Canada's privacy law landscape has been a busy place in recent months.
With Canada's Privacy Commissioner George Radwanski issuing new reports and making speeches, and the Ontario government releasing draft privacy legislation, there are some important new lessons on what is "in" and what is "out" in Canadian privacy law.
The most dramatic development comes from the recent privacy finding involving Air Canada's Aeroplan.
Mr. Radwanski concluded that the frequent flier program ran afoul of Canada's privacy law when it failed to adequately inform its members about its plans for their personal data. Moreover, even in cases where members were informed, the commissioner found that Aeroplan did not obtain adequate consents for its intended use of the data.
While Aeroplan has agreed to alter its program to address the commissioner's concerns, commentary from the findings may have significant implications on how Canadian companies deal with their customers.
At issue in the Aeroplan case was its "opt-out" approach to garner consent. This requires individuals to take the initiative to inform companies that they do not wish to have their personal information used, whereas an "opt-in" approach forces companies to ask for individuals' permission to use or disclose their personal data.
Canada's privacy legislation recognizes that either approach may be appropriate depending upon the sensitivity of the data. Financial or health data, for example, are generally viewed as highly sensitive, and thus require opt-in consent.
The commissioner's finding suggests that opt-out is very much "out" in his view, as he goes so far as to argue that inviting a person to opt-in was "simply a matter of basic human decency." While he acknowledged that the statute contemplates the use of opt-out consents, he warned that he intends to ensure that their use remains limited.
Recent developments in Ontario indicate that provincial privacy legislation may be "in."
Ontario introduced draft privacy legislation in February and has been actively soliciting public comment ever since.
With 75 per cent of the Canadian Marketing Association's members based in Ontario, the legislation is bound to have a major impact on Canadian marketing practices that extend well beyond the province's borders.
The draft legislation, which is more comprehensive than its federal counterpart because it deals with all forms of personal information — most notably personal health information — takes an aggressive pro-privacy approach.
At a public forum late last month in Ottawa, Consumer and Business Services Minister Norm Sterling made an impassioned case for an opt-in system as part of stronger privacy protection in the province.
The most surprising "in" and "out" also comes from Mr. Radwanski.
In a speech to many of the country's privacy leaders in British Columbia last month, he made it quite clear that when it comes to analyzing and interpreting Canada's privacy laws, he is "in" and everyone else is "out."
Kicking off a two-day conference that brought together officials from provincial privacy commissions, corporate chief privacy officers and privacy law practitioners, the commissioner began by noting that "you'll be hearing a lot of opinions over the next couple of days about what the act means and how it works. As interesting as those may be, it's important to always keep in mind that, because of the role given to me under the act, I and my office are really the only authority who can give you definitive readings on the act."
The commissioner's comments were disturbing on several levels. First, from a legal perspective, he is wrong. While Mr. Radwanski indeed has the power to interpret Canada's privacy law when complaints are launched, he does not actually have the power to definitively decide anything. Rather, Canada's privacy law requires the commissioner to issue a report of his findings. The parties to the complaint are then free to apply to the federal court for a hearing on the matter. In other words, it is the Canadian courts that ultimately provide the definitive interpretations of the act, not the Commissioner.
Second, beyond the legal issues, Mr. Radwanski's comments disregard the joint participation of business, government and the public over the past decade to craft appropriate Canadian privacy rules.
Canada's privacy law framework is a work-in-progress developed through the efforts of dozens of people. Continued progress should ensure that everyone is "in," and that no one is left "out."