The Impact of the Different Regulatory Models in the World Scenario
Privacy: Cost to Resource International Conference
Italian Data Protection Authority
December 5, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
I'm very happy to be able to participate in a conference on the advantages to business of respecting privacy. That's a subject about which I speak frequently to business audiences in Canada. It is my firm belief that respect for the privacy of customers and employees is a fundamental element of competitive advantage for businesses.
It's also a great pleasure to be at a conference hosted by the Italian Data Protection Commission, which is headed by one of the most respected Data Protection Commissioners on the international stage, Dr. Stefano Rodota. You here in Italy are very lucky to have privacy and data protection in such capable hands.
That is of the greatest importance, because privacy is a fundamental human right, recognized as such by the United Nations. Privacy is often described as the right from which all our other freedoms flow - freedom of speech, freedom of association, freedom of thought, virtually any freedom you can name.
As Justice Gérard La Forest of the Supreme Court of Canada has written, "privacy is at the heart of liberty in a modern state." To me, that's almost self-evident: How can we be truly free if our every move can be watched, our every activity known, our every preference monitored?
Privacy lets us live as free individuals. It means we have a right to a private sphere of thought and action that is our own business, and no one else's. It means that we don't have to go through life with persons unknown watching over our shoulders - watching and assessing every move, every purchase, and every human interaction.
And privacy is more than a fundamental human right. It's also an innate human need. When you go home at night, you probably close the curtains. It's not that you're trying to hide something. You just instinctively need your privacy, your freedom from being observed.
If you're on a bus or a plane, and someone starts reading over your shoulder, you probably feel uncomfortable. What you're reading isn't secret; it's just that your privacy is being invaded.
If you've ever had your home or even your car broken into, you'll know that the sense of intrusion, of having your privacy violated, can be even more painful than the loss of whatever was stolen.
And yet, almost every day, in some new and creative way, that innate human need, that fundamental human right - the right to privacy - is being chipped away. Individuals have the sense that businesses and governments have more curiosity about them than ever before. Every day someone wants more information about them. Every day someone has some new use for their personal information, or some new way of collecting it without their consent.
That thirst for personal information has become almost insatiable, and the pressures on privacy almost overwhelming, since the terrorist attacks of last year in the U.S. While this is primarily a business conference, it is difficult to talk of privacy and the need to protect it without referring to this broader context.
As many of you will know, since September 11, 2001, Dr. Rodota has been very much a leader in the ongoing struggle to protect and enhance privacy while ensuring security. I'm very proud to be alongside him in that struggle. It's certainly the most difficult privacy challenge facing us all right now.
The essence of the problem is that privacy is not an absolute right. All of us involved in privacy protection acknowledge that fact. We all accept that there may be a need for privacy-invasive measures to meet the kinds of security threats our world is facing. But these choices must be made calmly, carefully and case by case. The burden of proof must always be on those who suggest that some new intrusion or limitation on privacy is needed in the name of security.
In Canada, I have suggested that any such proposed measure must meet a four-part test. It must be demonstrably necessary to meet some specific need. It must be demonstrably likely to be effective - in other words, it must be likely to actually make us significantly safer, not just make us feel safer. The intrusion on privacy must be proportional to the security benefit to be derived. And it must be demonstrable that no other, less privacy-intrusive, measure would suffice to achieve the same purpose.
Necessity, effectiveness, proportionality, and lack of a less privacy-invasive alternative - that's the test that I believe can allow us to take all appropriate measures to enhance security, without unduly sacrificing privacy.
Compared to the threat that governments pose to privacy, the risks of private businesses collecting, using, and disclosing our personal information may seem minor. But they should not be underestimated. The threat may be less dramatic, but the fact is that a vast amount of our personal information finds its way into the hands of private businesses.
Of course, it's perfectly understandable why businesses want personal information. They depend on it. In an increasingly competitive globalized marketplace, they rely on personal information to identify and stay in touch with their customers. They want to use it to seek out new customers who might be interested in their products. They want to find out what the market is looking for and what it will bear. And they want information about their employees, so that they can administer benefits and ensure a safe and productive workplace.
Getting that personal information, and using it, in ways that don't offend the fundamental human right of privacy - that's the challenge for modern businesses. And they have to rise to that challenge, or they will alienate their workforces and drive away their customers.
This challenge is complicated by the fact that people more than ever insist on control over their personal information.
In a world where so much is taken out of our control, one of the few things that people still feel that they can control is their personal information. So they're sensitive on the subject of businesses collecting it. They want to know what happens to it and how it's used when they deal with businesses.
When businesses don't respect our rights, it strikes at our sense of control over our lives. And people respond very, very negatively to that. Let me give you a couple of examples from Canada.
Air Canada, our major airline, operates a program called Aeroplan, where people earn and redeem "points" every time they fly on Air Canada planes or do business with partners in the program. Some six million people participate. In June 2001, Aeroplan sent 60,000 of them - about one per cent - a brochure called "All about your privacy."
That brochure caused Aeroplan a lot of problems.
It didn't communicate clearly, simply, in plain language what Aeroplan would do with members' personal information. It was vague about what information was to be shared, with whom, and for what purpose. It appeared to say that potentially highly sensitive information about personal and professional interests, use of products and services, and financial status would be shared.
Members could opt out, by indicating each situation where they did not want their information shared, and then mailing the brochure back to Aeroplan. If they didn't opt out, Aeroplan would consider them to have consented.
Not surprisingly, members objected when they received Aeroplan's brochure.
In fact, my Office was flooded with e-mails from people objecting. As a result of the overwhelming public interest, I had to publicly state my own concerns about the program. That didn't make things pleasant for the people at Aeroplan.
The good news is that my Office was able to work with Aeroplan to remedy the situation. It was a painful lesson for them. In spite of all their efforts to ensure that they were respecting privacy, they fell down on this very basic requirement - the requirement to communicate their practices clearly to their members and get their informed consent.
A similar situation happened with Canada Post, the public sector corporation responsible for moving the mail in Canada. It offers a change of address service, for a fee, if people want their mail redirected from their old address to their new one. That's a useful service, but with a significant privacy price-tag.
The problem was that, unless people had read the fine print, they wouldn't know that Canada Post did more with their names and addresses than just redirect their mail. It sold their new addresses, and the buyers included list brokers, mass mailers, and direct marketers.
So when they moved to their new addresses and asked Canada Post to redirect their mail, they would get their mail, alright - and they'd also get marketing brochures, junk mail, and telephone solicitations. To avoid this, they had to opt out in writing.
When this came to light, the public was utterly indignant. As had been the case with Air Canada, corporate good sense prevailed. Canada Post moved to make the process more transparent and switch to a system of opt-in consent.
These are the types of incidents that can plague a company that is not respectful of privacy. People are getting angrier and angrier. They want control over their personal information, including, and maybe especially, when it's connected with their financial transactions.
Think about what it means for a company that's seeking a competitive edge, if its customers perceive it as careless about privacy.
And you have to ask yourself: what are some of these companies thinking? What use is a mailing list made up of names of people who may very well not want to be marketed to? Why would any marketer want a list like that?
Organizations collect and analyze personal information to find out who is going to want their products and promotions. The key to that is getting people's solid, affirmative consent to the use of their personal information.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or give false information. They'll inundate companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
That, to my mind, is the largest single reason why respecting privacy is less and less regarded as a business cost. Smart businesses are coming to see that respecting privacy is a key element of good customer relations - and that makes it a key element of competitive advantage.
And what, fundamentally, is respect for privacy? In the business world, it's really nothing more complicated than respect for the golden rule - do unto others as you would have them do unto you. It's not an abstract legal concept. It's simple consideration, respect, and courtesy - the essence of a good relationship with your customers and employees.
Of course, protecting privacy is more than just a wise business move. And privacy is more than just an individual right. Privacy is a public good. It goes to the heart of decisions that people make collectively about how they want to live as a society. That's why privacy and data protection legislation are so fundamental to the fabric of our societies.
In Canada, we've had privacy protection in the public sector since 1983. The Privacy Act puts important limits on the Federal government's ability to collect, use, and disclose information about Canadians. It gives Canadians the right to see what information federal government institutions hold about them. And it gives me, as Privacy Commissioner, broad powers to initiate and investigate complaints and audit compliance. Most of our provinces have followed the example of the federal government, and enacted similar laws applying to their public sectors.
But for a long time Canadians have been concerned about privacy in their dealings with the private sector, too. Computer networking, sophisticated surveillance technologies, commercial trade in customer information, and the explosive growth of the Internet have heightened their concerns.
That's why, over the past fifteen years or so, Canada has worked on developing privacy protection that will apply to the private sector. In 1984, we adopted the OECD's Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. The Canadian Standards Association, with representatives from business, government, labour, and consumer groups, used the OECD Guidelines as the starting point for a model privacy code for the private sector. The Code was completed in 1996, and incorporated by the government into the Personal Information Protection and Electronic Documents Act, which came into effect in January, 2001.
This law strikes a balance between the legitimate information needs of the private sector and the fundamental privacy rights of individuals. It has been able to achieve that balance partly because the Canadian Standards Association's Code on which it is based was the result of a consultative, cooperative process.
The Act incorporates provisions that are common to data protection laws around the world - the requirement for consent to collection, use, or disclosure of personal information; the requirement that personal information collected for one purpose not be used or disclosed for other purposes without consent; the right of individuals to see the personal information that an organization holds about them and to correct inaccuracies; oversight, through me and my office, to ensure that the law is respected, and redress if people's rights are violated.
In addition, the Act contains a very important provision that is not always found in data protection laws. Even with consent, an organization can only collect, use, or disclose information for purposes that a reasonable person would consider appropriate under the circumstances.
That provision - "the reasonable person test" as it's known - is what makes the Act a true privacy protection statute, rather than just a code of fair information practices. It's particularly important in situations like employment, where there's a power imbalance between an individual and an organization that wants to collect, use, or disclose his or her personal information. The organization can't use its greater bargaining power to coerce the individual to consent. It has to be able to justify what it wants to do, and show that it's reasonable.
Of course, what's reasonable varies from one situation to another. Video surveillance of employees in a diamond polishing operation, for example, might be reasonable. But it's not likely to be reasonable in an insurance company - whether or not employees consent to it.
The Act applies at the moment to industries that, under the constitution, are the responsibility of the federal government - primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to personal information held by any organization if it's sold, leased, or bartered across provincial or national boundaries.
Beginning in January 2004, the Act will apply across the board - to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations - except where provinces have passed their own privacy legislation.
At that point, we'll have seamless privacy protection in Canada.
As I'm sure you're aware, Canada's privacy law is one of the few outside the European Union that the EU considers adequate to protect the personal information of its citizens. Last December, the European Commission recognised that the Act meets the demands of the EU's Data Protection Directive and provides adequate protection for personal information transferred from the EU to Canada.
This is a major step forward for Canada. It's an important element in the competitive strength of Canadian businesses.
But when I say that, in fact I'm selling privacy a little short. As important as it is to affirm that good privacy is good business, it's not enough. Privacy is much, much more.
Privacy is a fundamental human right, and it's the safeguarding of that fundamental right that is the real achievement of our privacy laws, in your country as in mine.
And so, when businesses respect the privacy of their customers and employees, yes, they are improving their own competitive position. Yes, they are demonstrating consideration and courtesy and basic respect. But they are doing much more.
When businesses respect privacy, they are enhancing individual autonomy, and advancing the cause of freedom and human dignity. That is what privacy really means.
This presents businesses, not with a burden, but with an opportunity, a duty and a challenge. It is an opportunity, a duty and a challenge that I'm sure the Italian business community, with the help of my esteemed colleague Dr. Rodota, will be able and eager to meet.