The Evolution of Canada's Privacy Laws
Speaking notes prepared for the Canadian Bar Association - Ontario Institute 2000
January 28, 2000
Privacy Commissioner of Canada
(Check Against Delivery)
Much of the discussion about Bill C-6, the Personal Information Protection and Electronic Documents Act, has focused on practical issues relating to its implementation. I do not intend to address only the practical aspects of the bill. This may disappoint some of you, since your professional role is to offer practical advice about the legislation. However, it is equally important that you fully appreciate the value of this legislation and its place in a modern democratic society. I would therefore like to talk about some privacy fundamentals. I would also like to discuss the evolution of Canada's privacy laws - how we got to where we are today.
The modern formulation of the concept of privacy was stated by two young American jurists, Warren and Brandeis, in an 1890 article in the Harvard Law Review. Warren and Brandeis described privacy as "the right to be let alone". From that basic formulation of the right has emerged a series of refinements that encompass the right or interest in being protected from many of the unjustified intrusions that afflict modern society. The concept of privacy now encompasses a collection of interests: protection of personal information, physical privacy, freedom from surveillance, privacy of one's surroundings, and privacy of one's personality - that is, the right not to have one's personality appropriated.
Instruments at the heart of modern international law have accorded prominence to privacy. The Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention on Human Rights and the American Convention on Human Rights have all recognized privacy as one of the essential human rights.
The preamble to the Universal Declaration of Human Rights proclaims the document as a "common standard of achievement for all peoples and all nations". Article 12 explicitly states a privacy right:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
The International Covenant on Civil and Political Rights contains privacy provisions similar to those found in the Universal Declaration. The European Convention on Human Rights also speaks of the right to respect for private and family life, home and correspondence, as does the American Convention on Human Rights.
These are the explicit international statements of privacy. Privacy rights are also woven into the fabric of these international instruments as necessary elements of other rights - among them, the right to life, liberty and security of the person and the right to be free from unreasonable search or seizure. These "hidden" privacy rights have also been read into Canada's Charter of Rights.
Of course, none of these explicit or implicit privacy rights are absolute. For example, Article 8 of the European Convention prohibits interference by a public authority with the exercise of the right of privacy. However, that right may be interfered with in accordance with the law and if the interference is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, the prevention of disorder or crime, the protection of health or morals, or the protection of the rights and freedoms of others.
Among the most influential modern formulations of the desire to protect against excessively curious governments and businesses has been the OECD's 1980 Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. In 1984, Canada joined 22 other industrialized nations by adhering to the guidelines. The guidelines were intended to harmonize data protection laws and practices among OECD member countries by establishing minimum standards for handling personal data. The guidelines were not themselves enforceable, but they became the starting point for data protection legislation in countries around the world, including Canada.
The OECD Guidelines have now been superseded by national laws or, in some cases, by supranational laws such as the European Union Data Protection Directive.
How did privacy gain such prominence in these international instruments? Clearly among the most significant reasons was the history of the harms associated with a lack of privacy. The authoritarian regimes that have traumatized the world this century have all been marked by a profound lack of privacy. One of the greatest protections against the excesses - or, indeed, the emergence - of such regimes is respect for privacy.
There remain many reasons for continuing to promote respect for this fundamental human right. I would like to suggest two in particular - the ever-increasing intrusiveness of technology, and the seemingly insatiable appetite of even democratic governments and the private sector for intruding into the lives of individuals.
From my vantage point as Privacy Commissioner of Canada, I see an ever-growing thirst among government departments to obtain personal information, match it with other personal information and expand the purposes for which it is used. I also see a private sector that thrives on personal information and other forms of surveillance. Drug testing, surveillance cameras, monitoring of employee computers are only a very few among the great number of forms of such surveillance. Both these forces threaten to draw the curtains on privacy. Left unchecked, they may take the exaggeration out of The Economist's recent rumour that privacy was dead.
Canada's first response at the government level to the call for protection of personal information - or data protection, as it is frequently called in Europe - was to introduce data protection provisions into the Canadian Human Rights Act. However, in 1982, Parliament enacted purpose-specific legislation - the federal Privacy Act. The Act came into force the following year.
Many of you may be somewhat familiar with the Privacy Act and with the duties of the Privacy Commissioner of Canada. However, given the many different directions of your legal practices, I must also assume that some are not entirely conversant with the Act or my duties.
I am an Officer of Parliament. I do not report to or through any one Minister. Rather, my responsibility lies to Parliament. My main responsibility is to supervise the application of the federal Privacy Act. The Act regulates how federal government institutions collect, use and disclose personal information. It also provides individuals with a right of access to information held about them by the federal government, and a right to request correction of any erroneous information. Under the Privacy Act, I also have powers to audit federal government institutions to ensure their compliance with the Act, and I am obliged to investigate complaints by individuals about breaches of the Act. The federal Privacy Act and its equivalent legislation in most provinces are the expression of internationally accepted principles known as "fair information practices." Although my office has no mandate to conduct extensive research and education under the current Privacy Act, I believe that we have become a leading educator in Canada about privacy issues. We have also conducted significant and forward-looking research on the serious privacy issues that will confront us in the coming years.
Perhaps the most important thing to understand about my work is that I function as an ombudsman. I have no powers of enforcement and, although this may surprise you, I want no powers of enforcement. The great advantage of this ombuds structure lies in my ability to audit and investigate conduct of government institutions without automatically importing the adversarial atmosphere that would arise if I had specific powers of enforcement. My chief strengths with the ombuds role lie in effective research and negotiation with government institutions. As a last resort, and to be used only with clear justification, I have what I will call the power of embarrassment.
The 16 years of experience that my office has had with an ombuds role has shown that heavy-fisted enforcement is not necessary to secure the privacy rights of Canadians. Rather than emphasizing confrontation, the ombuds role emphasizes resolving complaints. Perhaps ultimately more important, it emphasizes correcting the underlying problems that lead to those complaints.
The federal Privacy Act and its provincial counterparts are Canada's initial response to the international consensus about the need to promote fairness in the handling of personal information generally, and not just in certain sectors, such as credit reporting and banking. These laws largely fulfil Canada's commitment to establish fair information practices for personal information handled by governments. However, until the introduction of the Personal Information Protection and Electronic Documents Act last year, Canada's response to the call for fair information practices in the private sector was woefully inadequate. To date, only Quebec has enacted comprehensive private sector data protection legislation. I am happy to say that Bill C-6 is about to remedy this deficiency.
Bill C-6 is very much about protecting the right to be let alone. It is about ensuring a fair balance between the legitimate information needs of the private sector and the essential rights of individuals in a democracy.
It is not the objective of the bill to impede business. The objective is to help create a state of mind in which business routinely considers client, customer and employee privacy rights in developing products and administrative practices. This will not happen overnight. But business depends on satisfied clients and customers. Its reputation is any company's most important asset, and no one will want to risk being singled out for wilfully flouting the rights of individuals.
Presuming it becomes law, the bill will be the most important legislative tool defending privacy since the passage of the Privacy Act in 1982.
Although not perfect - what piece of legislation ever is? - this bill represents a great leap forward. It will require business to respect a code of fair information practice requiring individual consent for the collection, use and disclosure of personal information. Equally important, it provides a mechanism for independent oversight. The Privacy Commissioner of Canada is given statutory authority to investigate complaints, issue reports and conduct audits. As a last resort, the bill provides recourse to the Federal Court and empowers the court to award damages.
You could of course look at the bill in very clinical, professional terms. You would then describe it simply as legislation regulating the processing of personal data by Canada's private sector. Or you could see it, as I urge you to see it, as legislation that seeks to enhance respect for one of the underpinnings of a democratic society - the right to control what others can learn about us. Let us not forget what is at the core of the discussion about this bill. We are speaking about human dignity, about human autonomy.
The bill provides individuals with rights with respect to their personal information. At the same time, it respects legitimate business needs to gather and use personal information. Individuals need their personal information protected, but this can be done without a heavy-handed approach that ignores legitimate business interests in personal information.
Some of you may question whether we need expanded privacy protection. After all, many laws already protect personal information - credit reporting legislation, medical records legislation and professional codes of conduct that have been incorporated into legislation. However, such protections are piecemeal and inconsistent.
The issue is not whether we need to expand privacy protection, but rather how we intend to do so. In October 1998, the European Union Data Protection Directive came into force. The EU Directive, as many of you know, was intended to facilitate transfers of personal data among EU member countries. The Directive facilitates personal data transfers by requiring member countries to offer equivalent levels of data protection. As a result, the transfer of personal data across borders should not result in lesser protection of the data.
But the EU Directive does not stop at the borders of its members. Article 25 of the Directive imposes an "adequacy" requirement for transfers of personal data from an EU member country to a third country. EU members must provide that the transfer to a third country of personal data may take place only if the third country ensures an adequate level of protection. Adequacy is to be assessed in the light of all the circumstances surrounding a data transfer operation. These include the nature of the data, the purpose and duration of the proposed processing operation, the countries of origin and final destination, the rules of law in force in the third country and the professional rules and security measures in that country. If the EU Commission finds that the third country does not ensure an adequate level of protection, EU member states must take the measures necessary to prevent any transfer of data of the same type to the third country.
Some observers initially scoffed at the notion of the European Union imposing rules on data transfers to third countries. Yet even the mighty United States is now seeking to satisfy the requirements of the EU Directive.
Unlike Canada, the U.S. has not embraced comprehensive data protection legislation governing the private sector. Instead, it prefers a sectoral approach that relies on a mix of legislation, regulation and self-regulation. It has chosen to work through the U.S. Department of Commerce and develop what it terms "International Safe Harbor Privacy Principles". These principles are intended for use by U.S. organizations receiving personal data from the European Union. The principles attempt to satisfy the adequacy requirements of Article 25 of the EU Directive. Decisions by U.S. organizations to qualify for the safe harbor are entirely voluntary. However, organizations that decide to adhere to the principles must comply with them in order to obtain and retain the benefits of the safe harbor. In other words, to secure the presumption that their treatment of personal data received from the EU will pass the "adequacy" test of the EU Directive, they must comply with the safe harbor principles. The U.S. Safe Harbor Privacy Principles remain the subject of negotiation with the EU and are therefore still evolving.
Canada has instead chosen a legislative route that combines existing sector-specific legislation and comprehensive data protection legislation. The heart of Bill C-6 is the Canadian Standards Association's Model Privacy Code. The private sector helped create this code and can claim some ownership of it. This bill therefore does not constitute the heavy-handed imposition on an unwilling business community of principles foreign to their thinking. Rather, perhaps more than almost any other piece of federal legislation in recent years, it reflects the consensus of significant sectors of Canada's business community.
Bill C-6 does provide me with the power to proceed to court. However, I hope to use that power sparingly. It is not my intention to impede legitimate business interests in personal information. It is my intention to protect personal information from excessive prying by the private sector. I need only remind you of the purpose provision in Bill C-6 relating to the part of the bill dealing with privacy issues. The purpose of that part is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In a sense, I hope to be able to function as a surrogate for that "reasonable person". A reasonable person will not take every business to task for collecting personal information. However, a reasonable person will challenge the excessive and persistent collection of information about them. A reasonable person will also challenge the indiscriminate sharing of that information with others and the shrouding of the information-handling process in secrecy.
My office intends to help, not hinder business, in applying the new legislation. It is not my goal to be confrontational. But privacy rights must be respected in the way required by the legislation. I believe that in the vast majority of cases we will be able to secure this respect without confrontation, without litigation and without rancour.
Bill C-6 is far from the end of the process of protecting privacy in this country. There remain enormous gaps in the protection of individuals from inappropriate intrusions, be they brought about by dealings with personal information or by other forms of surveillance.
Remember that data protection - the protection of personal information - forms only one part of the whole scheme of privacy protection. Advances in technology, and the thirst of governments and the private sector for other forms of surveillance, will continue to challenge those who seek to protect the basic dignity and autonomy of individuals in our society. I need only remind you of the words of Mr. Justice La Forest in R. v. Wong, citing the author of a seminal comment on the Fourth Amendment to the American Constitution:
[I]n view of the sophistication of modern eavesdropping technology we can only be sure of being free from surveillance today if we retire to our basements, cloak our windows, turn out the lights and remain absolutely quiet.
I hope that, collectively, we will demonstrate the wisdom and determination to prevent extreme measures from becoming an indispensable requirement for protecting private life in Canada.