PIPEDA and its Impact on e-commerce and e-economy
Transcend Business Services IT & Privacy Symposium
August 25, 2004
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good morning and welcome to Ottawa. It is a pleasure to be here today to address so many front-line professionals in the IT community. I am pleased to see the industry is talking about privacy issues and concerns, and is taking action on privacy risks with some innovative and creative solutions in information management and security.
Most of you here today have an insider's view of information technology and information management. You may be in charge of the information databases of large companies or government departments. You may supply the software or create the programs that manage, mine, sort and store that information. Maybe you are on the cutting-edge of designing network security systems to ward off the ever-increasing threats of hacker intrusions, spyware, spam, viruses, worms, and malicious codes. You may be involved in Government On-Line projects, and are actively working towards the integration of databases of information held by government departments and institutions. As such, you are certainly familiar with the promise of technology to revolutionize business and government services. You are also well aware of the latest threats to data security and privacy.
It's not quite the same for the Internet-using general public. We receive calls in our Office daily from Canadians who are frustrated with being bombarded daily on their own PCs with pop-ups they don't want, banner ads they wince at, explicit emails they really hope their kids don't see and misleading offers for "free software" that invades their computers and hijacks their modems. They are bewildered by the array of patches, filters, and firewalls they are offered as protection. And they are concerned about the increase in identity theft, Internet fraud and various electronic money-making scams.
These are some of the concerns expressed to our Office by average Canadians who worry that businesses may misuse the personal information they submit during online transactions. It's a concern that holds people back from doing more business online.
According to a 2002 Leger Marketing survey, issues of security and privacy continue to be the biggest barrier to Canadians making purchases online. These fears are fuelled by forecasts of an identity theft problem galloping out of control — which are estimated to result in losses of $2 trillion worldwide by the end of 2005.
Canadians are also worried that their personal information, given in good faith or by law to government institutions, may be combined with commercial databases from banks, department stores, insurance companies, video stores, and pharmacies. They are concerned that the resulting complete personal dossier could be used by governments to make decisions about their lives or by law enforcement agencies here or abroad.
Would you want the details of what you buy, where you travel, what churches or clubs or political parties you join, what books you read or prescriptions you use being part of a massive government or commercial database?
This idea frightens many people. In many ways, the very efficiency and integration of information that the IT industry strives to achieve may be perceived as a threat to individual privacy. You may see an opportunity for your company to make a profit from data-mining — but your next door neighbour may see an unacceptable invasion of privacy.
The Office of the Privacy Commissioner of Canada is responding in several ways. We are working closely with Industry Canada on the issues of spam, spyware, Internet fraud and other cyberspace privacy risks. We are collaborating with Industry Canada's Special Task Force on Spam to assess whether Canadian organizations collecting and using e-mail addresses — which may be considered personal information under the Act — are complying with the law. We will work with Industry Canada to take corrective action where it is needed.
On the issue of combining personal information collected commercially with government-held personal information in pooled databases, we objected strongly to this approach in Bill C-7, the Public Safety Act. Part of our objection focussed specifically on the co-opting of private sector organizations to collect information for law enforcement.
On a related matter that I know is of great interest to the IT community, the Department of Justice's consultation paper on lawful access to e-mail and Internet data proposes a lower standard of protection for email communications and other electronic messages than for telephone calls, letters, or any other type of private communication under the Criminal Code. The type of access that is proposed raises serious financial, logistical and ethical concerns for IP providers as well. The type of access that is proposed has been compared to the government asking Canada Post to photocopy the address on every envelope any Canadian sends.
Our office has raised a series of objections to specific proposals in the consultation paper. We are continuing our discussions with Justice Canada. We do not believe that Canadians who use new communications technologies deserve to be monitored more closely or subject to greater scrutiny than other citizens. These are your customers, and they are already wary of electronic commerce.
On the issue of protecting Canadians' privacy rights when personal information crosses borders — and the implications of the USA PATRIOT Act -- our Office is working actively to safeguard privacy rights. It's an issue that goes to the heart of Canada's position as a leader in international standards of privacy protection.
So, your industry, government, and Canadian society in general, have a challenging balancing act to perform that is not getting any easier. How do we move forward to grasp the opportunities and benefits of new information technologies while retaining the trust of customers and the Canadian public? It is in that context that I would like to discuss Canada's privacy legislation, and how it affects information technology and e-commerce.
Who We Are and What We Do
My job as Privacy Commissioner is pretty straightforward. I am an advocate for the privacy rights of Canadians. I am an independent Officer of Parliament, reporting directly to the House of Commons and the Senate. Our Office has oversight of two important consumer protection laws. We oversee compliance and investigate complaints about personal information held by federal government institutions under the Privacy Act. We are also responsible for oversight of the Personal Information Protection and Electronic Documents Act — also known as PIPEDA — and it is mainly in that capacity that I am speaking to you today.
PIPEDA is Canada's contribution to a wider international movement to ensure people have better control over their personal information. The European Union has been a world leader in this regard. The EU Data Protection Directive permits the transfer of data containing personal information from its member nations only to businesses in countries that offer a similar level of privacy protection. PIPEDA allows Canada to be on that list and participate in the international information economy.
As you know, e-commerce knows no boundaries. Internationally recognized privacy policies are essential to growing your business and taking advantage of emerging markets. This is particularly important for outsourcing. Businesses have an obligation under PIPEDA to ensure that personal information sent out for processing is protected under contract from inappropriate use or disclosure, the same as if it were processed in-house.
PIPEDA is not an impediment to e-commerce and e-business. It is defined in its title very clearly as "An Act to support and promote electronic commerce by protecting personal information..." Our intention is not to stand in your way, but to help you provide your customers with assurances that you are protecting their personal information appropriately. The Act is in place so that e-commerce can flourish. Without the assurance that personal information and privacy rights will be protected, e-commerce will not fulfill its multi-billion dollar potential. Good privacy practices will help you grow your business and prevent loss of customers through lack of trust, or lack of knowledge of your policies.
As the Leger Marketing survey points out, trust is an issue of the greatest importance to on-line shoppers. The price may be right, they may be intrigued by the convenience of on-line shopping, but if they don't believe their personal information is safe — they won't do it. An Ipsos-Reid survey done in 2000 found 84 per cent of Canadian Internet users were concerned about giving out personal information such as credit card numbers on a website. It was the most important barrier to the growth of online purchasing. A survey by the same company in 2003 found Canadians to be more concerned about Internet security than they were the previous year.
Businesses must get consent for all uses of the information they collect; it must be collected for a reasonable purpose; it must be accurate and easy to correct by the consumer; and it must be stored and disposed of securely.
Security and Privacy
I'd like to take a moment to talk about the difference between security, confidentiality, and privacy. Privacy, as we define it, means having control over the collection, use and disclosure of personal information. Security, on the other hand, refers to how well that information will be protected with physical barriers or technical systems while it is collected, stored, used or disclosed. Confidentiality reflects the duty to honour the personal nature of the information entrusted to you, and to ensure it is not misused.
All these values are essential to the success of e-commerce — but they are different. Let's say an organization — maybe an insurance company — collects personal information about an individual from another source, and without that individual's consent, and uses that information to make life-affecting decisions.
It doesn't matter how secure this information is — locked in a filing cabinet or protected by sophisticated firewalls. It doesn't matter how confidential the information is. Your privacy has been invaded. The picture changes when consent is given or when personal information is collected by law — for example, tax information collected by CCRA, or information collected under regulations to investigate a crime. This is when the focus changes to the confidentiality and the security of the system that houses the information.
We are sometimes obligated to provide highly personal, sensitive information to organizations in order to obtain services. This information is a commodity to marketers, who mine it for those precious nuggets of demographic gold. It's also potentially a powerful tool for law enforcement agencies and governments to use for profiling large segments of the population for security risk assessments.
Developers and sellers of data management software may be tempted to feel that they are just providers of a service or a product and it's up to the customer to use the software in a privacy responsible manner. But I would propose that you think beyond that for a moment; your company's name and reputation are tied to your product. If the product is seen to break individual control over personal information, your company could be seen negatively by consumers.
The technology you create and promote is not good or bad, and it can be used in many beneficial ways to make business more efficient, to increase profitability, to provide better customer service and more responsive government programs. But it can also be used inappropriately. I believe we all have a corporate and social responsibility to do all that we can to ensure information technology products are used in ways that are sensitive to the privacy rights of consumers.
Cross-Border Data Transfers
As I mentioned earlier, concerns have been raised about how the USA PATRIOT Act affects personal information of Canadians outsourced for processing or storage to U.S.-based affiliated companies. Our Office is very concerned about this issue and has called for an open and transparent dialogue with the private sector and our other government partners. I'd like to outline some of the steps we are taking to bring clarity to this issue.
The cross-border transfer of data is a fact of modern life. Globalization connects economies around the world, including the information economy, in ways that are beneficial to all of us. However, Canadians expect and deserve a reasonable standard of protection of their personal information. They don't want that protection to evaporate when that personal information is transferred across borders, whether for security or commercial purposes.
Companies that are subject to PIPEDA or similar provincial legislation must comply with the legislation. The Act requires personal information to be protected by security safeguards appropriate to the sensitivity of the information, including when it is transferred across borders. Our Office is involved in a number of initiatives that we hope will help to shed light on this issue. We are planning an audit in 2004-2005 of cross-border data flow of information given by Canadians to their government. We are involved in ongoing discussions with Public Safety and Emergency Preparedness Canada about how personal information is handled in the context of security concerns. We will also be working with the National Security Committee of Parliamentarians, to ensure the trans-border protection of Canadians' personal information is on the political front burner. And this issue will also be top-of-mind in the planned legislative review of PIPEDA in 2006.
Our Office will also continue its outreach initiatives with industry leaders and professional associations to ensure that they understand their obligations under PIPEDA when it comes to cross-border information flow. We expect the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar may shed some light on the transfer of Canadians' personal information across borders in a national security context. Our Office believes that other government departments should also examine their own policies and procedures relating to the cross-border transfer of personal information.
I would also like to point out that the whistle-blowing provisions of PIPEDA protect employees who notify our Office that a company intends to transfer information abroad in violation of the Act. PIPEDA specifically protects employees against retaliation from employers, including harassment, dismissal, or demotion.
In closing, I'd like to take a moment to mention the Contributions Program of the Office of the Privacy Commissioner of Canada. In June, we announced the launch of a new privacy research program, with significant funding from our Office. We called for projects to focus on the intersection of technology and privacy, and for projects that would promote good privacy practices under PIPEDA as a key component of responsible commercial practices.
I was very pleased by the enthusiastic response we received. I think it is extremely important to expand Canada's national privacy research capacity and the Contributions Program is a positive step in that direction.
As IT experts, you know that innovations in technology create profound changes in society, and that extends to our perceptions of privacy. Innovations such as camera phones, global positioning systems and black boxes in cars, challenge our views of privacy and of what is acceptable. Camera phones have been banned in some locations, due to specific privacy concerns. Is your car a private place? Black boxes that collect information on our driving habits and red light cameras that catch law-breakers create debates about acceptable limits to privacy -- but our courts have accepted black box information as admissible for determining civil liability.
National security imperatives and the measures deemed necessary for dealing with organized crime also test the boundaries of our society's limits between personal privacy and public interests.
But while our view of privacy in an information society is evolving, it remains a deeply held value in Canadian society. Recognizing that social value and respecting the privacy rights of customers and clients promotes trust and loyalty in e-business.
The trust and loyalty of the customer base are recognized as key factors for the growth and survival of e-commerce. Yours is an industry that continually pushes the technology envelope and societal views of information and connectivity. Our Office's responsibility is to raise potential privacy implications of that technology, and to work with you to assist in providing Canadians with assurances that their personal information is protected. I am looking forward to collaborative partnerships between our Office and your industry to ensure a balanced approach to personal information protection.
Thank you for your time and attention.