to go through life with persons unknown watching over our shoulders-watching and assessing every move, every purchase, and every human interaction.
And privacy is more than a fundamental human right. It's also an innate human need. When you go home at night, you probably close the curtains. It's not that you're trying to hide something. You just instinctively need your privacy, your freedom from being observed.
If you're on a bus or a plane, and someone starts reading over your shoulder, you probably feel uncomfortable. What you're reading isn't secret; it's just that your privacy is being invaded.
If you've ever had your home or even your car broken into, you'll know that the sense of intrusion, of having your privacy violated, can be even more painful than the loss of whatever was stolen.
And yet, almost every day, in some new and creative way, that innate human need, that fundamental human right-the right to privacy-is being chipped away. Businesses and governments have more curiosity about us than ever before. Every day someone wants more information about us. Every day someone has some new use for our personal information, or some new way of collecting it without our consent.
But privacy is not just an individual right. It's also a public good. It goes to the heart of decisions that people make collectively about how they want to live as a society.
In Canada, we've had privacy protection in the public sector since 1983. The Privacy Act puts important limits on the Federal government's ability to collect, use, and disclose information about Canadians. It gives Canadians the right to see what information federal government institutions hold about them. And it gives me, as Privacy Commissioner, broad powers to initiate and investigate complaints and audit compliance. Most of our provinces have followed the example of the federal government, and enacted similar laws applying to their public sectors.
But for a long time Canadians have been concerned about privacy in their dealings with the private sector, too. Computer networking, sophisticated surveillance technologies, commercial trade in customer information, and the explosive growth of the Internet have heightened their concerns.
In 1984, Canada joined 22 other nations in adhering to the OECD's Guidelines for the Protection of Privacy and Transborder Flows of Personal Data.
In 1991, a committee of the Canadian Standards Association undertook to develop a model privacy code for the private sector, using the OECD Guidelines as a starting point. The committee included representatives from business, government, labour, and consumer groups. They completed their model code in 1996. It would become the basis of Canada's privacy legislation for the private sector.
What really pushed Canada to develop privacy protection in the private sector was the European Union's Data Protection Directive. As you know, it came into effect in October 1998. It stipulates that businesses in EU countries may only transfer personal data to countries that ensure an adequate level of protection.
In the fall of 1998, the Federal Government incorporated the Canadian Standards Association's Model Privacy Code into the Personal Information Protection and Electronic Documents Act. This new law for the private sector came into effect in January, 2001.
This Act strikes a balance between the legitimate information needs of the private sector and the fundamental privacy rights of individuals. It has been able to achieve that balance partly because the Canadian Standards Association's Code on which it is based was the result of a consultative, cooperative process.
What the act says, basically, is this:
Apart from some very limited exceptions, no private sector organization can collect, use, or disclose personal information about an individual without his or her consent.
It can collect, use, or disclose that information only for the purposes for which the individual gave consent.
Even with consent, it can only collect, use, or disclose information for purposes that a reasonable person would consider appropriate under the circumstances.
Individuals have the right to see the personal information that an organization holds about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected. And there is redress if people's rights are violated.
I'm sure most of you are familiar with provisions like these. They're found in almost all data protection laws around the world.
There are some unavoidable complications in the way in which the Act is applied. They're unavoidable because Canada's constitution divides powers and responsibilities between the federal and provincial governments. But with a fundamental right like privacy protection, it's critically important to have uniformity across the country because privacy is indivisible. It cannot be respected federally and violated provincially, or vice versa.
Right now, the Act applies to all personal information that's collected, used, or disclosed in commercial activities by federal works, undertakings, and businesses. That means, primarily, banks, airlines, telecommunications companies, broadcasters, and transportation companies. These are all industries that, under the constitution, are the responsibility of the federal government. It also applies to the personal information of employees in these organizations. And it applies to personal information held by provincially-regulated organizations if it's sold, leased, or bartered across provincial or national boundaries.
Beginning in January 2004, the Act will apply across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations.
There's one special circumstance, however, that's an exception. That's where a province has passed privacy legislation that's "substantially similar" to the PIPED Act. Where that's happened, the federal government can decide that the Act doesn't apply to all or part of the provincially-regulated private sector, for commercial activities that take place within the province's boundaries. The Act will still apply to federal works, undertakings, and businesses, and to any personal information that's collected, used, or disclosed across interprovincial or international boundaries.
The end-result of this will be that all of the private sector will have to comply with the federal law or a substantially similar provincial one. At that point, we'll have seamless privacy protection in Canada.
My mandate flows from these two laws that I've mentioned, the Privacy Act and the PIPED Act. I'm an independent Officer of Parliament, appointed for a seven-year term, reporting, not to the government, but directly to the people of Canada, through Parliament.
There are two major aspects to my mandate. The first is oversight. That includes investigating and adjudicating complaints under the Privacy Act and the PIPED Act.
In this role, I'm an ombudsman. That means that I don't make orders. I try instead to find solutions. I work to persuade organizations to respect privacy. I think that's a more useful approach than blaming or punishing them for violating it.
I do have full investigative powers. I-and through me my investigators-can order the production of documents, enter premises, and compel testimony. But in almost twenty years of overseeing the Privacy Act in the federal public sector we've never had to use those powers. We've always been able to get voluntary cooperation. So far, that's been the case with the private sector as well.
After an investigation, if I conclude that an organization is violating privacy, I'll recommend how the problem can be fixed. Usually my recommendations are accepted. If they are not, I can publicize the matter and let public opinion push the organization to change its practices and respect privacy. Or I can ask the Federal Court to order the organization to do what it needs to do, and to pay damages to someone whose privacy it's violated. These are very effective ways of ensuring that privacy rights are respected, and that my recommendations aren't ignored.
The second major aspect of my mandate is to educate Canadians about their privacy rights and promote respect for privacy. This is a very important priority for me.
So, for example, I address audiences across Canada to raise awareness of privacy and speak out against violations of it. Since I started a year and a half ago, I have given over 62 speeches. We have a lively, informative website where speeches and summaries of complaint findings are posted. We provide things like compliance guides and fact sheets for businesses, consumers, and community groups.
As I'm sure you're aware, Canada is one of the few countries outside the European Union with a data protection law that the EU considers adequate to protect the personal information of EU citizens. Last December, the European Commission recognised that the Act meets the demands of the EU's Data Protection Directive and provides adequate protection for personal information transferred from the EU to Canada.
In addition to complying with European trade requirements, the Personal Information Protection and Electronic Documents Act is a major step forward for privacy in Canada. It is also an important element in the competitive strength of Canadian businesses. For Canadians, respect for their privacy is an essential requirement for doing business. Businesses that demonstrate respect for their customers' privacy do more than just avoid complaints under the Act. They make an important investment in customer loyalty.
The greatest benefit of protecting privacy is that is that it safeguards a fundamental human right. That right is at the heart of our freedoms. When we strengthen privacy, we strengthen freedom. If you legislate to protect privacy in both the public and the private sectors, you will have advanced the cause of freedom and human dignity. I hope that you will seize that opportunity. And if I and my office can help you in any way, I will be delighted to do so.
Best wishes with the rest of your conference. Thank you.
- Date modified: