Setting the “Bar” on Privacy Protection
Remarks for the Canadian Bar Association (CBA) Canadian Legal Conference and Expo
Quebec City, Quebec
August 17, 2008
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Less than a month ago, the Supreme Court of Canada came out with a decision in which the CBA and my Office were on opposite sides. In an important decision on solicitor-client privilege, speaking of lawyers’ role, the Honourable Mr. Justice Binnie said: “It is in the public interest that this free flow of legal advice be encouraged. Without it, access to justice and the quality of justice in this country would be severely compromised.”
We all work in different areas of law, but I think it’s fair to say that privacy considerations affect the daily work of every one of us to a varying degree.
This morning I will try to resume the radical transformation of the privacy landscape and what this means for our legal profession. I will refer to technological advances and the new online world, the blurring lines between specialists in private and public sector law, the application of PIPEDA to Canadian organizations, as well as to global privacy concerns. I will conclude with the CBA’s role in shaping privacy definitions.
A Changed Landscape
Technological advances make it cheaper and faster to collect, create, share, process and store information. Virtually every industry has become an avid personal information collector. Data is transmitted around the world for processing at a very low cost. The result: a torrent of personal information swirling around the globe.
Governments are also harnessing the power of new technologies – sometimes in privacy-invasive ways.
These trends have direct implications for us as lawyers and new privacy issues are changing our profession.
Law Offices and Privacy
Not the least of these changes is how private sector privacy legislation has had an impact on the personal information handling practices of law firms. PIPEDA applies to law firms as commercial activities and both I and Alberta Commissioner Frank Work have issued findings on complaints about the way law firms use personal information.
For example, I have found that the old practice of verifying the solvency of potential defendants by doing credit checks on them without their consent is contrary to PIPEDA and must cease.
In Alberta, Commissioner Work ruled that even though law firms may act as agents for clients, they are responsible for applying privacy legislations.
For example, the web publication of a document with the names, addresses and SIN numbers of a client firm’s employees is a clear violation of such legislation.
Law firms, as custodians of large amounts of personal information, are now also subject to the full range of personal information management obligations under PIPEDA, or substantially similar legislation, including having clear privacy policies in place, taking reasonable safeguards to protect personal data and responding to access requests.
Personal Information Online
As lawyers, our ware is our reputation. You used to be able to – for the most part – control information about yourself in speeches you delivered, arguments you pleaded, articles you published, and information you provided to directories. These were the authoritative sources of information about you.
Enter the new online world where users now generate, and essentially control, much of the information that is disseminated about you – for example, rate-your-lawyer sites have now emerged, similar to rate-your-doctor sites. (Personally, I’m bracing for the rate-your-Commissioner site.)
The Internet has helped create millions of de-facto journalists – and they are not constrained by a traditional newsroom’s ethical policies and advice from in-house legal counsel.
The CBA may want to consider joining me in voicing concerns about this new trend.
The Internet also creates a new context for the inclusion of people’s names when the decisions of judicial, quasi-judicial and administrative bodies are published.
In law school, we all learned cases by individuals’ names. We often hear that the use of names is a necessary part of truth-finding and in accordance with the fundamental “open court” principle.
This is an important part of our legal system based on the historic principle that that the public must be informed about, and be able to scrutinize decision-making processes to ensure they are fair.
However, I am not convinced that the broad public needs to know the names of individuals involved or requires access to intimate personal details through decisions posted widely on the Internet.
When these cases were accessible only in specialized legal texts, or search engines accessible to legal professionals only, or copies could be picked up by making a trip to the basement records room of a court or tribunal, the concept of practical obscurity always operated in favour of privacy protection and the need-to-know principle.
The story is now different when decisions containing highly sensitive personal information are made available to anyone with an Internet connection. I don’t believe we would take away from the educational value of these decisions by replacing names with initials, for example.
We will be discussing our findings in several investigations or complaints about personal details being posted in federal tribunal decisions in our next Privacy Act annual report this fall. I hope you’ll agree we’ve struck the right balance between the fundamental importance of the open court principle and the fundamental right to privacy.
Blurring Traditional Areas of Practice
Evolving privacy issues are also blurring our long-standing notions of legal specialties such as public versus private sector law.
Since 9-11, many of your business clients have become quasi-agents of the state.
Airlines turn over passenger information to the government. Fertilizer sellers keep records about the people who buy their products. Anti-money laundering and terrorist financing legislation requires banks, jewellers, real estate agents, stock brokers, and casino employees to tell government about clients involved in transactions they deem to be suspicious.
The CBA has been – and must continue to be – very active in its efforts to reconcile solicitor-client privilege and our society’s attempt to minimize the effect of the underground economy.
Just as we’ve seen a blurring of the dividing line between specialists in private and public sector law, lawyers whose work touches on privacy issues can no longer define themselves as practicing in a given jurisdiction, or as an expert in the law of a given province.
The new reality is that you do your client a disservice if you do not explain the global reality of regulation and data flow as well.
Increasingly, my Office is working with our provincial counterparts to coordinate regulation. As the federal and provincial governments review their private sector privacy laws, I think you will begin to see an even greater harmonization in approaches.
It is clear to me that privacy protection cannot be done on a country-by-country basis – international data flows are too great; technologies are evolving too rapidly and jurisdictional challenges are too daunting.
I am not arguing that we need a single, global standard on privacy. Societies have different approaches to privacy. What we should be striving for as a wired, global community is a basic level of privacy protection around the world and coordinated approaches to regulatory enforcement.
How is my Office trying to bring this about?
My Office recently intervened at the Appellate level in support of the Federal Trade Commission’s enforcement actions against a U.S.-based information broker operating online with respect to its advertising and selling of Canadian consumer telephone records.
I reminded Google last summer that it would need to live up to Canadian privacy laws if it went ahead with plans to roll out Google Street View in Canadian cities. In response it has agreed to obscure faces and licence plate numbers in Canada. I understand it is now doing the same in Europe and the U.S. as well.
The CBA’s Role in Shaping Privacy Protection
Lawyers seek comfort in the certainty of law and regulation – this enables them to advise clients with a certain degree of confidence what they can and cannot do. As anyone advising clients on issues of privacy law knows, legislation is quickly being outpaced by the rapid development and explosion of information technology.
While times are changing, many privacy laws have not.
The federal Privacy Act is now 25 years old and has never been substantially updated.
There is a clear need for more practical guidance for lawyers through complementary mechanisms such as guidelines and interpretation bulletins on Canadian privacy laws.
I invite you to visit our kiosk throughout the course of this great conference, where you can pick up some of the materials we’ve developed, including a book offering lessons learned from the first seven years of PIPEDA, as well as a new PIPEDA interpretation bulletin. There is also information about a Legal Essay competition we have just launched. And you will get a chance to take a look at the new Legal Corner on our web site, which we unveiled on Friday.
I want to thank the Canadian Bar Association for your active input into PIPEDA review and also for your strong support for Privacy Act reform. The CBA is a powerful, credible organization. When you speak, politicians and government officials listen. By setting “the bar” for privacy protection, you can also encourage clients to follow suit.
I encourage you to continue to take a very active role in law reform. There are many privacy issues where your input is also critical – identity theft, anti-spam and copyright legislation, for example.
Privacy is an ever more complex issue which touches us all – as lawyers, as individuals – in so many different ways. As lawyers, we are well placed, through the CBA – to play a decisive role in defining the privacy rights Canadians will have, or not, in the future.