Privacy Law and Policy Reporter
Canadian privacy protection policy, like that in Australia, is incoherent and incomplete. Legislation embodying the standard set of ‘fair information principles’ applies to public agencies at the federal level and in most provinces. With the exception of Quebec, which passed a data protection Act based on the European model in 1993, privacy protection in the private sector has been largely dependent on the implementation of a set of voluntary codes of practice developed according to the framework of the 1981 OECD Guidelines. A number of political, international, technological and legislative developments have now convinced federal policy makers that this incoherent policy cannot be allowed to continue.
The passage of the European Union’s Data Protection Directive will mean that no jurisdiction in Canada (save Quebec) can plausibly claim an ‘adequate level of protection’ and therefore safely process personal data transmitted from EU countries.
The passage of the Quebec legislation has created an ‘unlevel playing field’ within the Canadian federation, creating uncertainties and transaction costs for businesses that operate in different provinces.
The publication of a series of public opinion surveys has demonstrated that the general public regards privacy protection as a matter of major concern.
The commercialisation and privatisation of governmental functions have undermined the implementation of public sector data protection law and the ability of Canada’s privacy commissioners to ensure the protection of personal data when it is transferred to a private contractor.
The debates over the development and character of the Canadian ‘information highway’ have exposed the need for a common set of ‘rules of the road’ for the networked and distributed computing and communications environment of the 21st century and demonstrated that people need to be assured that their privacy will be protected within an electronic commerce environment.
Policy development for privacy protection has occurred within three interrelated arenas: within the Advisory Council for the Information Highway, operating under the auspices of Industry Canada; within the Uniform Law Conference of Canada organised through the Department of Justice; and initially within the Canadian Standards Association (CSA), Canada’s major standards development and certification organisation.
The motivations for the development of the first comprehensive privacy standard have been shifting and variable. In 1992, representatives of the major trade associations joined with key government officials and consumer representatives ostensibly to harmonise the codes of practice that had already been developed according to the 1981 OECD Guidelines. Later that year, it was decided to formalise the process by using the more institutionalised process of standard development under the CSA, which then acted as facilitator and secretariat. The major participants contributed financial support to the process.
For the government participants, the CSA offered a useful arena for consensus-building and a way to by-pass potentially controversial constitutional conflicts between the federal government and the provinces. In time, the process also offered a potential way to forge an accommodation that might form the basis for a legislative framework. For consumer representatives, the CSA process offered a potential improvement on the existing voluntary codes because of the potential to certify business practices to a common standard. For business (and especially representatives from the banking, insurance, direct-marketing, telecommunications, credit-reporting and cable sectors), the process offered an opportunity to develop a common and Canadian-made yardstick for the development of codes, a way to harmonise rules across provinces and sectors, but also of course a way to avoid regulation.
The negotiation proceeded through a CSA Technical Committee, which finally comprised around 40 different representatives from government, industry and consumer groups. Initial drafting of the code was delegated to a smaller Drafting Committee, which from 1993 to 1995 worked diligently to update and revise the OECD Guidelines with reference to the Quebec legislation and the emerging EU Directive. An Implementation Committee also studied issues concerning oversight, enforcement, communication and especially the development of a certification process, and commissioned a research report on the various implementation options.
The process was not without conflict and the occasional threat to walk from the table. Nevertheless, the overwhelming imperative to make the process succeed produced steady, if halting, progress. The Model Code for the Protection of Personal Information was finally passed by the Technical Committee without dissent on 20 September 1995, was subsequently approved as a ‘National Standard of Canada’ by the Standards Council of Canada, and was published in March 1996.
Although the standard uses certain prescriptive language (‘shall’ and ‘must’) it is clearly described as a voluntary instrument. Different participants have, however, different interpretations of what this means. For most private sector participants, it serves as no more than a ‘template.’ The major trade associations are in the process of ‘tailoring’ their codes of practice to the CSA model with the intention that any further oversight would take place mainly within the industry concerned. For many others, the standard has been attractive because of the potential to certify an organisation’s policies and practices and thus give a ‘good housekeeping seal of approval.’ The CSA, like its equivalents overseas, certifies companies and other organisations to a wide variety of technical standards. Within CSA, the Quality Management Institute (QMI) registers companies to the series of ‘quality assurance’ standards, principally those within the increasingly popular ISO 9000 series. There are some interesting parallels between the goals of ‘total quality management’ and the implementation of fair information principles.
The tricky task in the implementation of standards is to develop a scheme that is not so hopelessly bureaucratic and expensive that no organisation would adopt the standard, and simultaneously avoid the possibility of organisations’ making purely symbolic claims that their practices measure up. The QMI announced in September 1996 a recognition program which hopefully is sensitive to the needs of both large and small businesses. Thus, unlike under the OECD Guidelines, what it means to ‘adopt’ the CSA Model Code is clearly specified. At the very least, a business would have to develop its own privacy code consistent with the CSA model, produce a set of operational guidelines for its employees to follow and be subjected to regular and independent auditing. The CSA Model Code is potentially, therefore, a different type of instrument from the typical ‘voluntary’ code of practice. It can encourage a greater consistency of policy, higher levels of consumer awareness of privacy rights, a better yardstick for the measurement of the adoption of data protection, and an enhanced responsibility for the collection, storage and disclosure of personal data. Standards implementation is based on the very simple adage: say what you do, do what you say, and be verified by an independent agency.
If, as many claim, good privacy protection is also good business, then there should be a desire to allay consumer and client fears by adopting the standard, claiming that the standard has been adopted, and thus being subjected to audit. The CSA Model Code is potentially a more efficient way for consumers to know which businesses are privacy-friendly, although there has to be an effective publicity mechanism and an appropriate symbol or cachet of privacy-friendliness. Other more coercive inducements might also operate. A standard (unlike a code of practice) can be referenced in contract either between private enterprises or between government and a private contractor. For instance, if a private contractor processed personal data under government contract, a simple way for the government agency to ensure the adherence to the same data protection standards as apply in government would be to require the contractor to register to the CSA Model Code. The same would apply to international contracts and the transborder flow of data. European data protection agencies might also enforce Art 25 of the new EU Data Protection Directive by requiring any recipient of European data in Canada to be registered to the CSA Model Code.
Many, however, realised that the adoption of the code would still be incremental and piecemeal even though pressures can be exerted by government, international data protection authorities, and by market forces. For this reason, the federal Information Highway Advisory Council’s (IHAC) recommendations to ‘ensure privacy protection on the Information Highway’ encouraged the adoption of the model code, but also advised the federal government to:
create a level playing field for the protection of personal information on the Information Highway by developing and implementing a flexible legislative framework for both public and private sectors. Legislation would require sectors or organisations to meet the standard of the CSA Model Code, while allowing the flexibility to determine how they will refine their own codes.
This contemplates ‘framework’ or ‘shell’ legislation at the federal level; a statement of principles and obligations, leaving the functions of complaints resolution, investigation, auditing, and so on, as a matter for further analysis in cooperation with the CSA privacy committee. The Canadian Direct Marketing Association became the first industrial group to endorse legislation by supporting this proposal in their October 1995 call for national legislation based on the CSA standard.
On 23 May 1996 federal Industry Minister John Manley released the government’s response to the IHAC report in which it was concluded that ‘the right to privacy must be recognised in law, especially in an electronic world of private databases where it is all too easy to collect and exploit information about individual citizens.’ In September 1996, Justice Minister Allan Rock addressed the Annual Conference of the International Privacy and Data Protection Commissioners in Ottawa and clarified this commitment: ‘By the year 2000, we aim to have federal legislation on the books that will provide effective, enforceable protection of privacy rights in the private sector.’ The Government of Canada has reconsidered its two-tiered approach of legislation for the public sector and voluntary self-regulation for the private: ‘The protection of personal information can no longer depend on whether the data is held by a public or a private institution.’ There is no doubt that the negotiation of the consensus around the CSA standard facilitated this change in policy.
Since that time, attention has focussed on the work of the Uniform Law Conference of Canada (ULCC), a mechanism designed to foster federal/provincial cooperation. The federal government is only responsible for regulating the financial, telecommunications and transportation sectors. All else, including insurance, consumer credit and retail, is strictly the responsibility of Canada’s provincial and territorial governments. The ULCC tries then to negotiate a model uniform statute with provincial, and other stakeholder, input. As of November 1997, we are currently awaiting a new draft of the model law from the Department of Justice, as well as a discussion document from the Department of Industry.
There will be much in the foregoing story that is familiar to those who have been watching the Australian privacy scene. Both countries have patchwork protection. The patchworks are different, but they have similar marketplace implications in both societies. Moreover, the reasons why the issue has come to the policy agenda seem to be very similar. Clearly both countries face stiff challenges in the face of, albeit dwindling, private sector opposition. Both face the challenge to create national policy within federal systems with shared constitutional responsibilities for private sector regulation. There is much that Canadians and Australians can learn from each other. Beyond these obvious similarities, however, I would point to six differences between the Canadian and Australian privacy scenes.
First, it seems that while Canada has a pledge of legislation but little happening, Australia has the reneging of a pledge and a good deal happening. It appears that the decision of the Commonwealth government to go back on the promise originally made by the Attorney-General in 1996 has focused attention on the issue, galvanised privacy advocates, motivated a sense of urgency and perhaps put the private sector on the defensive to demonstrate that self-regulation can indeed work. In Canada, the 1996 pledge has been greeted with a deathly silence. It was barely reported in the media. But for the efforts of key officials in Industry and Justice, private sector data protection could easily move from the radar screen.
Secondly, there is far more activity at the state level in Australia than at the provincial level in Canada (with the obvious exception of Quebec). The NSW Privacy Committee has helped keep the issue alive in that state. The recent pledge of the Victorian government to pass legislation regardless of the Commonwealth government’s inaction, and the efforts by the Privacy Commissioner to negotiate a National Privacy Scheme, are developments that would be inconceivable in any Canadian English-speaking province at the moment, where the issue has been barely debated.
A third difference concerns the presence of an identifiable ‘privacy lobby’ in Australia. Despite the small and disparate numbers, the Australia Card experience did galvanise a group of privacy advocates and cement in public and political consciousness the idea that there is a privacy lobby in Australia. No such event has ever consolidated the divergent group of academics, advocates, experts and officials into a recognisable Canadian privacy lobby.
Fourthly, Australian advocates and reformers are operating with more of a ‘blank sheet’ than we are in Canada. Several policy instruments currently appear on the Canadian landscape: the CSA code (the National Standard of Canada); the Federal Privacy Act; provincial privacy and information acts; Quebec’s Bill 68; provincial consumer credit laws; and a range of sectoral codes of practice. Each of these instruments has pushed the ‘level of protection’ in Canada probably beyond that in Australia. But each also creates a set of vested institutional interests. Any new legislation has to be reconciled with these instruments and with the agencies that implement them. This challenge poses a considerable hurdle, and one which partially explains the lack of action over the last year or so. The complexities of the regulatory challenge, obvious for some time to privacy experts, are now sinking into the minds of politicians and officials.
Finally, there is the abiding reality of Quebec separatism. But for a few thousand votes in 1995, Quebec would now be negotiating secession. The privacy issue, like so many, could be easily pushed from the political radar screen by the overwhelming and on-going constitutional problems about the relationship between Quebec and the rest of the country. The development of an ‘adequate’ privacy protection policy could be obstructed, not through opposition to privacy, but through the inherent and unique structural barriers that have impeded the construction of coherent public policy in so many areas of Canadian life.
So at the end of 1997, while it appears that Canada is ahead of Australia in terms of the amount of privacy legislation on the books and in terms of the concrete pledge for legislation, I would actually be more optimistic about the Australian prospects of achieving an ‘adequate level of protection’ in the near future. Ultimately, however, the test for both countries is not whether we have satisfied European expectations, but whether we have met Canadian and Australian ones. And those expectations can rise and decline with every new surveillance practice that is pursued by our public and private organisations.
Colin Bennett, Department of Political Science, University of Victoria, British Columbia.
This paper was presented at IBC’s 1997 Australian Privacy Summit, Sydney, 21 and 22 October 1997.