Monday, April 11, 2005

The Three Stages of Canadian Privacy Law

Michael Geist, in his most recent Law Bytes column, writes that he believes Canadian privacy law is soon to enter a third stage. Self-regulation (stage one) and weak enforcement (stage two) will give way to more aggressive enforcement, particularly after the Personal Information Protection and Electronic Documents Act comes up for review next year. There is no doubt that the enforcement of the law has been very low key up to this stage, leading to very uneven compliance and many businesses dismissing the necessity to become compliant with the law.

The Three Stages of Canadian Privacy Law:

"Canadian privacy law has developed in three stages. Stage one involved the adoption of a self-regulatory approach to privacy protection, as the Canadian Standards Association brought together industry, government, and public interest groups in the early 1990s to develop a non-binding code of privacy best practices based on international standards.

While the CSA Model Code was initially hailed as a self-regulatory success, within a few years it became apparent that few companies were willing to bind themselves to the Code’s principles.

With the growing interest in privacy protection, Ottawa moved to stage two by introducing the first national private sector privacy statute (PIPEDA) in 1998. That law, which took effect in 2001, directly incorporates the CSA Model Code into the legislation, supplemented by a series of enforcement provisions.

The result is a light regulation model that emphasizes mediation of privacy disputes. Administration rests with the Privacy Commissioner of Canada who issues “findings” that are not binding on the parties. Unlike some of her provincial counterparts, the Federal Commissioner does not currently enjoy order-making power. Rather, she must apply to the federal court, which is not bound by her findings, for enforcement. In addition to the statutory shortcomings, the Commissioner has been reluctant to engage in an aggressive application of the law, protecting the targets of privacy complaints by refusing to disclose their identity.

As Canada heads toward a review of the current law led by Industry Minister David Emerson, it is likely moving toward the third stage of privacy law that will be characterized by greater emphasis on transparency and aggressive enforcement.

Recent developments point to three potential reforms that illustrate this evolution. First, as frustration mounts over the Commissioner’s lack of order-making power as well as the policy of shielding the targets of privacy complaints, the third stage of privacy law will feature growing pressure to address these issues through a statutory amendment. Although order-making power might result in more contentious investigations and challenges to the Commissioner’s findings, it would also send a much-needed message about the importance attached to privacy protection in Canada.

Moreover, a commitment to disclosing the names of organizations that breach Canadian privacy law would create an important incentive for greater compliance. According to a recent, unreleased finding involving spam, the Commissioner reminded the target of the complaint that failure to abide by Canada’s privacy legislation created “a risk that its business reputation will be tarnished.” This statement will only become reality if the Commissioner begins to name names.


Third, the B.C. outsourcing case points to the need for increased statutory protections for personal information that may be secretly disclosed to foreign law enforcement authorities. Although the recent court case was a nominal victory for the outsourcing company, a careful examination of the decision reveals a dramatic change in the protections afforded to the personal information in question.

The B.C. judge affirmed the importance attached to privacy protection but allowed the outsourcing arrangements largely because of a series of significant new protections introduced by Maximus in response to the public outcry. These included a $35 million penalty for breach of confidentiality, extensive provisions to ensure that the data remained in the province, and a contractual term prohibiting disclosure of the data.

The Maximus case will set the benchmark for future outsourcing arrangements in Canada with similar safeguards likely to be introduced on a national level in the months ahead. If accompanied by order-making power and greater transparency, it will go a long way to ushering in a new age for Canada’s privacy law framework. The days of light regulation for Canadian privacy appear to be numbered."
