Making Privacy Laws Work for Canadians
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the Karen Spector Award Ceremony and Dinner organized by the Ontario Bar Association
October 18, 2010
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good evening. It’s a great pleasure to be here with you. I would like to thank the Ontario Bar Association for honouring me with the Karen Spector award.
The fact that the association created this award is clearly an indication of how important the Bar considers the development of privacy law.
As a result of receiving this award, I’ve had the opportunity to learn more about Karen Spector and her role as a privacy champion. Robin Gould-Soil, our Director of PIPEDA, describes how Karen devoted a great deal of her personal time to help connect and mentor people entering the privacy field. I understand she encouraged these connections by throwing a party at her condo each year and inviting CPOs, lawyers, consultants, regulators and anyone she knew who had an interest in privacy.
I’m particularly grateful to the OBA for selecting me as the 2010 winner – in spite of the fact that members of the Canadian bar and my Office have been on opposite sides of the fence in a series of legal proceedings in recent years!
This evening I’d like to talk about a couple of those proceedings.
First, however, I wanted to announce that our Toronto office is now up and running! This is a very exciting development in the history of my Office. Being on the ground here will allow us to increase our efforts to help small- and medium-sized businesses in the region to meet their privacy obligations. As well, we expect that having a stronger presence will help to prevent misunderstandings from developing into full-blown PIPEDA complaints.
I’d like to speak with you about the fallout resulting from what the courts have said about solicitor-client privilege and access requests.
Those cases – which wound their way through the courts for years – also serve both to illustrate, and contribute to, my growing concern about the fact that the legislative process and traditional legal system are not keeping up with the pace of evolving privacy issues – particularly those resulting from new technologies.
The incredible rate at which technologies have been developing – in the online context and elsewhere – continues to astonish me. I’ve been Privacy Commissioner for almost seven years. When I first took on this role, the concept of online social networking didn’t really exist. We also didn’t tweet, share via Flickr and YouTube or track one another on Foursquare and Facebook Places. And few of us had heard of cloud computing.
Protecting privacy in this rapidly transforming landscape demands agile and creative responses.
The reality is, however, that we have a situation where legislative amendments wind their way through the Parliamentary process at a glacial pace in comparison to the rate at which the world is changing. A dispute over a point of law can take several years to resolve through the courts.
I don’t think it’s realistic to anticipate dramatic change in how the wheels of the legal and Parliamentary systems move in the foreseeable future.
Therefore, it is incumbent upon us – my Office and you as members of the Bar – to think about how we can make existing laws work in the best interests of Canadians.
Just how we can most effectively do that is what I’d like to explore with you.
It is striking how little litigation there has been under PIPEDA. The one case that has made it all the way to the Supreme Court of Canada involved, to my mind, something of a sleeper issue. Few could have predicted that the country’s highest court would have to weigh in on the issue of solicitor-client privilege and access to personal information.
Most of you are no doubt familiar with the Supreme Court’s 2008 decision in the Blood Tribe case. The Court confirmed that the right of individuals to access their personal information in order to verify its accuracy is an important corollary to the protection of privacy.
However, the Court disagreed with our position on the question of who is legally able to independently verify organizations' claims of privilege at first instance.
The Court concluded that the statutory language of PIPEDA does not give the Commissioner the authority to compel an organization to produce documents over which a claim of solicitor-client privilege has been made, in order for me to review the document in the course of an investigation into an access to personal information complaint.
Rather, this role of verification should be reserved for the courts.
As a result of the decision, we amended our internal processes and stopped requesting the actual documents over which an organization claimed privilege.
Instead, we requested that organizations provide sufficient evidence in support of a claim of privilege, which could include affidavit evidence that would allow me to have some credible basis for finding this information was privileged.
This approach was put into question by a recent case – Air Canada – in the context of a complaint concerning a refusal of access to personal information contained in a number of documents prepared by various employees of Air Canada.
We asked Air Canada to set out its claim of solicitor-client privilege by way of affidavit but the airline refused. We deemed the complaint well-founded and filed an application in Federal Court.
Ultimately, the Federal Court determined earlier this year that I lack the jurisdiction to rule on an assertion of privilege and therefore am not entitled to inspect documents over which privileged is claimed. Instead, it found that the Federal Court is the decision-maker in such cases.
We decided against filing an appeal of the Air Canada decision, largely in light of the Blood Tribe decision.
The Way Forward
As a result of these recent decisions, we’ve determined that, in cases where a respondent organization refuses access to personal information on the basis that such information is subject to solicitor-client privilege, and the matter cannot otherwise be disposed of, we will be referring disputed claims of solicitor-client privilege for independent assessment by the Federal Court by way of interim reference.
However, there remain a number of interesting issues, including:
- Will my Office – and ultimately taxpayers – be responsible for costs in the event that a claim of solicitor-client privilege is valid, although Parliament clearly did not envision such consequences in PIPEDA?
- What will the role of my Office be in any such reference, given that the Federal Court has been clear that the OPC has no role in assessing solicitor-client privilege?
- Considering that the average amount of time it takes for references to be considered before the Federal Court, how will I ensure that I respect my legal duty to prepare an investigation report within one year?
A Better Way?
The University of Ottawa’s Professor Adam M. Dodek offers us some interesting analysis around the evolution of the concept of solicitor-client privilege.
In a recent paper, Professor Dodek argues that contemporary justification for solicitor-client privilege remains largely grounded in 19th century legal assertions, which do not involve any contextual interpretation, balancing of competing interests or rights in determining privilege issues. As well, courts are unwilling to revisit the theoretical underpinnings for privilege.
As such, he argues that the two dominant characteristics of judicial treatment of solicitor-client privilege in Canada are: heightened protection; and a lack of critical reflection about its purposes and function.
Ultimately, Professor Dodek argues it is time for critical analysis of privilege, and that it should be recast in a rights-based approach anchored by dignity, autonomy and privacy – one directly linked to the right to counsel which protects such rights.
Most notably, Professor Dodek argues that privilege should no longer be extended to organizations – corporations, governmental bodies and other associations – on the grounds that such entities are not human and therefore have no claim to dignity, autonomy and privacy as human rights.
As a privacy advocate, I find that argument extremely compelling and I hope that legal thought will evolve in that direction.
Consequences for the OPC
In the meantime, the court rulings on solicitor-client privilege have some practical consequences for my Office.
For us, it means that the moment an organization makes a claim of solicitor-client privilege, our investigation work comes to a stop and we will, in some cases, have to go to court.
There’s a huge public cost here – going to court is expensive. There is a cost in terms of the impact on court time. The current situation also isn’t desirable for business – either in terms of the cost involved and the time it will take to resolve issues.
My request to lawyers advising the organizations that my Office deals with, is to think of the big picture. As members of a profession that contributes to the development of Canadian law, you have a responsibility to think about where issues are taking us in a broader sense. Is the way a particular case is being argued going to put Canada on the appropriate legal path?
I would also urge to advise your clients responsibly; to ensure that your clients do not apply solicitor-client claims overly broadly. Ensure that any claims are real and serious.
Responding to Rapid Change
I’d also like to speak to the growing responsibility of individual members of the Bar in the broader context of the development of privacy law and regulation in an era of dramatic technological development.
As I described at the outset, legal and Parliamentary systems are struggling to keep up with the pace of technological change.
This situation places a requirement on those of us working in privacy to consider how we can help to ensure that we continue to have effective privacy protections in place for Canadians.
What I see happening already is that rule-making processes in the area of privacy are shifting to a more “on the ground” approach. We see that the role of “soft law” or informal rule-making is growing in prominence – in Canada and beyond.
Lawyers at global conferences have told me that soft law – essentially realistic guidance from regulators – is increasingly important. This is because few issues in privacy law ever go to litigation, which is seen as too long and too risky and often the wrong place to try to resolve highly complex IT issues.
This is happening in other areas as well. In a number of countries, we see that administrative bodies mandated to address government integrity issues – auditors general, for example – are emerging as important players in the regulatory scheme.
My own Office is increasingly developing guidance documents for organizations. In the last few years, we’ve issued guidance on covert surveillance; the collection of driver’s licence information by retailers; and cross-border processing of personal information.
Another trend is that data protection authorities and other regulators are increasingly involved in developing rules that flow from a continuing dialogue with technological innovators, with consumers and with legal scholars and specialists.
For example, the U.S. Federal Trade Commission has held a series of consultations on privacy issues and the Europeans have also launched a dialogue on how to amend their Directive on data protection.
Here in Canada, my Office held public consultations this year on issues we feel pose a serious challenge to the privacy of consumers.
Our consultations focused on two areas – the privacy issues related to the online tracking, profiling and targeting of consumers by marketers and other businesses and cloud computing practices.
As well, in 2009, we engaged two noted academics – Dean of Osgoode Hall Law School Lorne Sossin and France Houle, of the Université de Montréal – to examine the effectiveness of the ombuds model in protecting personal information in the private sector, particularly in light of changes in the technological, economic and legal context since PIPEDA was first enacted.
In their analysis, these authors suggest that the current ombuds model has had mixed success.
On the positive side, the authors take the view that my Office has succeeded in accomplishing important goals related to compliance by working with large industry sectors such as banking and insurance, building trust across the private sector, providing guidance on the interpretation and application of PIPEDA, responding to complaints, inquiries and concerns, raising awareness of PIPEDA and generally enhancing the profile of privacy issues.
However, they are also of the view that the ombuds model may have been less effective in promoting compliance where small and medium sized businesses are concerned.
The professors have suggested as an option going forward, that my Office could acquire targeted and limited power to make orders, including the ability to impose penalties such as fines. They also propose explicit guideline-making power, to assist with the fair and transparent implementation of new order-making powers.
My office is currently in the process of assessing the authors’ analysis, mapping it onto what we believe has been our experience under PIPEDA to date, and comparing it with our own views of the merits and effectiveness of the ombuds model. The authors’ analysis will undoubtedly make a significant contribution to the public discourse on future evolutions of PIPEDA.
Both the report from Professors Sossin and Houle and our public consultations will help shape my Office’s input during the next mandated review of PIPEDA, which is expected to begin in 2011.
The first five-year review began in 2006, however, the amendments put forward as a result of that work still have not been passed into law.
They are contained in two bills currently before the House of Commons.
As part of anti-spam legislation, the government has proposed amendments providing my Office greater discretion to refuse or discontinue complaints and to permit us to share information with our domestic and international counterparts.Footnote *
Other important privacy legislation is a bill to amend PIPEDA. One of the most important changes it offers is a requirement for organizations covered by PIPEDA to notify my Office and affected individuals following data breaches.
Hopefully those two pieces of legislation will be passed into law in the relatively near future.
The current environment also places an increased responsibility on members of the Bar who practice in the area of privacy.
Earlier, I mentioned the need to advise clients responsibly – and with the “big picture” in mind – on the issue of solicitor-client privilege and access requests. The same advice applies in the broader context of privacy law.
I think this could be encouraged with more professional discourse on critical matters.
These are weighty issues to be considering at this time of night! However, I do hope that this evening is the continuation of a dialogue about what we can do to encourage an effective privacy regime.
I thank you very much for your attention and I would welcome any questions or comments ….
- Date modified: