MICHAEL GEIST
Thursday, May 3, 2001
Many cyberwatchers had been projecting 2001 to be the year of privacy. The writing was on the wall -- or so it seemed. Canada's new federal privacy law was about to take effect, Australia had just passed its own statute, and many American politicians had pledged to support increased privacy protection in their campaigns during the U.S. fall election.
Four months later, the landscape has changed. Perhaps lulled by a sense that legislative privacy protection is a certainty and that the world is moving toward a common privacy approach, few seem to have noticed the growing shift in global privacy policy.
The changes are best understood by grouping privacy interests into three camps: the European Union, the United States, and the rest of the world. In our networked environment, none of the camps operates in isolation.
As we entered this year, it appeared that all three camps were moving in the same direction. The EU set the minimum standard for privacy protection with its data privacy directive. It mandates strong privacy protections for EU residents, which include a requirement that data collectors obtain consent from individuals before collecting their private information and provide notice about what they intend to do with it. It also requires that non-EU countries establish "adequate privacy protections" or face the prospect of blocked data transfers.
With an eye to the EU directive, the rest-of-the-world camp, led by countries such as Canada and Australia, enacted their own privacy legislation.
The United States, meanwhile, negotiated a privacy safe harbour agreement that provided U.S. companies with the opportunity to opt into a privacy framework and eliminate the risk of having their data transfers blocked by the EU.
While those agreements remain in place, the common direction has been thrown off course. The problems began when an EU working party on data protection released its review of the adequacy of Canada's privacy law. Canadian officials had every reason to believe that the EU would rubber stamp its approval of the legislation, declaring that it met the "adequate protection" standard.
Although the EU didn't reject the Canadian legislation, it was hardly effusive with praise. It chose instead to focus on perceived limitations, such as the delayed applicability of the law for health information until 2002 and the delayed implementation of the rules for all Canadian organizations not federally regulated until 2004.
Several weeks later, the EU working party was even more critical of the Australian effort, leaving little doubt that it thought that Australia's privacy law afforded inadequate protections. This prompted an angry response from Australia's Privacy Commissioner, and seems likely to lead to a standoff over the interpretation of the adequacy standard.
The change in administration in the United States has led to even more dramatic change. Although President George W. Bush did surprise observers last month by implementing medical privacy rules, neither the President nor Republican Congressional leaders are viewed as ardent supporters of legal privacy protections.
In March, Mr. Bush called into question the privacy safe harbour agreement, voicing displeasure at the perception that the EU is dictating privacy standards to the United States. His concern over the safe harbour agreement has been matched by general U.S. corporate indifference to the agreement, with only 39 companies thus far registering themselves as safe harbour compliant.
At the Congressional level, there is little doubt that advocacy groups on both sides of the issue are girding for bloody battles over future privacy initiatives. Foreshadowing the upcoming Congressional fight over privacy, Republican Dick Armey recently sent a memo to House Republicans urging a cautious approach to implementing new privacy legislation.
Although there has been some support for privacy legislation at the provincial and state levels -- Ontario demonstrated its commitment to comprehensive privacy protection in the recent Speech from the Throne -- these discouraging developments suggest that legislation at the national level may be in for a rough ride.
The current shift in approach comes at a particularly crucial time, since the EU is slated to increase its enforcement of the adequacy standard over the summer, and controversial U.S. financial privacy rules are scheduled to take effect at just about the same time.
While there is still the possibility of renewed national commitments to privacy protection, the potential for new barriers over data privacy protection between the world's trade leaders has also emerged as a very real threat. For those who thought the privacy battle was won, it would seem it has only just begun.
Michael Geist is a law professor at the University of Ottawa Law School and director of e-commerce law at the law firm Goodmans LLP.
mgeist@uottawa.ca
