IP: Canadian Privacy Commish needs a change in privacy policy

[David Farber <dave () farber net>]

> Date: Thu, 31 May 2001 09:55:46 -0400
> To: farber () cis upenn edu
> From: Michael Geist <mgeist () uottawa ca>
> Subject: Canadian Privacy Commish needs a change in privacy policy
>
> Dave,
>
> I thought your readers may be interested in my cyberlaw column today which 
> focuses on the Canadian privacy commissioner's decision to keep most of 
> his decisions interpreting Canada's new  privacy law secret. In doing so, 
> companies and individuals are missing out on critical information 
> regarding their privacy rights and obligations.  The column calls on the 
> Privacy Commissioner to change his policy by at least making all decisions 
> publicly available on a "no-names" basis.
>
> MG
>
> http://www.globetechnology.com/servlet/GAMArticleHTMLTemplate?tf=globetechnology/TGAM/EBusinessFullStory.html&cf=globetechnology/tech-config-neutral&slug=TWGEISY&date=20010531
>
> globeandmail.com, Thursday, May 31, 2001
> Privacy law needs open disclosure
>
> MICHAEL GEIST
>
> Friends and foes of Canada's new federal privacy legislation tend to agree 
> on at least one issue -- the law is deceptively complex. Although the 
> basic principles of privacy protection are relatively straightforward -- 
> organizations must obtain consent for the collection, use, and disclosure 
> of personal information as well as provide individuals with information 
> about the data collection practices used and access to their personal 
> information files -- the implementation of these principles is subject to 
> different interpretations.
>
> George Radwanski, Canada's privacy commissioner, is the arbiter who 
> determines how to interpret and implement these privacy obligations. The 
> law requires the privacy commissioner to investigate each privacy 
> complaint filed with his office and to issue a report on the complaint 
> within one year. This places a huge burden on the privacy commissioner's 
> shoulders, since everyone with an interest in personal privacy -- from 
> organizations seeking to ensure they comply with the law to individual 
> Canadians asserting their privacy rights -- turns to Mr. Radwanski for 
> guidance.
>
> In light of the importance of the privacy commissioner's decisions, it 
> comes as a shock to learn that Mr. Radwanski's current policy is to keep 
> his decisions and interpretations secret, with the exception of a few 
> decisions that may be highlighted in his annual report or used to 
> encourage greater privacy compliance by recalcitrant organizations.
>
> While this approach reflects a longstanding policy at the privacy 
> commissioner's office, one that may have been appropriate when it dealt 
> only with privacy complaints involving the federal government, the 
> expansion of the privacy commissioner's duties to include on-line matters 
> should also bring with it a change in Canada's disclosure policy.
>
> In contrast to this federal approach, provincial privacy commissioners, 
> such as Ann Cavoukian in Ontario or David Loukidelis in British Columbia, 
> regularly publish their decisions on the Internet for everyone to see. 
> This provincial open approach ensures that organizations can gauge how to 
> comply with the law and that individuals can better understand their 
> privacy rights.
>
> For example, consider the application of the federal privacy law's consent 
> requirements. The current law contains a flexible provision that mandates 
> an explicit consent for the collection, use and disclosure of sensitive 
> data, but allows for an implied consent for less sensitive information. 
> Organizations will be looking to the privacy commissioner for what 
> constitutes sensitive data or what is considered acceptable implied consent.
>
> Under the current non-disclosure policy, there will be precious little 
> public guidance, leaving organizations vulnerable to expensive 
> investigations and higher compliance costs. Individual Canadians will also 
> be hurt by the policy of non-disclosure.
>
> Under the new law, organizations must provide Canadians with access to 
> their personal information file. Unfortunately, the law is short on 
> specifics when it comes to implementing this new access right. For 
> example, how quickly must an organization respond to an access request? 
> What, if anything, may be excluded from the report? Answers to questions 
> such as these must come from the privacy commissioner.
>
> The privacy commissioner has publicly defended his position by arguing 
> that keeping his decisions private provides him with greater leverage over 
> non-compliant organizations. He notes that adverse publicity is his most 
> powerful weapon and that a position of non-disclosure enables him to 
> threaten violators with public disclosure in order to ensure better and 
> quicker compliance with the legislation.
>
> The privacy commissioner neglects to mention, however, that the costs of 
> this approach are borne by everyone.
>
> Organizations seeking to comply with the law face the additional costs of 
> not knowing how the law has been interpreted. Individual Canadians, 
> meanwhile, are denied the information they need to fully take advantage of 
> their newly enshrined privacy rights.
>
> The policy is particularly puzzling since an obvious compromise exists: 
> Information that might identify a violator could easily be removed from 
> decisions, leaving only the fact scenario -- along with the decision and 
> reasoning -- to be released. Such an approach would provide everyone with 
> what they seek -- the public would gain a better understanding of how the 
> legislation is being applied, while the privacy commissioner would retain 
> his power to threaten organizations with public disclosure if they don't 
> comply with the law.
>
> In fact, the privacy commissioner could and should do more than just begin 
> to post his compliance decisions. He should also post unofficial guidance, 
> providing organizations with the opportunity to pre-clear their corporate 
> privacy policies with his office and making those guidelines public on a 
> "no-names" basis.
>
> The appropriate policy on public disclosure is as simple as the law is 
> complex. Whatever steps can be taken to make it easier for organizations 
> and individuals to understand their rights and obligations under the new 
> legislation should be pursued.  A policy of openness is undoubtedly 
> another issue that friends and foes of the legislation can agree upon.
>
> Michael Geist is a law professor at the University of Ottawa Law School 
> and director of e-commerce law at the law firm Goodmans LLP. His Web site 
> is http://www.lawbytes.com.
>
> --
> **********************************************************************
> Professor Michael A. Geist
> University of Ottawa Law School, Common Law Section
> 57 Louis Pasteur St., P.O. Box 450, Stn. A, Ottawa, Ontario, K1N 6N5
> Tel: 613-562-5800, x3319     Fax: 613-562-5124
> e-mail: mgeist () uottawa ca
> URL:    http://www.lawbytes.com
>
> Looking for Internet and technology law resources?  Check out:
> - the Canadian Internet Law Resource Page (CILRP) at: http://www.cilrp.org/
> - my bi-weekly Globe & Mail Cyberlaw column at http://www.globetechnology.com
> - my new Internet law textbook at 
> http://www.captus.com/Information/inetlaw-flyer.htm
> - Butterworths monthly newsletter Internet and E-commerce Law in Canada at 
> http://www.butterworths.ca/sampleinternetandecommercelawincanada.htm.
>
> My daily Internet law news service is now BNA's Internet Law News. Visit 
> http://www.bna.com/ilaw to subscribe to this free service.



For archives see: http://www.interesting-people.org/