Privacy: The Defining Issue of This Decade
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Canadian Community Newspapers Association
May 30, 2003
Vancouver, British Columbia
Privacy Commissioner of Canada
(Check against delivery)
It's a pleasure to be here today to address you. As a former journalist myself, I always enjoy talking to newspaper people. And as Privacy Commissioner of Canada, with a mandate to inform and educate Canadians about their privacy rights, I'm an enthusiastic supporter of community newspapers, which play a particularly important role in getting a message out to the grass roots.
I want to talk to you about Canada's privacy law for the private sector, the Personal Information Protection and Electronic Documents Act, or PIPED Act as we call it.
This law began coming into effect in 2001, and has had a significant effect on Canadians' lives. In less than a year its scope will expand dramatically. I want to enlist your help in dealing with that-in ensuring that citizens understand their rights under the Act, and in helping businesses understand that privacy is both a fundamental human right and good business practice.
There's a widespread perception that privacy is a selfish interest, one that's at odds with the collective interests of society. You even hear that from some journalists, who say that privacy laws diminish openness in society. And you certainly hear it from people who advocate more government intrusion in our lives in the interest of security against crime and terrorism.
My answer to those voices is that privacy is vitally important, not just to individuals but to society as a whole, and in particular to a free and democratic society.
Privacy, which I define as the right to control access to one's person and information about oneself, is a fundamental human right, recognized as such by the United Nations. It's sometimes described as "the right from which all freedoms flow." Freedom of speech, freedom of association, freedom of thought, virtually any freedom you can name, all are based on the right to privacy, and are unthinkable without it.
To me, that's almost self-evident: How can we be truly free if our every move is watched, our every activity known, our every preference monitored?
And yet, almost every day, in some new and creative way, this fundamental human right is being chipped away. Sometimes the diminution is subtle, sometimes it's a full frontal attack-but the process is begun and it is a challenge we must answer.
To do that, we must take the view that privacy is not just an individual right-it is a public good. It reflects decisions we have made as a people about how we will live as a society. Privacy is, as Justice La Forest of the Supreme Court of Canada has said, "at the heart of liberty in a modern state." And we are, all of us, the loser if individual liberty is lost.
That's particularly important to remember in our current situation, when we're under pressure to sacrifice privacy in the interest of security against crime and terrorism.
We tend to attribute this to the reaction to the terrorist attacks of September 11, 2001. But it predates those attacks. The fact is that law enforcement and other state agencies have seized on the attacks as an opportunity to advance their privacy-invasive agendas-including video surveillance of public streets, monitoring of our communications, removal of our right to anonymity, and tracking us as we travel.
I've been very active on this front, opposing these threats to the privacy of Canadians.
I've never claimed that privacy is an absolute right. I have repeatedly made clear that there are circumstances where it is legitimate and necessary to sacrifice some elements of privacy in the interests of security. And I have never once raised privacy objections to any genuine anti-terrorist or security measures.
But the burden of proof must always be on those who say that such a sacrifice is necessary.
I believe that any proposed measure to limit or infringe privacy must meet four very specific criteria. First, it has to be demonstrably necessary to meet a specific need-an actual need, not a potential or speculative one. Second, it must be demonstrably likely to be effective in addressing that problem. Third, the loss of privacy must be proportional to the security benefit to be derived. And, finally it must be demonstrable that no less privacy-invasive measure would suffice to achieve the same result.
I believe we must rigorously apply these four criteria to any new security or anti-terrorist initiative that threatens to infringe or limit privacy. I've applied them to the Canada Customs and Revenue Agency's proposed "Big Brother" database of the travel patterns of innocent Canadians-and the Government, to its credit, stepped back and scaled down the database to make it much more respectful of privacy.
I've also applied the criteria to the Government's "Lawful Access" proposals to monitor our Internet communications and activities, the Minister of Immigration's suggestion of a national identity card with biometric identifiers, the RCMP's video surveillance of public streets, and the provisions of Bill C-17, the Public Safety Act, that would put Canadian air travellers through a virtual police line-up to ensure that they're not wanted for anything. None of these initiatives begins to meet the test. For that reason, my fight to stop these unjustified intrusive measures will continue.
But let me turn now to the good news-the PIPED Act, which brings privacy protections to Canadians in their dealings with organizations engaged in commercial activities.
This law is becoming more important in the lives of Canadians every day. Beginning in January of next year, any organization conducting commercial activities in Canada will be subject either to the PIPED Act or a substantially similar provincial one.
So let me give you an outline of the Act's purpose, provisions, and application.
The Act is intended to balance individual privacy rights with the needs of businesses to collect, use, and disclose personal information.
The heart of it is the Canadian Standards Association's Model Code for the Protection of Personal Information, originally a voluntary code put together by business, government, and consumers, and incorporated into the Act.
The basic outlines of the Act look like this:
If an organization covered under the Act wants to collect, use, or disclose someone's personal information, it needs their consent, except in a few specific and limited circumstances.
It can use or disclose personal information only for the purpose for which the person gave consent when the organization collected it.
Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that an organization holds about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. That's primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.
Beginning in January 2004, the Act will apply right across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is this. In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses in all provinces. And it will also continue to apply to personal information when it's collected, used, or disclosed across provincial or national boundaries.
As journalists, you can rest assured that the Act doesn't prevent you from doing your jobs. The Act doesn't apply to personal information that's collected, used or disclosed for journalistic, artistic or literary purposes, as long as it's not collected, used or disclosed for any other purpose. In its commercial activities, of course, a newspaper is covered by the Act just like any other organization. So personal information about subscribers, for example, is covered by the Act.
Those are the broad outlines of the Act. I'll come back to the question of substantially similar provincial legislation in a moment, but first let me briefly describe what I do.
I'm an independent Officer of Parliament, with two major aspects to my mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, which is similar legislation applying to the federal public sector.
In my oversight role, I'm an ombudsman. That means I'm there to find solutions, not to blame or punish people.
I do have full investigative powers, of course. I can order the production of documents, enter premises, and compel testimony. But in twenty years of overseeing the Privacy Act in the federal public sector, I and my predecessors have never had to use these powers. We've always been able to get voluntary cooperation. The same has been the case so far with the new private sector legislation, and I very much hope that it will continue to be so.
If I find that an organization is violating privacy, I'll recommend how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal to ensure that privacy rights are respected and my recommendations are not ignored.
If an organization refuses to comply, I can make the problem known publicly-and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of my mandate under the PIPED Act is to educate Canadians about their privacy rights and promote respect for privacy.
That's where you come in.
I know how crucial a role community newspapers can play. In the lead-up to the 2001 Census, my staff prepared a feature story entitled Your Privacy and the Census to respond to Canadians' concerns on this issue. We distributed the article to community newspapers across Canada through this Association and Les hébdos du Québec. More than 100 community newspapers picked up the article, and we reached hundreds of thousands of Canadians
This is one of the best ways to get in touch with people. Community newspapers give us a great geographic cross-section of Canada, and a mix of rural and urban readership that's hard to match. As well, a single story in community newspapers has a lot of impact, since they tend to be shared around the household, and kept around longer than big-city dailies.
We're hoping to work even more closely with your members as we approach 2004 and the extension of the PIPED Act to all commercial activities. This summer we want to launch the first of a series of feature stories, in order to help small and medium-sized enterprises understand their responsibilities, and citizens their rights, under the Act. Once again, we're hoping to distribute the articles through your organization and Les hébdos, and encourage community newspapers to publish them.
I mentioned that the PIPED Act will apply to all commercial activities as of 2004, except where a province passes substantially similar legislation. That brings me to what's actually a third aspect of my mandate.
The Governor in Council, on the recommendation of the Minister of Industry, will ultimately make the determination as to whether to consider a given provincial law as substantially similar. But I have an obligation under the Act to review and comment on provincial privacy legislation and report annually to Parliament on the extent to which the provinces have enacted substantially similar legislation. I expect my recommendations to be a key factor in the Minister of Industry's determination.
So what does "substantially similar" mean? I interpret it as meaning equal or superior to the PIPED Act. In reviewing provincial legislation, I'll be looking for, at a minimum, the ten principles of the CSA's Model Code. I'll look particularly closely at consent, the reasonable person test, access and correction rights, oversight, and redress. Provincial privacy legislation will have to be as strong or stronger than the PIPED Act in those areas to be considered substantially similar.
That's a high standard, but it's quite attainable. In May 2002, I reported to Parliament that Quebec's Act Respecting the Protection of Personal Information in the Private Sector is substantially similar to the PIPED Act.
Here in British Columbia, the provincial government has introduced Bill 38, the Personal Information Protection Act. A very similar Bill has been introduced in Alberta. Both Bills have many positive qualities. But they also have serious flaws, and unless those flaws are addressed, I will not be able to recommend that the Bills be considered substantially similar.
Both Bills fail to recognize the importance of privacy rights in employment. They specifically allow the collection, use and disclosure of employee personal information without consent-completely depriving an employee or a prospective employee of any control over his or her information.
The collection, use or disclosure has to be reasonable for the purposes of establishing, managing or terminating an employment relationship. But that's a low standard-it could mean almost anything-and, worse, it only operates after the fact, which is not much use.
Here's what I mean. An employer might think that it's reasonable to collect and disclose information about an employee's health, say, or religion, or sexual orientation. The Bills would allow the employer to do that, without consent.
The employee could complain that this wasn't reasonable-maybe file a grievance, maybe complain to the provincial privacy commissioner. But even if a grievance or complaint were successful, it wouldn't amount to much, because the information would have already been collected, used, and disclosed, against the employee's will. The employee's privacy would have been violated. The damage would have been done. You can't give someone back their violated privacy, any more than you can put toothpaste back in the tube.
These Bills also fail to ensure that their most important protections apply to personal information that was collected before they come into force. In other words, there's no need for consent to use or disclose information that has already been collected.
This is a serious weakness. The PIPED Act, in contrast, doesn't distinguish between personal information collected before and after its coming into effect. To use or disclose information collected before the Act came into force, organizations require consent-it's as simple as that.
Next, any good privacy law has to give individuals the right to find out what personal information organizations have about them and to correct any information that's incomplete or wrong. Both of these Bills fall short of the standard set by the PIPED Act.
Individuals would be prevented from obtaining access to information about themselves if it would reveal the identity of the person who provided the information. Without access to this information, the individual wouldn't even know it existed, let alone be able to challenge its accuracy.
And when an individual disputes the accuracy of information about him or her, there's no requirement that the organization in control of the information inform other organizations of that fact. That means that other organizations that have access to the information can retain, use and disclose it, without even knowing that its accuracy is disputed.
The Alberta Bill has some additional weaknesses with respect to access. Individuals can be denied access on the grounds that disclosure might result in that type of information no longer being provided to the organization. This is an amorphous basis for denying access, and it would be almost impossible for an individual to challenge. There's nothing like it in the PIPED Act.
The Alberta Bill also differs from the PIPED Act in that it allows an organization to charge an individual "reasonable" fees for access to his or her information. The PIPED Act requires that access be provided at "minimal or no cost."
The B.C. Bill has some particular problems about consent.
The concept of consent is at the heart of privacy law. It's through consent that individuals control personal information about themselves.
The B.C. Bill specifically refers to implicit consent-a weak form of consent that is acceptable only in certain limited circumstances-but says nothing about express or written consent.
This could lead an organization to assume that it can rely entirely on implicit consent. There is nothing in the legislation to prevent an organization from doing so, nor anything that the B.C. Commissioner, who would have oversight responsibility for the law, could use to require express consent.
The PIPED Act strongly recommends the use of express consent with respect to the collection, use or disclosure of sensitive information. A privacy law that allowed organizations to rely entirely on implicit consent would provide a significantly lower level of protection than the PIPED Act.
The Alberta Bill doesn't have this specific weakness, but it has another that could turn out to be even worse. It gives discretion to the Cabinet to issue regulations dealing with consent, as well as for procedures for access requests, collection, use or disclosure without consent, and the personal information to which the law doesn't apply.
This gives the Cabinet power to dramatically lower the level of protection provided by the Bill, without full and open public debate. Regulation-making authority should be limited to unforeseen housekeeping matters. No broad regulatory discretion of this sort exists in the PIPED Act.
The Alberta Bill would also permit the Cabinet to delay the application of the law to professional regulatory bodies and non-profit organizations, or even exempt them entirely. At first glance that might not seem to be a problem. But some non-profit organizations collect highly sensitive information, including information about medical conditions. To allow them to disclose this information for gain without consent would provide a lower level of protection than under the
PIPED Act. The obvious solution is for the Bill to apply to them to the extent that they engage in commercial activities. That would be consistent with the PIPED Act. But to exempt them entirely is another matter.
Finally, both Bills would allow collection, use or disclosure without consent for the purposes of an investigation or proceeding. This is a necessary feature of any privacy law, but the wording of the Bills is far too open-ended. They define the terms "investigation" and "proceedings" very broadly, and in doing so, they give a discretion that's much wider than what's found in the PIPED Act. The result is that they allow too many situations in which personal information can be collected, used or disclosed without consent.
In short, these two Bills simply don't afford Canadians privacy protection at a level they are entitled to expect. If the legislatures of Alberta and B.C. enact these Bills without addressing these weaknesses, I will not be able to recommend that they be considered substantially similar to the PIPED Act.
That doesn't invalidate the Bills, of course. If the Governor in Council doesn't find them to be substantially similar, they'll remain in effect. But effective January 1, 2004, they'll operate concurrently with the federal law. Where the PIPED Act sets higher standards than the provincial laws, it will take precedence, and all organizations carrying out commercial activities will have to comply with its provisions.
Whether it's the PIPED Act itself that applies or substantially similar provincial laws, the PIPED Act's principles will be part of the business environment throughout Canada as of January. Many businesses have brought their practices into line with these principles already. That's partly because they know that they have to be in compliance. But it's also because they recognize that respecting and protecting privacy is a significant element of competitive advantage. Their customers want privacy, their employees need it-and, most importantly, their competitors are going to provide it.
Businesses rely on personal information to identify and stay in touch with their customers. They use it to seek out new customers who might be interested in their products. They want to find out what the market is looking for and what it will bear. And they want information about their employees, so that they can administer benefits and ensure a safe and productive workplace.
Getting and using that personal information in ways that don't offend the fundamental human right of privacy-that's the challenge for modern businesses. And they have to rise to that challenge, or they will alienate their workforces and drive away their customers.
It's complicated by the fact that people more than ever insist on control over their personal information.
In a world where so much is taken out of our control, one of the few things that people still feel that they can control is their personal information. So they're sensitive on the subject of businesses collecting it. They want to know what happens to it and how it's used.
When businesses don't respect people's rights, it strikes at their sense of control over their lives.
Think about what that means for a company that's seeking a competitive edge.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
That, to my mind, is the largest single reason why respecting privacy is good business. It's a key element of good customer relations-and that makes it a key element of competitive advantage. Conversely, there's a distinct competitive disadvantage in being known as a company that violates privacy.
Adjusting to this isn't a cakewalk, and part of my job is to give businesses a helping hand with it. So I encourage consultation between my Office and the business community, and I've met with many business organizations. We've produced a business guide, a backgrounder to the Act, and a number of fact sheets. Summaries of my findings under the Act are put up on our Web site to help with interpretation.
All that helps, but it may not be enough, especially with extension of the PIPED Act to the entire private sector. That's why I'm hoping that community newspapers will get the message out to individuals and organizations-the message that my Office is there to help businesses and individuals, and that good privacy is good business.
I need your help in the coming months and years to get those messages out and promote the right to privacy. I'm looking forward to working with you.
- Date modified: