Privacy Law and Policy Reporter
On 1 January 2001, Bill C-6, the Personal Information Protection and Electronic Documents Act (PIPEDA) comes into force in Canada. With this legislation, Canada has taken a significant step towards providing a more complete set of privacy rights for its citizens. This law fills in some very important gaps in the existing patchwork of federal and provincial statutes that have been passed over the last 30 years or so. Australian observers may see many interesting parallels with their own experience of trying to develop privacy legislation for the private sector.
It is important for overseas observers to understand that Canada’s federal Constitution, which devolves some very important powers on the provinces and territories, influences any public policy initiative, including privacy protection. This new law, therefore, does not and cannot regulate the entire Canadian private sector. On 1 January 2001 only the following businesses will be obliged to comply: banks, telecommunications and broadcasting companies, airlines and transportation companies, as well as any company that sells personal information across provincial or international borders. After three years, the law will apply to all commercial activities by the private sector, including companies under provincial or territorial jurisdiction, unless they are covered by ‘substantially similar’ provincial or territorial law; the Federal Government has already declared the 1993 private sector legislation in Quebec as meeting this standard. So if the provinces and territories fail to pass ‘substantially similar’ legislation in the next three years, PIPEDA will apply by default to the retail sector, the manufacturing sector, some financial institutions, video rental outlets, and indeed to most businesses that have face to face relations with consumers. Thus the provincial governments are now deciding whether they want to pass their own statutes, or do nothing and surrender an important constitutional power to the federal government, a decision that would possibly have implications for federal/provincial relations beyond that of privacy.
PIPEDA does not apply to areas under exclusive provincial jurisdiction, such as provincial governments, municipalities, universities, schools and hospitals — most of which are already covered by public sector legislation — nor to any government institution to which the federal Privacy Act applies. It is also important to note that the legislation will not cover employee records held by the provincially regulated private sector; so the consumer mailing lists of a big retail chain will be covered, but the information it holds on employees will not.
I do not expect overseas observers to understand these complexities; most Canadian experts are still quite confused. But much of this confusion is not the fault of the Government. It results from the need to apply the Canadian federal Constitution to the regulation of a resource (personal information) that does not know the difference between Ontario and Quebec, nor for that matter between Canada and the United States. The passage of this law has, therefore, been accompanied by some strident exhortations on the part of privacy advocates and officials for the private sector to ignore the tricky jurisdictional questions and just ‘get with the program’ — that is, comply with PIPEDA now.
‘Getting with the program’ means, in essence, adopting the 10 principles that form the basis of the Model Code for the Protection of Personal Information by the Canadian Standards Association (CSA). This standard was passed back in 1996 with widespread support from many stakeholders within the private sector. That level of broad support then convinced the Federal Government to base PIPEDA on this existing consensus. The standard is then reproduced in Sch 1 of the law, and the most important provision of the entire legislation states that ‘subject to Sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1’.
Sections 6-9 attempt to clarify and reinforce the language of the CSA standard, some of which was left somewhat vague. For example, Principle 3 of the standard states that ‘the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate’. Section 7 of the legislation tries to define the circumstances under which collection without consent would be appropriate: where the collection is clearly in the interests of the individual; where it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a contravention of a law of Canada; where the collection is solely for journalistic, artistic or literary purposes; or where the information is publicly available and is specified by the regulations. This is an exhaustive set of exceptions. By inference, every other form of collection would require both the knowledge and consent of the individual. A similar set of requirements is provided for both the use and disclosure of information without consent. Principle 9 of the standard, on individual access and correction, is also given greater precision by s 8 of the legislation. Therefore, anyone who wants to understand the full requirements of this legislation needs to comprehend the obligations inherent in both the standard and the law.
Oversight of the legislation is given to the federal Office of the Privacy Commissioner, the agency established in the late 1970s to oversee the Federal Privacy Act. PIPEDA, like the Privacy Act, is based on a complaints driven, or ombudsman, model. The Privacy Commissioner is therefore given extensive powers to investigate complaints, call witnesses, compel evidence and inspect business premises. He is also empowered to audit an organisation’s practices on ‘reasonable grounds’ and make recommendations. He has the power to make his findings public if he believes it would promote the public interest (arguably a significant threat for a private business). He is also able to undertake public education and awareness programs. But he has no binding powers. He must apply to the federal court for enforcement, which can impose penalties and award punitive damages, with no upward limit.
This legislation relies very much on processes of mediation and conciliation. In his initial comments on Bill C-6, the current Commissioner, Bruce Phillips, has been very careful to stress that neither he nor his staff wanted powers of enforcement:
The 15 years of experience that my office has had with an ombuds role for complaint investigation has shown that heavy-fisted enforcement is not necessary to secure the privacy rights of Canadians. Rather than emphasising confrontation, the ombuds role emphasizes resolving complaints. Perhaps ultimately more important, it emphasizes correcting the underlying problems that lead to those complaints.
PIPEDA, therefore, has been long in the making. In retrospect, one can discern a clear national strategy for privacy protection that goes back to the mid-1980s: an encouragement of self-regulation based on the OECD Guidelines; a harmonisation and updating of those codes through the Canadian Standards Association, and an embodiment of the result (the 1996 Model Code for the Protection of Personal Information) in federal law. Employing a bottom-up approach to the privacy problem, this law builds upon the existing attempts to encourage self-regulation. This process has, however, produced some distinctive legacies which in turn will pose some future challenges for implementation.
First, basing the legislation on the standard has produced what some consider a quite cumbersome statute. The drafters have tried to clarify the words of the standard, but there are still many grey areas. Moreover, the major trade associations such as the Canadian Bankers Association, the Canadian Direct Marketing Association and the Insurance Bureau of Canada have already adopted codes of practice based on the standard. There will undoubtedly be a temptation for member companies to argue that they are in compliance with the sectoral code, which is in turn based on the CSA standard, which in turn forms the basis of the legislation. The prior efforts at self-regulation have certainly forced the more responsible companies in Canada to pursue higher standards of privacy protection. But there will undoubtedly be discrepancies between the law and those earlier codes. The Privacy Commissioner and his staff will need to be very vigilant of attempts by associations and companies to use compliance with the standard as leverage with consumers and regulators.
A second issue has arisen with regard to personal health information. The passage of PIPEDA was characterised by a highly politicised conflict over the application of the law to health institutions and health information. Overseas observers might find this dispute very strange, given the general agreement in Canada and elsewhere that health information can be extraordinarily sensitive and therefore deserving of very high standards of protection. The lobbying by health care stakeholders focused on an attempt to provide an exemption for health information on the grounds that health care is a provincial responsibility. Moreover, it was pointed out that the CSA standard was negotiated with little input from the health care community, and with the general expectation that the standard was really more applicable to consumer information than health information. This lobbying produced a highly politicised dispute in the Senate, characterised by unnecessary and exaggerated rhetoric from all sides, and disputes over the interpretation of competing legal opinions. In the end, the Senate amended the House version of the bill to give the health sector a further year to comply with the legislation. The Industry Minister reluctantly accepted this amendment for fear that a further debate in the House of Commons would exhaust available parliamentary time. But this dispute about health information has left some bitter feelings.
A third legacy stems from the Government’s explicit attempt to link privacy protection to its more general effort to promote electronic commerce. On passage of the Bill, Industry Minister Manley claimed that ‘the new law provides the privacy protection that is the foundation of electronic commerce, moving Canada to the forefront of the digital economy ... It will help build trust in electronic commerce with its assurance of protection for personal information in digital form.’ There is no doubt that private sector privacy protection would not have reached the federal agenda without the advent of the internet and associated information transactions. The unintended consequence of this strategy, however, is that many people (including some in the media) have received the impression that PIPEDA is solely an internet related law. In fact, it makes no distinctions on the basis of the technology with which personal information is collected, stored and disclosed. Some critics have also adopted the position that PIPEDA is not really a privacy protection law at all, but merely a ‘data protection’ strategy designed to support and legitimate existing business practices. This view has motivated one Canadian senator to introduce a ‘Privacy Rights Charter’ which would, in her opinion, emphasise the importance of privacy as a human right and serve as an overarching framework for other legislation, including PIPEDA.
Finally, there is a lingering possibility of a constitutional challenge to PIPEDA in the courts. Whether this occurs will likely have more to do with larger issues in Canadian politics than privacy. But some provinces do resent the attempt by the federal government to force their hand on this issue. Some constitutional experts have testified that this law is unprecedented in setting a time limit within which provincial governments would be expected to pass similar legislation. As a strategy to build a more complete set of privacy rights in Canada, however, the law is having its desired effect, as there have already been consultation exercises in some provinces, including British Columbia and New Brunswick.
When the Canadian Justice Minister announced at the 1997 Annual Meeting of the Privacy Commissioners in Ottawa that the Government would have a private sector privacy law in place by the year 2000, many, including myself, were sceptical that they would meet that deadline. But the Federal Government, and Industry Canada in particular, has worked very hard to pass this legislation. It would have been nice to have been able to construct a Canadian privacy statute without having regard to federalism, and without having to worry about existing regulatory and self-regulatory mechanisms. But there is never a blank slate. Given the existing landscape, the Government has perhaps done as well as might be expected. They have created a quite distinctive law, which has much of the same content as data protection statutes in Europe, but which is embedded within the Canadian administrative culture and privacy tradition.
But PIPEDA is very much a beginning rather than a conclusion. Responsibility now lies with the provinces to pass their own laws, with the Federal Privacy Commissioner to educate, mediate and investigate, and with the private sector to ‘get with the program’.
Colin Bennett, Department of Political Science, University of Victoria, Canada.