Private Sector Law
Office of the Privacy Commissioner of Canada to Dalhousie Law Hour
March 25, 1999
Halifax, Nova Scotia
(Check Against Delivery)
In Canada, the patchwork of legal protection is no match for current information technology in the hands of efficient governments, aggressive corporations and the new hybrids which may be part federal, part provincial, commercialized government, private contractors or blends of all of the above. Which law governs? The short answer is: Who knows?
The federal privacy law, which I oversee, covers only federal government operations. Most, but not all, provinces have privacy laws governing their own administration.
But only in Quebec does the law regulate the private sector. Not only does this create anomalies; it leaves the other 23 million Canadians out in the cold. For example:
- when a Montrealer goes shopping at Eaton's, she enjoys privacy rights her cousin in Halifax doesn't have at his local Eaton's store;
- when her credit information is sent to Equifax, Canada's largest credit bureau, her information is protected by law; her Haligonian cousin's information is not;
- our Montrealer has legal privacy rights if she banks with the local caisse populaire or credit union which operates under Quebec privacy law, but none if she chooses the Bank of Montreal which, although federally chartered, is private sector and so not covered under federal privacy law.
I have no right to know what information businesses hold on me, how they got it, how they use it, whether it is accurate, with whom they share it and how they will keep it.
Corporations increasingly regard client data as a resource that they own and can mine, use and sell as they wish. This week's edition of Information Week features a cover story on exploiting your company's client information to enhance business opportunities. Nowhere is any thought given to obtaining the client's consent for what amounts to mining the client's personal information to manipulate his or her behaviour.
The more widely my information is shared, the more likely it will be used to decide what services I will be offered, what benefits I may receive and what jobs I may qualify for, all without my permission or input. Equally dangerous is that these decisions could be made based on faulty information that I have no right to correct. The legal patchwork is threadbare and drafty.
Spurred on by two factors, the government has acted. This past November, the government introduced Bill C-54 to extend privacy protection to the federally-regulated private sector.
The first factor is the European Directive and its possible impact on data transfers to countries without adequate privacy laws, of which Canada is one.
The second and, let's be frank, likely more decisive factor is the advent of electronic commerce and all the opportunities it offers.
The government has recognized that a knowledge-based economy is driving global growth and is determined to make Canada the most connected nation in the world. And it wants to create an environment that will see Canada out in front of the pack in developing electronic commerce. Fair enough, after all there are jobs and business at stake.
However, the government also understands that it has to build trust in the system: Canadians will not shop, bank and file taxes on line knowing they risk sharing their personal lives with more than 40 million people world-wide.
An ongoing survey found recently that more than 80 per cent of Canadians would refuse to provide their credit card number when buying over the Internet. The number who would not conduct transactions electronically drops below 50 per cent when they can know and control how the business would use their personal information. Even so, the advocates of e-com clearly have a lot of heavy rowing ahead of them. Bill C-54 is critical to its success. It had clause-by-clause review this week by the Commons Industry Committee.
The bill is an unusual piece of legislative drafting. It is neither simple nor elegant. But for all that, it appears to work. I will explain it briefly because, for the incipient lawyers among you, it may be a sign of new things to come.
The bill is actually in two parts. The first part binds the federally-regulated private sector to privacy law. The second part establishes a legal framework for electronic communication between government and its clients and citizens.
The packaging has struck many as curious and even led some to conclude that the privacy provisions apply only to electronic communications. That is not so. This is private sector privacy law in sheep's clothing.
Another curiosity of the bill's drafting is that the heart of the privacy part, the fair information principles, actually appears in a Schedule to the bill. That schedule is the Canadian Standards Association's Model Privacy Code (minus some elements). This may be the first time that a private sector standard has been embedded in law. It's certainly the first time in my memory.
The reasons are simple. The CSA code reflects all the basic principles in international privacy law. It was developed by business with input from consumer groups and privacy watchdogs. And it has already been implemented by some businesses.
The Code sets out all the principles, establishing legitimate collection, use and disclosure of personal information while ensuring individual access. However, the language of the Code is a series of shoulds. Bill C-54 takes that Code and turns many of the shoulds into shalls. It's a novel approach and one that probably begs judicial interpretation.
But, let's begin at the beginning. This act gives individuals, that is, natural, not legal, persons, enforceable rights in their personal information. It protects their information whether recorded or not, and in whatever form it is recorded. This broad definition encompasses everything from paper, microfiche and videotape to audiotape, CDs and any machine-readable record.
And, since it is not confined to recorded information, it also allows individuals to challenge a business collecting information by surveillance devices. An example could be a camera operating in an employee change room that is monitored by someone but does not tape. This unrecorded feature is an important advance over present privacy law and one I would like to see added to the federal Privacy Act.
The law applies, as soon as it is passed, to any federal work, undertaking or business. For those of you unused to the intricacies of federal-provincial jurisdiction, that includes interprovincial transportation like Air Canada, Via Rail, the Port aux Basques/North Sydney ferry, and presumably the little Quyon ferry that crosses the Ottawa River 80 km north of Ottawa. It includes chartered banks like the Bank of Nova Scotia and radio stations like CHNS and CIOO. And it covers works that Parliament considers for the general advantage of Canada or two or more provinces.
Of these sectors, the most important will undoubtedly be the banks. Banks hold masses of personal information on their clients. They are leaders in applying sophisticated information technology to their business. And they are rapidly expanding into other lines of business. One of these is life insurance which frequently collects sensitive medical information for risk assessment. And whether fair or not, Canadians seem to be eternally suspicious of their banks. Of course, banks already operate under some secrecy obligations.
The bill will also apply to trade in personal information across interprovincial and international boundaries. This power is available to the federal government under the trade and commerce provisions of the British North America Act.
The bill does not cover information individuals collect for personal or domestic purposes. Nor does it cover information collected, used or disclosed for journalistic, artistic or literary purposes.
As it stands, the bill moves us a significant step towards patching the holes in our national privacy protection scheme. But in three years time, it will take us the whole nine yards. Business in any province that has not passed equivalent laws will be made subject to the federal law.
Whether provincial governments choose to enact their own laws, or simply let the time elapse, the effect will be national consistency and no internal data havens. The bill will also bring us into line with international data protection standards. I realize that this may seem a nice thing to do but not really essential. Believe me, it is essential. The trade in information rather than widgets is booming. European data commissioners can block, and have blocked, information transfers from their countries to others that do not have adequate protection. At the moment, Canada is one, and the United States is another.
So, if we want to play in this international trade game, as I assume we do, then we have to play by the international trade rules.
I do not propose to go through the body of the bill in excruciating detail but I do want to highlight those ten principles which are the heart of the law.
- Accountability, organizations are responsible for personal information under their control and must designate someone to be accountable for their compliance;
- Identifying purpose, organizations must tell clients why they are collecting personal information and how it will be used. Each new use requires the individual's consent;
- Consent, individuals must know of and consent before the organization collects, uses and discloses their personal information except under limited circumstances. Those exceptions include collection to investigate fraud, disclosure to comply with a warrant or subpoena, or use for scholarly research;
- Limiting collection, the organization must limit collection to the information necessary to achieve its purpose;
- Limiting use, disclosure and retention, organizations must use and disclose the information only for those purposes for which it obtained consent. New uses and disclosures require a new consent. Information should be kept only as long as needed to achieve the original purpose;
- Accuracy, the information must be as accurate, up-to-date and complete as is necessary to achieve the original purpose;
- Safeguards, organizations must protect the information against loss, theft, unauthorized disclosure, copying, use or modification;
- Openness, organizations must inform clients about what personal information they hold, how they use it, with whom they share it, and explain how a person can get access to personal information;
- Individual access, on request, organizations must tell individuals what information exists, how it is used and disclosed, and provide access. (There are some exceptions, solicitor client privilege, confidential commercial information.) The individual can challenge the accuracy and completeness of the information;
- Challenging compliance, individuals can also challenge an organization's compliance with these principles both through an internal complaints procedure, and ultimately to the Privacy Commissioner.
One of the weaknesses of the CSA code, which has been available to the private sector for two (?) years, was its lack of any independent oversight. If you had a problem, you could only complain to the company. Consumers could be forgiven for being sceptical.
Bill C-54 has taken care of that by making Part I, the privacy part, subject to the Privacy Commissioner's oversight. Individuals can complain to me about everything from being denied access to their own information, to a company's collection, use and disclosure of personal information.
An important power for the Commissioner is the ability to lodge his own complaint. This means the Commissioner is not forced to pace on the sidelines and watch an egregious practice while waiting for someone to complain.
The Commissioner has broad investigative powers to enter premises, gather evidence and interview witnesses just as he does under the present Privacy Act. And, like the present act, it is an offence to obstruct the Commissioner. But, balanced against these substantial investigative powers is the Commissioner's status as an ombudsman.
Ombudsmen do not have order making power, and from that flows their strength and efficacy. The bill specifically provides for the Commissioner to resolve complaints by mediation and conciliation. This is the currency of an ombudsman's office. With all due respect to the lawyers, and lawyers-to-be, among you, the vast majority of disputes between reasonable people can be resolved without recourse to the Courts.
But what about unreasonable people? The bill allows the Commissioner to refuse to investigate complaints that are trivial, vexatious or made in bad faith. It also provides for a review by the Court when all the Commissioner's efforts at resolution have failed. Court review is a last resort to an ombudsman, one the Office has sought fewer than 10 times in 16 years. Of course, complainants can also go to Court even when the Commissioner has failed to support their case.
The bill also gives the Commissioner the power to audit an organization's personal information management practices and to publish information about them if the Commissioner considers that would be in the public interest. As well, and it's a vital advance over the present federal law, the Commissioner is mandated to conduct public education.
In my view, the number one privacy problem in this country is ignorance. Given the mandate and the money, the Privacy Commissioner can help Canadians understand why this value is important, how it is under siege, what are their rights, and, not incidentally, what are their responsibilities. We could all benefit by becoming our own privacy commissioners.
The last level of oversight is by the Federal Court. Court review is available for all those basic principles in the schedule that I listed earlier. For example, the Court may hear complaints about:
- Inappropriate disclosures to third parties;
- failure to identify the purpose for collection or to limit the collection to the appropriate information;
- making provision of a good or service contingent on the person supplying information beyond what would normally be necessary for the transaction;
- failure to properly protect the information or ensure its accuracy, currency and completeness for the purpose;
- failure to advise clients about the company's information management practices;
- failure to provide clients information they have requested;
- failure to obtain consent for collecting, using or disclosing personal information, and
- collecting, using or disclosing personal information improperly.
The Court may order an organization to provide information it has denied, to correct its information management practices and publish a notice of its actions, and to pay damages to a complainant.
The bill is not without its weaknesses of course. Some of these are inherent in Canada's federal system; others flow from the structure of the bill itself. For example, it is not clear whether non-profit organizations would be covered since the bill talks of those engaging in commercial activities. There is also confusion as to whether the bill applies to the professions.
I would like to close by highlighting something that is not in the bill but which is part and parcel of privacy and electronic commerce. That is encryption.
Encryption scrambles an electronic communication so that only the intended recipient can read it, so that we know who sent it, and so that we know it has not been altered in transit. Our trust in the system is fundamental to our engaging in electronic commerce. Also critical to Canadians' participation will be our freedom to choose and use different encryption tools. The more restrictive the government controls on those tools, and the more the encrypted communications are subject to law enforcement override, the less we will use electronic commerce.
The government now proposes a public key encryption scheme that would put everyone's private keys in the hands of a trusted third party. Law enforcement agencies could then apply to the third party to obtain your private key and read your electronic transactions.
Law and policy makers should weigh carefully the claims that access to encrypted communications is essential for law enforcement. Giving unfettered access by law enforcement agencies to the tools to read encrypted communications will both reduce the trust in the system and make all electronic communications potentially available.
Law enforcement interests must respect the privacy of Canadians, and must not abrogate or encroach on fundamental civil liberties. Broad interception and decryption capabilities may not be the most appropriate solution to the problem of criminal activities, and may violate Canada's Charter of Rights and Freedoms.
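The three guarantees named above, and what a key deposited with a trusted third party does to the first of them, can be made concrete in code. The following is an added example written for this page; it is not part of the speech, the bill, or any government key-escrow proposal, and the names Alice, Bob, Mallory, the sample message and the type and function names are this example's own. It signs a message with the sender's ECDSA key (who sent it), encrypts it under an AES-GCM key derived from static ECDH between sender and recipient (only the recipient can read it), and binds the signature into the GCM tag (not altered in transit). It then shows that anyone holding a copy of the recipient's private key, which is exactly what an escrow agent would hold, decrypts the message with the same call the recipient uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keys is one party's long-term keys (names are this example's own): an ECDSA
// key for signing, so the recipient knows who sent a message, and an ECDH key
// for key agreement, so only the intended recipient can read it.
type Keys struct {
	Sign *ecdsa.PrivateKey
	Enc  *ecdh.PrivateKey
}

func GenerateKeys() (*Keys, error) {
	s, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	e, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Keys{Sign: s, Enc: e}, nil
}

// Envelope is the message as it travels. The signature is bound into the
// AES-GCM tag as additional data, so altering ciphertext or signature in
// transit makes decryption fail.
type Envelope struct {
	Nonce, Ciphertext, Signature []byte
}

// aeadFor derives a 256-bit AES-GCM key from the static ECDH secret between one
// party's private key and the other's public key. Both parties, and anyone
// holding a copy of either private key, derive the same key.
func aeadFor(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs msg with the sender's key, then encrypts it for the recipient.
func Seal(sender *Keys, recipient *ecdh.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, sender.Sign, digest[:])
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(sender.Enc, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, sig), Signature: sig}, nil
}

// Open is what the recipient runs: decrypt, then verify the sender's signature.
// Whoever holds the recipient's ECDH private key, including a third party it
// was escrowed with, can run exactly the same steps.
func Open(recipient *ecdh.PrivateKey, senderEnc *ecdh.PublicKey, senderSign *ecdsa.PublicKey, env *Envelope) ([]byte, error) {
	gcm, err := aeadFor(recipient, senderEnc)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Signature)
	if err != nil {
		return nil, errors.New("cannot decrypt: wrong key or altered in transit")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(senderSign, digest[:], env.Signature) {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return msg, nil
}

func main() {
	alice, _ := GenerateKeys()
	bob, _ := GenerateKeys()
	mallory, _ := GenerateKeys()
	env, _ := Seal(alice, bob.Enc.PublicKey(), []byte("transfer $100 to account 42")) // constructed sample
	msg, err := Open(bob.Enc, alice.Enc.PublicKey(), &alice.Sign.PublicKey, env)
	fmt.Printf("Bob:          %q err=%v\n", msg, err)
	escrowCopy := bob.Enc // the escrow agent holds a copy of Bob's private key
	msg, err = Open(escrowCopy, alice.Enc.PublicKey(), &alice.Sign.PublicKey, env)
	fmt.Printf("escrow agent: %q err=%v\n", msg, err)
	_, err = Open(mallory.Enc, alice.Enc.PublicKey(), &alice.Sign.PublicKey, env)
	fmt.Println("Mallory:", err)
	env.Ciphertext[0] ^= 1
	_, err = Open(bob.Enc, alice.Enc.PublicKey(), &alice.Sign.PublicKey, env)
	fmt.Println("tampered:", err)
}
```

Two things worth noticing. Confidentiality rests entirely on the recipient's private key, so a copy of that key held elsewhere, whatever the holder's intentions, reads every message sent to that recipient, past and future, with no further cooperation from either party. And if the signing key were escrowed as well, the holder could also produce messages that verify as the recipient's or sender's own, so "we know who sent it" would no longer hold either.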
All of these issues I have mentioned are critical to all of us in an information age. But for those of you now embarking on a legal profession they are something else. If I may be so crass, they are also a business opportunity. Information law lags seriously behind the technology, the practices and the problems. As far back as 10 years ago, a lifetime in information technology, the Supreme Court found that, in effect, stealing information was not a crime.
There are good reasons and certainly hoary precedent for the finding. But think what that means in an age when data is a product, a service, a resource, in fact the raison d'être, of much of our economy.
Information law and its practice need a serious overhaul. And individuals will need all the help they can get in the face of threats we haven't even begun to imagine. The opportunities are exciting and no doubt lucrative. They are also that rare thing, a chance to advance human interest and social good. They are there for the asking. You could do worse than seize them.