Columns Archive

Revise privacy law to expose offenders, block snoops

Last week’s Law Bytes column, which urged Canada’s privacy commissioner to lift the veil of anonymity on targets of well-founded privacy complaints, generated some pointed feedback. Some letter-writers expressed support for the current system, arguing that Canada is better suited to an ombuds-type approach, rather than the more litigious system found in the United States. They maintain that under our current system, “naming names” would not further the privacy interests of Canadians.

Others wrote to voice their support for greater transparency in the privacy enforcement process. The most compelling of these was a letter from one of the 618 individuals who had their e-mail address inadvertently disclosed by a loyalty program. The individual sought compensation from the company and was offered 5,000 frequent-flyer miles. When he responded that he believed his personal privacy was worth more than that, the loyalty program held firm, indicating that that was their best offer.

Unable to pursue a lawsuit against the company, he launched a complaint with the Privacy Commissioner instead. While he now has the satisfaction of a well-founded complaint, he has little else, as the current rules do not provide for compensation. Moreover, the well-founded complaint is merely a finding. Obtaining an enforceable order will require the lawsuit he sought to avoid in the first place.

For this individual, as well as others who have written with similar experiences, Canada’s privacy legislation is simply not good enough. Although the ombuds-type approach provides Canadians with easy access to a privacy advocate, those who have had their privacy rights infringed find that the pursuit of a complaint leaves them without much to show for the effort.

While Canadian businesses would undoubtedly prefer to avoid privacy investigations — they can be time consuming and internally embarrassing — the emerging reality is that for many organizations privacy compliance has ceased to be a serious legal obligation. Instead, for many it is considered a business risk that carries no realistic expectation of serious financial consequences or diminished reputation — a risk that can be managed through minimal compliance and contrition if caught.

It should be noted that Canada is not alone in this regard. Europe, often touted as the global privacy leader, is dotted with countries that have undermined their strong privacy statutes with weak enforcement. The United States, lauded for its tough action in a select number of instances, still does not even feature a national privacy law.

With Industry Minister David Emerson scheduled to lead a parliamentary review of Canada’s privacy legislation in 2006, it is time to consider how Canada can break from the pack by establishing a privacy law framework that combines the societal benefits of a strong privacy commissioner with an enforcement approach that leaves no doubt that privacy compliance is not to be taken lightly.

A starting point in this regard would be to provide the federal privacy commissioner with order making power to award fines and other penalties. The threat of a public order — no anonymity in this new system — would send a powerful message about the value attached to protecting personal privacy. It would also provide individuals with a far more satisfying course of action, removing the feeling of helplessness that the current system engenders.

Order making power would also serve as an important response to the privacy concerns associated with the application of the U.S. Patriot Act. Canadians have expressed fear in recent months that U.S. law could be applied to both U.S. organizations operating in Canada as well as Canadian organizations featuring a U.S. presence. In such situations, a U.S. court could compel the release of personal information to U.S. law enforcement authorities and prohibit the organization from alerting the affected individual to the disclosure.

The British Columbia government last week moved swiftly to address this issue by passing new legislation that places restrictions on the outsourcing of personal information that could fall into U.S. law enforcement hands. The B.C. law provides only a partial solution, however, since it strictly covers personal information collected by the B.C. government.

To address the issue on a national basis, Canadian law must be changed to create what U.S. courts refer to as a “blocking statute.” This places an organization between a proverbial rock and a hard place by establishing competing legal obligations. Canadian privacy legislation could be amended to meet some of the blocking statute requirements by prohibiting organizations from complying with secret U.S. court orders under threat of financial penalty. By empowering the Privacy Commissioner with order making powers, the claims that Canadian organizations cannot comply with U.S. law would carry far more credibility.

Providing the Privacy Commissioner with order making power is not without its risks, however. Foremost among these are the likelihood that more decisions will be challenged in the courts and that targets of complaints will be far less co-operative than they would otherwise be in a less adversarial system.

The current Canadian privacy law framework sits perilously close to alienating individual complainants who see little hope in being made whole after a privacy violation. Canadian businesses, including those who take their privacy commitments seriously, risk being lumped together as non-compliant. While shifting toward a stronger enforcement regime carries risks, the risk of maintaining the status quo is far greater.

Comments are closed.