Article for “Community Law Matters”
by Philippa Lawson, Counsel, Public Interest Advocacy Centre, Ottawa
It may have taken a desire to position Canada in the forefront of global electronic commerce, but the federal government should nevertheless be congratulated for finally moving to protect Canadians’ personal information from unauthorized commercial use. Bill C-54, the Personal Information Protection and Electronic Documents Act, was introduced on October 1st, 1998, to coincide with Ottawa’s hosting of an OECD Ministerial conference on electronic commerce. The Bill has passed second reading, and is now being debated in Committee.
First, some background: for some time now, Canadians have been protected from government misuse of their personal information through federal and provincial legislation applicable to public bodies (e.g., the B.C. Freedom of Information and Protection of Privacy Act). However, with the exception of Quebec,(1) no jurisdiction in Canada has legislated protections against misuse of personal information by private sector actors.(2)
Yet, public concern over unauthorized collection, use and disclosure of personal information by commercial entities has been growing, as Canadians find themselves bombarded by direct marketing, discover that their confidential information has been published, and, in the case of low-income consumers, find themselves subjected to invasive and degrading practices (e.g., thumbprinting) in order to transact business.
As new abuses are uncovered daily, people are demanding more control over their personal information. At the same time, the federal government recognizes that electronic commerce will not succeed without the trust and confidence of consumers. Such trust requires legislative intervention; market forces have proven themselves incapable of addressing privacy concerns to the satisfaction of consumers.
Enter Bill C-54, “An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances…” Part I of the Bill sets out privacy rights, and is based on a voluntary code of practice which was developed by a multi-stakeholder group under the aegis of the Canadian Standards Association (CSA), and adopted two years ago by the Standards Council of Canada. In fact, the CSA Model Privacy Code is simply replicated, word for word, in a Schedule to the Bill. Compliance with this Schedule is mandatory.
The CSA Code’s ten principles contain the core rights and obligations of the legislation. Most importantly, they require the individual’s knowledge and consent to any collection, use or disclosure of his or her personal information. “Personal information” is defined as “information about an identifiable individual that is recorded in any form”. Consent need not always be express, at least with respect to non-sensitive information. (What constitutes “sensitive” information, however, is left to a case-by-case analysis.) Exceptions to the rule of informed consent are specified in the body of the statute, and include collection, use and disclosure for purely domestic purposes, as well as for journalistic, artistic or literary purposes.
Individuals have the right to access their personal information in the possession of organizations at minimal or no cost, and to do so in alternative formats where necessary.
Complaints regarding non-compliance with the Act are made to the federal Privacy Commissioner, who has broad investigatory and audit powers. The Commissioner is provided with powers to publicize and coerce, but not to make binding orders. Instead, complainants (or the Commissioner himself) must go to the Federal Court for binding remedies, which include corrective practice orders, publication orders, and damages (including damages for humiliation).
The Bill is limited in application to “organizations” (defined broadly as associations, partnerships, persons and trade unions) which collect, use or disclose personal information “in the course of commercial activities”, and to federal employers in respect of employee information. While the term “commercial” is not defined, there will clearly be many non-commercial uses of personal information which do not fall into the scope of this legislation.
Perhaps the most controversial aspect of this Bill is its jurisdictional scope: while limited initially to inter-provincial data flows, it automatically extends to intra-provincial data flows after three years. At the same time, however, Cabinet can issue an exemption order where satisfied that substantially similar provincial legislation will apply. In other words, the federal government is giving the provinces three years to enact their own legislation, but will use the federal trade and commerce power to extend protections to all commercial activities after that time. Some provinces have expressed serious opposition to this perceived intrusion on their jurisdiction.
The Bill has received support from many quarters, including the B.C. and federal Privacy Commissioners. It is viewed by privacy advocates as a significant but incomplete step forward. Criticisms focus on deficiencies in the CSA Code (e.g., no limit on the purposes for which information can be collected); some overly broad exceptions to the rule of informed consent; and lack of an accessible regime for enforcement and remedies. It has been pointed out that organizations can choose not to comply, knowing that only the most determined and financially able individuals will pursue them in court. Hence, some parties advocate the establishment of a more accessible tribunal, instead of relying on the Federal Court for binding orders.
This legislation promises to help Canadians recover control over the use of their personal information in the private sector. It is an important development that will hopefully spawn similar initiatives in B.C. and other provinces. The Bill, and proceedings of the Industry Committee, can be accessed from the Parliamentary website at http://www.parl.gc.ca. PIAC’s commentary on the Bill can be accessed from the PIAC website at http://www.piac.ca.
1. Bill 68: An Act respecting the protection of personal information in the private sector, passed and assented to June 15, 1993.
2. B.C.’s Privacy Act does create a statutory tort of privacy invasion, but this legal tool seems to have been rarely invoked: see Ian Lawson, Privacy and Free Enterprise, 2nd ed. (PIAC, 1997), pp.72-78.