Electronic Commerce & Privacy 2000
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Speaking notes prepared for Riley Information Conference
February 21, 2000
Privacy Commissioner of Canada
(Check Against Delivery)
Good morning everybody.
You mentioned the fact that I've been at this job for a while. In fact, looking at this group this morning, I'm reminded that I think the very first time I ever stood on a platform to talk about this issue was at this very hotel at a conference that was organized by the very man who has organized this one, Tom Riley. Now both of us are a little older.
In fact, I feel a little like one of those schoolmasters welcoming a whole new class because I see a lot of new faces here. Probably a lot of you in the federal government in one capacity or another and who weren't even involved with this issue at the time I first became acquainted with it.
This month is the tenth anniversary of my entry into the Office of the Privacy Commissioner. I spent a year as an Assistant Commissioner before I took on this job and it's interesting to see how far we've come as well as contemplating perhaps a little later in my talk on how far we yet have to travel. But ten years ago this date, the words are now commonplace in the argot of the computer universe weren't even in the lexicon of the time. "Dot.com", "search engine", "cookies" were still something you stole at night. with milk out of the refrigerator.
We have traversed in the course of one short decade both a technological and a social revolution. In the course of that time, things that I was talking about early on in my term and which were seen at the time by a good many observers as essentially extreme, radical, impractical and unlikely have all come to pass. And the thing that I urged most fervently over those years in terms of meeting the challenges of the revolution through which we are passing are now also coming to pass.
The conference has been told that it's here for an examination of "e.com" and its relationship to Bill C-6 and in a broader sense its relationship to our wider world. And it is the wider world I think that we most ought to reflect upon, at least as we begin this exercise.
I've said on previous occasions - and because I think I have a substantial number of new listeners present at this conference - [we need] to reflect, at least for a moment, on the underlying issue that is involved here. And why it is terribly important not just as a vehicle for the easier management and facilitation of commerce, but why it is not only important, but absolutely indispensable, to the preservation in the future of a civilized society in the country and around the world.
For that purpose, I want to take just a few seconds to tell you what my definition was, is, and always will remain the definition of what privacy is. It is the measure of the degree to which we as individuals will respect each other as autonomous, free, human beings, entitled to the respect of our brothers and our sisters. If you find the concept a little too sweeping, I want you to reflect for a moment on the kind of society in which you would be living if we did not have the right to some control over the information about ourselves: how it's going to be collected, used and disclosed by our fellow citizens.
We have had enough experience through the most tumultuous century through which mankind has ever passed, in which every vestige of a human being's right to control his or her own life has disappeared across much of the face of this world, with the most catastrophic consequences imaginable.
This is not simply some little convenient thing for business, it is not some little inconvenience for bureaucrats to have to cope with in the course of a busy day, it is central to the preservation of a decent society. So everybody who is connected with this, please try to remember a little bit of that message.
I want to say here, because I know there are a large number of public servants here, probably some of you involved in access and privacy coordination in your departments. You are the troopers, in the front line in a battle that is going to go on certainly as long as you live and certainly as long as you are working in this area, either in government or in business. I congratulate those of you who understand this issue, who believe in it and who will fight for it.
It is not an easy thing and I hope the business community here will forgive me if I take just a moment to talk about the federal bureaucracy. It is not an easy thing to be in the ATIP business in the Government of Canada. It is seen all too frequently by some managers as an inconvenience, as an intrusion upon their right to do things the way they want to do. You, therefore, are an essential locus between the governed and the governor. If you take you job seriously, if you work hard at it, you will have performed one of the most noble services that anybody in public service can perform, which is to ensure that the citizens who are paying your salary, who are the fundamental aspect of our society, are having their rights protected and observed. You've got a very important job to do and I wish you well with it.
Now let me get on to the business of the morning. It's terrible to try to work off the Monday blues by coming to a serious subject like this, so I'll try not to put you back to sleep!
Bill C-6, which is now, I hope, in the final throws, convulsions - call them what you will - of passing through Parliament, I expect soon will be law. It was passed by the House of Commons and the Senate before its Christmastime adjournment. The Senate attached one amendment, it's now back in the House and all the prospects are that it will certainly become law - be passed though parliament - before the House rises for its summer recess and will become law by the end of this year.
I take personally, some restrained satisfaction in C-6. It is certainly the most important piece of privacy legislation that has been enacted in this country, at least since the creation of the Office of the Privacy Commissioner and the passage of a Privacy Act fifteen years ago and perhaps even longer than that, because Bill C-6 carries forward the view that respect for the rights of individuals to control their personal information is not just a government responsibility. It's a responsibility that should be shared across the entire community including, particularly, business.
That Bill I have described as a "little miracle". I say that because in North America particularly, the pressures against this kind of legislation in an essentially anti-regulatory environment - which has persisted now for some time, perhaps not without some justification - the odds against it, right from the outset were very heavy.
When I first personally started promoting the idea of coverage of the private sector by the federal government, frankly, I didn't think the odds were very good. Perhaps to some extent, the onrush of computer technology, and particularly its implications for private business - people now anticipating that commerce over Internet will reach the level of trillions of dollars in a very few years has helped. If so, so much the better. But now it's happened, so we have our little miracle.
There are some interesting features about this Bill, it is probably the first piece of legislation which essentially was written not by lawyers of the Justice Department, or by a lot of bureaucrats scribbling away. It was written by businessmen who got together under the aegis of the Canadian Standards Association six or seven years ago to write a general privacy code which they thought would be applicable to all of the members who wished to have certification from the CSA for their products and their services.
And Bill C-6 essentially is that code with a couple of extra lines written in which say this is your Bill, you wrote it, now my friends, let's see you live with it.
I don't want to suggest any disrespect to the business community but I've sometimes wondered it one of the reasons they wrote that code was because they thought it would be sufficient for the time and that it would not pass into law. And you could almost argue, as some have, that they shot themselves in the foot as a consequence. I'm prepared to take the more generous view that business did see where this was heading and wisely decided, while they still had the opportunity, to participate in the means by which they could meet the challenges that were coming along from the Year 2000 and beyond.
This is not a perfect Bill, its proponents have argued that one of its merits is that it represents a delicate compromise - that's the words they use - between the views of the regulator and the requirements of private business to be able to do its work. Now, I'll accept that definition. Anybody who has taken the time to read Schedule 1 of the Bill, which essentially is the CSA Code, will see that it does offer ample opportunity for corporate lawyers and others in that line of business to keep themselves busy and to enrich their law firms if companies make the very serious error, which I hope they will avoid, of viewing this first and foremost as a legal issue, instead of looking at it first and foremost as an opportunity to improve their business.
And if the public servants will allow me a few moments to address a few remarks to those people of you here that represent the business community. What I think Bill C-6 represents - and what I think the nature of the times demand - is that business will see privacy as one of those signposts along the evolution of society which tell you that you have got to expand your thinking on the subject and develop a different state of mind with respect to the way you are approaching your work.
Bill C-6 should tell them, a little light should go on, they have got now to see that their clientele, their customers, the people with whom they do business, are not just clients and customers, but in a way they are partners in the business. They are more than just an essential raw material, they are the very stuff of the business itself and what they bring to any business is information without which the business cannot function and they bring information which in a very special sense never, ever belongs to the business itself.
The final, residual ownership of that resource rests with the people who bring it, namely their own personal information. Therefore, it is something to be treasured, treated with the greatest care and respect and if it is treated that way, business will be greatly rewarded. Because believe me, before another ten years have passed and before there is another Commissioner standing up here, I'm willing to bet you right now that those businesses which are right now the most deeply respected and the most deeply patronized by the people of this country, and this continent and this world, will be those business who have shown they have understood that message, taken it aboard and revised their business practices to reflect it.
Now what is the attitude of the Privacy Commissioner of Canada. I have never seen my job as a job in which my primary function is to go around apportioning blame. The biggest enemy of privacy - that wholly inadequate word to encompass a much more pervasive and comprehensive human right. Its biggest enemy, in my time, has been ignorance. Simple ignorance.
It have found this over and over again in our dealings with the public service that when bad things happen, 90 percent of the time they have happened because people do not understand, have not fully embraced the culture of privacy, have not really reflected on what it means; issues of that kind and answers of that kind.
I have found very few examples of willful contravention or avoidance of the Privacy Act. My contacts with the public at large tell me the same thing. And indeed, why should be otherwise? Privacy is a basic human and civil right. And like most human and civil rights, people tend not to get overly excited until it affects them personally.
And privacy is one of things where nearly always the things that offend your privacy and things about which you do not know, largely because there is a bureaucratic veil or there is a commercial veil over nearly all of the practices which need to be addressed by such things as Bill C-6. But they're happening nevertheless and every poll has shown that there is a deep and pervasive uneasiness in the entire community about what is happening around them - that's ignorance. And I am sure, thanks to one provision in Bill C-6, an education mandate, that we will help to remove that ignorance. I think a more informed, transparent society will be very helpful in that respect.
What is my Office's attitude toward these things? It is, with respect to the business community, the same one we have always taken in our dealings with the federal bureaucracy, which is, as I say, not to find blame, but to find problems and if possible correct them.
Consequently, the first and most important job when Bill C-6 becomes law, is for the Office of the Privacy Commissioner to sit down with all the interested parties in the commercial world starting, of course, with federally-regulated companies and institutions such as banks and transportation, to discuss their problems, to see where we can find a suitable ground on which to operate to ensure that they understand their obligation to tell them what we think are the underlying issues here and above all, for business to educate us about their problems.
The success or the failure of the exciting, challenging opportunities offered by Bill C-6 will be measured not by the number of people who are found at fault and taken out for a public "wood-shedding", it will be found in the slow, patient, correction and adjustment of the systems to meet these new obligations and whether it's me, or somebody else coming along in my place, so long as that attitude animates the Office of the Privacy Commissioner as the overseer or the monitor, if you like, I am sure that Bill C-6 will be a success.
Now I want to take a minute or two to assure you that if there is anybody here representing business that wants to talk to our Office, the door is wide open. We want to talk to you as much as you want to talk to us, we have to learn a whole lot about each other, the whole point of this exercise is not to impede business, not to harass business, but to help business improve itself, that's all. I know that you've heard that kind of statement from people in my kind of position before - all I can say to you is: try me.
Now there are a lot of public servants here, who are working with the Privacy Act; I have news for you too. The Privacy Act has now been in operation for fifteen years. It's not a bad piece of legislation; it served well in its time, but it is very badly frayed around the edges. Now I know that that's all you want now is to have to go through the whole lovely business of reading, absorbing and working with a whole new statute. You've already got one, Bill C-6, although that would be of less interest to you than it would be to the business people in this conference.
But the Privacy Act has shown now, particularly in the last three years, that it is badly in need of an updating. I've always seen one of the principle deficiencies of the Privacy Act is that it enjoys no paramountcy on the statute books of Canada. It is easily circumvented by creative ministries and bureaucracies and is frequently. There are even built in invasive mechanisms in it which have had the effect over the course of fifteen years of having the bureaucracy take far too much of the personal information of the information holdings over which it has custody and responsibility and moving them out beyond the ambit or purview of the Privacy Act. That situation has got to be fixed.
We believe that the Act should be amended to state that it has primacy over all other laws with respect to the collection, use and disclosure of personal information - that's what a privacy act is. It also needs an update on the definition - what is personal information? Our Act says that it's information about an identifiable individual record in any form. This doesn't any longer cover the real world. It doesn't cover activities such as real time electronic monitoring and the collection of biological samples, for example, that can infringe on individual privacy. Bill C-6 is not limited to recorded information, neither should the Privacy Act.
It is an interesting fact, now, that the government has sitting before Parliament a statute, which in some respects, imposes obligations on the private sector that it has not imposed upon itself. For example, under the Privacy Act, the only recourse to the courts that any aggrieved individual has over the limited issue of access to information. Use, disclosure and collection issues are beyond any remedy through the courts. That is not true in Bill C-6. Bill C-6 not only allows access to the courts on all those headings, but it sets up a regime where the Federal Court can, if it wishes, assess damages by way of relief. And I will think, before long, that people will see that the government is not saying "business, you've got to be better than us". That's a kind of role reversal. The government should certainly impose upon itself the very highest conceivable standard for protection and respect for human civil rights and not stand second position to the business community. That will have to be fixed.
We have done now a review of our statute. It's just in its final stages and will very shortly be in the hands of both officials and the general public. And we have brought forward about one hundred amendments. I'm sure you'll be cheered by that news and so will the Justice Department that has to read it. We are making one recommendation or two that touch directly on the rights of federal public servants. Although we have tried through one or two court cases to get a better definition, but there is still ambiguity. For example, should the performance appraisals of public servants be publicly available? The logic for such arguments - and they are being made by many access advocates (and I am an access advocate, but I don't make that argument) - the logic is based on the public's right to know and the need for transparency and accountability in government.
We think that information about public servants should be treated as a "permitted disclosure", that is to say, that it would require, before any department could release that kind of information, disclose it, it would give you the right upon notice, the right to challenge such disclosures. If the Access to Information Act, for example, allows a company to challenge the proposed disclosure of information about their operations and they do get a prior notice of such intended disclosure, should not, after all, the same right not pertain to employees of the federal government? I think it should.
Finally, I want to touch upon the issue of data matching, which is a real bone in the throat of the Office of the Privacy Commissioner. The policy directive governing data matching in the Government of Canada has been in place since 1989. It is only a Treasury Board Guideline and these rules do not have the force of law.
I suspect, and I have good grounds for holding such a suspicion, that far more data matching is taking place than is being reported to my Office. And for any of you that have anything to do with it, please remember the Treasury Board Guideline requires that any proposed data match be brought to the Privacy Commissioner for review. We can't stop it, but you are required to bring it to us to ask what we think about it.
I think maybe one of those reasons may be that there is a lack of clarity about the definition of data matching that is contained in the Treasury Board Directive. Data matching raises very significant privacy concerns. Most notably, it challenges, almost every time, one of the fundamental principles of good privacy observance - that information should only be used for the purpose for which is was originally collected. One of our recommendations is that the Act contain a much clearer definition of data matching along with rules to assess future data matching initiatives.
The privacy implications of data matching are abundantly evident in what we in the Office call the "E-311 case". Some of you may be familiar with this issue. Canada Customs was disclosing to Human Resources data from the declaration form E-311 that Canadian fill out when they return to Canada from travelling abroad. They were giving that information to HRDC so that HRDC could police its employment insurance program to see who was out of the country while still claiming benefits.
The Federal Court has now overturned a lower court ruling that this disclosure was not authorized by law. We understand that HRDC's motive, we think, that the breadth of the data matching is out of proportion to the problem, I am nevertheless concerned that the Federal Court's decision will now open the door to wholesale data matching fishing expeditions, because that is all that was every involved with E-311 was going through the files of hundreds of thousands of totally innocent people who, as responsible citizens, had given up their own personal "geo-positioning" data - if you want to put it that way - their mobility data to the Government of Canada for the clear, understood purpose of the enforcement for the tariff and duty laws to find snoops from HRDC rambling through all these files to see whether there were some HRDC people in there, some UIC people in there. That's a fishing expedition; there's no other definition for it.
The Federal Appeal Court has now held that such fishing expeditions, in its opinion, are o.k. We can understand, and I don't further have to elaborate my own opinion of that decision - regret would be a most modest and restrained word I could think of. As a consequence, of course, we are seeking leave now to appeal this to the Supreme Court of Canada. But in any case, whatever the final judicial disposition of this case may be, it clearly reveals very serious weaknesses in the Privacy Act and they've got to be fixed and we now have a number of amendments just about ready to go to the Justice Department seeking those cures.
O.k., that's the end of my harangue this morning, I just wanted to bring you up to date on a few of these issues, to wish you well, to complement you once again on the obvious interest that so many of you are taking - we've got a full house here - you are out there doing one of the most important jobs that anybody could ever have the privilege of doing in this country. You are out there in defense of the rights of your fellow citizens. Good luck to all of you. Thanks.
- Date modified: