Protecting Privacy under the Umbrella of Administrative Law
Presentation at the Université de Montréal
September 16, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Thank you for inviting me here today. I would like to use this opportunity to share some ideas about the importance of protecting privacy and to talk about the work that my Office does to help protect the privacy of Canadians.
I would like to concentrate on four main issues:
- the concept of “personal information” and why it is deserving of protection;
- the mandate and structure of my Office;
- how we co-operate with our provincial counterparts; and
- the need for greater co-operation at the international level.
I will conclude with a few thoughts about what the future holds for privacy protection in Canada.
Canadian courts have recognized the two federal privacy and personal information protection acts as being “quasi-constitutional.” They thereby acknowledged the fundamental role the two acts play in protecting privacy in Canada [Footnote 1]. Without respect for privacy, we would live in a society where anyone could know everything about you—without your knowledge or consent.
The concept of “personal information” is a central concept in Canadian privacy legislation.
Generally speaking, "personal information" is any information about an identifiable individual.
The concept of “personal information” is interpreted broadly; it can apply both to information about an individual that is mundane and in the public domain and to very sensitive, private information. Your personal information includes not only your name, age and address, but also your Social Insurance Number, medical records, opinions, your likes and dislikes and so forth.
This approach is different from that taken in the United States, where information in the public domain is not usually protected by legislation.
Information about an “identifiable” individual
Even if information does not on its own identify an individual, an individual can still be considered to be “identifiable” where there is a serious possibility that the individual could be identified through the use of that information in combination with other available information. [Footnote 2]
For example, in Gordon v. Canada (Health) the Federal Court considered the field “province” in the Canadian Adverse Drug Reactions Information System to be “personal information,” because the information could permit or lead to the identification of an individual when combined with information from sources otherwise available, including sources publicly available.
Similarly, my Office concluded that an IP address can be considered personal information if it permits an organization to identify an individual.
Information is “about” an individual
To be considered “personal information,” information must be “about” an individual.
As regards information “about” an identifiable individual, the Federal Court has ruled that “about” means that the information is not just the subject of something, but also relates to, or concerns the subject. The idea that personal information is about an individual connotes concepts of intimacy, identity, dignity and integrity. These are considered core philosophical values underpinning privacy rights. [Footnote 3]
In order to determine if information is about an individual, my Office sometimes has to decide whether demographic information about an identified homogeneous group has reached such a refined level that it is “about” an individual. This is a sometimes challenging analysis.
One of the greatest challenges facing privacy protection today is that Canadians are increasingly leading their lives online.
When personal information is in digital form and accessible via the Internet, it is easily searchable, easily disseminated and very hard to delete once it has been shared.
Moreover, personal information can be more easily aggregated to form detailed profiles of an individual’s tastes and habits.
For instance, an online advertiser might be able to collect information from your Facebook profile and monitor which websites you visit and which purchases you make online to create a detailed picture of you in order to send you targeted advertising.
Some say that the popularity of online social networking sites means that social norms have changed and that privacy is no longer important to people.
I certainly do not believe that privacy is no longer important, but there is no doubt that my Office needs to be innovative and creative in order to deal with these new challenges.
What authors have referred to as new or alternative forms of regulation are essential in this work. I know this is one of the themes in Prof. Houle’s course. Public law, in general, is moving away from a purely positivist conception of law and regulation. In very practical terms, alternative forms of regulation are essential in the privacy realm. Over and above standard recourse to the federal courts, my Office recognizes the need for user guidelines, best practices manuals, certification by third parties and self-regulation. These are all essential tools, especially in the increasingly online world.
The underlying objective of federal and provincial privacy legislation is to regulate the flow of personal information in the private and public sectors, i.e., the circumstances in which personal information can be collected, used and disclosed by government institutions and businesses.
I note that you have all read a document issued by the Quebec government entitled “La réglementation par objectifs.” [Footnote 4] The paper discusses regulation by objective versus regulation of the means. In many ways, the Privacy Act and PIPEDA both seek to regulate by a combination of these: but ultimately, the protection of personal information is the objective of both statutes. Of course, specific means are targeted in the provisions of the act, but my Office’s work tends to focus on the overarching objective.
Part I – PRIVACY COMMISSIONER OF CANADA
I would now like to talk a bit about how my Office works to protect personal information.
I note that you read an excerpt from Lester Salamon’s book The Tools of Government for last week’s class. Although the book sets forth ideas that apply specifically to the United States, they nevertheless have relevance in Canada. Because the concept of government action has changed, as Salamon explains, my Office must now mobilize different “technologies” of public action.
First the basics: as you will have read in preparation for today, my Office oversees two pieces of federal legislation aimed at protecting personal information: the Privacy Act, which applies to federal institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the private sector, except in provinces, like Quebec, where there is substantially similar legislation.
I am an Officer of Parliament, which means that I report directly to Parliament and not to a department.
The independence of my Office from government is essential so that we can investigate complaints against government institutions in an impartial manner.
Complaints, Investigations and Audits
My Office is set up according to the ombudsman model; that is, we receive complaints from individuals, we investigate, and, through our investigation and communications with the parties, we attempt to reach a resolution of the matter between the complainant and the respondent organization.
In most cases, my Office is under a positive legal obligation to investigate complaints that it receives and to issue a report of findings. Very recently, under PIPEDA, my Office was given the discretion to decline to investigate or to discontinue an investigation. This is an extremely important development in a context where resources are limited and there is an increasing level of complexity in investigations. My Office must devote its attention to the root causes of privacy breaches.
I am also empowered to initiate my own complaints if I think there are reasonable grounds to investigate.
My Office can also conduct audits of organizations and government institutions if there seems to be a systemic problem that needs to be addressed.
On the one hand, given the non-adversarial and confidential nature of the process, I do not have the power to issue orders or impose fines. (I will speak about this in a moment.) On the other hand, I have been given relatively broad investigative powers under the two acts.
In particular, I can subpoena witnesses and visit the premises of the respondent organization if necessary.
At the conclusion of an investigation, my Office generally issues a preliminary letter of findings, which sets out our conclusions and recommendations. This offers the parties the opportunity to correct any factual inaccuracies and the respondent organization to make any arguments as to why the recommendations cannot or should not be implemented.
Once these representations have been taken into account, my Office issues a final report.
The roles I have just described are part of what your readings might refer to as the “old paradigm” of government activity: implemented through the legislative framework and in accordance with the regulations, my Office receives complaints from the public and investigates. However, the PIPEDA model goes beyond an investigation-complaints-based regime and provides an opportunity to approach privacy regulation in a more multi-faceted way.
In many cases, by the time the investigation concludes, organizations will have taken steps to implement my Office’s recommendations and address the complainant’s concerns.
Whenever possible, we attempt to resolve complaints through mediation and negotiation between the parties. Of course, in some cases this is not possible and a full investigation is necessary.
Under PIPEDA, I also have the express power to publicly name organizations if I think it is in the public interest to do so; in some circumstances publicity alone can be a powerful incentive for an organization to comply with my Office’s recommendations.
Reports issued by my Office are not legally binding and I have no ability to impose penalties on respondents who contravene the law.
However, under PIPEDA, if an organization fails to comply with the recommendations of my Office, either the complainant or my Office—with the complainant’s consent—can apply to the Federal Court in order to have the recommendations enforced, although certain conditions set out in section 14 of PIPEDA must be met.
The Federal Court can order an organization to comply and can also award damages as has been done in a number of recent cases. [Footnote 5] Note, however, that the damage awards remain relatively small when compared with the awards issued by Quebec courts. [Footnote 6]
However, under the Privacy Act, an individual or my Office can apply to the Federal Court only if a federal institution refuses access to personal information.
Guidelines, Fact Sheets, Industry Regulation
In addition to investigations and audits, my Office spends a lot of time and effort working in alternative regulatory spaces. We recognize that following the standard regulatory process whereby complaints are investigated and pursued through the courts does not always ensure results. The most significant advances we have made have come through working with industries to develop guidelines to ensure best practices. [Footnote 7]
My Office also spends a lot of time and effort on research, education and outreach. We are a major sponsor of research into new and emerging privacy issues through our Contribution Program.
My Office also believes that independent audits of privacy protection mechanisms can help organizations prove that they are meeting their data protection obligations.
As Prof. Houle noted in a report she wrote with the Dean of Osgoode Hall Law School, my Office has accomplished important goals working with large industry sectors such as banking and insurance, building trust across the private sector, providing guidance on the interpretation and application of PIPEDA, raising awareness of PIPEDA and generally enhancing the profile of privacy issues. Many of these were accomplished through alternative forms of regulation.
Part II — FEDERAL-PROVINCIAL COOPERATION
The need for co-operation
Online privacy issues are becoming an increasing focus for my Office—and addressing them is not without its challenges.
The issues are often complex and highly technical. Websites seem to change every day, so it requires a great deal of effort to keep up with what’s happening. The online world that Canadians access for products and services is global—we are often dealing with organizations with little or no physical presence in Canada.
Clearly we are going to have to find many tools to help us meet all those challenges: in particular, co-operation with other privacy commissioners’ offices and regulatory agencies.
An important part of the solution will be co-operation. Working with my counterparts—within Canada's borders and beyond—has been a top priority for me from the very start of my mandate.
Before I say more about co-operation, I would like to give a brief overview of the provincial and territorial commissioners in Canada.
Federally, there is a commissioner who is responsible for overseeing access to information legislation and another commissioner who is responsible for privacy legislation.
In the provinces and territories, however, there is one commissioner in each jurisdiction who oversees both freedom of information and privacy legislation. Three of these provinces have privacy legislation that applies to the private sector—Quebec, Alberta and British Columbia.
The federal, provincial and territorial commissioners usually meet in person once a year to discuss issues of mutual interest. In recent years, we have issued resolutions on certain issues. These have included: the Passenger Protect Program, or no-fly list; enhanced drivers’ licences; and the protection of children online. We believe that expressing the same point of view reinforces the message sent to government and the private sector.
When it comes to matters that concern my Office and the provinces that have a personal information protection act substantially similar to PIPEDA, i.e. Alberta, British Columbia and Quebec, we make a point of working together in many different ways.
Recent amendments to PIPEDA have given my Office a clear framework under which we can consult and share both interprovincially and internationally. We may enter into agreements or arrangements:
- to coordinate our activities, including the handling of complaints in which we may have a common interest;
- to undertake and publish research or develop and publish guidelines on protecting personal information;
- to develop instruments for protecting personal information collected, used or disclosed interprovincially or internationally; and
- to develop procedures for sharing information within the context of an investigation or audit.
Prior to these changes, we could receive information about a complaint investigation, but could not share information we had obtained during the course of our investigation.
There is a memorandum of understanding, signed by Alberta, BC and my Office, on co-operation and collaboration in private-sector policy, privacy enforcement and public education. Over the years, we have worked together to try to offer consistent guidance to organizations and, where appropriate, conduct joint investigations.
Examples include the TJX case (the Alberta Commissioner and I both initiated investigations following a massive breach of the company's databases) and the Law School Admissions Council case (complaints were filed in Alberta, BC and with my Office).
In terms of guidance, our three offices have issued guidance on collecting driver’s licence information in the retail sector; the use of street-level imaging technology (Quebec also participated in the development of those guidelines); presenting photo identification; and most recently, a checklist for organizations on securing personal information. Further guidance is in the works.
We also have held joint conferences for our investigators. This has enabled us to share best practices, to discuss specific closed cases, and to get to know one another—an important aspect in building co-operation.
Given the design of the federal constitution, some overlap between provincial and federal jurisdiction is inevitable in the privacy realm. As you have seen in Janice Gross Stein’s article for today’s class, [Footnote 8] a situation of overlapping jurisdictions can be “messy” but can also lead to greater results through collaboration. While not necessarily going as far as the concept of “Networked Federalism” that Stein speaks of in her article whereby there is constant collaboration at all levels of government on any given issue, my Office continues to work closely with access to information and privacy offices in Quebec, Alberta and British Columbia. This work is substantive and results-oriented.
Part III — Broadening co-operation at the international level
As I’ve mentioned, online privacy issues are becoming an increasing focus for my Office. Addressing these issues is challenging. The online world is global but our privacy laws are local. Accordingly, my Office has to think outside the standard juridical and regulatory box. We are constantly looking at alternative means of addressing new issues that emerge with each new technological advance. This is even more important because the Internet usually ignores international borders.
More and more, we find that the companies we are receiving complaints about have little or no physical presence in Canada.
We are able to investigate these organizations under PIPEDA, as confirmed by the Federal Court in Lawson v. Accusearch Inc. [Footnote 9] In that ruling, the Federal Court ruled that PIPEDA applies to transactions involving personal information when there is a real and substantial connection to Canada. This ruling stretches the application of PIPEDA in a manner we did not anticipate.
We are now receiving complaints about large multinational companies such as Google and Facebook. Furthermore, the issues we are dealing with are very similar to the issues facing my international colleagues. For example, last year several commissioners investigated Google after it was discovered that Google’s Street View vehicles were collecting snippets of information being transmitted over WiFi networks. Google was collecting this information without the knowledge or consent of the individuals involved.
Increasingly, commissioners across jurisdictions are examining the privacy practices of the same global companies. The massive data breach experienced by Sony involving the records of more than 75 million user accounts affected individuals around the world. In addition we are increasingly looking at common technologies—Google's search technology, facial recognition technology and the use of "cloud" computing.
True, PIPEDA differs from European national laws and there are differences between PIPEDA and the privacy legislation of other countries such as New Zealand and Australia. For instance, PIPEDA allows sharing across international borders but holds Canadian organizations accountable for breaches. But it is easy to exaggerate the differences. We must work beyond our borders. Canada on its own cannot possibly tackle the plethora of privacy concerns cropping up across the World Wide Web.
Thus, as a federal regulator in Canada, I am increasingly becoming part of a network of national and international regulators. This network—which takes the form of bilateral and multilateral associations and relationships—is part of the new and emerging field of Global Administrative Law (which I know you are studying extensively in this course). To this end, we are involved in several international organizations whose objectives include furthering co-operation.
We participate in meetings of the OECD’s Working Party on Information Security and Privacy. I had the honour of leading a volunteer group that helped develop a 2007 recommendation on cross-border co-operation, and that is currently providing advice on the review of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The OECD is organizing a Conference in Mexico City in late October that will look at "Current Developments in Privacy Frameworks: Towards Global Interoperability." One of the objectives of the Conference is to obtain a better understanding of the commonalities and differences among the various approaches to data protection to help us understand how we can move towards greater global interoperability.
Later today, I am leaving to attend meetings of the Asia Pacific Economic Cooperation (APEC) forum. At APEC, we are working with other economies in the Asia-Pacific region to develop a process to ensure that personal information is protected as it moves across borders.
Next week, our Assistant Commissioner, Chantal Bernier, will be attending a meeting of the Association Francophone des Autorités de Protection des Données Personnelles, at an annual conference that brings together more than 25 data protection authorities from Europe, North America and Africa. This is a very important forum because it includes developing states that are only beginning to introduce data protection and privacy regimes.
We are making progress in terms of co-operating but we still have a long way to go.
I am particularly pleased at the increased global dialogue that I have witnessed since I became Commissioner, and that American authorities, primarily the US Federal Trade Commission, are now part of that process.
While we would all benefit if the United States adopted meaningful comprehensive privacy legislation, the FTC has reached a number of important privacy-related settlements. For example, following its investigation of the Google Buzz rollout, the FTC reached a settlement requiring the company to submit to regular, independent privacy audits once every two years for the next 20 years.
Cooperation involves sharing information and expertise. As I mentioned earlier, our new information-sharing provisions apply on the international level as well as on the interprovincial level. We will be able to share information under a written arrangement that limits the information to be disclosed and restricts how it can be used. The Commissioner will also be able to enter into arrangements to engage in other activities such as developing standards, conducting joint research and participating in staff exchanges.
A concrete example of co-operation is a case involving an American online data broker, Abika.com, which was operating in Canada in violation of our laws. My Office was granted leave to file an amicus curiae brief in support of the position of the US FTC in a proceeding before the United States Tenth Circuit Court of Appeals. We were also able to bring our investigation of Abika.com to a conclusion based on information provided to us by the US FTC.
Conclusion — And what does the future hold?
I think my Office is a good example of an administrative body that uses alternative forms of regulation to accomplish many of the goals associated with protecting personal information.
Enforcing privacy laws in Canada is incredibly challenging given the technological advances that are made on a daily basis. My Office often struggles to keep up. As things currently stand, the Privacy Act is outdated, having been originally drafted in the early 1980s. To make up for the problems found in the out-of-date black-letter law, my Office has worked hard to find alternative means of achieving the Act’s objectives.
Similarly, under PIPEDA, keeping up with technological advances has been a challenge. In response, we have implemented alternative forms of regulation including user guidelines, efforts to ensure regulation at the industry level, and best practices manuals. Since the beginning of my mandate, I have also recognized the need to build up the technological capabilities of my Office. This allows me to keep abreast of new technology-related issues and to be part of new conversations in privacy law.
Looking forward, I will be watching closely as the federal government moves towards a second parliamentary review of PIPEDA. There will also be a parliamentary review of the Privacy Act. I believe both reviews are extremely important. While alternative forms of regulation are an essential part of government activity, there must always be a balance between these methods and the more positivist aspects of law. Black-letter law still has an important place in governance. Our most challenging task will be to find the proper balance between the black-letter law and alternative forms of regulation as we move further into the twenty-first century.