Last year the British Columbia government announced plans to outsource the management of its health care system’s personal data to a private sector company based in the United States. The plan sparked a remarkable chain of events – the affected union raised concerns that the data could be accessed by U.S. law enforcement officials without proper notice, the B.C. privacy commissioner David Loukidelis launched a public consultation that generated hundreds of responses, and the B.C. government ultimately enacted legislation designed to restrict the likelihood that the data could fall into foreign law enforcement hands.
This high-profile case quietly came to a close several weeks ago when a B.C. court gave the go-ahead to the outsourcing of the data to Maximus, a U.S. data management company. The long-term impact of this case will be felt long after the contract expires, however, as it will encourage a move toward a much-stronger regulatory approach for Canadian privacy law.
Canadian privacy law has developed in three stages. Stage one involved the adoption of a self-regulatory approach to privacy protection, as the Canadian Standards Association brought together industry, government, and public interest groups in the early 1990s to develop a non-binding code of privacy best practices based on international standards.
While the CSA Model Code was initially hailed as a self-regulatory success, within a few years it became apparent that few companies were willing to bind themselves to the Code’s principles.
With the growing interest in privacy protection, Ottawa moved to stage two by introducing the first national private sector privacy statute (PIPEDA) in 1998. That law, which took effect in 2001, directly incorporates the CSA Model Code into the legislation, supplemented by a series of enforcement provisions.
The result is a light regulation model that emphasizes mediation of privacy disputes. Administration rests with the Privacy Commissioner of Canada who issues “findings” that are not binding on the parties. Unlike some of her provincial counterparts, the Federal Commissioner does not currently enjoy order-making power. Rather, she must apply to the federal court, which is not bound by her findings, for enforcement. In addition to the statutory shortcomings, the Commissioner has been reluctant to engage in an aggressive application of the law, protecting the targets of privacy complaints by refusing to disclose their identity.
As Canada heads toward a review of the current law led by Industry Minister David Emerson, it is likely moving toward the third stage of privacy law that will be characterized by greater emphasis on transparency and aggressive enforcement.
Recent developments point to three potential reforms that illustrate this evolution. First, as frustration mounts over the Commissioner’s lack of order-making power as well as the policy of shielding the targets of privacy complaints, the third stage of privacy law will feature growing pressure to address these issues through a statutory amendment. Although order-making power might result in more contentious investigations and challenges to the Commissioner’s findings, it would also send a much-needed message about the importance attached to privacy protection in Canada.
Moreover, a commitment to disclosing the names of organizations that breach Canadian privacy law would create an important incentive for greater compliance. According to a recent, unreleased finding involving spam, the Commissioner reminded the target of the complaint that failure to abide by Canada’s privacy legislation created “a risk that its business reputation will be tarnished.” This statement will only become reality if the Commissioner begins to name names.
Second, with the avalanche of privacy breach disclosures involving data companies such as Choicepoint, the next stage of privacy law is likely to include the uniform adoption of legally-mandated disclosures of privacy breaches. The State of California leads the way in this regard with a law that provides that companies and agencies that do business in the state or possess personal information of state residents must report breaches in the security of personal information in their possession. Companies are required to act quickly, notifying customers in writing, electronically, or by prominently posting the information of the breach on their website.
Tony Ruprecht, an Ontario MPP, recently introduced a private member’s bill that would apply a similar disclosure requirement to credit bureaus. In the months ahead, expect to see calls for a broad-based national reporting requirement on all organizations that collect Canadians’ personal information.
Third, the B.C. outsourcing case points to the need for increased statutory protections for personal information that may be secretly disclosed to foreign law enforcement authorities. Although the recent court case was a nominal victory for the outsourcing company, a careful examination of the decision reveals a dramatic change in the protections afforded to the personal information in question.
The B.C. judge affirmed the importance attached to privacy protection but allowed the outsourcing arrangements largely because of a series of significant new protections introduced by Maximus in response to the public outcry. These included a $35 million penalty for breach of confidentiality, extensive provisions to ensure that the data remained in the province, and a contractual term prohibiting disclosure of the data.
The Maximus case will set the benchmark for future outsourcing arrangements in Canada, with similar safeguards likely to be introduced on a national level in the months ahead. If accompanied by order-making power and greater transparency, it will go a long way toward ushering in a new age for Canada’s privacy law framework. The days of light regulation for Canadian privacy appear to be numbered.