Sunday, August 22, 2004

Top of a privacy lawyer's wish list

One of the things that you can get almost all privacy lawyers to agree on is that the current system of summarized findings does not provide the detail that lawyers are comfortable with basing their opinions on. At present, the Privacy Commissioner releases very brief summaries of findings that have been made in response to complaints under PIPEDA. (See the Commissioner's findings here.) They do not name the complainant and they do not name the organization complained about. But, more importantly, they are cleansed of any details that would tend to identify any of the parties, so that the resulting summary is relatively vague on details and also vague on analysis.

Some time ago, the Public Interest Advocacy Centre in Ottawa complained to the Commissioner about a number of large corporations. PIAC published all the complaints and related correspondence on their website (see PIAC's Privacy Page here). The "findings" of the Commissioner, nicely scanned are published and provide a great wealth of information about how the Commissioner approaches these complaints and also shows the significant degree of "back and forth" among the parties during the investigation process.

For individuals and corporations who are trying to figure out the details of compliance and their rights, the present findings do not provide a strong foundation for understanding. For lawyers advising clients on matters related to PIPEDA, the lack of detail may often result in vague advice or educated guesses by counsel. Even though the Commissioner is not bound by previous decisions, readers do rely upon the findings to determine how the Commissioner is likely to respond to a particular set of facts in the future.

PIPEDA is coming up for review in 2006 and it is expected that the deficiencies of the findings will be the subject of some debate. Most privacy lawyers are hoping that this will be considered in greater detail.

I also note that a number of prominent members of the Canadian privacy community have called for the Commissioner to "name names" in her findings. (See Michael Geist's "Name names, or privacy law toothless" and PIAC's letter to Commissioner Jennifer Stoddart.) This approach is favoured by some so that fully-informed consumers can vote with their feet and companies are appropriately shamed into compliance. I'm not 100% sure if I agree with this, but publicly naming companies would likely help in getting recalcitrant companies to take privacy more seriously.

No comments: