PRIVACY PROTECTION IN BC: THE ROAD AHEAD

Transcript of Remarks by
David Loukidelis
Information and Privacy Commissioner for British Columbia
at

"THE NEW WAVE OF PRIVACY PROTECTION IN CANADA"
FIPA Conference

March 9 & 10, 2000
Vancouver, B.C.

[Note: These oral remarks have been edited for grammar]

I am very happy to be here today. I think FIPA and the people associated with it are to be commended for having organized such a well thought-out set of panels and forums over the next few days. I think the large turnout and the broad cross-section of individuals, organizations and government agencies that I see represented here testify not only to the currency of the issues that we are struggling with today and tomorrow, but also to the excellent job that FIPA has done in pulling this together.

I am also mindful of an announcement that was made by the Minister this morning and would like to take a moment to step back from the privacy sphere and put on my information commissioner's hat. Unlike in the federal sphere, I have a divided personality: I play both roles. I was particularly pleased to learn that Cabinet has amended Schedules 2 and 3 to the Freedom of Information and Protection of Privacy Act to add some 97 public bodies to coverage of the legislation, to make it current in light of the creation of a number of public bodies over the last few years; for example, the Rapid Transit Project in the Lower Mainland, the Transportation Finance Authority of British Columbia, BC Assets and Land Corporation. A number of important public bodies that play significant roles in the public sector in B.C. have been added to the legislation and I think that Cabinet, and the government, are to be commended for having done that.

The fact that Rick Kasper, MLA, is not here today is unfortunate. I was looking forward to having him here for a number of reasons. One, I prepared remarks that are much shorter than they would have been had I known that there would only be two of us on the panel. Second, Rick is a member of the B.C. Legislature's Special Committee on Information Privacy in the Private Sector, and it would have been interesting to hear his input or thoughts on the issues that we are struggling with in these two days of sessions. Third, Mr. Kasper recently made it known that he was going to be introducing a private member's Bill to deal with deputy ministers' salaries. And so, with Stuart Culbertson - who is a deputy minister - here on the panel, I was hoping that we might have an interesting aside between them. But we will have to save that for another day, I am afraid.

I feel as if I am functioning now somewhat as a rapporteur. Having sat through this morning's session, including the question and answer period, I have had it brought home to me, in a very real way, that I have nothing new to say. Now, those of you in the audience who have heard me speak before will probably say that that is nothing new.

I would like, though, to provide you with some fairly brief overview remarks about the issues that I see confronting British Columbians as we look down the road, to see what is coming in terms of private sector regulation, be it self-regulation or legislation.

I am here, obviously, in a capacity that is not a policy-making one. I am a regulator, independent and at arm's length from government. I do, however, have a privacy watchdog role and an advocacy role in the public sector, so I will limit my comments to a non-policy-making function, and yet reserve the right - out of the other side of my mouth - to 'have at' some of the policy issues that I see potentially being on the horizon.

I am going to divide my remarks into two. First, I would like to look at the legislative context of the debate about private sector protection in British Columbia. Then I'll look briefly at the context of current public concern about privacy practices in the private sector, in order to set the stage for some comments - again in the legislative realm - about some of the approaches that are available to the province if it decides to move ahead with legislation in this sphere.

LEGISLATIVE CONTEXT

Looking at the legislative context, I think it is clear, with deference to those who might intimate otherwise, that there is no choice but to legislate in British Columbia, and I think that there is a need for it. And the reason I say that there is no choice but to do that is obvious: the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"). If nothing is done by provincial legislators within three years of its coming into force, PIPEDA will be law in British Columbia in the provincial sphere. Constitutional issues aside - and I will leave that to the constitutional experts to debate - we will have private sector privacy legislation in British Columbia in fairly short order. So there is an opportunity for the legislators to design privacy protection legislation for the private sector that is tailored to the needs of the economy, and commerce, in British Columbia.

I think there are three choices open to the legislators if they move that way: they can choose to defer to the federal statute, and do nothing; they could develop provincial legislation that mirrors the PIPEDA in the interests of harmony and consistency; or they could devise legislation that is tailored to meet the special needs of commerce and economy in this province.

Whatever direction the Province chooses, there will have to be a principled approach to privacy legislation for the private sector that creatively manages to balance the legitimate, common sense, reasonable privacy needs of citizens against the needs of business for legitimate uses of information, cost-efficiency and competitiveness, both nationally and internationally.

So to recap, I would like to emphasize that I do not think there is any choice but for legislation to be given serious consideration in this Province. I think that the room to move is very slight. I'm reminded of a rather macabre saying from the late 18th Century, by Dr. Johnson: "Depend upon it sir, if a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully."

So I think if nothing else, PIPEDA ought to be an impetus for legislators in this Province to choose whichever of those three options is felt to be most appropriate: do nothing and let PIPEDA come into place; mirror PIPEDA but make it a provincial law; or tailor a law specially suited to British Columbia's needs.

PRIVACY CONCERNS OF CITIZENS

In terms of the privacy concerns context, it is obvious to state that with advances in information technology and e-commerce, and practices such as data-mining and profiling, we increasingly live, individually, in a global glass house. We leave electronic records every time we use a credit or debit card, order a pizza, rent a video, attend a university, fly in a plane, get married, or engage in any other of a number of activities, be they mundane or significant.

Many of the current privacy concerns that have had much play in the media are really about financial security: security for one's credit card number or other financial assets. This is not so much a concern about privacy in a traditionally understood sense. Having said that, the public clearly has a great deal of discomfort with a lot of privacy-invasive practices. Notwithstanding the fact that, for example, Doubleclick.com announced this week that it would not be engaging in the program of extensive data profiling and matching that it had planned to do, there are obviously potential and actual abuses out there that are leading to a great deal of consumer concern and resistance. Those are attitudes that, to use a journalistic phrase, "have legs". In other words, I think that is a story that has merit and substance. I do not think that the current level of concern over privacy issues is going to be fading anytime soon.

An Ekos survey in 1998 made it plain that 80 percent of those polled said that government ought to be working with business to devise appropriate privacy protections. In 1999, an IBM survey noted that 94 percent of consumers in the US - and I would put it to you that the numbers would be comparable in Canada - are concerned about possible misuse of their personal information. Fifty-eight percent of them have asked a company to remove their name from a marketing list and 53 percent have asked a company not to sell or give their name to another company. Again, statistics bolster the conclusion that there is a pervasive, and very firmly held, belief amongst a broad sector of the public that private sector practices are inappropriate or threaten to be so.

It is not just a question of financial security. Many have said that privacy consists of "the right to be left alone." In the public sector we have legislation - in British Columbia, federally and in other Canadian jurisdictions. That provides another example of legislative limits being placed on the ability of the state to coerce citizens to give up information about themselves to the state for its functions. Privacy is said to be essential to individualism, and that obviously has a life and aspect within private sector activities as well. Privacy is essential to individualism and it underpins our social and political order. I like the quote from Charles Fried in his groundbreaking 1968 jurisprudential article on privacy. He describes privacy as follows:

"To respect, love, trust, feel affection for others and to regard ourselves as the objects of love, trust and affection is at the heart of our notion of ourselves as persons among persons, and privacy is the necessary atmosphere for these attitudes and actions, as oxygen is for combustion."

LEGISLATIVE APPROACHES

There is very much a moral and philosophical underpinning to privacy that is of import in the private sector to us as consumers, but also as citizens. It is not just a question of financial security. Whatever legislative approach might be taken in B.C. should be formulated keeping in mind not only financial security concerns, but also the legitimate philosophical, moral, psychological and socio-political aspects of the right to privacy.

Legislation also must bear in mind any constitutional aspects of the issue. This is an issue both in public sector and in private sector regulation. The Supreme Court of Canada has said on a number of occasions that privacy is fundamental to the notion of dignity and autonomy of the individual. The Supreme Court has also made it clear that the right to privacy has constitutional aspects under sections 7 and 8 of the Canadian Charter of Rights and Freedoms. Corporate privacy and individual privacy again have a constitutional dimension and not merely a theoretical or jurisprudential dimension.

The last observation about the context of privacy, as we currently understand it, is that there are business advantages to privacy laws. There are business advantages to self-regulation as well, of course, but I think it is safe to say that in the U.S., Canada and elsewhere, businesses are increasingly mindful of the competitive advantage they can gain by being seen as privacy-friendly.

Current negotiations between the United States and the European Union with a view to the 'safe harbour' approach - an idea of self-regulation, largely - point perhaps to the notion that enlightened self-regulation is probably the best way for business to move. Having said that, we have also heard this morning about the complexities of dealing with the Clinton administration's regulations from last fall, which concern health privacy and other aspects of consumer privacy.

I do not see that there is much option, quite apart from PIPEDA. I think there is something to be said for a hybrid approach - so-called 'self-regulation' backed up by legislation. We can talk about that a little further, about what models could be adopted that would have an element of self-policing, but with the regulatory backup that I think is important to keep businesses honest and to ensure that there is a minimal level of privacy protection available to consumers.

I am not a doomsayer. Not all data collection and exchange is negative. There is obviously a need for the exchange of data for commerce to function and for government to function. The challenge is to identify the limits of control. We've heard this morning about concerns surrounding PIPEDA and where the boundaries have been drawn, and where some uncertainties have been identified. The tough challenge for the B.C. government as it moves ahead is, if legislation is chosen, where those balances lie.

That brings me again to the idea of the legislative road ahead, and what I see as being critical components for a privacy protection law at the provincial level here in B.C. I would like first to address some basic principles or concepts and then address a few comments to the notion of structure or approach, given the premise that I argue in favour of a regulatory or legislative approach.

In terms of principles, I think the first obvious one is transparency. One of the core principles of any set of fair information practices is transparency, which is the notion that anyone whose information is held by an organization should have, as a starting position, knowledge of what that information is, how it is used, with whom it is shared and for what purposes or uses. These are starting premises or principles that should be borne in mind when it comes to legislative design. These objectives are, I think, best accomplished through the advance provision of sufficiently detailed information so that the data collector's intent with respect to the information can be understood by everyone, both regulators and consumers. The requirement for informed consent to the use of the information, given at the time of collection, is critical and should be the default position in legislative design. Informed consent provides individuals with, as the Quebec legislation puts it, "free and enlightened choice."

A critical component of privacy legislation also is that there should be limits placed on the collection of information. Obviously, collection is the linchpin of privacy protection: if an organization does not have personal information, then it cannot use or disclose it inappropriately. So there should be - again, as a starting point in the policy formulation process - the notion that only that information that is required to achieve the objective in mind on the part of the organization collecting it should be collected.

These are all ideals. These are the basic components, as I put it, of a good set of fair information practices. The difficult balance - which we heard in this morning's discussion and which is evident from PIPEDA - is deciding what limitations on those fundamental starting points are appropriate. Where does the balance lie? For example, the idea of explicit, informed consent for all uses at the outset - How far does one take that? Where do the limitations on consent lie? PIPEDA and other initiatives, such as the European Union Directive of 1998, have made choices that make inroads into the notion of voluntary, explicit and informed consent at the time of collection. The British Columbia private sector legislation, for example, represents an inroad into that with the idea of consistent use or consistent purpose. The starting position is that there ought to be consent, but there is some leeway given to public bodies in that they can use personal information collected for one purpose for another purpose so long as it is consistent within the meaning set out in the legislation: does it have a reasonable and direct connection with the original purpose and is it necessary for the discharge of the functions of the public body to undertake that secondary use without going back and getting consent?

So I am not for a minute advocating that the absolutes that I have put forward ought to remain unmodulated in the legislation, but I think that you have to keep in mind a very clear set of those principles, and constantly be doing an internal audit as the debate goes forward, with respect to the content of private sector privacy legislation.

In terms of the legislative structure - the second aspect that I would like to address - the question is, what regulatory approach should be taken? I do not, personally, think there is likely to be any support or appetite in British Columbia - and this is just speculation on my part - for the former U.K. approach, where you had a data registrar and any business, subject to certain exemptions, that proposes to collect, use or disclose personal information, must register with the office of the data protection registrar. I do not think that is a model that would find much favour here, certainly amongst businesses, or even with consumers, frankly. I would certainly contend that that is not a good model for us to follow anyway, even if it worked in the U.K. or elsewhere.

Another question is, does one enact a piece of legislation that is specifically tailored to British Columbia's needs? One, for example, that contains in it a code of information practices comparable to those found already in Part 3 of the B.C. public sector legislation? Or does one take the approach that some element of harmony with PIPEDA and the CSA Code-based model it represents is the better way to go, recognizing that there are arguments again in favour of harmony in the interests of internal trade, but also to give advantage for external competitive reasons?

The next question is, to what extent ought there to be an independent tribunal who is both regulator and decision-maker, who oversees implementation of the legislation? Or should it be a courts-based process, which might be like the American model? If someone is of the view that their privacy has been invaded, they can then look to a statutory tort and sue in the courts for punitive damages; this is often the U.S. approach. Obviously, that is not generally seen as being the Canadian approach to things, and it is certainly not what was done with PIPEDA. Again, this is pure speculation, but one could see an argument for the PIPEDA approach here, where there is recourse to an expert administrative tribunal that is seen to be independent, neutral or impartial, and to have the resources necessary to maintain public and business confidence in the discharge of its duties.

The next question, if you go with the complaints-based model and an expert tribunal, is whether or not there ought to be audit powers, powers of random audit or inspection, or whether there should be some provision in the legislation for self-audit by businesses with reporting to the regulator. Either model has its advantages and disadvantages. PIPEDA has taken the approach where the federal Privacy Commissioner has the ability to audit and to deter abuse by the possibility of the discovery of inappropriate practices. In this model, a practical, efficient approach would be to encourage citizens to first exhaust private sector complaints processes - assuming these are informal, efficient and free - before the regulator receives and handles a complaint. Only if the citizen is not, reasonably, happy with the results of the (approved) private sector process would the regulator get involved (except in clearly serious or urgent cases).

The last element of any piece of legislation is not necessarily legislative in and of itself, but it goes to meet the concern that was raised towards the end of the last session, which is that of awareness and education. I think it is the case with many kinds of legislation, and particularly with legislation in this area, that the need to educate businesses, employees, and the public about privacy provisions - what they mean, what their scope is, how they can be complied with, how they must be adhered to - is absolutely crucial to its success. Therefore, the provision of resources to make that happen is absolutely critical to the buy-in that I think is necessary before legislation of this kind can work. I think it is also absolutely critical to undertake that kind of education and advocacy to remind businesses and the public that this kind of legislation, as is the case with the existing public sector legislation, is a floor and not a ceiling. This is the minimum that ought to be legislated - again, in a balanced way - but it is also something that is to be exceeded. If it is good business to do better, then it ought to be done.

The last point is that the public has to be made very aware of their privacy rights, and has to be encouraged to act on concerns they might have about private sector practices and move ahead with them. Perhaps, in the first instance, they might approach the business and try to resolve it with them - and there are elements of this in PIPEDA - and then rely as a last resort on the regulatory tribunal as a means of resolving disputes in a traditional, bilateral dispute adjudication or mediation model.

As for encouraging individuals to be proactive and informed in how they exercise their privacy rights, and going back to my opening comment that I was very pleased to see the turnout and the broad cross-section of those attending today, I would encourage everyone here, as an individual or as a representative of a business or non-profit organization, to make your views known to the Special Committee on Information Privacy in the Private Sector. I think that the effort on the part of the all-party Special Committee of the Legislature to get out and hear the views of British Columbians on what should be done in this area is a genuine one and I think there is still plenty of time to make your views known. And this legislation - if legislation is chosen - can only be as good as the input that the Committee and government get from the public. The thing that I can probably be most useful in doing this afternoon is encouraging you to get out there and make your views known.

Thank you very much.