Mon. Nov. 17, 2003. | Updated at 07:52 AM
  Today's Features
More search options
Ticker Name
H 8 / L 4 

Search the Web Google Search
Previous Story
Print Story
E-mail Story
Nov. 17, 2003. 01:00 AM
Name names, or privacy law toothless


The Canadian privacy community has long circled January 1, 2004 on its collective calendar as the privacy equivalent of Y2K.

The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's national private-sector privacy legislation, kicks into full swing on that date, following three years of limited applicability to federally regulated entities such as banks and broadcasters.

Despite a widespread campaign warning organizations to examine their data collection and disclosure practices to ensure compliance with the law, the consensus is that the majority of Canadian organizations will not be compliant come January 1.

Although some organizations may still be unaware of the law, many others may have deliberately decided to not comply, having concluded that non-compliance is a rational, albeit unfortunate, approach.

The emerging problem does not lie in the substantive provisions found in the law — PIPEDA sets out time-tested privacy principles that have been adopted around the world — but rather it lies in the way the law has been enforced.

Although PIPEDA contains penalty provisions that establish the potential for both actual and punitive damages, the most powerful weapon in a privacy commissioner's arsenal is public disclosure of non-compliant organizations.

Extensive media coverage understandably generates far more fear in the hearts of organizations than any prospective penalties or fines could cause since the harm to reputation inflicted by a front page headline detailing privacy abuses can cause damage that may take years to undo.

A review of the more than 200 findings released thus far reveals that the Federal Privacy Commissioner has been unwilling to name names. Although the cases have dealt with a wide range of critical privacy issues including the nature of consent and the appropriate standard for protecting personal information, with the exception of one case involving Aeroplan, the parties to the privacy complaints have themselves been kept private.

This approach hurts both companies that maintain good privacy practices as well as the general public.

For companies with good privacy practices, the anonymous approach cheats them of the reputational benefit associated with respecting their customers' privacy.

Similarly, the public is harmed since they lose access to valuable information that would allow them to make better-informed decisions about which organizations best respect their personal privacy.

In fact, while Canadians often point to their national privacy law as evidence of a more progressive approach to privacy than that found in the U.S., the truth is that the aggressive enforcement of the patchwork of privacy laws found in the U.S. may actually lead to better corporate privacy practices there.

A comparison of Canadian and U.S. approaches to inadvertent privacy errors is instructive. In one Canadian case, a consumer launched a complaint after his bank released the personal information of five other customers to him.

The bank argued that the mistake was an isolated incident. The Commissioner sided with complainant yet did not disclose the name of the bank nor levy any punishment.

In another recent case, a bank admitted accessing customer account information after using the call display feature to identify an anonymous caller. The bank again claimed that this was an isolated incident. The Commissioner sided with the complainant but again did not identify the bank nor award damages.

By comparison, in the U.S. in 2002 pharmaceutical giant Eli Lilly disclosed the e-mail addresses of 669 people subscribed to a Prozac reminder service.

The U.S. Federal Trade Commission launched an action against this isolated, inadvertent mistake, ordering the company to limit employee access to its e-mail program, to conduct an audit of its entire Internet operations for other potential security risks, and to submit an annual review of its practices.

The difference between Canadian and U.S. privacy enforcement underlies the dramatically different expectations about the consequences of privacy compliance.

While Canada may have enacted comprehensive privacy legislation, there are minimal expectations that the law will be enforced aggressively.

The United States, meanwhile, may not have similarly comprehensive legislation, but there is every expectation that their current laws will be enforced in a serious manner.

The lesson for the Canadian privacy community is that privacy laws alone are not sufficient to ensure good privacy practices.

Rather, privacy compliance depends upon establishing the expectation that privacy practices that run afoul of the law will be punished and publicly identified.

We should expect nothing less.

Michael Geist is the Canada

Research Chair in Internet and

E-commerce Law at the University of Ottawa and technology counsel with the law firm Osler Hoskin & Harcourt LLP. He is

on-line at and (mgeist The opinions expressed here are personal and

do not necessarily reflect those

of the University of Ottawa or Osler, Hoskin & Harcourt LLP.

Additional articles by Michael Geist

› Get 50% off home delivery of the Toronto Star.

Previous Story
Print Story
E-mail Story

Legal Notice:- Copyright 1996-2003. Toronto Star Newspapers Limited. All rights reserved. Distribution, transmission or republication of any material from is strictly prohibited without the prior written permission of Toronto Star Newspapers Limited. For information please contact us using our webmaster form.