The Privacy Commissioner of Canada's approach to implementing the Act
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Speaking notes prepared for the CENTRUM Conference
December 10, 1999
Privacy Commissioner of Canada
(Check Against Delivery)
I hope that not too many of you will shudder as I make that oft-derided assurance, I'm here to help you. Yet I want to make it clear from the outset that I am not here to antagonize. I am not here to impose and I am not here to confront. I am here to help you understand and work with one of the most significant pieces of federal privacy legislation in the past 15 years. This goes for my staff as well. We are not out to make our mark by terrorizing the commercial organizations of this country. That would not serve us, it would not serve you and it would not serve the Canadians whose privacy Bill C-6 seeks to enhance.
It is to your benefit that you understand this legislation. It imposes new obligations on you and it offers new privacy protections for individuals. Some of you may object to having new obligations imposed on you. You already conduct business in a heavily regulated environment - perhaps too heavily regulated, according to your thinking. This legislation, which seeks to give Canadians greater protection of their personal information when dealing with the private sector in this country, may initially appear to add to that regulatory burden. But let me offer an anecdote from New Zealand, which has lived successfully with broadly similar legislation for several years.
Last week, one of the most experienced privacy lawyers in New Zealand came to Ottawa to discuss the impact of introducing private sector data protection legislation in New Zealand. One of the key points she emphasized was the need to help the business community become educated about such legislation. A very unexpected byproduct of this education process was an upsurge of interest by business executives themselves in asserting their rights to the protection of their own personal information held by others. What they learned about the handling of personal information by the private sector made them much more aware of the need for them as individuals to ensure that their own personal information was protected. I suggest that the same result will occur in Canada. As representatives of business, you may have some anxiety about the impact of private sector data protection legislation on your operations. But as individual citizens, many of you will welcome the enhanced privacy protection that such legislation provides.
And lest you think that these provisions are being forced on you, let me remind you that at the very heart of Bill C-6 is the Canadian Standards Association's Model Privacy Code, which the private sector helped create and over which it can claim some ownership. This bill therefore does not constitute the heavy-handed imposition on an unwilling business community of principles foreign to their thinking. Rather, perhaps more so than almost any other piece of federal legislation in recent years, it reflects the consensus of significant sectors of Canada's business community.
I would like to begin this process of helping you understand data protection legislation in Canada by explaining my functions and those of my office. I am an Officer of Parliament. That means that I do not report to or through any one Minister. Rather, my responsibility lies to Parliament.
My main responsibility at present is to supervise the application of the federal Privacy Act. That act, which came into force in 1983, regulates how federal government institutions collect, use and disclose personal information about you and me. It also provides us with a right of access to information held about us by the federal government, and a right to request correction of any erroneous information. Under the Privacy Act, I also have powers to audit federal government institutions to ensure their compliance with the act, and I am obliged to investigate complaints by individuals about breaches of the act. The federal Privacy Act and its equivalent legislation in most provinces are the expression of internationally accepted principles known as "fair information practices". Although my office has no mandate to conduct extensive research and education under the current Privacy Act, I believe that we have become a leading educator in Canada about privacy issues. We have also conducted significant and forward-looking research on the serious privacy issues that will confront us in the coming years.
Perhaps the most important thing to understand about my work is that I function as an ombudsman. I have no powers of enforcement and, although this may surprise you, I want no powers of enforcement. Neither I, nor my staff, want these powers. The great advantage of this ombuds structure lies in my ability to audit and investigate conduct of government institutions without automatically importing the adversarial atmosphere that would arise if I had specific powers of enforcement. My chief strengths in the ombuds role lie in effective research and negotiation with government institutions. As a last resort, and to be used only with clear justification, I have what I will call the power of embarrassment.
Given the concerns that Canadians express about threats to their privacy, disclosure of organizational practices that are disrespectful to their privacy may prove a very efficient means of securing compliance with the privacy principles set out in the bill. I repeat, however, that I do not intend to use publicity recklessly. I also believe that the vast majority of private sector organizations will realize the value for their customer and client relations of correcting practices that unjustifiably violate privacy, so publicity will often be unnecessary.
The 15 years of experience that my office has had with an ombuds role for complaint investigation has shown that heavy-fisted enforcement is not necessary to secure the privacy rights of Canadians. Rather than emphasizing confrontation, the ombuds role emphasizes resolving complaints. Perhaps ultimately more important, it emphasizes correcting the underlying problems that lead to those complaints. You will note, of course, that my powers under Bill C-6 are similarly restricted to those of an ombudsman. The approach that has been taken to the application of the federal Privacy Act is therefore very much the approach that will apply under Bill C-6.
Of the 20,000 complaints my office has handled since 1983, fewer than a dozen have prompted our recourse to the courts. The office is less a police department than a problem solver. Our approach has always been non-confrontational and non-adversarial - an approach that will be even more necessary in the private sector. I have no intention of arbitrarily crashing through the doors of businesses. To do so would only doom the cause of promoting respect for privacy from the start. Recourse to the courts remains, but as a last resort.
How the Complaints Process Works
Bill C-6 permits an individual to file a written complaint with me against an organization for contravening a provision dealing with the protection of personal information or for failing to follow a provision set out in the Schedule to the bill. As well, the bill permits me to initiate a complaint if I am satisfied that there are reasonable grounds to investigate a matter.
The bill requires me to conduct an investigation in respect of a complaint and gives me the power to summon witnesses, administer oaths, receive evidence, enter premises and examine documents. Except in specific circumstances outlined in the bill, I must then issue a report containing my findings and recommendations.
I have no power to issue a binding order. However, the bill permits a complainant, after receiving my report, to apply to the Federal Court, Trial Division for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in my report, and that is referred to in certain clauses of the bill or the Schedule.
The Federal Court has broad powers to grant remedies. These include ordering an organization to correct its practices to comply with the bill, ordering an organization to publish a notice of any action taken or proposed action to be taken to correct its practices, and awarding damages to the complainant, including damages for any humiliation that the complainant has suffered.
Bill C-6 is therefore not without some teeth. It is a criminal offence to obstruct the Commissioner during an investigation or audit or knowingly dispose of information that is the subject of a request by an individual. The bill also makes it a criminal offence for employers to take various retaliatory actions against employees. Employers cannot dismiss, promote, discipline or otherwise disadvantage employees who report a contravention of the bill to the Privacy Commissioner, who refuse to contravene the data protection provisions, or who have done or stated an intention to do anything to prevent a contravention of the bill's privacy provisions.
Some of these provisions may sound particularly harsh. In fact, they reflect the importance that is attached to protecting personal information. However, as my remarks to this point have shown, I do not intend to pursue the goals of this legislation through unnecessary confrontation. Nor, I believe, will my successors, if they wish to see truly effective private sector data protection.
My powers under Bill C-6 also include the right, on reasonable notice and at any reasonable time, to audit the personal information management practices of an organization. This power to audit, however, only comes into play if I have reasonable grounds to believe that the organization is contravening the privacy provisions of the bill. If I conduct an audit, I have the power to summon and enforce the appearance of any person before me. I may administer oaths, receive evidence and, at any reasonable time, enter premises other than a dwelling house on satisfying the security requirements of the organization. I may also examine or obtain copies of records found in any premises.
After conducting an audit, I must provide the audited organization with a report containing my findings and recommendations. I may also include this report in the annual report that I am obliged to make Parliament under the bill. I have no power to impose penalties for breaches of the act, nor do I want them. However, the ability to report my audit findings in my annual report to Parliament gives me the tool of publicity, a tool that I will use only if warranted.
Key decisions on privacy
Perhaps the most significant decision that has been made about privacy is philosophical. That is the decision to promote an ombuds approach to resolving privacy issues. Confrontation should be a last resort. Bill C-6 does provide me with the power to proceed to court. However, I hope to be able to use that power most sparingly. It is not my intention to impede legitimate business interests in personal information. It is simply my intention to protect personal information from excessive prying by the private sector. I need only remind you of the purpose provision in Bill C-6 relating to the part of the bill dealing with privacy issues. The purpose of that part is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In a sense, I hope to function as a surrogate for that "reasonable person". A reasonable person will not take every business to task for collecting personal information. A reasonable person will welcome the collection of personal information in some situations, since it will serve the person in his or her dealings with that business. However, a reasonable person will challenge the excessive and persistent collection of information about them, the indiscriminate or careless sharing of that information with others and the shrouding of that information-handling process in secrecy.
Why it Makes Sense for Corporations to Respect Privacy
Perhaps your initial instinct is to view privacy regulation as an impediment to your business. After all, information is often seen as the Holy Grail. The more you know about your customers and potential customers, the better it is for your business. Information helps you identify potential customers and understand their behaviour and needs. It helps you assess the effectiveness of your advertising. It helps you determine who is a credit risk. This may appear to be all to the good of your business operations.
But obtaining personal information about individuals also carries with it a significant cost. That is the cost in relations with the individuals affected. Canadians have consistently over the past decade expressed concern about intrusions into their privacy, both by governments and by the private sector. They don't want their lives to become an open book for government or for the private sector. They accept the value of some privacy intrusions; for example, many people hold credit cards that generate frequent-flier points, but at the same time they want to control the flow of information about them in other circumstances.
It is my firm belief that companies that ride roughshod over the privacy interests of individuals face far greater penalties in terms of lost customer trust than they will ever suffer as a result of the penalty provisions of Bill C-6. For what they are losing is the goodwill of their customers and their potential customers.
Let me give you an example. One market rating company has patented a facial recognition system which secretly identifies shoppers to track their buying habits. Perhaps this is an effective form of market research. But how many in this room would be anxious to reveal to their customers that such monitoring was taking place? I suspect that those customers would leave in droves.
Let me give you another example. Several chain stores admit revealing to law enforcement agencies the shopping habits of their loyal customers. The large majority of these customers, of course, are completely innocent of any crime. How many of them would be pleased to find that the store with which they are conducting business is acting as a police agent by sharing their personal information with the police. This is not the former East Germany. Neither governments nor private sector organizations should behave as if it is. We should not be reluctant to uncover behaviours, whether in the private or public sectors, that are reminiscent of secretive, authoritarian regimes. And we should not, whether Bill C-6 becomes law or not, tolerate such behaviours.
My assessment that Canadians are concerned about their privacy is buttressed by recent data. The spring of 1993 saw the release of the first major national study of public attitudes on privacy issues. The study provided hard statistical evidence that Canadians were alive to privacy issues. This survey, sponsored and financed by a consortium of private and public sector organizations (including my Office) revealed that some 52 percent of the population voiced "extreme concern" with the state of personal privacy.
An overwhelming majority said they wanted some control over the gathering of information about them; to be told in advance when it is being collected, by whom and for what purpose, and to have the right to consent to or refuse any transaction involving information about them. 72% said that being in control of who can get information about them was extremely important, and 67 % feel controlling what information was collected about them was extremely important. In short, the survey respondents wanted those rights that are the foundation of fair information practices, and that are absent from so much of today's traffic in personal data. As you well know, Bill C-6 is intended to address these very concerns.
Sixty per cent of those who responded to the 1993 survey agreed that they have less privacy in their daily lives than they did ten years ago. And 61 per cent strongly agreed that "consumers have lost all control over how personal information about them is circulated and used by companies." I hope that this sounds a warning bell for those here today. This survey provided dramatic confirmation of people's awareness and concern about the threats from technological, commercial and social changes.
The survey also revealed a very strong desire for action. Respondents were prepared to consider some creative approaches such as partnerships between government and business. However, self-regulation by business (the status quo) was the least acceptable. The strongest support was for the active involvement of government. Bill C-6 reflects the desire for the active involvement of government in protecting the privacy of Canadians.
A 1999 survey conducted by the same company will soon be made public. Although there are some surprising changes in people's attitudes towards privacy since the 1993 survey, their concern about the need to protect personal information remains high.
I urge you not to look at private sector data protection legislation as an unwarranted impediment to the conduct of business. We are well aware of how government can suffocate business initiative and innovation if it does not tread carefully. At the same time, during my almost decade long-term as Privacy Commissioner, I have witnessed the steady growth in the capacity to erode a fundamental human right - the right of privacy. All the business efficiency in the world, the untramelled freedom to conduct business as you wish, will not compensate for the disservice to our democratic society and to you as individual citizens of that society if we do not secure this right. As representatives of Canada's corporate world, you are indispensable to the process of protecting an essential democratic value. Surely there can be no better example of good corporate citizenry than to participate in that process.
- Date modified: