December 23, 2000
Report on E-business

Privacy compliance is the new priority

New act enshrines significant rules on personal-data collection that will alter the way businesses operate on the Web

MICHAEL GEIST

Only a year ago, many Canadian businesses were scrambling to ensure that their computer systems were Y2K-compliant. Now many face another new year's deadline, though one with considerably less hype. On Jan. 1, e-commerce privacy legislation -- the Personal Information Protection and Electronic Documents Act (Bill C-6) -- takes effect. It enshrines significant new rules on personal-data collection that will alter the way businesses operate on the Web.

The bill -- introduced in October, 1998, in response to growing public concern about personal privacy -- establishes a series of protections, with the heart being the Canadian Standards Association Model Code for the Protection of Personal Information. The code, the subject of intense negotiation among business, consumer groups and the government in the early and mid-1990s, is a compromise between the need to protect individual privacy and the desire of organizations to collect personal data for marketing and other commercial purposes.

With Jan. 1 fast approaching, businesses must move swiftly to ensure that they are privacy-compliant. Among the most important steps to take:

Assess whether they are subject to the new law. It will take effect in several stages and so will have an impact on some businesses quicker than on others. Federally regulated businesses, such as broadcasters, banks and airlines, face the full brunt Jan. 1. Other businesses, however, are not subject to the law until Jan. 1, 2004. Notwithstanding that three-year exemption for non-federally regulated businesses, many of those still will be affected right away because personal information that travels across provincial or national boundaries will be subject to the law immediately. This means many businesses will need to adapt their data-collection practices to meet privacy-compliance requirements.

Conduct a data-collection audit. Many businesses collect a wide range of personal information. Data collection, such as the names and addresses needed for order fulfillment, is simply a part of doing business. Other information, such as demographic or personal financial data, is frequently requested as businesses seek to find out as much as possible about their clients. The law will force businesses to obtain consent before collecting, using and/or disclosing such personal data.

Consider the law's exemptions. Several important ones place certain information outside the scope of the law. First, the law applies only to personally identifiable information. If the data cannot be traced back to a particular individual, it probably is exempt. Second, the law contains an exemption for personal information that lies in the public domain. This was recently defined to include information found in a telephone, professional or business directory, information found in a registry collected under statutory authority, a court record and information appearing in the media where an individual has provided the information. Third, the law contains a series of exemptions directed at specific professions or classifications of data. These include journalistic or artistic uses, as well as scholarly study and research.

Develop a privacy policy. The central obligation under the legislation is the need for data collectors to provide transparent privacy policies so Canadians are accurately informed about who is collecting their data, why it is being collected and how it will be used. Although organizational privacy policies are increasingly common, many businesses have yet to post theirs on-line. In fact, a recent study I conducted on nearly 300 of Canada's leading Web sites found that an astonishing 51 per cent did not post a privacy policy. Canadian businesses need to address this shortcoming by developing publicly accessible policies that accurately reflect their data-collection practices.

Appoint a privacy-policy point person. The law requires each business to appoint a person to handle all privacy-related inquiries. The rule is designed to ensure that inquiries don't get the corporate runaround. Interested parties should be able to easily identify and contact the appointed privacy person.

Review consent provisions. No aspect of the new law is more important than the rules that require businesses to obtain user consent before collecting, using or disclosing personal information. The law provides a range of permissible types of consent, including implied consent for relatively unimportant data and explicit consent for more important and more sensitive data collection. Businesses should review how they currently obtain consent to ensure the method is commensurate with the type of data being collected.

Consider data-security systems. The law not only requires consent for data collection, it also places the onus on the collector to ensure that the information is properly secured. The level of security is also tied to the sensitivity of the information, with health or financial information requiring strong protections.

Although no catastrophes are being predicted for Jan. 1, Canadian business will not be the same once the clock strikes midnight: It must act quickly to ensure that it is ready for the new legal framework.