An Overview of the Upcoming Privacy Legislation
Canadian Federation of Independent Business
May 28, 2003
Senior Director General, Communications & Policy
(Check against delivery)
It's a pleasure to be with you here today. As a former entrepreneur myself, I have great empathy for the challenges the small business owner faces as well as tremendous respect for the vital role they play in our economy and our society.
I think that the new PIPED Act is good news for us as Canadians and I hope by the end of my talk to allay any fears some businesses may have about its implementation in January 2004.
As entrepreneurs, members of the Canadian Federation of Independent Business are concerned that their companies are well-managed, competitive, and profitable. As of January 2004, they'll also have to be concerned about protecting the privacy of their customers. This is because, as you know, next January 1 all businesses in Canada that collect, use and disclose personal information will have to comply with the PIPED Act-new legislation implemented by the federal government to protect the privacy of Canadians in the private sector, or with a substantially similar provincial law.
The PIPED Act sets out ground rules for how private-sector organizations may collect, use and disclose personal information in the course of their commercial activities.
There are some businesses that may already be familiar with the PIPED Act because they are engaged in activities covered by the Act-such as sharing information across borders for consideration.
But for those who aren't familiar with it, there's no time like the present-because in the next few months this will be the business environment in which all your members will be operating.
In an increasingly competitive marketplace, we understand that businesses rely on personal information to identify and stay in touch with their customers. However, businesses must be mindful about respecting and protecting privacy.
It's not an abstract legal concept. It's simple consideration, respect and courtesy-the essence of a good relationship with your customers and employees.
Before I talk about the Act, let me say a word or two about the meaning and importance of privacy.
So, what exactly is privacy?
It's often called "the right to be let alone." That's a good enough definition, as far as it goes. It reflects people's visceral reaction to being monitored or scrutinized or bothered. That's what "invasion of privacy" means to many people.
But there's another kind of privacy invasion that's less obvious, and that's the collection, use and disclosure of information about us without our knowledge or consent.
That's why George Radwanski, the Privacy Commissioner of Canada, defines privacy as the right to control access to one's person and information about oneself.
This concept is useful for understanding how our privacy is threatened. Privacy used to be protected by default.
As long as information about us was in paper records scattered over a lot of locations, someone would have had to go to a lot of trouble to invade our privacy. Unless you were famous or important, or "notorious", your privacy was pretty safe.
But those barriers of time, distance and cost are gone. With developments like computerized data bases, surveillance technologies, biometric identification, and genetic testing, a stranger at a computer can compile a detailed dossier on our whole life in a matter of minutes.
Now we, as individuals and as a society, must go to considerable trouble to ensure that our privacy is respected. The choices we make in facing this challenge will determine not only what kind of society we live in, but the kind of society we will leave to our children and grandchildren.
Now, why do I say that? What's so important about privacy?
To begin with, it's a fundamental human right, recognized as such by the United Nations. It's sometimes called "the right from which all our freedoms flow," and it's easy to see why.
You can't have freedom of speech, association, or thought, for example, in a society where your every move is watched, your every activity known, and your every preference monitored. As former Justice La Forest of the Supreme Court of Canada once wrote, privacy is "at the heart of liberty in a modern state."
Privacy is an innate human need. When you go home at night, you probably close the blinds. It's not that you're trying to hide something. You just instinctively need your privacy, your freedom from being observed.
If you're on a bus or a plane, and someone starts reading over your shoulder, you probably feel uncomfortable. What you're reading isn't secret-it's just that your privacy is being invaded.
If you've ever had your home or even your car broken into, you'll know that the sense of intrusion, of having your privacy violated, can be even more painful than the loss of whatever was stolen.
Suppose a police officer decided to walk directly behind you on the street all day, quite obviously and deliberately following you everywhere you go. I'm sure you'd find that unacceptable, even if he wasn't saying a word to you or bothering you in any direct way. You'd feel very self-conscious - because he was invading your privacy.
In Canada, we, as free citizens, have the right to anonymity as we go about our business.
Almost every day, in some new and creative way, this innate human need and fundamental human right is being chipped away by advances in technology and the ever-shifting balance between privacy and security.
Sometimes it's subtle, sometimes it's a direct attack. In either case, we have to answer the challenge.
Which brings me to the PIPED Act, because one of the ways that Canadians have responded to the challenge is to legislate to protect privacy.
I said a moment ago that any of your members who collect, use, or disclose personal information in the course of commercial activities in Canada will be subject either to this Act or a substantially similar provincial one.
When you're talking to your members about this, some of them may breathe a sigh of relief and say, "Thank goodness, that doesn't include us. We don't collect, use or disclose personal information."
I'd suggest that you get them to make absolutely sure.
They might be surprised by how much personal information they do in fact collect, use, or disclose, and what they do with it. Just because they're not a bank or a retailer that participates in a loyalty program doesn't mean that they can assume that the Act doesn't apply.
A close examination of how they run their business might well reveal that they do in fact hold and use personal information. Think of things like mailing lists of customers or prospects.
Or think of a convenience store, which you might not think of as collecting or using personal information-until you realize that it also rents out videos and keeps lists of customers.
If each business were to conduct a privacy audit to determine what personal information they collect, use and disclose in the course of their business, they would likely be surprised at the extent of it all.
Once your members have figured out that the Act is going to apply to them, you may hear some groaning at the thought of one more regulatory burden.
I can understand business people's concern about being overwhelmed by privacy regulators, privacy problems, and privacy complaints. But I think you can set them at ease by pointing out two things.
First, the PIPED Act reflects the realities of the business world, rather than some abstract Ottawa thinking. It's based on the Canadian Standards Association's Model Code for the Protection of Personal Information.
That Code, which is actually incorporated into the legislation, came out of a collaborative effort by representatives of government, consumers, and business groups. These groups met and discussed the development of a code as a way of enhancing the business environment.
Canada is actually the first country in the world to have private sector privacy legislation that is based on a collaboratively-developed national standard. These groups recognized that good privacy is good business, and that protecting their customers' rights and treating their personal information with respect gave them a competitive advantage.
Second, if an organization is subject to the PIPED Act, then yes, it will be subject to oversight by the Commissioner and our Office-but we're here to help business, not to hinder it.
The Act ensures that organizations' legitimate needs for personal information can be balanced with the privacy rights of individuals. The Commissioner's role in that is to be an ombudsman, not an enforcer. He's interested in finding solutions to privacy problems, not in finding someone to blame for them.
So what is the PIPED Act all about then and what will your members have to do to implement it?
Basically it means that an organization that wants to collect, use, or disclose personal information about people needs their consent, except in a few specific and limited circumstances.
It can use or disclose people's personal information only for the purpose for which they gave consent.
Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that an organization holds about them, and to correct any inaccuracies.
There's oversight, through the Commissioner and his Office, to ensure that the law is respected, and redress if people's rights are violated.
A common misconception to be aware of is that some believe that the PIPED Act applies only to Web sites, e-commerce or businesses operating on the Internet. This is simply not the case.
The PIPED Act applies to all businesses whether they conduct their business electronically or not.
Right now, the Act applies to all personal information that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. Those are primarily banks, airlines, telecommunications companies, broadcasters, and interprovincial or international transportation companies.
It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.
Beginning in January 2004, the Act will apply right across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is where provinces have passed privacy legislation that's "substantially similar" to the PIPED Act. Where that's happened, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries.
The Act will continue to apply to federal works, undertakings, and businesses, and to personal information that's collected, used, or disclosed across provincial or national boundaries.
There's a frequent misunderstanding about this point. The application of the Act will expand in 2004 to commercial activities that normally fall under provincial jurisdiction.
But it won't extend to employment in those activities. The only place the PIPED Act will apply to employment will be in federal works, undertakings, or businesses.
You might want to stress this with your members, because we've found that a lot of people miss it. For those of your members who are operating federal works, undertakings or businesses-I would think you have some, like small airlines or interprovincial transportation companies-the PIPED Act is going to apply to their employment practices.
For the others, probably the majority of your members, it will not, though of course it will affect the way they handle their customers' or clients' personal information.
You might also want to stress to your members that it's a good idea for them to review their privacy practices in employment anyway. It's very likely that provincial privacy laws will apply to employment.
In fact, the Commissioner's view is that they will have to, or they won't be considered substantially similar to the PIPED Act.
You may want to stress to your members the importance of appointing an individual to have overall responsibility for privacy throughout their organization. In large organizations, the Chief Privacy Officer fills this role, but for most businesses, it would be reasonable to have an individual fulfil this role as a part-time responsibility. This would assure that privacy responsibilities and issues are addressed.
I'll come back to the question of substantially similar provincial legislation in a moment, but I want first to describe what we at the Office of the Privacy Commissioner do.
The Commissioner is an independent Officer of Parliament, with two major aspects to his mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, which is a similar law that has applied to the federal public sector for the last twenty years.
In his oversight role, the Commissioner acts as an ombudsman. He uses negotiation and persuasion to find solutions. He's not interested in blaming or punishing organizations.
He has full investigative powers, and if it's necessary in an investigation he can order the production of documents, enter premises, and compel testimony. But in twenty years of the Privacy Act, the Commissioner has never had to use those powers.
We've always been able to get voluntary cooperation. That's been the case so far with the PIPED Act as well, and we're confident that it will continue to be the case.
If the Commissioner concludes at the end of an investigation that an organization is violating privacy, he recommends how the problem can be fixed.
He doesn't have order-making powers, although he has a number of means at his disposal to ensure that privacy rights are respected and that his recommendations are not ignored.
For example, if an organization won't comply, he has the sanction of being able to make the problem known publicly and then rely on public opinion to move things forward.
Or he can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of his mandate is to educate Canadians about their privacy rights and promote respect for privacy.
That includes things like putting summaries of all his findings on our Web site, developing business guides and fact sheets, and meeting groups like yours.
The Commissioner has a very active speaking schedule, which reflects the priority that he puts on communications activities. We're also undertaking some new communications initiatives specifically geared to helping small and medium-sized businesses implement the PIPED Act.
For example, we are developing a special e-kit that will be posted to our Web site, which will include a check-list for businesses, fact sheets, a PowerPoint presentation and other material specifically geared to SMEs, to help them get ready.
We plan on preparing an article specifically for your members to put on the CFIB Web site and include in your newsletter. And we're undertaking a major cross-Canada community newspaper article campaign.
I'd like to discuss our plans with you later and get your feedback as to what you feel would be most helpful.
Coming back now to the question of substantially similar legislation: Since several provinces have begun legislative initiatives in this area, you probably want to know what substantially similar means.
Simply put, provincial privacy legislation will have to be as strong or stronger than the PIPED Act to be considered substantially similar.
At this point only Quebec has legislation that has been deemed substantially similar. Both BC and Alberta have introduced new legislation, but they are not, in the Commissioner's opinion, substantially similar. The final decision rests with the Minister of Industry and the Federal Cabinet.
The result will be that the principles of the PIPED Act will be part of the business environment throughout Canada. Many of your members will have brought their practices into line with them already.
Obviously, one reason they've done that is because they want to be in compliance with the law right from the word "go." But there's another good reason, and that's that respecting and protecting privacy is a significant element of competitive advantage.
Their customers want privacy, their employees need it-and, most importantly, some of their competitors are going to provide it.
In fact, a research report conducted by U.S.-based Harris Interactive in 2002 indicated that privacy concerns were included in the top three "major concerns" consumers expressed: 75% of respondents were worried that companies that they patronize would provide their information to other companies; 69% worried that hackers could steal their personal data; and 70% worried that their transactions may not be secure.
The report also indicated that overall consumer trust in companies is low and that businesses that violate consumers' privacy expectations have reason to worry. 83% said they would stop doing business with a company entirely if they heard or read that the company misused customer information.
We recognize that gearing up to protect privacy this way isn't easy. It takes time, attention, and resources. But part of our job is to help you with it. That's why we encourage consultation between our Office and the business community, we've produced public education material, and the Commissioner meets frequently with business organizations.
The PIPED Act came about because the government recognized that the lifeblood of modern business is personal information.
Businesses depend on personal information, to stay in touch with their customers, seek out new customers, and find out what the market is looking for and what it will bear. And they want information about their employees, so that they can administer benefits and ensure a safe and productive workplace.
Getting and using that personal information in ways that don't offend privacy-that's the challenge for modern businesses. The proper treatment of personal information is key - it helps to maintain a business' image, gains and retains the trust of customers, assures that there is accurate information for marketing purposes and ultimately gives the business a competitive advantage in the market place.
They have to do that, or they'll drive away their customers.
Let me give you a couple of examples.
Take the Aeroplan program, where people earn and redeem points every time they fly on Air Canada planes or do business with partners in the program. Some six million people participate. In June 2001, Aeroplan sent 60,000 of them-about one per cent-a brochure called "All about your privacy."
That brochure caused Aeroplan a lot of problems.
It didn't communicate clearly, simply, in plain language what Aeroplan would do with members' personal information. It was vague about what information was to be shared, with whom, and for what purpose.
It appeared to say that potentially highly sensitive information about personal and professional interests, use of products and services, and financial status would be shared.
Members could opt out, by indicating each situation where they didn't want their information shared, and then mailing the brochure back to Aeroplan. If they didn't opt out, Aeroplan would consider them to have consented.
Not surprisingly, members objected when they received Aeroplan's brochure.
In fact, our Office was flooded with e-mails and letters from people objecting. Given the overwhelming public interest, the Commissioner publicly stated his concerns about the program. That didn't make things pleasant for the people at Aeroplan.
The good news is that Aeroplan was able to work with us to remedy the situation. But it was a painful lesson for them.
In spite of all their efforts to ensure that they were respecting privacy, they fell down on this very basic requirement-the requirement to communicate their practices clearly to their members and get their informed consent.
A similar situation happened with Canada Post's change of address service. Canada Post, for a fee, will redirect people's mail from their old address to their new one. That's a useful service, but until recently, it came with a significant privacy price-tag.
The problem was that, unless people had read the fine print, they wouldn't know that Canada Post did more with their names and addresses than just redirect their mail. It sold their new addresses, and the buyers included list brokers, mass mailers, and direct marketers.
So when they moved to their new addresses and asked Canada Post to redirect their mail, they would get their mail, alright-along with marketing brochures, junk mail, and telephone solicitations. To avoid this, they had to opt out in writing.
When this came to light, the public was really indignant. As had been the case with Air Canada, corporate good sense eventually prevailed. Canada Post moved to make the process more transparent and switch to a system of opt-in consent.
This is what can happen to organizations that trip up on privacy. People are getting angrier and angrier. They want control over their personal information.
When you're talking to your members, you might get them thinking about what that means for a company that's seeking a competitive edge.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or will give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of frustration and resentment. And they'll look for competitors who do respect their privacy.
That's one of the reasons we say that respecting privacy is a key element of good customer relations-and that makes it a key element of competitive advantage.
Our view is that good privacy is, in the end, good business.
That may be the most important implication of Canada's privacy law for your members.
I look forward to working with you in the months ahead. I hope you will tell your members about our upcoming e-kit for SMEs, which should be posted to our Web site in the next few weeks. And I hope you will assure your members that our Office is always here to help.