Privacy Law and Policy Reporter
Some businesses may have thought the Canadian Government was bluffing when then Justice Minister Allan Rock announced in late 1996 that it would legislate for private sector privacy protection before the year 2000. The issue in January 1998 of a joint Industry Canada/Justice Canada discussion paper should have reminded doubters of the seriousness of the commitment. But even that paper left open the detailed form that legislation might take and may have given comfort to those who thought that a statutory recognition of self-regulatory initiatives might suffice.
But the introduction into the Canadian Federal Parliament on 1 October of a Personal Information Protection and Electronic Documents Bill (the Bill) (see http://www.parl.gc.ca/36/1/parlbus/chambus/house/bills/government/C-54/C-54_1/C-54_cover-E.html) has now put beyond doubt the government’s intentions, and its commitment to a comprehensive and effective privacy law with real teeth.
The joint sponsorship of the Bill by the two ministries reflects the Canadian Government’s recognition that privacy protection is ‘a major component of the Canadian Electronic Commerce Strategy announced [by Prime Minister Chretien in September]’ according to the news release accompanying the Bill (see http://canada.justice.gc.ca/news/index_en.html).
The statement that the Bill:
... is aimed at recreating in cyberspace the same expectations of trust, confidence and reliability that now exist in everyday commerce ...
is a useful reminder of the driving force behind privacy initiatives in many countries, including Australia, although it conveniently overlooks the fact that Canadians outside Quebec do not currently enjoy enforceable privacy protection in relation to traditional transactions with the private sector!
The information privacy part of the Bill gives statutory force to the Canadian Standards Association’s Model Code for the Protection of Personal Information (see (1995) 2 PLPR 134) which is a familiar rendition of the OECD Guidelines, covering the same ground as most modern data protection laws — collection, use and disclosure, security, quality and access and correction.
The legislation will initially apply primarily to the federally regulated private sector, including telecommunications, broadcasting, banking and inter-provincial transport, to federal Crown corporations, and even to some federal entities currently not covered by the existing public sector Privacy Act 1985. But in a surprise move, the Bill provides for application to the entire private sector after three years, unless provincial governments adopt substantially similar legislation in the meantime (Quebec is already judged to have such legislation and will therefore be exempted). This is a bolder move by the Federal Government than was suggested in the January discussion paper, which referred to constitutional difficulties and the need for a collaborative approach by all jurisdictions.
In what appears to be a direct response to the European Union’s Data Protection Directive, the law will also apply immediately to inter-provincial and international trade in personal information. For constitutional reasons, the Bill will not however apply to employee records.
The ‘threat’ of the federal legislation applying to the general private sector after three years may now prompt other provinces to bring forward their own laws. British Columbia Commissioner David Flaherty called for this in his news release welcoming the federal Bill, and the Uniform Law Conference of Canada is developing a model law based on the CSA standard for potential use by the provinces.
Using the CSA Model Code as a base is a feature of the Canadian approach which will appeal to business, since it offers the prospect of consistency and uniformity — very attractive to businesses which operate in more than one province. Industry Canada, in an email accompanying the launch of the Bill, made the point that those sectors which have already adopted the CSA Standard, such as the Canadian Bankers Association, the Canadian Direct Marketing Association, the Canadian Association of Internet Providers and the Canadian Cable Television Association, among others, will have a ‘head start’ in complying with the new law.
Whether this approach best serves the interests of consumers depends on whether the CSA Code is seen as setting adequate standards (see (1996) 3 PLPR 149). As in Australia, some advocates believe that better privacy protection will emerge from competition between jurisdictions, even if this may impose some additional short term costs on business.
Predictably, the Bill provides a range of exceptions in recognition of other public interests, including exemptions for journalistic, artistic or literary purposes; legal investigations; emergencies; and where the proposed action (with data) clearly benefits the individual concerned. While the exemptions will repay more detailed analysis, they appear at first sight to be quite limited and focused, and should not therefore be of too much concern to privacy advocates.
The Canadian Federal Privacy Commissioner — currently Bruce Phillips (see (1998) 5 PLPR 57 for Phillips’ latest views) — is given an enhanced role under the Bill, to receive and investigate complaints and attempt dispute resolution, and to develop and conduct information programs to foster public understanding. The Commissioner can also undertake audits, but only where he or she has reasonable grounds to believe that the organisation is contravening a provision of the Act. If the Commissioner’s attempts at dispute resolution fail, complainants will have to go to the Federal Court for a remedy, which can include punitive damages.
Phillips welcomed the Bill in a news release as helping reassure Canadians that they can enjoy the benefits of electronic commerce without trading away their control over their personal information. In a nice turn of phrase which is worth repeating for domestic use, the release says:
Without some rules of the road, e-shoppers could find themselves paying twice — relieved of both their money and their data by information highwaymen.
Phillips’ welcome is not unreserved, as he has yet to study the detail of the proposals, and he looks forward to discussing the Bill with Parliament during its passage.
The privacy provisions of the new law will be subject to review by a parliamentary committee five years after it has commenced.
Confirming its clear status as part of the essential infrastructure for electronic commerce, the Bill also contains provisions relating to electronic signatures. All federal agencies are given the authority to decide how requirements in existing laws can be satisfied by electronic means in place of paper. Agencies will need to develop the technical and operational capability to handle secure electronic signatures and will therefore be allowed to apply the new provisions as and when they are able to conduct business electronically. The government’s background statement provides the significant re-assurance that creating an electronic alternative does not mean doing away with more traditional methods of communication with Canadians, implying that no-one will be forced to acquire or use electronic signatures.
It will be interesting to follow the debate on the Canadian Bill over the next few months, as it is likely to cover the same ground as the debates in Australia over the Victorian and NSW Bills, and over the potential use of the Privacy Commissioner’s National Principles as common core standards.
Nigel Waters, Associate Editor.