A Consultation Paper: Proposed Ontario Privacy Act
Comments on A Consultation Paper: Proposed Ontario Privacy Act
From:
Public Interest Advocacy Centre
1204 – 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
www.piac.ca
Contact:
Angie Barrados, barrados@web.ca
or
Philippa Lawson, pippa@web.ca
Question 1
We agree that the proposed Privacy Act should include rules on whether minors can give consent and that 13 is a reasonable age to be considered able to give this type of consent. The Canadian Marketing Association (CMA) Code of Ethics is a good model to follow on this issue. The CMA Code considers someone under 13 to be a child, but also specifies that CMA members should use “discretion and sensitivity” in marketing to young people (people between the ages of 13 and 19) “to address the age, knowledge, sophistication and maturity of this audience”.
We recommend that there be some limitations on the collection of information from young people (ages 13 – 19) for marketing purposes. As the discussion paper notes, the collection of personal information in the private sector has become more and more intensive, for the purposes of both targeting promotions and providing personalized services. In many instances, an incentive will be offered to disclose personal information, which presents a trade-off between privacy and other benefits. Young people may not be equipped to fully assess this type of trade-off. Therefore, young people should not be subject to offers of benefits in exchange for permission to build up a profile about them. For instance, unlimited Internet service should not be offered to a fourteen-year-old in exchange for creating a profile of her Internet use.
Also, we recommend that there be some safeguards in place to protect vulnerable adults. The legislation should specify that contracts with consumers that involve building up a profile about them should allow a consumer to withdraw from the contract without penalties. For instance, if a consumer wishes to withdraw from a loyalty program, they should be able to do so, as well as withdraw their consent to having the information already collected being used, without having to pay the organization any compensation.
Question 2
The Act should allow for the indirect collection of personal information only in circumstances where consent can reasonably be implied.
Question 3
We agree that the Act should limit the use of “opt-out” consent. As the discussion paper suggests, an “opt-out” is meaningful only if it is clearly worded, brought to the attention of the consumer, and made with full information as to the implications of the choice. We therefore recommend that the Act specify the following requirements for valid consent via “opt-out” provisions:
- The opt-out option should be clearly worded, and should explain the implications of the choice which the consumer is being asked to make.
- The opt-out consent should be separate and distinct from any other consents given by the consumer or agreements made by the consumer.
- The consumer’s attention should be directed to the opt-out option, either verbally or via large, bold type in a written document.
- Opting out should require no extra effort on the part of the consumer. For instance, the consumer should not be required to make a separate telephone call or a separate written request in order to opt out. It should be no more difficult for the consumer to exercise the opt-out choice than it is for him or her to exercise the converse choice, which involves consenting to the collection of the information.
- In the case of ongoing customer relationships (e.g., telephone service), the opt-out option should be offered at regular intervals, and at least every two years, to existing customers who have not chosen to opt out.
Question 4
We agree that the Act should allow for implied consent in limited circumstances. The approach to this issue outlined in the discussion paper is sound. The key point is that consent should only be implied for uses of information that relate to the primary purpose for which the information was collected, and for uses that a person would reasonably expect in the circumstances.
Question 5
We agree that the Act should require organizations to explain their security safeguards. As the discussion paper suggests, it is important that information security is not compromised by requiring overly specific information. On the other hand, enough information should be available for consumers to be able to understand generally the security safeguards, and to compare the safeguards offered by different organizations.
5A Openness Principle
Although Question 5 did not ask about the proposal that the legislation not adopt the CSA Code’s Openness Principle, we would like to make some comments on this subject. The discussion paper suggests that an organization’s privacy practices will be made clear by requiring an explanation of security safeguards, and by requiring disclosure to individuals of the sources of its personal information and the organizations to which it has disclosed personal information. In our view, this proposal lacks important consumer safeguards that are provided by the CSA Code’s Openness Principle.
There are many instances in which individuals will have an interest in knowing about the more general information management policies and practices of the organization, in addition to the specific information about them held by the organization. Individuals should have a legal right to such information, and organizations should be legally obliged to disclose such information upon request.
For example, individuals have the right under the Consumer Reporting Act to inspect their own credit reports and thereby to find out what information it contains and with what organizations it has been shared. Yet these disclosures do not answer many other important and legitimate questions the consumer may have relating to the privacy of their credit information, such as:
- What types of organizations may obtain access to my credit report in the future?
- What type of information does the credit reporting agency intend to collect about me in the future?
- Can I consent to having my credit report disclosed without having my SIN disclosed?
- Is my husband’s credit report linked to my own, or not?
In fact, to truly be able to assess whether it is in their interest to allow certain information to be shared with credit reporting agencies, or allow their credit report to be shared, consumers need to know how the credit reporting system works. Without knowledge of the ground rules, consumers cannot fully appreciate the implications of either giving or withholding consent, and hence, their right to withhold consent is significantly less meaningful. As long as the data protection regime is based on the concept of individual knowledge and consent, openness is an absolutely critical piece of the puzzle.
The discussion paper seeks to regulate outcomes rather than processes. Requiring organizations to draft policies can be viewed as a process, but requiring certain key disclosures about their practices is surely an outcome, not merely a process. It is unrealistic to assume that organizations will make such disclosures of their own accord. Credit reporting agencies, for example, do not publish information that answers the four questions enumerated above, and are not willing to give complete answers upon request. It is even harder to obtain information about data protection practices from some other organizations that deal with personal information(1).
Without the disclosure of information that follows from the Openness and Accountability principles of the CSA Code, public scrutiny of organization practices will be considerably more difficult. In the area of privacy, public scrutiny is particularly important because privacy invasions by their very nature occur largely without the knowledge of affected individuals and are difficult to detect. Public scrutiny is essential in order to encourage compliance with privacy laws and to facilitate their enforcement.
The Openness Principle serves an important purpose within the CSA Code. Without it, the consumers’ consent is considerably less informed, and thus less meaningful. Without statutory requirements for openness, the Ontario legislation will be significantly weaker than the CSA Code and Bill C-6. Indeed, it may not meet the “substantially similar” requirement of Bill C-6.
Question 6
The accuracy of personal information should be subject to an additional statutory requirement reflecting the CSA Code’s requirement that information be as accurate as necessary for the purposes for which it will be used. Such a statutory requirement is important because it places a responsibility on the organization to devote an appropriate level of resources to ensuring the accuracy of its databases. For organizations holding large databases, the extent to which the data is accurate is directly proportional to the amount of routine data checking and verifying. Under the government’s proposed approach, the regulator would not be able to compel an organization to improve its database accuracy, even if the organization was clearly not devoting enough attention to maintaining an accurate database. The legislation need not instruct organizations on how to achieve ongoing accuracy, but it should require a certain level of accuracy as an outcome of the organization’s information management practices.
Question 7
Yes, the Act should require contractual safeguards when personal information is sent to another jurisdiction. In addition, it should be clear that consent is required for such inter-jurisdictional disclosures. This is important given the difference in informational privacy rights among different jurisdictions.
Question 8
Yes, the proposal for transition is appropriate, although it should take into account that organizations subject to the federal legislation should be ready to comply with it in January 2001, and thus would not need the year-long transition period to comply with the Ontario legislation.
Question 9
We agree that clear, workable rules are desirable. We also agree that some “process” (vs. outcome) requirements of the CSA Code, such as the requirement for staff training, need not be included in legislation. However, we feel strongly that substantive, outcome-oriented aspects of the Accountability, Openness and Accuracy Principles in the CSA Code should be included. Two specific concerns we have in this regard are:
- that the proposed approach does not provide consumers with the ability to obtain enough information about an organization’s practices to make meaningful choices about whether to consent to the collection, use and disclosure of their personal information; and
- that the proposed approach does not protect consumers from organizations that do not take reasonable measures to ensure the accuracy of their databases.
Question 10
Sectoral codes must not be allowed to dilute legislated standards nor to weaken existing processes for enforcement and consumer redress. On the other hand, properly constructed sectoral codes can achieve even more effective regulation than general cross-sectoral legislation. It is important in this respect to appreciate that the proposed sectoral code approach will require additional effort to ensure that the legislated standards are being met, and that consumers are not being short-changed as a result of less rigorous or more permissive sectoral codes. In order to achieve effective regulation via sectoral codes, it is essential that:
- the standards set out in sectoral codes be no lower than those set out in the general statute;
- consumers continue to have access to the same legislative protections and processes that they would otherwise have (i.e., the codes should be enforceable in the same way as the principles set out in the legislation);
- the sector be defined as clearly as possible, and there must be a clear and simple method of determining which codes apply to which organizations;
- the regulatory process for developing such codes include:
  - an open, transparent process that involves equal representation of industry and non-industry stakeholders;
  - participant funding to allow non-industry stakeholders to participate effectively in the process; and
  - rigorous advance notice to the public of the code approval process and an opportunity for public input;
- once approved under the legislation, codes be easily accessible by the public; and
- there be follow-up public education and awareness programs.
The example of credit reporting illustrates both the potential advantages and the potential pitfalls of the sectoral code approach. On one hand, it makes sense to apply more detailed rules (such as those contained in the Consumer Reporting Act) to credit reporting agencies, since credit reporting involves complex transactions of personal information as well as technical issues specific to that industry. On the other hand, a major player within the credit reporting industry is aggressively seeking to be exempted from general data protection legislation. A process to develop a sectoral code would clearly present an opportunity for this industry to pursue lower standards of data protection than required by the general legislation, and to avoid addressing the many privacy concerns raised by the industry’s current operations(2). Developing a fair sectoral code consistent with the protections set out in general data protection legislation will be a major challenge in the case of credit reporting.
Question 11
Generally, the exemptions and exceptions to the proposed Act are reasonable, but we do have concerns in three areas:
Private Enforcement of Contractual Rights:
While we agree that certain contractual enforcement activities involving the collection, use or disclosure of personal information should not be impeded by data protection legislation, it is important that this exemption is not overly broad. Private enforcement of contractual rights should not be an excuse for unnecessary uses or disclosures of personal information. In particular, creditors and collection agencies should not be permitted to use or disclose any personal information collected in the course of debt collection for secondary purposes (i.e., purposes other than collecting the specific debt). This would include disclosure to credit bureaus, since such disclosure is not necessary for the purpose of collecting the debt.
In order for interested persons to respond fully to this proposal, the government should list examples of exemptions that would fall under this provision.
Public Domain Information:
We strongly oppose a broad exemption for “public domain information”. Indeed, this is one area in which we consider current practices of the Ontario government and Ontario municipalities, while permitted under the Freedom of Information and Protection of Privacy Acts, to be in clear violation of fundamental privacy principles. Specifically, we strongly object to the disclosure by governments of public registry data to third parties for marketing or other secondary purposes. Section 27 of the Municipal Freedom of Information and Protection of Privacy Act and section 37 of the Freedom of Information and Protection of Privacy Act exempt “personal information that is maintained for the purpose of creating a record that is available to the general public” from the full set of provisions protecting individual privacy in those statutes.
This exemption is overly broad; it fails to recognize that just because a record is publicly available does not mean that it should be “fair game” for anyone seeking to use the information for any purpose. In fact, most, if not all, of the registries in question were created and made publicly available at a time when the information therein could not be easily compiled, manipulated, sold, and used for commercial purposes. Times have changed. With the advent of computers and information technology, it is possible for entire databases to be transferred at the click of a mouse. No longer do researchers have to pore over handwritten records in chronological order to find what they are seeking; a simple keyword search will pull up the entry in seconds.
The implications for public registries of this transformation are enormous. Suddenly, the mere fact of technological capability has changed the meaning of “publicly available”. It is up to our lawmakers to ensure that the original intention of making such registries publicly available is identified and achieved, but not broadened. In particular, the Ontario government should take this opportunity to limit the use and disclosure of information in public registries; secondary purposes such as products marketing should not be permitted.
At a minimum, the Ontario government’s exemption for “public domain information” should be consistent with the federal government’s regulation on the same topic, to be finalized later this year.
Statutory Authorization:
The proposed exemption for collection, use or disclosure authorized by another law is deficient, and clearly does not meet the standard set by the federal legislation, which exempts disclosures only where “required by law” (subs. 7(3)(i)). Simply because another statute authorizes certain collection, use, or disclosure of personal information does not mean that such collection, use or disclosure is appropriate in the circumstances. If data protection rights (i.e., to knowledge and consent) are to be meaningful, they must not be so easily overridden. Individuals deserve to be notified and given an opportunity to refuse the collection, use or disclosure of their personal information whether or not such activities are authorized by statute. Indeed, data protection rights should take precedence in all cases of statutory authorization. Only where another statute requires collection, use, or disclosure should the requirement for knowledge and consent be lifted.
This is an important area in which the proposed approach falls short of the federal legislation, and thus where the Ontario government risks failing to achieve substantial similarity with the federal statute.
Question 12: Enforcement Regime
We view as one of the weaknesses of the federal data protection legislation its requirement that any legal enforcement be accomplished via the court system. This is a problem for individual consumers because court actions are too costly for the vast majority of complainants in privacy cases. It will be the very rare individual who deems it worthwhile to pursue a privacy invasion in court, especially where no measurable damages have occurred. Thus, enforcement of the law will be weak. For this reason, we support a legislative framework which includes the ability of government authorities to make binding orders, non-compliance with which is both punishable by fines and/or other penalties, and actionable either by the state or by the affected individual.
A key provision for compliance and enforcement purposes is that empowering the oversight agency to publicize its findings. An essential corollary to this power is statutory protection from liability for any such public statements or disclosures. Publicity can be the most potent tool of enforcement, at least with respect to businesses that deal with the public or that operate in the public eye. Some businesses dealing with personal information, however, are not well known to the general public and do not deal with consumers directly. Publicity may not be such a powerful tool in respect of their non-compliance. Hence, publicity should be considered as just one of many available enforcement tools.
Question 12 asks specifically about the desirability of an administrative appeals process. It seems to be suggesting an appeals mechanism for corporate defendants in enforcement actions. If such an appeal process is put in place, it should be available to both complainants and respondents. Given that most such appeals are likely to be taken by respondents, however, the value of it for complainants is likely to be minimal. Indeed, there is a risk that such an administrative tribunal would become “captured” by the industry it is meant to regulate, an unfortunate reality with which administrative lawyers have been grappling for years. The easiest way to avoid such a result is simply not to create the tribunal in the first place, and to rely instead upon the court system. If a tribunal is established, it should be staffed not by political appointees but rather by Ontario Court judges, or at least by legally trained persons familiar with concepts of due process as well as privacy rights.
Question 13
We agree with the proposals on enforcement powers, but would emphasize that the results of the enforcement agency’s activities should in all cases be made public. Mediation reports, compliance orders and assurances of voluntary compliance should be published, and done so in a manner that is easily accessible to the public. Such publication of enforcement activities will ensure that:
- consumers have access to important information about the organizations they deal with;
- the enforcement agency will be publicly accountable, and thus held to a high standard of performance; and
- other organizations will see that government is serious about enforcing the legislation, which will in turn encourage compliance.
The enforcement agency should have the mandate to investigate all privacy issues under its jurisdiction which come to its attention. As mentioned above, privacy invasions occur in secret and are difficult to detect. The nature of privacy makes it likely that a complaint is just the “tip of the iceberg” in terms of a privacy issue. The enforcement agency should not be limited to addressing the specific complaint, but should also have the power to investigate further issues arising from the complaint.
Also, the enforcement agency should be able to initiate investigations in the absence of a formal complaint if it has any reasonable grounds to suspect non-compliance. We were appalled to discover recently that unregistered consumer reporting agencies (tenant blacklists) were operating openly in Ontario. These agencies had been openly advertised in the Yellow Pages under “credit reporting agencies” for several years, yet no-one tasked with enforcing the Consumer Reporting Act had noticed this flagrant violation of the law. This example shows that a complaints-based investigative power is not enough, and that the oversight agency itself needs the power to conduct proactive monitoring and enforcement activities.
There also needs to be a serious commitment by the government to ensuring strong enforcement of the legislation, if the consumer protection contained in it is to be meaningful. In our report on the consumer reporting industry(3), we raise serious concerns about the Ontario government’s apparently weak enforcement of its Consumer Reporting Act, including the facts that:
- Most consumers do not know that the Ministry of Consumer and Commercial Relations takes complaints about credit reporting agencies. There is little effort to raise consumer awareness of this, and, in fact, current practices at the Ministry make it difficult for consumers to reach the appropriate official.
- There is little public accountability in respect of the government’s enforcement of the Consumer Reporting Act. We were forced to make a Freedom of Information request to get basic information about the government’s investigations of consumer reporting agencies.
- A tenant blacklist was found to be operating in flagrant violation of the laws of Ontario, yet the responsible government authority made no investigation of its database to ensure that the information it contained had not been collected and/or disclosed illegally.
Clearly, the proposed Ontario Privacy Act needs to improve significantly upon the current Ontario Consumer Reporting Act in respect of enforcement.
1. Recently, in the course of a research project we contacted 40 companies that had good privacy policies. Of these, only 11 agreed to answer questions about their practices for our research project.
2. For more information about the privacy concerns raised by the consumer reporting sector, please refer to PIAC’s forthcoming report, Protecting Consumers’ Privacy in the Consumer Reporting System that will be available shortly.
Letter to Minister Anne McLellan regarding the Privacy Act review
The Honourable Anne McLellan P.C., M.P.
Minister of Justice and Attorney General of Canada
284 Wellington Street
Ottawa, Ontario K1A 0H8
Dear Minister McLellan,
We are writing to applaud your recent commitment to review the federal Privacy Act, and urge you to ensure that the review is a thorough one.
Like many Canadians, we were dismayed to find out that Human Resources Development Canada (HRDC) was keeping a database like the Longitudinal Labour Force File (LLFF). We were pleased that the Minister of Human Resources and Development responded quickly to the deep public concern about the LLFF by announcing that it would be dismantled, and that better information management practices would be introduced in HRDC. The Minister of Human Resources and Development’s commitments address data protection in the context of HRDC’s social and labour market policy research, but a greater problem remains, which is that the federal Privacy Act actually permitted a database like LLFF to be amassed with little internal government oversight or clear disclosure of its existence to the public.
The LLFF controversy has shown that the Privacy Act needs to be strengthened to better protect consumers’ privacy rights. In particular, limitations on data matching need to be clarified and included in the Privacy Act. Also of great concern is the legal uncertainty about whether citizens’ rights as set out in the Act apply in the context of all federal government activities, or whether these rights can be infringed upon when permitted by other federal legislation.
The recent passage of the Protection of Personal Information and Electronic Documents Act was a great step forward for privacy protection in Canada. Now it is important to ensure that a similar standard of privacy protection is in place in the federal public sector. We urge you to undertake the Privacy Act review without delay, and to take seriously the results of the Privacy Commissioner’s review of the Act and his comprehensive recommendations on its amendment.
Yours sincerely,
Michael Janigan
Executive Director / General Counsel
cc.
The Honourable John Manley, Minister of Industry
The Honourable Jane Stewart, Minister of Human Resources and Development
Bruce Phillips, Privacy Commissioner
Letter Re: Uniform Electronic Commerce Act and Consumer Protection
TO: Provincial Ministers responsible for Consumer Affairs;
Provincial Ministers of Justice
Dear Ministers:
Re: Uniform Electronic Commerce Act and Consumer Protection
In October 1999, the Uniform Law Conference of Canada adopted the Uniform Electronic Commerce Act (“UECA”), a model statute designed to facilitate electronic commerce throughout Canada. Provinces are now being urged to enact legislation based on this model. We are writing to express concerns about the potential effect of this proposed legislation on consumer protection, and to urge you to address these concerns through either your province’s general electronic commerce legislation or its specific consumer protection legislation.
The Public Interest Advocacy Centre (PIAC) is a federally incorporated non-profit organization which provides legal advice, representation and research to groups and organizations who represent vulnerable Canadian consumers and who lack the ability to be heard when decisions are made that affect their interests. PIAC’s membership includes over 800 individuals and group members representing over 1.5 million Canadians. Since its inception in 1976, PIAC has made issues associated with communications policy and regulation a priority. Over the past few years, consumer issues in electronic commerce have been a focus of our attention.
The UECA has been carefully drafted so as not to change existing contract law, but rather to permit the use of a new medium of communication in commercial transactions. However, a practical effect of permitting businesses to use electronic means of communicating with their customers, without further safeguards against abuse, may be to undermine existing consumer protection law.
We are wholly supportive of the goal of facilitating electronic commerce between businesses and consumers. However, we also want to ensure that households without the means to engage in electronic commerce are not penalized by new laws which give this new medium the status of a norm – a status that electronic commerce has not yet reached. At a minimum, it is essential that existing laws designed to protect consumers from unfair or deceptive business practices are not circumvented through the use of electronic communications.
Accordingly, we ask you to consider the following recommendations for amendments to the UECA and/or supplementary consumer protection laws.
Existing Requirements to Provide Information to Consumers
Consumer protection laws typically include requirements for certain key information to be provided to the consumer (for example, by the vendor in advance of a purchase transaction). The purpose is to ensure that the consumer is in possession of the information.
Clauses 8 and 9 of the UECA address this issue by stating as follows:
8. A requirement under [enacting jurisdiction] law for a person to provide information in writing to another person is satisfied by the provision of the information in an electronic document,
(a) if the electronic document that is provided to the other person is accessible by the other person and capable of being retained by the other person so as to be usable for subsequent reference;
9. A requirement under [enacting jurisdiction] law for a person to provide information in a specified non-electronic form to another person is satisfied by the provision of the information in an electronic document,
(a) if the information is provided in the same or substantially the same form and the electronic document is accessible by the other person and capable of being retained by the other person so as to be usable for subsequent reference;
These clauses leave unclear the question of what “provision” entails. Specifically, it is unclear whether mere posting of the information to a website can satisfy the requirement of provision. Yet such an interpretation would undermine the functional objective of consumer protection laws, which require actual transfer of information into the custody of the consumer.
Enacting jurisdictions should therefore ensure, through appropriate drafting, that the term “provision” means actual transfer into the other’s custody, as opposed to mere notice of availability.
Consumer consent to receive information electronically
Clause 6(1) of the UECA states:
Nothing in this Act requires a person to use or accept information in electronic form, but a person’s consent to do so may be inferred from the person’s conduct.
This rule is meant to ensure that the Act is not used to compel people to accept electronic documents against their will. It is effective in the context of individually negotiated contracts between parties of relatively equal bargaining power. It provides very little protection, however, to the average consumer who is faced with standard form contracts and “take it or leave it” offers in which consent to replace paper disclosures with electronic disclosures is required as a condition of entering into the transaction. Instead, the UECA leaves up to courts the question of whether consent in such situations is meaningful and therefore legally binding.
This approach may seem reasonable insofar as the UECA is not meant to change the law of contract, but rather to ensure that the same rules of contract apply to a new medium of communication. However, leaving the question of when consumer consent to electronic disclosures and records is binding to a case-by-case determination by the courts will create uncertainty and necessitate costly litigation in cases where the question could easily have been settled in advance by statute. It is also fundamentally unfair to vulnerable consumers who do not have the means to litigate in the first place.
For these reasons, consumer protection laws (or the UECA itself) should specify that:
- electronic delivery of legally required notices, and of any information that is required by law to be in writing, is permitted only where the consumer transaction is negotiated electronically, or where the consumer’s consent to receive such information electronically originates from the consumer’s email address to which the electronic records will be delivered.
In this way, disputes over the validity of standard form consents to electronic communications will be limited, and consumers will be clearly protected from unintentional consent in the most egregious situations (e.g., when the consumer does not even own a computer, or does not have Internet access). It is important to note in this respect that approximately half of Canadian households still do not have Internet access, and that three-quarters of low income households remain unconnected.
Paper disclosures required by law are designed to provide consumers with information critical to making informed choices in the marketplace, to understanding their rights and obligations during commercial transactions, and to enforcing their rights when transactions go sour. Consumers can benefit from receiving information electronically, and should be permitted to do so, but the law should not create a situation in which consumers without the ability to receive electronic communications may be required by contract to do so.
It is particularly important that any electronic notices, failure to reply to which will lead to loss of service or property, actually reach the consumer. Unlike receipt of mail via Canada Post or courier service, receipt via email requires access to a working computer with Internet access. Home internet access remains a luxury service for many consumers, and is likely to be one of the first services discontinued when a household without such access runs into financial difficulty. In such situations, the customer’s failure to respond to the creditor’s email notice should trigger a requirement that the notice be provided in paper form. We therefore recommend establishment of a rule that:
- in respect of notices of impending default by or penalty to the consumer, electronic delivery is legally effected only where the consumer recipient has affirmatively acknowledged receipt of the notice.
Another, related, problem with reliance on electronic records in consumer transactions occurs when consumers find that they are unable to access or retain the electronic record in question. This can happen as a result of computer breakdown, or incompatible software programs, for example. It is important in such situations that consumers be able to obtain paper copies of the records in question. For this reason, we recommend statutory requirements that:
- regardless of the terms of the contract, the consumer is entitled to receive paper copies of electronic records upon request, for which providers may charge no more than their actually incurred costs of accommodating this request.
Consequences of Refusing to Deal Electronically
It is likely, assuming passage of laws based on the UECA, that businesses will rely increasingly on electronic communications. Indeed, given the low cost of electronic communications as opposed to paper communications, it is likely that businesses will take various measures to encourage consumer acceptance of electronic communications, including preferential pricing for those consumers who agree to deal electronically.
While such pricing strategies are understandable in light of underlying cost considerations, they will in effect penalize unconnected consumers (disproportionately low income) and will tend to further marginalize those who cannot afford to deal electronically in the first place. Such implications of the UECA need to be seriously considered in the overall policy context.
At a minimum, consumers transacting non-electronically should always be entitled to refuse electronic receipt of contractual records and statutorily required notices without incurring extra charges as a result. Until Internet household penetration has reached the level of telephone penetration, it is premature to establish laws and policies which assume electronic capability. There is no compelling policy reason to favour consumers with electronic access over those without, in respect of important commercial disclosures.
Integrity of Electronic Signatures
Electronic commerce requires the development of reliable methods of verifying the identity and capacity of contracting parties. The UECA gives electronic signatures the same legal status as handwritten signatures and leaves it up to each enacting jurisdiction to decide whether or not to establish regulations regarding the reliability of electronic signatures. Moreover, the UECA does not attribute liability for losses arising from good faith use of electronic signatures.
In deciding how to address this issue, it is important to recognize, first, that different forms of electronic signatures will have different levels of security and that the standard of care for the use of electronic signatures is unclear at this early stage of development. At the same time, most consumers using electronic signatures will have no sophistication in electronic security procedures, and could unwittingly expose themselves to liability despite due diligence and good faith.
Second, businesses have access to information about electronic commerce-enabling technologies and the ability to limit and plan for the risks created by electronic commerce. Consumers, in contrast, have neither the access to information nor the expertise necessary to evaluate the reliability of a given technology.
Third, unless fraud and error losses associated with online transaction technologies (and not attributable to carelessness on the part of the consumer) are allocated to technology providers and online vendors, there will be little incentive for investment in the further improvement of authentication technologies.
For all these reasons,
Legislation should clearly place the responsibility and liability for technology failures on certificate authorities, manufacturers, or the businesses dictating the authentication technology to be used.
A good baseline model to consider in this respect is the Canadian Code of Practice for Consumer Debit Card Services, prepared by the Electronic Funds Transfer Working Group in 1992, and revised in 1996. This voluntary code outlines the respective responsibilities of industry players and consumers in the use of debit cards.
Conclusion
Consumer protections equivalent to those found in the offline world must be built into the online marketplace, at the same time that rules facilitating the conduct of commerce electronically are enacted. In this way, we will ensure the emergence of a robust infrastructure for electronic commerce in Canada. We trust that you will consider and act upon the concerns and recommendations raised in this letter.
Yours truly,
Philippa Lawson
Counsel
cc: John Gregory, Chair, ULCC Working Group on Uniform Electronic Commerce Act; David Waite and Rob Harper, Co-Chairs, Consumer Measures Committee Working Group on ECommerce
Electronic Authentication: An Element of Canada’s Trust Agenda
Comments on Electronic Authentication: An Element of Canada’s Trust Agenda
Public Interest Advocacy Centre
1204 – 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
Contact:
Angie Barrados, Researcher
barrados@web.net
General
To date, issuing authoritative forms of personal identification has been the exclusive prerogative of government. Similarly, it has been governments alone that have traditionally made rules about who can use infrastructure, particularly infrastructure that is important to its citizens’ standard of living. In public key infrastructure (PKI), it is proposed that private certification authorities (CAs) will both issue identification and potentially control access to the information highway. Implementing this proposal would transfer powers that have historically been the realm of governments to private entities. Electronic Authentication: An Element of Canada’s Trust Agenda does not acknowledge this fundamental shift in power, and does not meaningfully consider what it means for individual citizens.
The proposed transfer of traditionally public power to the private sector could have very important implications for individuals. For instance, it is quite possible that the main CAs will be major banks, and that the certificates they issue would be used by consumers to communicate with many other companies on-line. Banks will certainly want to limit who they issue certificates to; perhaps they will issue certificates only to consumers who keep a certain balance in their bank accounts. In this way, banks’ policies could become a limitation on who has access to the information highway. Those consumers who are disadvantaged by bank policies will have little power to change them. In contrast, when government limits access to certain benefits, such as determining who is permitted to drive, or to own a dog, it is democratically accountable for these limitations, and citizens can potentially change them through the democratic process.
The power imbalances between corporations, such as banks, and private individuals are immense, and for this reason, governments set ground rules for how corporations must deal with individuals in the private sector. There are, as yet, few ground rules for the transactions between individuals and CAs. CAs may well be part of or associated with established corporate interests. How individuals’ interests will be protected in a digital environment dominated by corporate interests is a very important issue, but the discussion paper does not address it.
The goals of the proposed approach to authentication services focus on the need to build up trust in authentication schemes, and the need to ensure that businesses are not subject to conflicting requirements. What the discussion paper does not state is that individuals will only trust authentication schemes if their rights to privacy and consumer protection are respected in the context of authentication. The discussion paper does not deal with how either privacy rights, or consumer rights embodied in hard-won consumer protection rules, would be protected in this context. For instance, the discussion paper does not deal with the danger that certificates could become universal identifiers, and the privacy implications of this. Also, it does not consider the consumer protections embodied in physical signatures, and how to maintain these for digital signatures. Nor does it mention the goal of ensuring universal access to important public infrastructure, a longstanding Canadian value in many fields.
The protection of individual rights in the context of digital authentication has not been fully covered by other government initiatives related to the information highway. The Personal Information and Electronic Documents Act will likely apply to CAs, and be important for ensuring that CAs follow good data protection practices. However, the new law will not determine whether PKI overall is privacy-respectful or privacy-invasive. Also, the consumer protection issues raised by setting up CAs go far beyond the Principles of Consumer Protection for Electronic Commerce. These principles address the relationship between retailers and customers, not the one between individuals and CAs.
Ensuring that privacy is protected, consumer protection rules are maintained and that universal access to new digital systems is promoted should be the most important of the government’s goals in developing PKI.
It is hard to know what the future digital world will be like, but it is clear that the potential widespread introduction of public key digital authentication systems raises many new concerns for individuals that have not previously been encountered. These new concerns should be better understood, and taken into account as PKI is developed. Our preliminary understanding of the major concerns for individual consumers is provided below(1). However, it is clear to us that far more work needs to be done to study some of the emerging issues in this area.
Certification Authority Power
The discussion paper mentions that CAs will potentially assume powerful social roles but does not explore the implications of this. CAs could have a great deal of power over individuals by virtue of their function in issuing, withholding and revoking certificates. In particular, a CA will probably be able to record everyone with whom an individual transacts using a particular digital signature(2). In creating PKI, careful attention needs to be paid to limiting the power of CAs, both through the structure of the system, and through consumer protection rules. In terms of PKI structure, the following factors will determine the extent of CAs’ power over individuals:
- whether individuals must obtain a certificate in order to engage in important or essential transactions;
- whether individuals have a choice as to which CA they deal with;
- whether CAs create a diversity of services that respond to consumers’ needs;
- whether eligibility requirements for certificates are determined by the certificate authority, or are regulated in some way;
- whether identification requirements and criteria used to judge applications for certificates are publicly disclosed.
In terms of consumer protection, the most important rules will involve assigning liability to parties in a transaction. This is especially true in the area of security and potential misuse of certificates. Only if CAs bear the liability for misuse of certificates will they have the incentive to take all possible precautions against such misuse. This assignment of liability would be analogous to the liability banks have for misuse of ATM cards. Banks bear the liability for misuse of ATM cards provided customers take reasonable security precautions, so they use good security methods at ATM machines.
Consumers will also potentially need protection from unreasonable restrictions in obtaining certificates, and from being pressured to obtain certificates with privacy-invasive features. In the future, consumers may be pressured to obtain certain certificates in a number of ways: important or essential transactions may require a certain certificate, there may be mandated use of certificates, and/or there may be cost differentials among certificates (with privacy-respecting certificates being unaffordable for some consumers). Certificates will be more privacy invasive if they identify someone by a universal or near-universal identifier (which facilitates data matching), and if they disclose personal information in the certificate itself.
Competition
On several occasions, the discussion paper repeats the following statement:
There are compelling arguments to allow the market, through its competitive forces, to determine how CAs and their services will evolve.
Yet there is little evidence that competition alone will produce good outcomes for consumers. CA services would form part of the infrastructure for the information highway; competition to provide CA services would therefore be analogous to competition for the provision of other utility services. Competitive utility markets usually benefit business more than individual consumers, and often suffer from weak competition(3). Even in utility markets in which workable competition develops, an array of regulatory safeguards is still required to protect consumers. Careful thought needs to be given to how real competition could be fostered among CAs, and to the limitations of market forces in providing full protection for consumers. This is especially true if CA functions are taken on by companies, such as banks, that already dominate other retail markets.
Will PKI be Privacy Respecting or Privacy Invading?
The development of electronic systems that use public key authentication could lead to unprecedented centralization of individuals’ personal information, both in the hands of those that run the systems, and in hands of CAs. In this context, there are two main ways to make sure that PKI does not become an instrument for privacy invasion:
- Ensure that CAs have good information management practices (i.e. that they conform to the Personal Information and Electronic Documents Act);
- Ensure that individuals maintain control over their personal information.
Ensuring that individuals maintain control over their personal information is the most important way of protecting individuals’ privacy. Individual control over personal information could be maintained in the context of PKI by:
- Providing consumers with adequate information to be able to choose amongst service providers;
- Ensuring that consumers are not forced to opt into using digital signatures and the like, but can opt in when they have confidence that the system offers adequate consumer protection;
- Setting up the system so that individuals will tend to have a number of certificates for different purposes rather than one multipurpose one. If it becomes the norm to use a digital signature for all transactions, that signature would become a de facto universal identifier, and there would be a very real potential for privacy-invasive data matching;
- De-linking identification from authentication. To protect individuals’ privacy, individuals should only be identified in digital transactions when it is necessary to do so. This will require the development of blind signatures, or signatures that convey eligibility or attributes rather than identity.
Principles
Principles for the development of authentication services in Canada should address the issues of limiting CA power and designing a privacy-respectful PKI. To develop the principles, there needs to be a broader discussion that includes more public input, and that clearly addresses the ways that widespread use of digital authentication will change the way in which many consumer transactions are conducted. Clearly there is a need for a “balanced and neutral process” in establishing the principles, but public sector involvement should not be limited to facilitating the process. Government should also ensure that individuals’ rights are adequately protected in any principles and standards generated by the process. In other words, the government should be preparing for its role as the “competent authority” (regulator) of PKI.
The principles should not focus on the use of authentication for identity purposes as the discussion paper suggests, since this type of authentication is potentially the most privacy invasive. Instead, the principles should reflect a balance between the need for consumers to identify themselves in digital transactions and the need of consumers to control their personal information. The principles should ensure that PKI allows consumers to obtain certificates that do not identify them, and that consumers are not forced to identify themselves unnecessarily.
The concept of CAs cooperatively registering users as suggested in the discussion paper needs to be treated with caution. Cooperative registration would centralize personal information more than a system in which CAs have separate registration systems. This kind of centralization increases potential privacy concerns. Also, such cooperative registering suggests a system in which individuals would have one certificate for all purposes. As mentioned above, a “one certificate” system is more privacy invasive than a system that allows for many certificates to be used for different purposes.
Standards
If standards are to be developed to operationalize the principles, common standards should apply to all CAs that deal with individual consumers. Ideally, regulated standard contracts between CAs and consumers would be developed. The distinction between open and closed models would appear to be more relevant for business-to-business transactions than business-to-consumer transactions. Individual consumers always face a power imbalance in dealing with major corporations and thus need some protection whether the model is open or closed.
Standards are only effective if they include an adequate compliance component. A recent Industry Canada sponsored publication stated this quite clearly:
For fairness and credibility, the parties themselves and the greater affected community must have information about the state of compliance with code provisions and how non-compliance is being addressed. The code’s information-related provisions should include some combination of self-reporting obligations for adherents, powers of monitoring, compliance verification or auditing, impact assessments and the ability to publicize data on compliance on non-compliance(4).
Government PKI
Public key authentication could become very important for government services delivery in the future. The computerization of health records, for instance, may require public key methods of authentication. In fact, large-scale use of public key authentication may emerge for government services before it does in private sector e-commerce, given the preponderant use of credit cards in the latter (since consumers will have little reason to acquire digital signatures if they can use credit cards). Therefore, the government should consider developing CA standards for CAs involved in citizen-to-government transactions, which could then be used as a model for private-sector PKI.
Raising Consumer Awareness and Use
The questions posed by the discussion paper on how to promote the use of “strong” authentication techniques among individual users are premature, since it is far from clear that public key authentication will actually benefit individual consumers. Public key authentication can only be meaningfully promoted to consumers in the context of some assurance that the new systems will not be privacy invasive, and will not involve significant new liabilities for consumers.
Next Steps
More work needs to be done to study the implications of large-scale use of public key authentication in consumer-to-business and citizen-to-government transactions. How individual interests will be affected by implementation of public key authentication needs to be well understood before principles for authentication are developed. Also, there is a need to develop a clear, non-technical explanation of digital authentication and PKI so that a wider audience can participate in discussions about it.
1. Our paper Digital Authentication and Consumers’ Privacy provides more commentary on this subject based on the proceedings of the Tenth Conference on Computers, Freedom and Privacy held in Toronto from April 4-7, 2000. It is available on our web site at www.piac.ca.
2. This potential arises from the CA’s management of the revocation lists. Anyone relying on digital signatures would have to check the revocation list each time they accept a signature. In the process of checking the revocation list, a data trail would be created that would show every inquiry about a particular certificate.
3. See PIAC’s paper on residential long distance service, Still A Long Distance to Go, or our paper on energy deregulation, Utility Shopping: Are Consumers Ready?
4. Government of Canada, Voluntary Codes: A Guide for Their Development and Use, March, p.22.
PIAC Submission to Senate Committee on Privacy and Security on the Internet
Privacy and Security on the Internet
Submission to the Senate Subcommittee on Communications
Philippa Lawson, Counsel
Public Interest Advocacy Centre
1204 – 1 Nicholas St., Ottawa, ON K1N 7B7
pippa@web.net
http://www.piac.ca
Background on PIAC
PIAC is a federally incorporated non-profit organization which provides legal advice, representation, and specialized research to groups and individuals who are voicing public concern on issues of broad national interest and matters involving public utilities and essential services. Since its inception in 1976, the Centre has developed a reputation for providing effective consumer advocacy in the regulation of telecommunications, cable TV, broadcasting, energy, and transportation, as well as in the field of privacy and consumer protection generally.
In addition to its wide clientele and partner organizations, PIAC has a membership of organizations covering over 2 million Canadians. PIAC’s member organizations include the Alberta Council on Aging, Canadian Pensioners Concerned, Consumers Fight Back Association, Manitoba Society of Seniors, Ontario Coalition of Senior Citizen Organizations, One Voice – The Canadian Seniors’ Network, PEI Council of the Disabled, and Rural Dignity of Canada. PIAC also has a donor list of approximately 900 individual Canadians.
PIAC has been involved in privacy issues since the early 1990s, when new telecommunications services affecting personal privacy (e.g., Call Display) were first offered. Since then, PIAC has developed significant expertise in the field of privacy: publishing a legal text, overseeing a national opinion survey, participating in the development of our national standard on data protection, CAN/CSA-Q830, and working with government and stakeholders to develop effective data protection legislation in Canada. PIAC counsel is frequently quoted by the media on privacy issues.
Consumer Privacy on the Internet
My comments today are from the perspective of a consumer advocate, and are therefore focused on privacy concerns of individuals in their roles as consumers in the marketplace, and in particular, the electronic marketplace. That is not to say that there are not enormous privacy concerns with respect to data collection and use by governments, or by private parties engaged in research or other non-commercial activities. These are equally important issues that governments should be addressing.
When we shop in the real world, nobody is watching our every move, monitoring the stores we visit, what we buy, the clothes we try on, or the products we look at. But when we go online, this is exactly what is happening. Through the use of computer technologies, private companies are collecting detailed personal data about us, using it to target their advertising to us, and trading it in the marketplace. In fact, a huge industry in personal data collection has developed and is growing by leaps and bounds. Many websites depend on revenue from selling user data to third parties, or delivering specific demographics to advertisers. Ecommerce business models are often based on the collection and sharing of personal information. The more information they have about you, the more money they make. As one ecommerce CEO said, “if it’s a question of profit versus privacy, profits come first every time”.(1)
Consumer profiling is by no means unique to the online world: mail-order firms track consumer purchases in order to send catalogues specific to the consumer’s interest; supermarket chains offer club cards that keep detailed records of individual purchases, and magazines trade and sell subscription lists for profit. But Internet technology permits a whole new level of consumer surveillance that is not possible in the physical world. Websites can track not only every item you purchase, but also every site you visit, every page or product you look at. Combined with other, often publicly available data, Web-generated information creates an unprecedented level of detail regarding individual behaviour, tastes, habits, and interests – a profile like no other. Yet many – probably most – consumers are not aware of the extent to which they are being watched online.
Let me mention briefly some examples of the kind of systematic privacy invasions we are beginning to confront with the growth of ecommerce:
- “Cookies” are now considered an essential tool of ecommerce. They are files sent by a website to your computer when you visit that website. When you return to that website, the cookie tells the site who you are (a unique computer ID), what your expressed preferences are with respect to that site, and where you’ve been on the Net. Cookies can therefore eliminate the need to repeatedly fill out a registration form every time you visit a website, and help online service providers to customize their service offerings based on the consumer’s preferences. But they also permit online advertisers and websites to surreptitiously track individual web surfing behaviour.
This month’s Consumer Reports magazine focuses on the use of cookies in online marketing. The lead article warns: “Bit by bit and click by click, intimate details of your personal life are piling up in enormous commercial databases – often without your knowledge or consent.”
- Doubleclick is an online advertiser that uses cookies to track the surfing habits of Internet users. You don’t even have to click on the banner ad to be monitored in this way; every time you visit a webpage with a Doubleclick banner ad on it, that information is passed back to Doubleclick, which now has a database of the surfing habits of over 100 million Internet users. Last fall, Doubleclick bought an offline market research firm by the name of Abacus Direct, with the intention of linking its non-personal clickstream data with personal names, email addresses, offline purchasing habits, and other personal information held by Abacus. A huge consumer backlash in the USA caused the company to suspend its plans, at least temporarily.
- Two other high profile websites, RealNetworks and Alexa, a subsidiary of Amazon.com, also stand accused of linking personally identifiable information with users’ Web trails. While these companies deny the charges and have taken measures to block such data matching, it is clear that the only thing stopping them from the privacy invasions of which they are accused is public pressure.
- FreeAtLast.com, a new ISP, recently announced plans to offer free Internet access to people who agree to install software that, like Doubleclick, tracks their online behaviour and then uses the information to send targeted advertisements to them. While the ISP assures critics that it will not connect individual names with clickstream data, it will have the capacity to do so.(2) This business model – offering free services in exchange for personal information – is becoming more and more common. It raises the question: do consumers appreciate the implications of this kind of exposure?
- Along with the trend toward personalization and customization of products and services to individual consumers, companies are increasingly engaging in “weblining”, a practice similar to the practice of “redlining”, in which lenders and other businesses marked certain neighbourhoods off-limits. “Weblining” uses your online profile to determine your choices in products and services, and even the price at which they are offered to you. Geographic stereotypes are giving way to market segmentation based on all sorts of factors, including ethnicity, age, gender, and religion. The information-gathering capabilities of the Internet, together with the information-sorting capacity of computers, now permit companies to maintain the equivalent of profit and loss statements on every customer. Those judged of minimal value receive fewer offers, and fewer opportunities. The choices presented to you will be based on a computer program’s determination of what you would most like, which in turn is based on your data profile.(3)
Online Data Security
In addition to intentional information gathering, ecommerce has opened up new opportunities for unintentional leaks and outright theft of personal information. Once personal information is amassed in a computer database, a single security breach can release a huge amount of very sensitive information. Thieves can get access to credit card information; stalkers can find out where their victims reside; vandals can interfere with stored data. It is estimated that one half to three-quarters of all commercial websites can be hacked. Some hacking experts claim to have found a way in to every site they have examined, accessing sensitive customer data, and sometimes even executing financial transactions using someone else’s account.(4)
It’s therefore not surprising that hardly a week goes by without reports of security breaches at some major website – just last week, Microsoft had to shut down its Hotmail service for four hours while it fixed a problem that permitted attackers to penetrate user accounts via email.(5)
Online Investigative Services
And then there are the investigative companies that specialize in collecting data on specific individuals and selling it to anyone who will pay the fee. If you are a frequent email user, you will likely have received at least one message claiming to “Find Anything About Anyone On The Net!” These companies are able to pull up addresses, phone numbers (even unlisted ones), physical descriptions, details of property ownership, past employment information, and social insurance numbers, for example. While this kind of service can be useful to creditors looking for evasive debtors, it can also be used by stalkers to locate their victims, as was the case in the death of a New Hampshire woman last fall.
Identity Theft
Not surprisingly, all this collection and disclosure of personal information has resulted in a new wave of identity theft, as Internet sites offer easy access to financial and other personal information with little attempt to verify the customer’s legitimacy.(6) Once they’ve got your name and social insurance number, together with other personal information about you, imposters can open up charge accounts in your name and destroy your credit. It is estimated that 400,000 Americans will suffer identity theft this year, according to a report in PCWorld Magazine.(7)
Responses to the Privacy Problem
In light of all of this, many just throw up their hands and say “there is no privacy on the Web – get used to it”. That’s certainly one way to look at it, but I would say that it is unnecessarily defeatist. It is possible, through a mix of legislated ground rules, voluntary codes of practice, and mass-marketed technological tools, to change the way that the Internet is evolving in respect of consumer privacy and to regain control over our personal information.
Technological Fixes
Privacy-enhancing technologies and tools already exist to help consumers navigate the Internet without giving away more personal information than they wish to. Web browsers allow users to control the use of cookies on their computer – you can set your browser to warn you that a cookie is about to be deposited in your computer, at which point you can choose whether or not to accept it. Alternatively, you can set your browser to refuse all cookies, in which case you may not be able to access certain websites. According to a recent survey by Cyber Dialogue, an Internet customer relationship management company, over 46% of all Web browsers are set to accept all cookies indiscriminately, without any warning to the user. Most users simply don’t know how to adjust this feature, and even if they do, most users are unable to distinguish between good and bad cookies.
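The paragraph above notes that most users cannot tell a “good” cookie from a “bad” one. The properties a browser can actually inspect are few: whether the cookie was set by the site the user is visiting or by a third party embedded in the page (an ad network, for example), whether it expires with the session or persists for months or years, and whether its value is a preference or an opaque identifier. The following Python script is an added illustration of those checks and is not part of the PIAC page or any vendor’s product. The Set-Cookie headers and hostnames (under the reserved `.example` domain) are constructed for the example, and the “registrable domain” logic is a deliberate simplification: a real implementation would consult the Public Suffix List rather than taking the last two labels.

```python
"""Classify cookies by tracking potential from Set-Cookie headers.

Added illustration for this page, not PIAC's code. Sample headers are
constructed; registrable_domain() is a simplification (no Public Suffix List).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed reference time so the classification is reproducible offline.
NOW = datetime(2000, 5, 15, tzinfo=timezone.utc)
LONG_LIVED_DAYS = 30


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lifetime_days(cookie: Cookie, now: datetime = NOW):
    """Remaining lifetime in days, or None for a session cookie.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if "max-age" in cookie.attrs:
        try:
            return int(cookie.attrs["max-age"]) / 86400
        except ValueError:
            return None
    if "expires" in cookie.attrs:
        try:
            exp = parsedate_to_datetime(cookie.attrs["expires"])
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None


def looks_like_identifier(value: str) -> bool:
    """Heuristic: a long token of identifier characters, not a setting like lang=en."""
    token = value.strip('"')
    return len(token) >= 16 and all(c.isalnum() or c in "-_.%" for c in token)


def classify(header: str, page_host: str, response_host: str, now: datetime = NOW) -> dict:
    """Classify a cookie set by response_host while the user views page_host."""
    cookie = parse_set_cookie(header)
    # Third-party: the response that set the cookie came from a different site
    # than the page being viewed (e.g. an ad server embedded in a news page).
    third_party = registrable_domain(response_host) != registrable_domain(page_host)
    days = lifetime_days(cookie, now)
    persistent = days is not None and days > 0
    opaque = looks_like_identifier(cookie.value)
    # Domain=.adnet.example scopes the cookie to every host under adnet.example,
    # so one identifier is presented wherever that network has a presence.
    wide_scope = cookie.attrs.get("domain", "").startswith(".")

    if third_party and persistent and opaque:
        verdict = "third-party tracker"
    elif persistent and opaque and days >= LONG_LIVED_DAYS:
        verdict = "first-party persistent identifier"
    elif persistent:
        verdict = "persistent preference"
    else:
        verdict = "session"
    return {"name": cookie.name, "third_party": third_party, "persistent": persistent,
            "lifetime_days": days, "opaque_id": opaque, "wide_scope": wide_scope,
            "verdict": verdict}


# Constructed samples: (Set-Cookie value, page host, host that sent the response).
PAGE = "www.dailynews.example"
SAMPLES = [
    ("id=8f3a9c1e77b4d2e0a6c5f1b9; Domain=.adnet.example; Path=/; "
     "Expires=Sun, 15 May 2005 00:00:00 GMT", PAGE, "ad.adnet.example"),
    ("sessionid=1f9d0a3b5c7e2a4d6b8f0c1e; Path=/; HttpOnly", PAGE, PAGE),
    ("lang=en; Path=/; Max-Age=2592000", PAGE, PAGE),
    ("uid=5d2c8e0f1a9b3c7d4e6f8a0b; Path=/; Max-Age=31536000", PAGE, PAGE),
]


def classify_samples():
    return [classify(h, p, r) for h, p, r in SAMPLES]


if __name__ == "__main__":
    for result in classify_samples():
        print(f"{result['name']:<10} {result['verdict']:<35} "
              f"third_party={result['third_party']} days={result['lifetime_days']}")
```

The first sample is the Doubleclick-style case: a long opaque identifier, set by a host other than the page the user visited, scoped to the whole ad network’s domain and valid for five years. The same identifier value on a session cookie from the site itself is classified as harmless, which is the distinction the browser warning dialogs of the time did not make for the user.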
At the other end of the scale are programs like Zero-Knowledge Systems’ “Freedom”, which permits users to remain anonymous as they surf the Net or send email. But most of these programs cost money, and don’t yet protect the user once he or she wants to transact online (Zero-Knowledge is working on a system to do just that). Moreover, they put the onus on users to protect their personal information without giving them the legal rights to such protection.
Privacy-enhancing technologies are an important component of the solution to the problem of privacy and security on the Internet, but they cannot do the job themselves.
Voluntary Codes of Practice
Industry self-regulation is another piece of the puzzle. Many businesses now recognize that protecting customer privacy and respecting the right of individuals to informational self-determination is good business practice in the long term, even when the immediate gains from unauthorized trading of personal information are large. Just this week, a number of the biggest American online providers together urged their compatriots to rein in data collection and trading practices, and to show government that they can and will self-regulate through effective codes of practice.
But voluntary privacy policies don’t seem to be working: a recent poll of web users found that only 38% think that most privacy policies are easy to understand.(8) Whether or not they are understandable, most voluntary privacy policies are incomplete, and come nowhere near meeting fair information standards, as set out in Canada’s new data protection legislation, for example. Moreover, many sites do not comply with their own policies: a recent study of health advice sites in the USA found that personal information was transferred to third parties in direct violation of stated privacy policies.(9) Efforts such as TRUSTe and BBBOnline’s Privacy seal in the USA have met with strong criticism by privacy advocates who point out that neither of these programs has yet withdrawn an endorsement from an approved site.
Legislation
Legislation is clearly needed to back up self-regulatory efforts and to guide technological and market developments in the direction of socially desirable and acceptable information practices. This fact is gradually coming to be recognized in the US, as polls show an increasing public demand for law regulating how personal information can be collected and used on the Internet.(10) Just this past week, for example, the FTC published a rule requiring financial institutions (broadly defined) to notify customers about the collection of personal information and to offer choice as to how that data is subsequently shared. President Clinton recently announced proposals for legislated privacy protection aimed at giving consumers more control over their personal information. Canada is clearly ahead of its major trading partner in this respect, with the recent passage of Bill C-6 – a legislative initiative for which this government should be congratulated.
Implementation of Bill C-6
However, the passage of Bill C-6 is just the beginning. Rules are of little value unless they are enforced. Indeed, tolerance of non-compliance with legislation such as this can be damaging to the rule of law generally. It is essential therefore that government put its money where its mouth is, and back up the Protection of Personal Information Act with a strong compliance plan, including adequate resources to the Privacy Commissioner, who is now faced with the enormous task of educating industry and the public, helping and coercing businesses to comply, using his powers of publicity to obtain compliance, and taking cases to court where necessary.
Without sufficient resources to do this job effectively over the next few years, there is a serious risk that we will fall flat on our faces – that widespread violations of Bill C-6 will remain the norm, that businesses will see that they can get away with it, that consumers are no better off, and that the rule of law is irreparably damaged.
We have allowed technology and market forces to get ahead of our laws and social principles over the past several years. Business plans have been built up on the basis of unauthorized gathering and sharing of personal information. This makes it all the more difficult to implement fair information practices as set out in Bill C-6. There will be resistance, and there will always be those market players who try to get away with disrespect for the law – just as with misleading advertising, for example. If we are to create a culture of respect for privacy in the new wired world, the government must do more than just lay out the rules. It must take proactive steps to ensure that this legislation is honoured not only in the breach.
Bill C-6 gives complainants the right to sue for damages in Federal Court, where companies refuse to comply with the law. Instead of state prosecution, the regime shifts the burden of enforcement to citizens, who are now expected to take non-compliant companies to court. We are skeptical, to say the least, about the effectiveness of this approach. Nevertheless, if it is to be at all effective, complainants will need assistance. It will be the rare person who is able and willing to fund a lawsuit against a company for failure to comply with this Act. If the government is going to shift the burden in this manner, it should at the very least provide some kind of funding program, such as exists for Charter challenges under the Court Challenges Program, to permit individuals to exercise their rights under the new law.
Finally, we need to monitor the effectiveness of this new legislation in dealing with the privacy and security concerns of the new wired world. We should start thinking now about what kind of information we will need in order to conduct the five year review of the Protection of Personal Information Act, and we should start tracking that information as soon as the law is enacted. We will need to know if this law deals effectively with the various threats to privacy that continue to arise. Does it, for example, adequately rein in the use of cookies? (Cookies use computer identifiers, not personal identifiers.) Does it ensure that consumer consent to secondary uses of their personal information is adequately informed and truly voluntary? Do any of the exceptions, such as disclosure for the purpose of debt collection, open up huge, unintended loopholes? This is a first attempt at legislating a whole new area of marketplace activity; it is unlikely to be perfect. We should be prepared to improve it after a few years of experience.
The International Context
With the growth of the Internet-based economy, national borders are increasingly meaningless. Privacy invasions cannot be stopped at the border. Canada cannot act alone in order to effectively protect its citizens from abusive practices. Not only is this a practical impossibility; it could raise trade barrier issues if countries do not move in tandem with each other. We should continue to work with our trading partners and multilaterally within international organizations to establish common standards of data protection world-wide.
The Canadian model, set out in the CSA International Privacy Code and Bill C-6, is a good basis on which to build international consensus. Canada should take advantage of its unique situation and move now to encourage the adoption of an international data protection standard based on its widely accepted model code and law. All that is needed is financial support to the Standards Council of Canada, in order for it to take on the job of developing international consensus around a data protection standard.
In this way, Canada would not only achieve a more level playing field for Canadian business and more meaningful protections for Canadian consumers – it would do so using the Canadian model as the basis for international agreement. Canada is uniquely poised to provide international leadership in this field. It would be a pity if we squandered this opportunity.
Privacy as a Human Right
At the same time, we must recognize the fundamental nature of privacy as a human right – something that is essential to individual dignity and autonomy. Data protection standards for businesses should therefore flow from a recognition that individual privacy, at some point, should not be treated as a negotiable commodity in the marketplace. In this respect, we look forward to legislative initiatives aimed at establishing a general right to privacy.
Recommendations
We therefore recommend:
- that the Privacy Commissioner be provided with sufficient financial resources to effectively publicize, educate, obtain compliance and pursue non-compliant actors under the new data protection legislation;
- that the effectiveness of the new law be monitored closely over the next five years, with a view to its Parliamentary review at that time;
- that a fund be established, possibly as a new component of the existing Court Challenges program, to assist individual complainants in exercising their rights and enforcing the law via court actions, where appropriate;
- that Canada take a leading role in the development of international standards of data protection through ISO, the International Organization for Standardization; and
- that a general right to individual privacy be established in law.
Recommended Reading
Simson Garfinkel, Database Nation, (O’Reilly, Jan. 2000) (www.databasenation.com)
Jeffrey Rosen, “The Eroded Self”, The New York Times Magazine, April 30, 2000.
“Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.
1. Rick Jackson, CEO of Privada, quoted in “Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.
2. Jim Hu, “Start-up’s tracking software sets off privacy alarm”, CNET News.com, May 1, 2000.
3. “Weblining”, Business Week Online, April 3, 2000.
4. “ECommerce’s Dirty Little Secret”, PCWorld Magazine, May 8, 2000.
5. “Hotmail down due to hole”, WIRED News, May 10, 2000.
6. “Identity Thieves Find Easy Pickings on Web”, SPB News, May 10, 2000.
7. “They Know Everything About You”, PCWorld Magazine, May 8, 2000.
8. Poll for May issue of Wired magazine, reported in “Our Not So Private Lives”, Inter@ctive Week (ZDNet), May 1, 2000.
9. “Policies are no Insurance”, PCWorld Magazine, May 8, 2000.
10. A Business Week poll conducted in March, 2000 showed 57% of Americans polled in favour of legislated privacy protections on the Net.
Newsletter – April 2000, Vol.7, No.1
IN THIS ISSUE
Privacy Protection on the Way – Bill C-6 Finally Passes!
Keeping Police Powers in Check
Protecting Consumers Online: Standards for ECommerce
Telecommunications Regulation: What’s Up?
Internet “Have” and “Have-nots” in Canada split along Social Class Lines!
PRIVACY PROTECTION ON THE WAY – BILL C-6 FINALLY PASSES!
After 1½ years of Parliamentary review and delay, Bill C-6, the Protection of Personal Information and Electronic Documents Act, was passed on April 4, 2000. It will be made law as of January 1, 2001 and will initially apply to banks, telephone companies, airlines, and other federally regulated industries, as well as to the trade of personal information across borders. As of January 1, 2004, the Bill will apply to all industries, except those already covered by similar provincial legislation such as already exists in Quebec.
This is a tremendous step forward in consumer protection, and one for which PIAC worked hard. Canadians outside of Quebec will now have legal rights to control over their personal information in the private sector, rights that should have been established in law long ago, before consumer data mining developed into the huge business that it now is. Finally, consumers will be able to complain about the unauthorized collection, use or disclosure of their personal information by private sector companies, and to obtain redress where they have suffered as a result of the privacy invasion.
Bill C-6 requires that companies obtain the individual’s consent to any collection, use or disclosure of that individual’s personal information, except in specific instances such as emergencies, criminal investigations, scholarly research, or for artistic, literary or journalistic purposes. Consent may be obtained via negative option (onus on consumer to refuse consent) where the information in question is not sensitive. However, companies cannot require, as a condition of sale or service, that consumers provide personal information (such as SIN) unless that information is actually necessary to provide the good or service requested. The Bill also requires that organizations give individuals access to their information upon request, and that consumers have the ability to correct inaccurate information about them held by the company.
Individuals can make complaints under this Act to the federal Privacy Commissioner, who has the power to investigate, report on, and publicize infractions of the law. Whistleblowers are specifically protected. Unresolved complaints can be taken by the complainant or the Privacy Commissioner to the Federal Court for a binding order. The Court can order the organization to correct its practices, to publish notices of such correction, and/or to pay damages to the complainant.
For more information on the new law, see Industry Canada’s “primer” and “backgrounder” on the privacy provisions of Bill C-6, available online at http://www.strategis.ic.gc.ca/virtual_hosts/e-com/english/privacy/632d1.html#doc
KEEPING POLICE POWERS IN CHECK
At the same time that Bill C-6 was being passed, the federal government was moving forward with new legislation to combat money laundering. Bill C-22, the Proceeds of Crime (Money Laundering) Act, is part of an international effort to crack down on organized crime. It establishes a regime under which banks, insurance companies, accountants, lawyers and others must report regularly to a new federal agency (the “Financial Transactions and Reports Analysis Centre of Canada”) on any “suspicious transactions” occurring in the course of their business. The law creates stiff penalties for failure to report, ensuring that companies subject to the Bill will err on the side of reporting more than necessary. As well, it requires secrecy in reporting, so that criminals do not get wind of any investigation. The new Agency collects and analyses the information from these reports, in order to better detect money laundering activities. It then provides the police with information on suspicious activities.
While recognizing that consumer privacy must be compromised in order to achieve law enforcement goals, PIAC expressed concerns about the extent of covert information collection and analysis regarding innocent individuals under this regime, and urged that the Privacy Commissioner be given effective oversight powers to ensure that individual privacy is not unduly infringed in the course of the new Agency’s operations. Our suggestions were welcomed and acted upon.
PROTECTING CONSUMERS ONLINE: STANDARDS FOR ECOMMERCE
With the rise of electronic commerce and the expectation that more consumers will be shopping online, PIAC and others have been working to develop standards for governments and businesses to use when developing laws and self-regulatory schemes for consumer protection in this new medium.
Together with a number of other consumer advocates, government officials, and business representatives, we have developed a set of principles, entitled “Principles of Consumer Protection for Electronic Commerce: A Canadian Framework” (available online at http://strategis.ic.gc.ca/oca). In brief, they require that:
- Consumers be provided with clear and sufficient information to make an informed choice about whether and how to make a purchase;
- Online vendors take reasonable steps to ensure that the consumer’s agreement to contract is fully informed and intentional;
- Online vendors and intermediaries respect the privacy principles set out in the CSA International’s Model Code for the Protection of Personal Information (now law);
- Online vendors and intermediaries take reasonable steps to ensure that transactions in which they are involved are secure;
- Online consumers have access to fair, timely, effective and affordable means for resolving problems with any online transaction;
- Consumers be protected from unreasonable liability in online transactions;
- Online vendors not transmit commercial e-mail without the consent of consumers, unless a vendor has an existing relationship with a consumer; and that
- Government, business and consumer groups promote consumer awareness about the safe use of electronic commerce.
We are now working to expand and operationalize these principles through, perhaps, a “seal of seals” program, under which the proliferating array of private sector trustmarks and seals would be themselves assessed against our criteria for effective consumer protection.
One of the most well known private sector seal programs is that of the Better Business Bureau. PIAC recently completed a detailed analysis of BBBOnline’s draft Code of Online Business Practices, comparing it to a number of other standards and voluntary codes in use. That report is available from PIAC’s website.
TELECOMMUNICATIONS REGULATION: WHAT’S UP?
RATES FOR BASIC SERVICE: THE SAGA CONTINUES
The thorny issue of how to ensure, in a competitive environment, that all Canadians have access to affordable, high quality telecommunications service continues to vex regulators and governments. Without appropriate regulatory intervention and/or government subsidies, competition threatens to result in reduced service and significantly higher rates in rural and remote areas, as well as higher rates for residential customers generally.
On behalf of Action Réseau Consommateur, the Consumers’ Association of Canada, and the National Anti-Poverty Organization, PIAC continues to press hard for an effective solution which minimizes the burden on consumers. We are active in a number of CRTC proceedings bearing on this issue, providing suggestions for replacement of the current “toll contribution” mechanism with a more sustainable subsidy scheme, and for a fair spreading of the burden among industry, business customers, and residential consumers.
$100 MILLION IN RATE INCREASES PREVENTED!
In a recent proceeding, we successfully prevented the telephone companies from raising the basic residential price cap by approximately 5% in order to reflect a reduction in the “direct connection” charge they apply to long distance service providers accessing their local facilities. The CRTC agreed with us that such “rate rebalancing” was neither necessary nor appropriate. The overall impact of this rate change amounts to $146 million in Bell Canada territory alone, of which $100 million would have been applied to the residential price cap (potential rate increases) if Bell had had its way. Other telcos wanted similar price cap adjustments.
DIRECTORY SERVICE CHARGES CONFIRMED
Our appeal of the CRTC decision to permit Bell Canada to charge for directory assistance (at 75¢ per call) even when the operator can’t find the number was denied, but by the slimmest margin – we had a number of Commissioners on our side. We are currently considering an appeal of this ruling to the Minister of Industry.
QUALITY OF TELEPHONE SERVICE: NEW INDICATORS BEING CONSIDERED
One of the results of competition in telecommunications has been that companies focus their attention on high-end customers. This can mean that the quality of basic service, especially that provided to captive, lower-end customers, suffers. On behalf of ARC/CAC/NAPO, PIAC recently made submissions to the CRTC urging adoption of more effective service quality indicators for business office response time, customer complaints response time, and directory assistance.
CRTC PROCESS OF “NEGOTIATED RULE-MAKING”: ENSURING THAT THE PUBLIC INTEREST IS REPRESENTED
For the last few years, the CRTC has relied extensively on a network of industry working groups (the “CISC process”) to develop detailed rules for the implementation of local competition in telecommunications. On behalf of ARC/CAC/NAPO, PIAC was an active member of the group that developed rules for the transfer of customers between local phone companies – with the goal of minimizing disruption of customer service and ensuring that all such transfers are properly authorized.
Our experience made it clear that this process, while public and open in theory, is in practice inaccessible by groups without large resources behind them. Unlike traditional processes, negotiated rule-making through cooperative working groups requires a tremendous amount of time and money, which consumer groups simply do not have at their disposal. PIAC therefore urged the CRTC to ensure that the traditional regulatory process involving public notices and the opportunity for public comment continue to apply to all issues or consensus recommendations arising out of the CISC process, especially on matters of interest to consumers.
Internet “Have” and “Have-nots” in Canada split along Social Class Lines!
A new study, The Dual Digital Divide: the Information Highway in Canada produced by PIAC in collaboration with Ekos Research Associates, clearly documents that while there has been growth with the Internet in Canada over the past three years, at the same time access to, and the use of, the Internet and other new technologies is now highly polarized along social class and generational lines.
The study, based on quantitative and qualitative research of Canadian households and social trends, found that from 1997 through 1999, higher income households were three times more likely than lower income households to have access to the Internet from home. By 1999, about two thirds of upper income households had access as opposed to one in four low income households. The report also found that in addition to a digital divide between those connected and not connected, another divide exists between identifiable non-user groups. One group clearly desires access but faces major cost and literacy barriers. The second group of non-users have little interest or perceive no need for Internet access. The report identifies these two aspects of the digital divide (users and non-users; and segmented non-user groups) as a “Dual Digital Divide”.
These findings have major implications for industry and policy makers. In spite of expectations or assertions that all Canadians will be connected, the reality is that a large number of Canadians are likely to remain unconnected. As well, the study found that both Internet users and non-users desired a choice in the means they use to access information and services. These circumstances will require organizations to ensure that information and services are provided in both electronic and other formats (e.g., paper, in-person, mail, etc.). Moreover, to avoid creating a two-tiered information society (first and second class citizens) information must be of similar high quality regardless of how it is made available and accessed. Other report findings: it will be necessary for governments to devote more resources for the creation of diverse socially and culturally relevant information, both in electronic and other formats; federal government departments will have an ongoing role to provide support for community access and networking services to ensure that Canadians have some form of access available, and to help develop relevant community-based information and communication resources. The report will be available to the public during May.
Consumer Privacy Implications of Bill C-22: Proceeds of Crime (Money Laundering) Act
Report to the Office of Consumer Affairs, Industry Canada
Philippa Lawson
Public Interest Advocacy Centre
#1204 – 1 Nicholas St.
Ottawa, Ontario K1N 7B7
pippa@web.net
TABLE OF CONTENTS
I. INTRODUCTION
II. PURPOSE, CONTEXT AND HISTORY OF BILL C-22
Objective of the Bill
The Problem of Money Laundering
Existing Anti-Money Laundering Legislation in Canada
The International Context of Bill C-22
III. STRUCTURE AND KEY PROVISIONS OF BILL C-22
IV. IMPACT OF BILL C-22 ON CONSUMER PRIVACY
General Criticisms of Bill C-22
Privacy Protective Features of Bill C-22
Specific Privacy Concerns:
Reporting Regime
Collection of Personal Information by FTRAC
Disclosure of Personal Information by FTRAC
Accuracy, Access and Transparency
Internal Accountability
External Oversight
V. RELATIONSHIP OF BILL C-22 WITH BILL C-6
VI. CONCLUSION
I. INTRODUCTION
The following report examines the proposed federal legislation to combat money laundering, Bill C-22: Proceeds of Crime (Money Laundering) Act, from a consumer privacy perspective. It reviews the objectives of the Act, its structure, obligations, and mode of operation, and its effect on consumer privacy, with reference to another proposed federal Bill: the Protection of Personal Information and Electronic Documents Act (Bill C-6).
II. PURPOSE, CONTEXT AND HISTORY OF BILL C-22
Objective of the Bill
The broad purpose of Bill C-22 is to better prevent and detect money laundering. More specifically, the objects of Bill C-22, as stated in s.3 of the Act, are as follows:
(a) to implement specific measures to detect and deter money laundering and to facilitate the investigation and prosecution of money laundering offences, including:
(i) establishing record keeping and client identification requirements for financial services providers and other persons that engage in businesses, professions or activities that are susceptible to being used for money laundering,
(ii) requiring the reporting of suspicious financial transactions and of cross-border movements of currency and monetary instruments, and
(iii) establishing an agency that is responsible for dealing with reported and other information;
(b) to respond to the threat posed by organized crime by providing law enforcement officials with the information they need to deprive criminals of the proceeds of their criminal activities, while ensuring that appropriate safeguards are put in place to protect the privacy of persons with respect to personal information about themselves; and
(c) to assist in fulfilling Canada’s international commitments to participate in the fight against transnational crime, particularly money laundering.
The Problem of Money Laundering
Money laundering is “the process by which ‘dirty money’ generated by criminal activities is converted into assets that cannot be easily traced back to their illegal origins.”(1) According to Finance Canada, a significant proportion of this money is linked to illicit drug trade, but other crimes such as burglaries and cigarette smuggling, are also involved. The magnitude of money laundering in Canada is estimated by Finance Canada at between $5 billion and $17 billion annually, although some have questioned the authenticity of these figures.(2) Internationally, it is estimated that $600 billion is ‘laundered’ for criminal purposes, producing “a host of deleterious effects”, including economic instability, organized crime, and undermining of the rule of law.(3) In any case, no one disputes that money laundering, like all crimes, needs to be deterred, detected and prosecuted where it occurs. What is disputed is whether any new legislation is needed to deal with this problem, and if so, whether Bill C-22 is the right legislation for that purpose.
Existing Anti-Money Laundering Legislation in Canada
Money laundering is already a criminal offence in Canada. Under s.462.31(1) of the Criminal Code, dealing with property or proceeds of property with the intent of concealing or converting them, while knowing or believing that all or part are derived, directly or indirectly, from the commission of certain offences, is an offence punishable by up to ten years’ imprisonment. Money laundering offences are also found in the Controlled Drugs and Substances Act, and the Corruption of Foreign Public Officials Act.
Moreover, Canada already has legislation which, like Bill C-22, is designed to detect money laundering offences – the 1991 Proceeds of Crime (Money Laundering) Act. Under the existing rules, financial institutions and others engaged in a business or profession where cash is received for payment or transfer to a third party are required to keep records of transactions in which they receive cash of $10,000 or more, and a register of “suspicious transactions”. The identity of customers must be verified in certain circumstances. Failure to comply carries a penalty of up to $500,000 and/or up to five years prison. However, there is no requirement to report suspicious transactions to authorities; such reporting is purely voluntary.
Bill C-22 is intended to create a regime under which money laundering offences can be more easily detected. It would significantly strengthen the provisions of the existing Act by:
- requiring financial institutions and others to report certain types of transactions (to be determined by regulation), as well as any transactions “in respect of which there are reasonable grounds to suspect that the transaction is related to the commission of a money laundering offence”;
- establishing a centralized agency, the Financial Transactions Reporting and Analysis Centre (FTRAC) to which all such information must be reported;
- authorizing the release of information to both domestic and foreign law enforcement agencies (subject to certain restrictions);
- establishing a system of reporting large cross-border transactions.
This proposed new regime would result in significantly more reporting of personal financial transactions to government, and would make significantly more personal financial information available to government and law enforcement agencies in their efforts to detect and investigate criminal activities. It is important to note, however, that Parliament considered and rejected a system of compulsory reporting in the 1980s, after concluding that the US experience with such requirements did not appear to have produced significant improvements in detection of money laundering crimes.(4) The USA has since created a special agency, the Financial Crimes Enforcement Network (FinCEN) to review and analyze transaction reports, and provide relevant information to law enforcement agencies.(5)
The International Context of Bill C-22
The impetus for Bill C-22 is most definitely international: in 1989, the G-7 leaders set up an inter-governmental body known as the Financial Action Task Force on Money Laundering (FATF), of which 26 states, including Canada, are members. In 1990, the FATF issued forty recommendations aimed at enhancing and coordinating international efforts to counter money laundering.(6) These recommendations, revised in 1996, encouraged countries to:
- criminalize money laundering itself, and to provide for sufficiently serious penalties;
- enable competent authorities to identify, trace, freeze, seize, and confiscate criminally derived proceeds;
- ensure that financial institutions take necessary steps to ascertain, and keep records on, their clients’ identities and transactions;
- require that financial institutions promptly report to competent authorities any funds suspected to stem from criminal activity;
- consider implementing measures to monitor the cross-border transportation of cash and bearer negotiable instruments, without impeding the free movement of capital;
- consider adopting a system where financial institutions and intermediaries are required to report all currency transactions above a certain amount to a central agency, whose information would be available to the appropriate authorities, subject to strict safeguards to ensure proper use of the information; and
- promote maximum inter-state cooperation by exchanging information on international cash flows and suspicious transactions, and by facilitating mutual legal assistance and extradition with respect to money laundering activities.(7)
Most European countries comply with the recommendations, as do the USA, Hong Kong, Australia, Iceland and Turkey. Canada, Austria, and Japan are among the countries that do not comply. In June 1998, the FATF noted a number of shortcomings of the Canadian anti-money laundering regime, including:
1. Canada’s inability to enforce forfeiture orders directly with respect to foreign criminal proceeds;
2. Canada’s need to establish a system for the mandatory reporting of suspicious transactions and to create a new financial intelligence unit to deal with the collection, management, analysis, and dissemination of transaction reports and other relevant data;
3. the need to provide for reporting of significant cross border transportation of cash and monetary instruments;
4. the need for greater customer identification measures, particularly in relation to corporations and beneficial owners of accounts; and
5. the need to extend record-keeping and customer identification requirements to businesses such as money remitters, cheque cashers and casinos.(8)
The FATF concluded that Canada’s voluntary reporting regime does not appear to be working effectively, and that the internal review process used since 1993 urgently needs revision, in part through the establishment of a centralized agency to handle money laundering information. Just one month earlier, in May 1998, at the G-8 summit in England, the Prime Minister committed Canada to adopting strong national arrangements to combat money laundering.
The Proceeds of Crime (Money Laundering) Regulations were revised later that year in response to points 4 and 5, but points 1-3 remained unaddressed. Bill C-22 is designed to fill that gap, by providing for mandatory reporting of suspicious financial transactions by a wide range of financial institutions and professionals; the reporting of large cross-border financial movements; and the creation of the new FTRAC.
There is thus strong international pressure on Canada to bring its legislative regime into line with the FATF recommendations. Bill C-22 is meant to meet Canada’s international commitments in the context of the G-8 and the FATF.
III. STRUCTURE AND KEY PROVISIONS OF BILL C-22
As set out in Finance Canada’s Backgrounder,(9) Bill C-22 has three main components:
1. Mandatory suspicious transactions reporting
Regulated financial institutions, casinos, currency exchange businesses, as well as other entities and individuals acting as financial intermediaries (such as lawyers and accountants) [clause 5], will be required to report any financial transactions that they have reasonable grounds to suspect are related to a money laundering offence [clause 7]. As well, these institutions and individuals will be required to report information regarding particular types of transactions (for example, very large amounts of cash in small denominations being exchanged for larger denominations) to be specified in regulations [clause 9].
The maximum penalties for failing to report suspicious financial transactions under the Bill include fines of up to $2 million and imprisonment for up to five years.
2. Reporting of large cross-border movements of currency
Individuals and entities that import, export or transport large amounts of currency or monetary instruments (such as traveller’s cheques) across the Canadian border will be required to report such activities to a Canada Customs officer. Failure to report may result in the seizure of the cash or monetary instruments being transported. However, any seized currency or monetary instruments will be returned upon payment of a monetary penalty unless Canada Customs has reason to suspect that the currency represents proceeds of crime. The measures dealing with cross-border movements also include review and appeal mechanisms in relation to all seizures and penalties paid.
3. New Financial Transactions and Reports Analysis Centre of Canada
The proposed legislation will establish an independent government body to receive and analyze reported information about the suspicious transactions and cross-border currency movements described above. This new body, to be known as the Financial Transactions and Reports Analysis Centre of Canada, will be a central repository for information about money laundering activities across Canada. The Centre will analyze and assess the reports, together with other information available to it, and provide leads to law enforcement agencies.
The Centre will operate independently from law enforcement agencies, and the disclosure of information by the Centre will be strictly controlled. The proposed legislation authorizes the Centre to provide key identifying information of suspicious transactions (e.g. name, date, account number, value of the transaction) to the appropriate police force if it has reasonable grounds to suspect that the information would be relevant to investigating or prosecuting a money laundering offence. The same identifying information may be provided to Revenue Canada, the Canadian Security Intelligence Service, and Citizenship and Immigration Canada if the information would also be relevant to, for example, a tax evasion offence or a threat to national security. For the police to have access to additional information from the Centre, they would first have to obtain a court order for disclosure and meet the standard of reasonable and probable grounds to believe that a money laundering offence has been committed.
The Centre will also have primary responsibility for monitoring the compliance of financial intermediaries with the record-keeping, know-your-client, and mandatory suspicious transactions reporting requirements of the proposed legislation.
Clearly, important details of the reporting regime (e.g., what kind of transactions will have to be reported regardless of whether there are grounds for suspicion) remain to be settled via regulations. Indeed, the regulations under this legislation will be as significant as the statutory provisions, if not more so, from the perspective of consumer privacy.
The establishment of an arm’s length agency, subject to the Privacy Act and to limits on permitted disclosures, for the purpose of collecting, analyzing, and disclosing personal financial information with a view to detecting and preventing money laundering is certainly preferable to a regime under which entities report directly to law enforcement agencies. The privacy of personal information collected can be better protected in this manner.
However, the meaningfulness of FTRAC’s accountability to the Privacy Commissioner is diluted by weaknesses in the Privacy Act itself, legislation which has long been due for overhaul. For instance, the Privacy Commissioner has no binding powers, and individuals whose privacy rights under the Privacy Act have been violated have no statutory rights to redress.
In Part V, the Act establishes offences for contravention of various sections. Most importantly, failure to report suspicious transactions may result in a fine of up to $500,000 and/or imprisonment of up to six months.
IV. IMPACT OF BILL C-22 ON CONSUMER PRIVACY
General Criticisms of Bill C-22
Some commentators have strongly criticized Bill C-22 for the new privacy invasive powers that it would grant government. In a recent editorial for The Financial Post, Terence Corcoran wrote:
“If passed, Bill C-22 would give Ottawa fresh authority to trap the innocent, infringe on privacy, collect mountains of information on citizens and put routine money transactions under suspicion. It would also conscript lawyers, banks, accountants and others into a national subculture of informants and snitches …
Bill C-22 proposes a new legal regime to investigate private activities of Canadians. The information collected through the national snitch network, a massive volume of stats and data on thousands of Canadians and transactions, would in fact be a giant fishing pool for government investigators, prosecutors and even tax collectors.”(10)
The Canadian Bar Association has expressed strong misgivings about the mandatory reporting of confidential information, and the “gross intrusion into a previously protected sphere” that the Bill represents.(11) Even with the exemption for information subject to solicitor-client privilege, the Bar Association notes that the Bill would require lawyers “to act in a manner inconsistent with both their professional and lawful duty of preserving solicitor-client confidentiality”, with the result that clients will turn elsewhere for legal assistance.
The Criminal Lawyers’ Association goes further, suggesting that the mandatory reporting regime proposed in an earlier version of the Bill may violate the Charter of Rights and Freedoms guarantee against unreasonable search and seizure, that it threatened to “regularly and constitutionally invade the privacy of all citizens”, and that it would create “a countrywide network of spies and informers”.(12)
Privacy Protective Features of Bill C-22
In response to concerns such as those expressed above, the drafters of Bill C-22 have included a number of measures designed to limit the otherwise enormous systemic individual privacy invasions it authorizes. In particular, the Bill now:
- does not require lawyers to disclose any communication that is subject to solicitor-client privilege (s.11);
- strictly limits the use and disclosure of information collected under Part 2 (reporting of large cross-border movements of currency) (ss.36, 37);
- prohibits the disclosure of information by FTRAC that would identify an individual who prepared a report or provided information to the FTRAC, or a person or entity about whom a report or information was provided (ss.53 and 58(2));
- limits the permitted disclosure of information by FTRAC to certain kinds of information and certain circumstances (s.55, s.58(1));
- requires the police to obtain a judicial warrant in order to obtain detailed information from FTRAC regarding any particular transaction (s.60);
- limits the use of information collected from or provided to foreign agencies to “purposes relevant to investigating or prosecuting a money laundering offence or a substantially similar offence” (s.56(3));
- limits the use of information by FTRAC or other officials under s.55 to purposes of exercising powers or performing duties and functions under the Act (s.57);
- where information is collected by FTRAC from other government databases, it must be done under an agreement which specifies the nature of and limits with respect to the information collected (ss.54(b) and 66); and
- makes a punishable offence the improper disclosure of information (s.74).
In addition, s.90 of the Bill explicitly makes the FTRAC subject to the federal Privacy Act, which sets out certain requirements in respect of the collection, use and disclosure of personal information held by the Centre, and which gives the Privacy Commissioner oversight powers in relation to FTRAC’s handling of personal information. However, most of the protections established by the Privacy Act are either so limited in scope or subject to such broad exemptions in respect of criminal investigations that they become empty insofar as FTRAC is concerned. In particular,
- s.6(2) of the Privacy Act requires that FTRAC “take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible” (italics added). But FTRAC’s use of personal information will not be for “administrative purposes”, so this provision is of limited applicability;
- s.8(2)(b) of the Privacy Act permits non-consensual disclosure of personal information by FTRAC to third parties “for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure”;
- s.7(b) of the Privacy Act permits the non-consensual use of personal information by FTRAC “for a purpose for which the information may be disclosed to the institution under subsection 8(2)”;
- s.22(1)(b) of the Privacy Act permits FTRAC to refuse to disclose any personal information requested by the individual under the individual access provision (s.12(1)), where “the disclosure of that information could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations …”;
- while the Commissioner has broad powers to investigate complaints under s.29 of the Privacy Act, the secrecy permitted to FTRAC operations and investigations makes it unlikely that complaints will arise (since individuals will have no knowledge of the FTRAC “investigation”, they will have no basis on which to complain).
Clearly, the exemptions with respect to disclosure and individual access rights are justified in order not to defeat the purpose of FTRAC; it makes no sense to permit a person under investigation for money laundering to examine their records held by FTRAC. However, it is unclear how the vast amounts of “innocent” personal information collected and analysed by FTRAC will be treated under this regime. FTRAC may well argue that all of the information collected by it is subject to the exemption in s.22(b) of the Privacy Act and that its disclosure, even in cases where no police investigation has been initiated, could “be injurious to the enforcement of … law … or the conduct of lawful investigations”. Yet, without any clear access rights, individuals will not even be aware of whether or not FTRAC holds files on them. As the Privacy Commissioner urged in his 1997-1998 Annual Report, “all exemptions should be subject to an injury test, meaning investigative bodies should be required to demonstrate how granted access to an individual would harm a law or their investigations”.
In any case, as the exemptions set out above show, the Privacy Act offers little in the way of privacy protection to individuals under Bill C-22 given the nature of the FTRAC’s operations (related to law enforcement). However, it does establish a regime of accountability of the FTRAC to the Privacy Commissioner, weak as this regime (under the Privacy Act) is.
Consumer privacy concerns arise from the following aspects of Bill C-22:
Reporting Regime
Bill C-22 requires two kinds of reporting, each of which raises privacy concerns for consumers. Section 9 provides for mandatory reporting of certain kinds of personal financial transactions (to be detailed in regulations), even where the reporting entity has no basis on which to suspect criminal behaviour or is confident that there is no criminal behaviour involved. While this section has the benefit of providing clear, objective criteria for s.5 entities to follow, it has the disadvantage of requiring reporting even where there is no basis on which to suspect money laundering activity. Thus, it will undoubtedly result in inefficient and unnecessary reporting, contrary to the principles of fair information practice.
Section 7 provides for mandatory reporting without the individual’s knowledge of transactions “in respect of which there are reasonable grounds to suspect that the transaction is related to the commission of a money laundering offence.” While the government may provide guidelines to s.5 entities for use in making determinations under this section, it apparently does not intend to establish any regulations to define and thereby limit what constitutes a “suspicious transaction”. This provision raises two concerns: (1) the inability for individuals to find out if they have been reported on under this section, and (2) the subjective nature of the determination required to be made by s.5 entities. It places private enterprises and professionals in the role of money laundering investigators – a role which they are generally neither equipped nor prepared to play, especially with respect to their customers. There is likely to be a wide range of interpretations as to what constitutes a “suspicious” behaviour or demeanour, with one end of the spectrum resulting in over-reporting, and hence undue privacy invasions of innocent citizens.
Together with the significant penalties for failure to report, these two mandatory reporting provisions create a strong incentive for s.5 entities to over-report. There is no downside to over-reporting, while the potential cost of under-reporting is high. Where there is any doubt whatsoever, it is likely that the transaction will be reported. Hence, it can be expected that many innocent consumers will have their confidential financial information shared with FTRAC and possibly made subject to an investigation, without their knowledge. This is a clear violation of fundamental privacy.
Collection of Personal Information by FTRAC
Section 54(b) gives FTRAC broad powers to collect “information that the Centre considers relevant to money laundering activities and that is publicly available, including commercially available databases, or that is stored in databases maintained by the federal or provincial governments for purposes related to law enforcement …”.
A fundamental principle of fair information practices is that collection of personal information be limited to that which is necessary for the legitimate and reasonable purposes identified by the organization (and, unless inappropriate, consented to by the individual).(13) While this provision appropriately restricts FTRAC’s collection rights to information which is both relevant to money laundering and publicly available, it could be even further restricted in the interests of privacy, either by specifically listing (in a regulation) the types of information that could be “relevant to money laundering activities”, or by limiting collection of information to that which is necessary “to detect and deter money laundering and to facilitate the investigation and prosecution of money laundering offences”(14) (the objective of Bill C-22).
Disclosure of Personal Information by FTRAC
Under section 55(3), FTRAC is permitted to disclose personal information to law enforcement agencies, the Canada Customs and Revenue Agency (for tax law enforcement purposes), CSIS (for national security purposes), and the Department of Citizenship and Immigration (for immigration law enforcement purposes), without judicial authorization. While these additional purposes may be justified, they are not reflected in the title or description of the Bill. They significantly broaden the purposes for which information collected by FTRAC may be used and disclosed, beyond money laundering. It is important, at a minimum, that any such new purposes be clearly communicated in the title and object clause of the Bill.
Section 55(7) sets out the type of information (data elements) that may be disclosed without judicial warrant under ss.55(3) to (5). This subsection purports to limit such “designated information” to listed data elements (e.g., client name, business name and address, amount and type of currency or monetary instruments involved), but includes in part (e) “any other similar information that may be prescribed”. Thus, once again, the regulations may be used to significantly broaden the scope of warrantless searches permitted under this Bill, and thereby significantly weaken individual privacy.
Accuracy, Access, Transparency
While understandable in light of the purpose of the Bill, and the need for investigatory agencies to conceal information from those they are investigating, the lack of transparency to innocent consumers in respect of the collection, use and disclosure of their personal information by FTRAC, is troubling. In order to correct any inaccurate information about them, on which harmful decisions may be made, individuals must have access to their information held by others. In order for any access rights to be meaningful, however, individuals must first have knowledge that the information exists in the first place.
Yet, Bill C-22 establishes a regime of secrecy under which private entities are prohibited from disclosing both the existence and contents of “suspicious transaction” reports to individuals who request such information about themselves.(15) Moreover, individual access rights under the Privacy Act are severely curtailed by means of exemptions related to law enforcement and investigatory purposes (see above). Even the Privacy Act provision requiring FTRAC to “take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible” is strangely limited to use “for an administrative purpose”, which will clearly not apply to the bulk of FTRAC’s uses.
Thus, there remains considerable concern that innocent Canadians will not only suffer unwarranted intrusion into their private lives by state authorities, but also possibly suffer serious consequences as a result of investigations based on inaccurate or incomplete information.
Internal Accountability
The first principle of the CSA Privacy Code, now Schedule 1 of Bill C-6, is “Accountability”. Specifically, the principle states:
“An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following [data protection] principles.”
This rule recognizes the fundamental importance of internal accountability to any effective data protection regime – the need for individual responsibility and accountability within the organization, and appropriate organizational controls, such that individual rights to privacy in respect of that organization can in fact be exercised.
While FTRAC, as a government agency, will not be subject to Bill C-6, the principle of accountability is nevertheless applicable. In order that the privacy protections inherent in the Bill are effective, FTRAC should be required to designate an individual (e.g., a “privacy officer”) responsible for ensuring that the collection, use and disclosure of personal information by FTRAC is appropriately minimized. This is especially important given the likely tendency for s.5 entities to over-report, as discussed above.
External Oversight
Despite the fact that the Privacy Commissioner will have jurisdiction over FTRAC under the Privacy Act, concerns remain over the effectiveness of this oversight given the non-binding powers of the Privacy Commissioner and the covert nature of the proposed regime (thus likely resulting in few complaints).
V. RELATIONSHIP OF BILL C-22 WITH BILL C-6
In direct contrast to Bill C-22, Bill C-6, the Protection of Personal Information and Electronic Documents Act, requires that non-governmental agencies refrain from collecting, using, and disclosing personal information in the context of commercial activities without the individual’s knowledge and consent. Bill C-6 is based on the CSA Model Privacy Code, now CAN/CSA-Q830-96, a formal Canadian Standard, which sets out ten principles of fair information practices, centered around the individual’s right to knowledge of and control over transmissions of personal information in the private sector. Clearly, the goal of Bill C-6 (data protection) conflicts with the goal of Bill C-22 (detection and prevention of crime).
This apparent conflict in the obligations of s.5 entities is, however, simply resolved by way of an exemption clause in Bill C-6, which permits the disclosure of personal information without the individual’s knowledge or consent where “required by law” (s.7(3)(i)).
In addition, Bill C-6 permits:
- the collection of personal information without the individual’s knowledge or consent if “it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating … a contravention of the laws of Canada or a province” (s.7(1)(b));
- the use of personal information without the individual’s knowledge or consent if “… it could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for that purpose of investigating that contravention” (s.7(2)(a)), or if “it was collected under paragraph 1(a) or (b)” (s.7(2)(d)).
Another area of potential confusion, involving individual access rights under clause 9, has also been addressed in Bill C-22. By invoking their access rights under clause 9 of Bill C-6, individuals can find out (a) whether a report has been made about them under Bill C-22, and (b) the personal information contained in any such report, unless the reporting organization can rely upon one of the exemptions specified in clause 9 of Bill C-6. Thus, money launderers could potentially use Bill C-6 to find out (a) whether they are under investigation, and (b) the nature of that investigation. Bill C-22 addresses this problem by adding a new section 9.1 to Bill C-6, prohibiting organizations from (a) disclosing or giving an individual access to personal information contained in a clause 7 report (suspected money laundering), and (b) disclosing that it has made a clause 7 report or giving access to such report.
However, with section 9.1 comes some further potential confusion around the applicability of procedural safeguards set out in subsection 9(3)(5) of Bill C-6. This section provides that where an organization refuses access to personal information on the grounds that such access might compromise the investigation of a criminal offence (or other illegality), the organization must notify the Privacy Commissioner in writing. It is not clear that this provision will apply to organizations refusing access under the new section 9.1. Bill C-22 should clarify that such notification continues to be required.
In summary, then, because of its law enforcement and investigative nature, the regime established by Bill C-22 is largely exempted from the fundamental privacy protections set out in both the federal Privacy Act and Bill C-6. The “privacy-protective” provisions in Bill C-22, while important, are in the nature of minor constraints on a regime which involves massive privacy invasions, however justified these invasions may be.
VI. CONCLUSION
Bill C-22, The Proceeds of Crime (Money Laundering) Act, is a good example of a situation in which individual privacy rights clash with law enforcement tools. In order to effectively address the problem of money laundering, perceived as pernicious and thriving, Bill C-22 makes significant sacrifices in terms of consumer privacy.
The first question that legislators must ask is: Is this sacrifice justified in a free and democratic society? This requires a detailed examination of the goal of Bill C-22 (do we need new legislation to address the problem of money laundering?), an analysis of the privacy-invasive aspects of Bill C-22 (does the Bill minimally impair privacy rights in the achievement of its goals?), and a balancing of the law enforcement objective against the privacy invasions it creates (is the invasion proportional to the objective?).
We do not have sufficient information on which to judge the adequacy of existing laws relating to money laundering or the extent of the problem. Assuming that Bill C-22 can be so justified, however, we have set out some concerns about the extent of consumer privacy invasion that it authorizes. These concerns include:
- systemic over-reporting by private entities subject to the Bill;
- reliance on individual judgement re: s.7 “suspicious transaction” reporting;
- potential over-collection of personal information by FTRAC from other sources (s.54(b));
- limited ability of individuals to identify and correct inaccurate information about them held by FTRAC;
- lack of full accountability of s.5 entities and FTRAC to individuals who have suffered undue privacy invasions under the regime (ss.10, 69);
- accountability within FTRAC for data protection;
- appropriate sensitivity to privacy issues among FTRAC staff;
- lack of public awareness of the regime; and
- limited oversight/redress powers of the Privacy Commissioner.
Much of the important detail of the new regime remains to be determined through regulations. For example, the types of transactions subject to mandatory reporting under s.9 remain to be specified. While information subject to disclosure by FTRAC without warrant is listed in s.55(7), the Bill permits the use of regulations to expand this list. The drafting of these regulations will therefore be critical. It is essential that the regulation-making process be open and based on broad consultations with interested stakeholders.
It is clear that this Bill has been carefully drafted with a view to minimizing the privacy invasions consequent upon establishing a mandatory reporting regime for better detecting, deterring, investigating and prosecuting money laundering and related crime. Many of our concerns are inherent to a mandatory reporting regime, and others lie with the inadequacy of the Privacy Act generally. However, some concerns could be addressed without undermining the whole regime. In this respect, we recommend the following:
- that the Bill require FTRAC to designate an individual (e.g., a “privacy officer”) responsible for ensuring that the collection, use and disclosure of personal information by FTRAC is appropriately minimized;
- that one of the qualities sought when hiring personnel for FTRAC is sensitivity to privacy issues;
- that a process be established to ensure that FTRAC officials, as well as those in the private sector responsible for reporting, are properly educated as to the importance of minimizing the collection, use and disclosure of personal information to what is necessary under the Act;
- that measures be taken by the government to ensure public awareness of the regime, through preparation and distribution to s.5 entities of brochures and other informational materials for public consumption;
- that s.5 entities be encouraged, if not required, to place stickers identifying themselves as reporting entities under the Act (similar to the CDIC model);
- that the five year Parliamentary review required under s.72 be made perpetual; and
- that the open, public process followed to date with respect to the drafting of regulations under this Act be continued.
1. Finance Canada, Backgrounder on the New Proceeds of Crime (Money Laundering) Act, News Release 99-046.
2. Terence Corcoran, “Canada’s Money Laundering Dragnet: Creating a Subculture of Informants and Snitches”, The Financial Post, March 4, 2000.
3. Frank Cilluffo and Sharon Cardash, “Time to pay our laundry bill”, The Globe and Mail, March 30, 2000, p. A15.
4. Legislative Summary of Bill C-22, Parliamentary Research Branch, 9 February 2000, http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/summaries/c22-3.htm
5. See http://www.ustreas.gov/fincen
6. See http://www.ustreas.gov/fincen/40rec.pdf or http://www.oecd.org/fatf/recommendations.htm
7. Legislative Summary, op. cit.
8. FATF, Annual Report 1997-98, June 1998, p. 13; http://www.oecd.org//fatf/reports.htm
9. Op. cit., footnote 1.
10. March 4, 2000.
11. Cristin Schmitz, “CBA leads battle against proposed money laundering law”, The Lawyers’ Weekly, March 31, 2000, p. 3; see also “Suspicious Minds; Bill C-22”, The National, vol. 9, no. 1, Jan.-Feb. 2000, p. 43.
12. As reported by Schmitz, ibid.; and Vancouver Sun, July 11, 2000.
13. See Principle 4 of the CSA Privacy Code, Schedule 1 to Bill C-6, s.4.4.
14. s.3(a), Bill C-22.
15. Section 97, Bill C-22, adding the new clause 9.1 to Bill C-6.
Comparative Analysis of BBBOnline Draft Code of Online Business Practices with Other Consumer ECommerce Codes and Standards
Public Interest Advocacy Centre
1204 – 1 Nicholas St.
Ottawa, Ontario K1N 7B7
TABLE OF CONTENTS
I. INTRODUCTION
II. COMPREHENSIVENESS OF BBBONLINE DRAFT CODE
III. COMPREHENSIVENESS OF OTHER CODES AND STANDARDS RELATIVE TO THE BBBONLINE DRAFT CODE
IV. FORMAT/STRUCTURE OF BBBONLINE DRAFT CODE
V. FORMAT/STRUCTURE OF OTHER CODES
VI. ADEQUACY OF BBBONLINE DRAFT CODE PROVISIONS
1. Information Disclosure
2. Misleading/Deceptive Practices
3. Online Contract Formation/Cancellation
4. Contract Fulfilment/Return Policy
5. Consumer Privacy (Data Protection)
6. Transactional Security
7. Consumer Redress
8. Unsolicited Commercial Email
9. Protection of Children
10. Compliance Assessment and Oversight
VII. CONCLUSION
APPENDIX A: OUTLINE OF SELECTED CODES AND STANDARDS
APPENDIX B: COMPONENTS OF A CONSUMER ECOMMERCE STANDARD
INTRODUCTION
The following report examines the current draft “Code of Online Business Practices” developed by BBBOnline,(1) and analyses its practicability and rigour from a consumer perspective, in comparison with other existing codes and standards on consumer ecommerce. The conclusion of the comparative analysis is that the draft BBBOnline Code is strong in some respects but weak in others. The Code is particularly strong in the areas of information disclosure, misleading and deceptive practices, and the protection of children. It is particularly weak, however, in the areas of consumer privacy and redress. Depending on how each of these components is valued, the BBBCode may be considered adequate or inadequate. It is certainly superior to many other codes and seal programs currently offered in the marketplace, but is clearly deficient in some key respects.
The author reviewed a number of Codes and Standards (see Appendix A) in order to develop a list of possible components of a consumer ecommerce standard (See Appendix B). This list is divided into the following categories:
- Information Disclosure
- No Misleading/Deceptive Practices
- Online Contract Formation/Cancellation
- Contract Fulfilment/Return Policy
- Consumer Privacy (Data Protection)
- Transactional Security
- Consumer Redress
- Unsolicited Commercial Email
- Protection of Children
- Compliance Assessment
- Miscellaneous
The BBBOnline draft Code was then judged against this list in order to determine its comprehensiveness, both absolutely and relative to other Codes and Standards. The terms of the BBBOnline draft Code were then assessed for adequacy and rigour, under the general headings above. In each case, the adequacy of the BBBOnline Code was assessed both absolutely and relative to other Codes and Standards.
In general, the documents examined fall into three categories, which we have termed “standards”, “seal programs”, and a “seal of seals” or “umbrella code”.
- Standards set out a list of requirements, but have no compliance mechanism attached to them, no “seal” to place on the business’s website, no registration system, and no oversight body or “code owner”. (Such mechanisms may be attached to formal standards, but are not necessarily so.)
- Seal programs, on the other hand, couple a list of requirements with a seal and registration system administered by the “code owner”, and usually also include a compliance mechanism also administered by the “code owner”.
- A “seal of seals” legitimizes and certifies seal programs according to its own code of practice, and therefore involves all of the same components as a seal program, with additional requirements for “code owners”.
The BBBCode, as presented, is in the nature of a standard, lacking any particular compliance mechanism or seal. BBBOnline states that the draft Code “is designed to guide ethical business conduct in electronic commerce”, and goes on to “encourage broad compliance with this voluntary Code”, stating: “We encourage all online businesses to adopt these guidelines.” Thus, it appears that the Code will not be accompanied by a separate seal, and that businesses may simply self-declare their adherence to the Code. This raises concerns from a consumer perspective, since association of the Code with the BBB may suggest a level of oversight that does not exist.
However, BBBOnline also indicates that it intends to apply this new Code of Practice to its existing “Reliability” seal program: “Our BBBOnline Reliability participants are expected to adhere to these guidelines.” In this context, the Code would then become part of a seal program, with the associated mechanisms for consumer redress and subscriber compliance.(2) In this context, some of the draft Code’s deficiencies would be corrected, but gaps would still remain in the areas identified above.
BBBOnline also administers another Code of Practice, focused on consumer privacy: the BBBOnline Privacy Seal is a separate program, with a much more detailed set of privacy requirements than those set out in the draft Code examined.(3) It is unclear why BBBOnline sees fit to accept data protection practices under its Reliability Seal that are of a lower standard than those required under its Privacy Seal.
The following codes, seals, and standards were examined in the research underlying this report:
Standards
Canadian Principles of Consumer Protection for Electronic Commerce
CSA International Privacy Standard (part of Canadian Principles)
OECD Consumer Protection Guidelines for E-Commerce
Australian Complaints Handling Standard (AS/NZS 4269)
British Standard on Information Security Management (BS 7799-2)
Ziff-Davis “The Standard for Internet Commerce”
Seal Programs
WebTrader (UK)
WebTrust
TRUSTe
Better Internet Bureau
Better Cyber Bureau (Safengine)
Seal of Seals
TrustUK
II. COMPREHENSIVENESS OF BBBONLINE DRAFT CODE
The BBBOnline draft Code (“BBBCode”) covers all relevant topics, but is more comprehensive in some areas than in others. Its rules regarding information disclosure, misleading or deceptive business practices, contract formation/cancellation, contract fulfilment, and protection of children are highly comprehensive; BBBOnline scores top marks here. Many of the BBBCode provisions in these areas were found in no other code. Indeed, the BBBCode deserves special mention for its relatively comprehensive prohibitions in the area of misleading and deceptive practices, as well as information disclosure. The only gaps noticed in these areas are minor, and mitigated by other requirements – they involve:
- the tentative nature of the proposed clause requiring online businesses to disclose “any health, safety, nutrition or other package warnings for those transactions if those warnings are required to appear on the good or service packaging” (A note following this clause expresses concern that it may be too burdensome for businesses.)
- there is no clause requiring certain information to be provided with tangible goods at the time of delivery. However, all relevant information is to be provided on the website.
- there is no rule specifically requiring the business to promptly correct any mistakes in billing, payment, or receipts. However, there is a general rule that all commitments and representations be honoured, and that good faith efforts be made to resolve any disputes to the consumer’s satisfaction.
The BBBCode is less comprehensive, however, when it comes to consumer privacy, redress and transactional security. While each of these areas is addressed, large gaps remain. In particular,
- there is no rule requiring the clear identification of unsolicited commercial email as such (however, the Code does require businesses to offer an “opt-out” option, and to respect the consumer’s preference regarding unsolicited commercial email);
- the rule regarding security is brief and general, seems to focus on confidentiality of transactional information, and does not clearly cover issues concerning authenticity and integrity;
- the rules regarding consumer privacy fail to limit collection, use or disclosure (other than to third parties for marketing purposes), fail to limit retention (other than when the transaction is not completed), and fail to establish any individual access rights, redress rights, or compliance/accountability standards. Instead, they focus almost exclusively on disclosure;
- there is no rule establishing business responsibility for unauthorized transactions;
- businesses are not required to have a returns policy, or to refund the consumer in appropriate circumstances;
- the rules regarding complaints handling and dispute resolution are extremely brief and general, which is surprising given the BBB’s long history of expertise in this area. In particular, all that the draft code currently requires with regard to dispute resolution where the complaint cannot be resolved internally is that “additional means” be provided to satisfy the consumer, which “means” may or may not include third party dispute resolution (they could instead be refunds, insurance policies, escrow services, or chargeback mechanisms). It should be noted, however, that BBBOnline highlights the tentative nature of this approach and has invited feedback on it.
In summary, the BBBCode covers all major areas of consumer concern in ecommerce, but does so with varying degrees of comprehensiveness. Areas well covered include information disclosure, fair business practices, contract formation and fulfilment, and special protection for children. Areas not so well covered include consumer privacy and consumer redress.
Interestingly, privacy and redress are areas in which BBBOnline offers separate programs, with separate codes and compliance mechanisms: businesses that subscribe to the BBBOnline Reliability program must pledge to offer dispute resolution through the BBB or another dispute resolution provider that meets BBB standards (which involve a long and detailed set of rules to ensure due process); and businesses that subscribe to the BBBOnline Privacy Seal must adhere to a set of rules regarding consumer privacy, as well as a special dispute resolution process for privacy complaints. While a detailed review of these two BBB programs is beyond the scope of this report, we have briefly addressed the adequacy of the Privacy Seal requirements under section VI, part 5, below, and of the dispute resolution mechanism associated with the Reliability Seal under section VI, part 7, below.
To the extent that the new Code will form part of the BBBOnline Reliability Seal requirements, it is appropriate that we examine those requirements as well. In order to use the BBBOnline Reliability Seal, companies are required to:
- Become a member of the appropriate local Better Business Bureau;
- Provide the BBB with information regarding company ownership and management and the street address and telephone number at which they do business, which will be verified by the BBB in a visit to the company’s physical premises;
- Be in business a minimum of one year (with limited exceptions);
- Have a satisfactory complaint handling record with the BBB;
- Agree to participate in the BBB’s advertising self-regulation program, and correct or withdraw online advertising when challenged by the BBB and found not to be substantiated or not in compliance with the BBB’s children’s advertising guidelines;
- Respond promptly to all consumer complaints; and
- Agree to dispute resolution, at the consumer’s request, for unresolved disputes involving consumer products or services advertised or promoted online.
The BBB’s initial onsite verification, ongoing monitoring of complaints, advertising self-regulation program, and dispute resolution mechanism are all valuable components of its seal program, and if added to the draft Code, will substantially improve on its provisions for consumer redress and compliance assessment. In particular, the requirement for a physical onsite inspection of online businesses by BBB officers is unique and adds significantly to the value of the BBBOnline seal. We have, however, reviewed the draft Code as a stand-alone document, since BBBOnline is promoting it as such.
III. COMPREHENSIVENESS OF OTHER CODES AND STANDARDS RELATIVE TO BBBONLINE DRAFT CODE
Compared to the BBBCode, the Canadian Principles (and incorporated CSA Privacy Code) are more comprehensive in the areas of consumer privacy, returns policy, and, to some extent, dispute resolution, but less comprehensive in the areas of misleading/deceptive business practices, contract fulfilment, and, to a lesser extent, information disclosure. Protection of children is not addressed at all in the Canadian Principles or CSA Standard.
The Ziff-Davis Standard is far less comprehensive than the BBBCode, both in an overall sense (areas covered) and by topic. It provides no guidance at all on contract formation/cancellation, unsolicited commercial email, protection of children, or dispute resolution, almost none in the area of misleading/deceptive business practices, and very little on internal complaints handling. Its rules on consumer privacy are as weak as or weaker than those of BBBOnline.
Clearly, the Australian Complaints Handling Standard is highly comprehensive in the area of complaints handling, and the British Standard on Information Security Management similarly in the area of security. None of the general ecommerce standards or codes examined would be expected to match the comprehensiveness of these specific standards in the areas they cover.
TrustUK, the “seal of seals” program, has a list of accreditation criteria which is the most comprehensive of all other codes examined. It covers all areas other than online contract formation/cancellation, and, like the BBBCode, includes a strong section aimed at protecting children. Its rules on consumer privacy, redress, and transactional security are significantly more detailed and comprehensive than those of the BBBCode. Indeed, its rules on security are much more comprehensive than any of the other codes examined: it recommends use of the highly detailed BSI Standard on information security management, in addition to requiring adherence to a number of specific security-related rules. While not as comprehensive as the BBBCode in the areas of information disclosure and misleading/deceptive business practices, it is generally more comprehensive in those areas than most other codes.
The WebTrader Code addresses most areas, but fails to address contract formation/cancellation (other than cancellation rights where the price changes) and provides no rules regarding the protection of children. It is most comprehensive in the area of complaints resolution, and, by linking to other Codes and Statutes, in the areas of misleading/deceptive practices (advertising and sales promotion) and data protection. It is much less comprehensive in the areas of information disclosure, contract fulfilment, unsolicited commercial email, and dispute resolution.
The WebTrust Code is difficult to compare because it takes a completely different approach to consumer protection, focussing almost exclusively on disclosure and internal controls, rather than end-results from the consumer perspective. It thus provides a completely different type and level of detail from most of the other codes and standards considered. For example, on information disclosure, instead of providing a comprehensive listing of specific disclosures that must be made, it offers a general statement with examples. Areas that it fails to cover include misleading/deceptive business practices, unsolicited commercial email, dispute resolution, and the protection of children. Contract formation, consumer privacy, complaints handling and dispute resolution are only partially addressed. More thoroughly covered are the areas of contract fulfilment and transactional security.
TRUSTe does not purport to cover more than consumer privacy. On this issue, however, it is not as comprehensive as some other codes which deal with more than data protection – it is similar to the BBBCode in this respect. TRUSTe’s code, however, does require use of a particular dispute resolution process for consumer privacy complaints, and in this respect provides more than does the BBBCode.
The Better Internet Business Code is not at all comprehensive, and is markedly less so than the BBBCode. It addresses only four relevant issues, each of them exceedingly briefly, as follows: no “unlawful acts”, no “misleading or deceitful statements”, no “spam”, and a minimum 30 day refund on items sold on the Internet. It requires nothing in terms of information disclosure, contract formation/cancellation, contract fulfilment, consumer privacy, transactional security, complaints handling, dispute resolution, or the protection of children. In contrast, the BIB seal is remarkably sophisticated and suggests far more than the Code actually delivers. In addition to the words “Better Internet Bureau”, the seal states “Certified Quality Site”. Not only is this misleading in and of itself, but it clearly takes advantage of the goodwill generated by the Better Business Bureau and may well violate the BBB’s trademark rights.
The Better Cyber Bureau (“Safengine”) Code is similarly superficial, addressing only transactional security, contract formation, and consumer complaints handling/dispute resolution, and in each case doing so less than comprehensively. While the Safengine Seal is significantly different from other seals, it again suggests more than it delivers, and therefore may generate unwarranted consumer trust.
IV. FORMAT/STRUCTURE OF BBBONLINE DRAFT CODE
As the above analysis indicates, the BBBCode is relatively comprehensive in its coverage of consumer issues in ecommerce. However, the value of this comprehensiveness is diminished to some extent by the structure of the draft code: the subject matter of the five Principles is not entirely clear from the titles, and not all relevant rules are provided in the section where one might expect them to appear. For example, a number of disclosure requirements are set out in other sections (e.g., disclosure of safety warnings is found under Principle 2, which addresses misleading/deceptive practices, rather than Principle 1, which addresses information disclosure; disclosure of the entity conducting compliance reviews is found under “Compliance” rather than Principle 1; provision of clear billing information is found under Principle 4 but not Principle 1; the rule re: limiting retention of consumer information is set out under Principle 4 “Aim to Please!”, instead of Principle 3 “Have Respectful Information Practices!”).
Thus, it is essential for someone trying to determine the Code’s requirements in any particular area to review the entire Code. While this is not a herculean task (since the Code is not long, is drafted in fairly concise language, and uses subheadings to advantage), it would be more helpful to cross-reference those provisions that logically fall under more than one heading.
Moreover, it is not always clear whether a given requirement applies only to the subject-matter of the subheading under which it appears, or more generally to the subject-matter of the entire Principle. For example, the following clause appears under Principle 1, subheading “Information about the Online Transaction Itself”: “When online businesses provide consumers with the ability to conduct a transaction in more than one language, they must assure that all material information appears in all the languages provided.” It is not clear whether “material information” is limited to “information about the transaction itself”, or applies to all information, including that relating to the business and the goods and services offered.
The BBBCode is divided into six sections, as follows:
Principle 1: Disclose! Disclose! Disclose!
Principle 2: Tell the Whole Truth and Nothing but the Truth!
Principle 3: Have Respectful Information Practices!
Principle 4: Aim to Please!
Principle 5: Take Special Care with Children!
Compliance
It is not clear why Compliance is not presented as a Principle, especially in light of its stated importance (“Failure to properly identify the compliance review entity shall be considered a violation of the Code.”).
Under Principle 1, BBB provides most of the information disclosure requirements (however, as noted above, many appear in other sections). These requirements are categorized by type (e.g., about the business, about goods and services offered, about the transaction itself), rather than by the stage at which they must be made (e.g., to all consumers accessing the website, vs. to consumers on verge of making transaction, vs. to customers after transaction made). This is not necessarily a drawback, as long as BBB sets out in each case the minimum requirement in terms of timeliness of the disclosure. Our review indicates that such is usually but not always the case. Similarly, BBB repeats the general information requirements of clarity, conspicuousness, etc. with each disclosure requirement rather than setting the general requirements out up front, as we have done in Appendix B. The risk of the BBB approach is that failure to specify the general and/or timeliness requirements with respect to a specific disclosure rule may significantly weaken that rule.
Clearly, BBBOnline is attempting through its catchy titles not only to attract the attention of readers, but to put a positive light on the requirements of the code. The downside of this approach is that it may obscure the actual content of the provisions.
We also note that the BBBCode sets out a summary listing of the five Principles up front, before launching into the detailed requirements of each. While readers can be expected to appreciate that the Code involves more than this summary, there is a risk of misinterpretation unless the summary is clearly identified as such. In comparison, the Canadian Principles note as follows with their summary: “This summary must be read in conjunction with the full text of the principles, which follows.”
Also potentially prone to misinterpretation is the infrequent use by BBBOnline of the term “should” (and in one case, the term “can”) in a document that otherwise uses the terms “shall” and “must” throughout. While in such a context the use of “should” may seem clearly to indicate an intention to recommend rather than demand, that intention is not otherwise brought to the attention of the reader. All but the most careful readers may fail to notice the “should” statements, and may thus assume incorrectly that they represent requirements. In contrast, the Ziff-Davis Standard clearly indicates which of its provisions constitute minimum standards, and which constitute best practices. In keeping with its own principles of clarity and disclosure, BBBOnline should highlight any non-binding clauses in its Code.
Finally, the BBBCode provisions are not (yet) numbered, unlike those of other codes. This lack of numbering makes it difficult to refer to specific sections, and may make the code more difficult to read.
V. FORMAT/STRUCTURE OF OTHER CODES
The structure and format of other general consumer ecommerce codes reflects both the perspective of the drafters, and the target audience. For example, the Canadian Principles and OECD Guidelines identify discrete subject areas more on the basis of law and government policy, reflecting the perspective of their drafters and the needs of OECD members. Unlike the BBBCode, section headings provide no directives in and of themselves; they simply identify the subject area.
The format of the CICA WebTrust Code, on the other hand, reflects a preoccupation of accountants with internal company controls aimed at providing “reasonable assurance” that certain results will be achieved. Thus, instead of setting out a comprehensive list of required results, the WebTrust Code focuses on execution of transactions in accordance with disclosed business practices, effective operational controls, and monitoring of those controls. This Code is divided into three sections, titled “Business Practice Disclosure”, “Transaction Integrity”, and “Information Protection”. Because of the generality of these headings, and the lack of sub-headings, it can be difficult to pinpoint a particular clause. This structure may make sense to accountants and possibly some businesses, but it is not “consumer-friendly”, and is likely to be difficult for small businesses to easily understand and adopt.
The format of the Ziff-Davis Standard is once again distinct, with clauses covering scope, purpose, and uses of the Standard, as well as conformance and definitions/terminology. The Z-D Standard requires such clarification because of its requirement for an “Information Centre”, and its inclusion of best practices as well as minimum standards in the standard. Another interesting approach taken by the Z-D Standard is to include explanatory notes with each clause. These notes are distinctively highlighted so as not to confuse the reader, and provide a useful purpose statement for each clause.
TrustUK’s accreditation criteria (Core Principles for Online Codes of Practice, and Core Principles for Redress Mechanisms, Monitoring and Enforcement) are well-laid out and clearly identified. This is the longest and most complicated code of all examined (other than the formal Australian and BSI Standards), yet one of the easiest to navigate and understand. All sections are numbered, and ordered in a logical fashion.
The WebTrader Code is similar to the BBBCode insofar as it uses plain and concise language, but is even more brief and to-the-point on the topics it covers. Clear headings are provided for each subject area, and given the brevity of each, the lack of paragraph numbering is not a problem – this code is easy to navigate and understand. Unlike the BBBCode, however, WebTrader does not attempt to categorize its provisions other than into the 18 topics covered. Should this Code become any more detailed, such categorization would be useful. However, as the BBBCode example shows, categorization of rules comes at a price if not done properly and with appropriate cross-referencing.
VI. ADEQUACY OF BBBONLINE DRAFT CODE PROVISIONS
Information Disclosure
The BBBCode provisions on information disclosure are generally excellent, covering such key requirements as clarity, ease of understanding, conspicuousness, comprehensiveness, accuracy, and capability of being retained by the consumer. Unlike most other codes, the BBBCode includes provisions requiring disclosure in all pertinent languages, and disclosure of the entity that conducted the site’s compliance review. This latter requirement is particularly important where there is no requirement under the code for compliance assessment by a neutral third party. BBB also requires disclosure of the site’s policy on unsolicited commercial email, an increasing frustration for many online shoppers, and requires that all billing information be provided “in an easy-to-understand format so the consumer can determine to which transaction and which company the bill relates”. Unlike other Codes, BBBOnline’s also addresses the issue of ongoing subscriptions, requiring in such cases that the business provide consumers with “easy-to-understand subscription cancellation information…”.
Improvements, however, could be made in the following areas:
- the Code’s provisions on capability of retention by the consumer are not written in binding language. Unlike most other provisions, they use the term “should” rather than “shall”. It is not clear whether this is intentional or not, and if so, why it would not be a requirement of the Code that information “appear in a format that allows the consumer to maintain a record of it through printing or storing if the customer is properly equipped to do so”.
- the Code could state that information disclosed about the business must be sufficient for follow-up inquiries, dispute resolution and legal action (this is merely implied);
- the Code’s provision under “Information about goods and services offered online” does not clearly state that such information should be complete, but does go on to state that “Complete and accurate information means enough information so that a consumer understands the goods or services being offered through an online transaction”. It is possible that the word “complete” was unintentionally omitted from the first clause in this draft.
- the Code requires businesses to “disclose information about how consumers can make their transaction payments”, but does not require businesses to disclose relevant implications of different payment options, such as its credit card payment policy.
- businesses are not required to provide notice to the customer of potential additional charges beyond the control of the business, but material to the consumer’s purchasing decision. Instead, they are merely encouraged, “when possible and at a reasonable cost” to give such notice.
Misleading/Deceptive Practices
This is an area in which the BBBCode is clearly superior to all of the other codes examined. One of five Principles is devoted to this topic, and covers not only advertising standards, but also the covert use of technology to deceive consumers, affect consumers’ navigational choices, or deceptively draw consumers to certain websites. The potential for deceptive use of technology raises important issues in electronic commerce, which few consumers are likely aware of given the hidden nature of the practices. Businesses need to be told that such practices are unacceptable. The BBBCode gets high marks for its attention to these online consumer problems.
Misleading advertising is a significant problem for consumers both online and offline. As it has done offline, BBB addresses this issue in the online context, and does so more than adequately. Only the WebTrader and TrustUK codes provide similar levels of protection in this area, by incorporating relevant Codes administered by the Advertising Standards Authority in the UK. The OECD Guidelines provide more general directives on misleading advertising, while the Canadian Principles merely require that the terms and conditions of sale be clearly distinguished from marketing and promotional material or messages.
The Ziff-Davis Standard takes a different and much less rigorous approach to online advertising, requiring only that “In the merchant’s information centre, the merchant shall notify customers of its policy on accepting payments or other consideration from third parties for placement of any content related to the third parties’ products/services that is not clearly identifiable as advertising.”
Online Contract Formation/Cancellation
This is one area in which the BBBCode is inadequate, from the consumer perspective. Given the potential for keystroke or clicking errors, as well as for misunderstanding, in the online context, it is essential that online vendors confirm a consumer’s intent to transact before engaging the consumer in a binding transaction. Electronic commerce is still in its early stages; many consumers are still unfamiliar with the medium and may not appreciate the consequences of their online actions. Yet, the BBBCode does not appear to require business subscribers to take proper precautions in this respect. Instead, it merely encourages them (through the use of the term “should” instead of “shall”) to:
- provide the consumer with an opportunity to confirm her intent to enter into the online transaction,
- confirm key details of the order, and
- correct and modify the order.
Moreover, the BBBCode provides consumers with cancellation or refund rights only where “a delay in shipping occurs”. This is insufficient consumer protection in the online context.
A separate provision in the draft BBBCode, however, raises questions as to exactly what BBBOnline intends to provide in this respect. Under Principle 1, “Terms of the Online Transaction”, the Code states as follows:
“Upon consummation of a transaction by a consumer, online businesses shall provide the consumer with a confirmation notice of the transaction. Online businesses shall give notice that they provide this confirmation prior to the completion of a transaction.”
Needless to say, this provision is ambiguous both in its own wording, and in relation to the other permissive provision referred to above. Confirmation should be required both before and after the transaction is completed. Beforehand, the purpose is to ensure intentional contract formation; afterward, the purpose is to facilitate contract fulfilment and redress as necessary. The BBBCode requires clarification and modification in order to resolve this drafting problem.
Consumers must have an opportunity, before concluding the transaction, to, in the words of the OECD Guidelines, “identify and correct any errors or modify the order, express an informed and deliberate consent to the purchase, and retain a complete and accurate record of the transaction”. Moreover, as the OECD Guidelines state, “the consumer should be able to cancel the transaction before concluding the purchase”.
In keeping with the OECD Guidelines, the Canadian Principles require online vendors to “make clear what constitutes an offer, and what constitutes acceptance of an offer”, so as “to ensure that the consumer’s agreement to contract is fully informed and intentional”. They go on to require that “in inadvertent sales transactions in which consumers acted reasonably, the vendor should allow the consumer a reasonable period of time to cancel the transaction once the consumer has become aware of it”. Even WebTrust requires “controls to provide reasonable assurance that positive acknowledgement is received from the customer before the order is processed”, and Safengine (the Better Cyber Bureau) includes as one of its very few requirements that “some type of confirmation form” be used for all online transactions.
It should be noted that the BBBCode does require businesses offering subscriptions online to provide consumers with “an easy to use means to cancel an ongoing subscription, and timely confirmation of such cancellation”. We found this provision in no other code.
Contract Fulfilment/Return Policy
The BBBCode deals with contract fulfilment issues succinctly, by requiring that “online businesses shall comply with all commitments, representations, and other promises made to a consumer”. In addition, it requires confirmation of sales transactions either at the time of the transaction or immediately following via email. Such confirmation must include sufficient information for purchasers to obtain the status of the order, and must be capable of being printed by the consumer.
While not as detailed as some Codes in the area of contract fulfilment (e.g., WebTrust, Ziff-Davis), the BBBCode is more detailed than others (Canadian Principles, WebTrader).
However, the BBBCode does not set a high standard when it comes to return policies. As noted above under “Contract Formation/Cancellation”, the BBBCode requires that businesses offer refunds where there is a delay in shipping. Otherwise, however, the Code does not require businesses to adopt any sort of return policy. Indeed, under the information disclosure provision on return policies, the Code states “If the business does not offer a return policy, it shall clearly disclose that fact.” (In the section on dispute resolution, however, businesses are encouraged to consider refunds as one method of satisfying customers in the event of problems with the transaction.)
The BBBCode’s provisions in this respect are inadequate, and do not meet the standard set by other codes, such as WebTrader, which requires full refunds within 30 days where goods turn out to be faulty or different from those ordered, or the Canadian Principles, which require prompt refunds for unauthorized transactions, transactions in which the consumer did not receive what she paid for, and transactions in which the vendor failed to provide relevant information. The WebTrader Code also provides consumers with cancellation/refund rights where the price changes or where the business cannot deliver within the agreed time.
Consumer Privacy (Data Protection)
This is one area in which the BBBCode is clearly inadequate. As noted above in our examination of the comprehensiveness of the BBBCode, numerous important elements of effective data protection are missing. These gaps become most evident when the BBBCode is compared with the CSA Privacy Code (which forms the basis of Bill C-6, proposed federal legislation in Canada, as well as the privacy section of the Canadian Principles reviewed here), or the TrustUK privacy provisions, which appear to be based on a set of principles similar to the CSA Code. Both the TrustUK Code and the WebTrader Code require compliance with the UK Data Protection Act, the provisions of which we have not examined.
Like TRUSTe, the BBBCode focuses on posting and adhering to a privacy policy, rather than meeting all the requirements of fair information practices. While stating up front that the business’s privacy policy must be “consistent with the following fair information principles: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress”, the BBBCode uses permissive (“should”) language for three of the five principles, requiring only that:
- consumers be given the opportunity to opt out of having their personal information shared with a third party for future marketing purposes;
- notice be provided as to “what access consumers have to the information collected”;
- “mechanisms to correct inaccurate individually identifiable information” be established;
- businesses that collect personal information “state how they protect the quality and integrity of the information collected as well as the confidentiality of that information from unauthorized access”.
In addition, under its “Aim to Please!” principle, the BBBCode prohibits retention of consumer information without affirmative consent where the consumer does not consummate the transaction.
Two of these five requirements constitute information disclosure rules, rather than substantive privacy protection. Hence, the only clear, substantive, and binding privacy protection offered by the BBBCode involves opting-out of disclosures for marketing purposes, the correction of inaccurate information, and the retention of consumer information where the consumer does not complete the transaction. This is woefully inadequate.
In contrast, the CSA Privacy Code and the TrustUK privacy provisions set out a much more comprehensive list of privacy protections, including the following fundamental elements of fair information practices which are not even recommended in the BBBCode:
- limiting collection of personal information to that which is necessary for the purposes understood and consented to by the consumer;
- no use or disclosure of personal information without the informed consent of the individual;
- no unnecessary retention of personal information;
- measures to ensure the security of personal information held;
- personal information held must be accurate and where necessary, up-to-date;
- individuals must be provided, upon request, with reasonable access to their personal information held by the organization;
- incorrect information must be deleted or corrected promptly;
- individuals must be able to hold the organization accountable for privacy violations, and challenge its compliance with these policies through a fair and effective redress mechanism.
Even TRUSTe’s privacy code, which is also deficient when compared with the CSA Code, is superior to the BBBCode, insofar as it requires:
- key disclosures (rather than just recommending them, as BBB does);
- that consumers be given an opportunity to opt out of internal secondary uses as well as third party distribution for secondary purposes (not just marketing purposes);
- that appropriate security measures be taken to protect personal information;
- that appropriate measures be taken to ensure the accuracy, completeness and timeliness of personal information collected online and that users can verify that inaccuracies have been corrected.
Hence, the BBBCode fails to measure up to established standards in the area of privacy protection.
Out of interest, we also briefly examined BBBOnline’s Privacy Seal requirements, to see how they measure up to the standards established by other codes such as the CSA Privacy Code. While significantly stronger than the draft BBBCode, the BBBOnline Privacy Seal is still deficient in some key areas. Like the TRUSTe Code, it focuses on disclosures rather than on substantive consumer rights to privacy. Neither the collection, use nor disclosure of consumer information is adequately limited (e.g., to that consented to by the individual), and there is no rule restricting the retention of personal information to that which is necessary. However, the BBBOnline Privacy Seal, like TRUSTe, does require special privacy protections for children, along with a separate Children’s Privacy Seal.
Transactional Security
The BBBCode provisions on security require that online businesses “use secure and encrypted channels for the maintenance and transfer of personally identifiable information such as a credit card number”, and “provide safeguards to ensure that any third parties involved in fulfilling a transaction maintain equal or superior security to that used by the business”.
Security provisions in other codes range from extremely basic (“The site must be secure for sending personal information”: WebTrader) to extremely detailed (BSI Information Security Management Standard, recommended by TrustUK). Most of the codes examined (Ziff-Davis, WebTrust, WebTrader, TRUSTe) require only that the business ensure the security of its own site and/or transmissions. However, like the BBBCode, the Canadian Principles and TrustUK Code explicitly address the need for all parties involved in the transaction to adopt appropriate security measures. BBB’s and TrustUK’s provisions in this respect are superior to those of the other codes insofar as they clearly place a responsibility on the business to ensure that third parties involved in the transaction adopt similar security safeguards.
Security of information collected is one aspect of privacy protection, addressed in most privacy policies, including that in the BBBCode. Transactional security involves measures to protect information in transmission, to ensure authenticity of the parties, and to ensure integrity of the transaction. Some codes address these concepts separately, while others treat them as a single issue. By taking the former approach, the BBBCode provides clearer and more specific direction to businesses; it recognizes that different measures will be needed to ensure different types of security (e.g., security of stored information from unauthorized access vs. security of credit card information in transit).
The overall issue of information security management is the subject of a British Standard, BS 7799-2, which specifies requirements for establishing, implementing and documenting information security management systems. This Standard is not limited in application to online businesses. An outline of it is provided in Appendix A. The controls described in this Standard are extremely detailed, addressing all aspects of a business operation, from management accountability and organization processes to systems development and maintenance. The Standard itself is far more lengthy and detailed than most of the general ecommerce codes examined in this study. While certainly desirable, it is unrealistic to expect businesses (especially small businesses) to adopt a standard of this nature as part of a general, mass-marketed ecommerce code.
It is interesting, however, that the TrustUK Code recommends use of the BSI Standard “as a basis for [the business’s] security standards”, and that both the TrustUK and WebTrust codes include a number of provisions on security which focus, like the BSI Standard, on internal business controls.
Consumer Redress
The Better Business Bureau emphasizes effective complaints resolution as an essential component of good business practices, and prides itself on its efforts to resolve customer disputes. It is therefore surprising that the BBBCode would be so deficient in the area of consumer redress. All that is required under the draft code is:
- “an easy-to-find and easy-to-understand notice of how a consumer can contact the business to resolve any dissatisfaction related to the transaction”;
- “an effective internal consumer dispute resolution mechanism”;
- “good faith effort[s] to resolve any disputes…”; and
- “additional means to satisfy a consumer should the business’s internal consumer dispute resolution mechanism not result in customer satisfaction. Such additional means could include: money-back guarantees, third-party alternative dispute resolution, escrow services, chargeback mechanisms, or insurance policies….”
Complaints Handling
With respect, first, to internal complaints handling, the BBBCode is barely adequate. On one hand, it offers a concise summary of the overall requirement for an effective complaints handling process. On the other hand, it fails to provide sufficient detail on what constitutes an effective complaints handling process, leaving the question of what constitutes “effective” open to interpretation.
A similar approach to complaints handling (broad statements only) is taken by the Canadian Principles, the OECD Guidelines, and the TrustUK Code. In contrast, the WebTrader Code provides an unusual amount of detail on an effective complaints handling process, listing eight necessary components (fair, confidential, effective, easy to use and well publicized, speedy, informative, simple to understand and use, and checked, to see that it is working well), and linking the online reader to a UK government document providing more detailed guidance as to an effective complaints handling process.
The WebTrader Code comes closest to the standard established by the Australian Standard on Complaints Handling (AS/NZS 4269). This Standard is not specific to online businesses, but it is nevertheless entirely applicable. As described in Appendix A, the Australian Standard sets out thirteen “essential elements” of an effective complaints handling process, and expands on each. While it is arguable to what extent the BBBCode’s requirements for an “effective” mechanism and “good faith” efforts to resolve complaints meet the criteria set out in the Australian Standard, it is clear that many important elements of effective complaints handling have been overlooked in the BBBCode (as in most other codes).
For example, the BBBCode does not require that businesses respond to complaints in a timely fashion. Interestingly, this is one requirement that some otherwise even more deficient codes (Ziff-Davis; Better Cyber Bureau) do contain. Perhaps BBBOnline expected that the Code’s requirement for businesses to “respond, promptly and substantively, to the consumer’s questions” met this need. However, “complaints” are not necessarily “questions”, and the two matters are in any case dealt with separately in the BBBCode. Nor does the BBBCode require that the complaints process be “easy to use”, as do both the TrustUK and WebTrader codes.
Dispute Resolution (post-complaint)
The BBBCode is even less adequate with respect to dispute resolution, once the internal complaints process has failed. It simply requires “additional means to satisfy a consumer”, leaving the determination of what those “additional means” are up to the business. BBBOnline explains this initial approach to dispute resolution by noting that there are many ways to resolve disputes, and that technological advances will likely provide others in the future. BBBOnline states in a Note that it “sought to make this paragraph performance based rather than force one option (ADR) on the business”.
The creators of TrustUK, the OECD Guidelines, the Canadian Principles, and TRUSTe, on the other hand, consider third party dispute resolution to be an integral element of effective consumer redress in the context of a code of online business practices. (WebTrader simply requires subscribing businesses to cooperate with Which? legal services, and neither the Ziff-Davis nor WebTrust codes address this issue.) Indeed, TrustUK’s accreditation criteria require that all unresolved complaints be referred to the Code owner for independent resolution – in other words, that the Code owner administer or oversee some kind of independent third party dispute resolution process. Given that BBBOnline already offers such a service under its “Reliability” seal (indeed, requires its Reliability seal holders to participate in it), it is odd that the Code would not make this process a central aspect of its redress provisions. Like BBBOnline’s Reliability seal program, both TRUSTe and the Better Cyber Bureau require subscribing businesses to engage in their dispute resolution processes as necessary, although the efficacy of these particular processes is questionable.
TrustUK also sets out, for Code owners, a list of criteria that their dispute resolution mechanisms must meet. According to TrustUK, redress mechanisms should be effective, free or low cost, independent, quick (with time limits for each stage), easy to use (clear rules), well-publicized, transparent (annual report to be published), and binding on subscribers. Both TrustUK and the Canadian Principles specifically state that use of the dispute resolution process must not remove the complainant’s right to take the matter to court. The Australian Complaints Handling Standard also lists criteria, albeit somewhat different, for an effective dispute resolution process (see Appendix A).
BBBOnline Reliability Seal Complaints and Dispute Resolution Rules
As noted above, BBBOnline has expressed an intention to incorporate the new Code of Online Business Practices into its existing Online Reliability Seal program. BBBOnline’s Reliability seal program requires that participants “have a satisfactory complaint handling record with the BBB”, “respond promptly to all consumer complaints”, and offer dispute resolution through the BBB or another provider that meets BBB criteria. Those criteria are:
- Full Disclosure (of types of disputes covered, contact information for the arbitration forum, fees, standards used as the basis for the decision, and legal implications of signing the arbitration clause);
- Requirement that the consumer separately sign the arbitration clause; and
- Fair and Impartial Resolution (independent and impartial administration, due process, reasonable costs, feedback to BBBOnline on case resolution).
While a vast improvement over the draft Code provisions, the Reliability Seal requirements still do not meet the highest standards of complaints handling and dispute resolution. Numerous requirements of an effective complaints handling mechanism are simply not addressed, and some of the key elements of effective dispute resolution are left unclear (e.g., low cost, ease of access and use, availability of information on past performance) in the criteria set out above. Thus, even in the context of the BBBOnline Reliability Seal Program, there is room for improvement in the area of consumer redress.
Unsolicited Commercial Email
The BBBCode’s provision on unsolicited commercial email (“UCE”) requires that subscribing businesses “provide an easy to use and understand “Do Not Contact” policy – a policy that enables those customers who do not wish to be contacted online to ‘opt out’ online from future solicitations”, and that the businesses “subscribe to a bona-fide email suppression list”. It is not clear what is meant by “email suppression list” – this needs to be clarified.
The “opt-out” approach taken by BBBOnline is common among those codes that address UCE (e.g., OECD Guidelines, WebTrader, TrustUK). TRUSTe, while not specifically addressing UCE, effectively does so via the requirement that consumers be able to opt out of “internal secondary uses”. The Canadian Principles do explicitly address UCE, but do not explicitly choose the opt out approach. They state instead that “Vendors should not transmit commercial email without the consent of consumers, or unless a vendor has an existing relationship with a consumer”. (It is not clear from this statement whether consent can be obtained implicitly via an “opt-out” approach.)
Alternative approaches to UCE are (a) to simply prohibit it, or (b) to require express, positive consent from the consumer (the “opt-in” approach). Interestingly, one of the few requirements of the Better Internet Bureau is that the business does not engage in “any mass distribution of email known as ‘spam’” (the term “spam”, however, could be interpreted broadly or narrowly). TrustUK, while requiring consumer opt-out mechanisms, also prohibits outright the sending of “unsolicited commercial email which is random and untargeted” (one possible definition of “spam”). Given the increasing annoyance and cost imposed on consumers by such untargeted “spamming”, such a rule is appropriate and should be adopted by BBB and other codes.
While “opt in” approaches are preferable from the consumer perspective, “opt-out” approaches can work if applied rigorously and in good faith. It is important, for example, that consumers be made aware of their rights to refuse UCE, and of the method by which to exercise those rights. (The BBBCode requires the business to describe its UCE practices.) It’s also important that UCE be clearly identifiable as such – a requirement found only in the TrustUK code, of all the codes examined.
The BBBCode provisions on UCE, while adequate and better than some other codes, are not in our view optimal. At a minimum, the existing provisions should be supplemented with an outright prohibition on random and untargeted UCE, as well as a requirement that all UCE be clearly identified as such. BBB could also encourage adoption of an “opt in” approach, as a best practice.
Protection of Children
Not all Codes address the special protections that are needed to avoid exploitation of children’s natural credulity, lack of experience and level of risk awareness. Of those reviewed, only the BBBCode, the TrustUK Code, TRUSTe, and the OECD Guidelines address the issue. Unlike the first three, which set out detailed rules, the OECD Guidelines merely state that “Businesses should take special care in advertising or marketing that is targeted to children, the elderly, the seriously ill, and others who may not have the capacity to fully understand the information with which they are presented”.
The BBBCode devotes an entire Principle to children, and requires subscribers to adhere to a separate Code of Practice on advertising to children (“Children’s Advertising Review Unit (CARU) Self Regulatory Guidelines for Children’s Advertising”). TRUSTe requires adherence to an additional set of requirements (“children’s seal requirements”), and display of a separate children’s seal, if the site is aimed at children under 13. TrustUK requires that accredited Codes include “specific requirements relating to the fair treatment of children”, and sets out six provisions that must be included. The TrustUK, TRUSTe, and BBBCode (CARU Code) provisions on children all include rules limiting the collection of information from children, and requiring verifiable parental consent. It should be noted that in the United States, recent passage of the Children’s Online Privacy Protection Act of 1998 establishes legal requirements in respect of such activities. The CARU Code also provides a lengthy and detailed set of rules regarding advertising directed at children.
The BBBCode therefore scores highly in the area of children’s protection.
Compliance Assessment and Oversight
A Code is meaningful only if the entities that claim to comply with it actually do so. Business self-declaration is insufficient particularly when it comes to reliability seals; independent third party compliance assessment is an essential component of any such scheme. This is recognized:
- by TrustUK in its accreditation criteria, under which Code owners are responsible for monitoring and enforcing their Codes, and under which TrustUK is responsible for monitoring Code owners and withdrawing accreditation as necessary;
- by TRUSTe, in its oversight and complaint resolution procedures; and
- by WebTrust, in its quarterly audit requirement.
All that the BBBCode requires, however, is that the entity that conducted the compliance assessment review be disclosed. In other words, businesses must state that they are declaring themselves to be compliant with the Code, if they choose not to obtain a third party compliance assessment. While such disclosure is essential where self-declaration is permitted, it is not at all clear that consumer misunderstanding will be thus averted, especially if self-declaration is accompanied by a mark indicating third party accreditation.
Assessing the BBBCode in the context of the BBBOnline Reliability Seal program, however, changes the results. Under the Reliability seal program, BBBOnline is the entity responsible for compliance assessment. It monitors the subscriber’s complaint handling and dispute resolution record, and has the power to revoke the seal where a subscriber does not satisfactorily comply. It does not, however, engage in audits (like WebTrust), “seeding” (like TRUSTe), or monitoring of subscribers’ business practices (as required by TrustUK); compliance assessment is purely complaints based. In this respect, the BBB approach to compliance assessment may be seen to be lacking.
TrustUK requires that Code owners “have in place an effective system to enforce the provisions of the Code of Practice to ensure compliance with it”, which system must include:
- monitoring of subscribers’ compliance with the Code;
- “effective and meaningful sanctions”;
- “a commitment from the subscriber to comply with the Code and an undertaking from them to take appropriate action to amend procedures to bring them in line with the Code at the request of the Code owner…”
- “the ability to terminate membership of or involvement with the Code owner…where the subscriber fails to take action to ensure compliance with the Code or is found to be seriously or consistently in breach of the Code”.
In addition, TrustUK requires that Code owners report quarterly to TrustUK on the compliance of their subscribers/members with their Code of Practice.
For its part, TRUSTe conducts periodic reviews of member sites, and periodically “seeds” member sites (submits personal information online) to verify that the site is following its stated privacy policies. When and where it deems appropriate (e.g., where violations are found or suspected), TRUSTe may also require an on-site compliance review by an independent auditing firm. Where licensees fail to correct problems, TRUSTe may revoke the trustmark. However, the criteria for revocation are left unclear, such that revocation decisions are left entirely within the discretion of TRUSTe.
The WebTrust seal program is all about compliance assessment. Entities are permitted to continue displaying the WebTrust seal only if the “assurance examination” is updated on a regular basis, which shall in no case be less than quarterly, and if the entity gives notice of any significant and relevant changes in its business policies, practices, processes and controls during the interval between compliance assessments.
VI. CONCLUSION
The BBBOnline draft Code of Online Business Practices receives a mixed review when measured against emerging standards as well as other existing codes. It is strong in some respects but weak in others. The Code is particularly strong in the areas of information disclosure, misleading and deceptive practices, and the protection of children. It is particularly weak in the areas of consumer privacy and redress. Depending on how each of these components is valued, the BBBCode may be considered adequate or inadequate. It is certainly superior to many other codes and seal programs currently offered in the marketplace, but remains deficient in some key respects. It is hoped that the worst of these deficiencies, at least, will be corrected before the draft Code is finalized and put into practice.
When assessed as part of the BBBOnline Reliability Seal program, the redress and compliance aspects of the draft Code are substantially strengthened, but still don’t meet the highest standards of complaints handling, dispute resolution, and compliance assessment.
APPENDIX A:
OUTLINE OF SELECTED CODES AND STANDARDS
BBBOnline draft Code of Online Business Practices
http://www.bbbonline.org
– speaks to online merchants only
– logo provided to approved members; may be withdrawn if non-compliance
– links to other Code (re: Children’s Advert)
The End of (Traditional) Regulation?
THE END OF (TRADITIONAL) REGULATION? A RESPONSE TO PROFESSOR RICHARD SCHULTZ
Speaking Notes, Philippa Lawson, Public Interest Advocacy Centre
pippa@web.net; http://www.piac.ca
“Breaking the Mould: Reconceiving Telecommunications Regulation” Conference
Faskin Martineau/University of Toronto
February 17, 2000
Richard, let me begin by summarizing your position. I heard you say 6 important things:
- To the extent there’s any kind of telecom policy in this country, its overriding goal should be competition
- Competition only works in the absence of regulation. So the CRTC has to go.
- The way to deliver universal service is through direct government subsidy—so it can be ladled out by MPs just before an election.
- Anybody, from any country, ought to be able to own Canada’s phone system.
- Incumbent carriers, who are trying to compete in the new multimedia world of communications with highly vertically integrated international competitors, should be stripped of their long distance businesses
- Once the competitive Nirvana arrives, we can all relax—general competition law will keep everything running smoothly.
I think you won’t be surprised to hear that I think all of these propositions are a little dubious.
Instead, I’d like to put forward an alternative thesis: that, yes, traditional regulation has run its course, and that new models are needed for the new competitive environment – new models in which pro-competitive specialized regulation complements general competition law. This necessary shift has largely been recognized by the CRTC and is reflected in the dramatic regulatory transformation to which you have referred. But first, let me respond to Richard’s arguments.
Richard has made an impassioned case for establishing competition as the overriding goal of telecommunications policy, to which all other goals are secondary. Competition, for competition’s sake. Ideology substituting for rational, objective thinking informed by economic history – a history that proves the inability of market forces alone to achieve prosperity for anyone other than the corporate elite.
It’s this religious embrace of market forces as the be-all and end-all that leads him into contradictory arguments:
On one hand, we must get rid of the CRTC in order to achieve full competition. On the other hand, we need to keep the CRTC around until competition is sufficiently robust and assured to survive without a specialized regulator.
On one hand, we need to minimize interference with market forces, while on the other hand, we should be actively promoting competition through various interventionist means.
On one hand, we should sit back and let the “creative energies” of the market “forge new corporate alliances”, but on the other hand, we should be wrenching apart those corporations which are only doing what market forces compel them to do.
This fixation on competition, I submit, is precisely what has led to the airline debacle. We forced competition onto an industry which simply could not sustain it.
The fact is that healthy, sustainable competition is not possible in all locations or in all industry sectors. Remnants of natural monopoly, inadequate market forces, and other thorny issues often exacerbated by competition keep rearing their ugly heads.
Even where effective competition is possible, it is rarely achieved in the form that economists promise. Persistent market dominance by the incumbent tends to muddy the clear waters of academic theory. And forcing the incumbent to divest itself of long distance operations won’t provide much relief to local competitors.
Finally, where effective competition is achieved, it will be fragile and vulnerable to sabotage by corporate mergers brought about by global forces over which we have little control. Thus, having forborne, the regulator must be ready to step back in if and when the need arises – it must not totally abdicate.
Competition is too elusive, too fragile to be considered our sole end goal. It is, rather, a preferred means to an end. So what is that end?
This is where Richard has left us in the lurch – there’s an unstated assumption in his thesis about what competition will deliver. I can only presume that this ultimate goal is prosperity, a higher standard of living, a better life for all. In other words, competition is secondary to these ultimate goals – it is merely our preferred means of achieving them. So, in fact, Parliament’s error was not in failing to make competition an overriding goal of telecom policy, but rather in giving competition the status of a goal in the first place.
In any case, Parliament has spoken – there are a number of objectives of Canadian telecommunications policy, reflecting a conscious decision to treat telecommunications as a social and economic enabler, not just another utility. Deride these objectives if you wish, but they reflect a national consensus that universal service is a primary goal of telecommunications policy – not just because we want to be nice to poor people, but because we recognize the tremendous positive social and economic externalities that this particular networked industry has the potential to deliver, to the benefit of all Canadians, including our corporate brethren, and to the benefit of Canada as a nation.
Are long term competition and regulation enemies, as Rick suggests? Absolutely not.
Competition can coexist with regulation. Indeed, they must co-exist in order both for competition to thrive and for the other goals of telecom policy to be achieved. A new regulatory model is being developed, one that permits healthy competition, while filling in the gaps that market forces leave behind.
These are difficult issues. It’s no easy task to turn a regulated monopoly into a competitive market, especially when the product in question is an essential service. With difficult issues comes a human tendency to seek out simple answers. And where better to look than economics. Just step out of the way, let those market forces work, and we’ll all be happier for it. Works in theory, right?
It’s reassuring to hear that Rick Schultz does not entirely buy into this long discredited notion – at least he recognizes that taking away regulatory barriers doesn’t guarantee competition. He recognizes that without appropriate regulation the existence of dominant players tends to distort markets and impede the development of competition. That much is obvious to even the most hard core disciples of neoclassical economics.
Beyond this short-term, narrowly circumscribed role, though, the free marketeers seem to me to be astoundingly naive with respect to the way markets work in practice. They downplay or simply ignore policy goals other than economic efficiency, and they’re blind to the possibilities for more nuanced, sophisticated approaches to complicated problems.
Getting rid of the CRTC will not get rid of the many forces that tend to undermine the development and maintenance of effective competition in a previously monopolized market. It will not make dominant firms any less dominant. It will not get rid of the remnants of natural monopoly in this still highly capital intensive industry. It will not change the fact that consumers – the basis of market forces – in fact often act quite irrationally, contrary to the assumptions of economic theory. It would, in my submission, be disastrous for competition in telecommunications.
It would also be disastrous for Canadians, who have come to rely upon affordable, accessible telecommunications services wherever they live. Which leads me to the question of whether telecommunications is still unique.
Telecommunications is unique in a key respect: it is a networked service, whose value depends upon its universality. Unlike electricity, transportation, housing, or other industries providing essential services, telecommunications is based on connecting people to each other. The value of the network is only as good as its universality. This is what sets telecommunications apart, and what justifies the policy emphasis on universal service.
Richard argues that competition is suffering because of an outdated approach to funding universal service, that we should end the industry contribution scheme once and for all, and leave it to government to deal with the fall-out through the tax system. This is not an unreasonable argument, but it does ignore some important realities.
Let’s just acknowledge, first, what Richard is actually proposing. Under this approach, people living in Iqaluit, for example, would face basic monthly rates of $90. Farmers in Saskatchewan, outport fishermen in Newfoundland, social workers in Yellowknife would have to pay $50 or $60 per month. Some areas would probably be left entirely unserved. What would happen to these communities? What businesses would want to locate there? And who would qualify for subsidized rates? Those on welfare? What about the working poor? Don’t fool yourselves about the efficacy of targeted subsidies – they help some, but not all.
What does Richard’s argument ignore?
It ignores the fact that universal service enhances the value of the network and thereby benefits the industry that provides it. It’s not just taxpayers that benefit from a strong, ubiquitous telecommunications system linking Canadians to each other, it’s also the industry that profits from universal service.
Moreover, while the government may well be at fault for not providing more specific guidance to the CRTC in policy matters such as the extent to which rural and remote areas should be subsidized out of industry-generated funds, it has in fact spoken through the recent amendment to the Telecom Act explicitly providing the CRTC with powers to establish and administer an industry fund through which to “support continuing access by Canadians to basic telecommunications services”. (s.46.5(1))
So it appears the argument we are having is purely academic – the government neither wants nor intends to take over the challenge of ensuring universal service in telecommunications.
It is not uncommon for revolutionaries to ignore thorny problems raised by the new regime they propose. We know all too well the problems with the existing regime. Why are we so naive as to suppose that similarly serious problems won’t result from a new system? Take Rick’s proposal for a government sponsored telecom subsidy – how do you determine eligibility for the subsidy? How do you ensure that it is spent on telephone service and not food? How do you make sure that everyone who needs the subsidy gets it? And that those who don’t need it, don’t get it? The fact is that in programs such as this, people always fall through the cracks, and the result is greater suffering, marginalization, and increased social costs.
This would of course run completely counter to the government’s agenda of “Connecting Canadians”, under which efforts are being made to address the digital divide, to ensure that less privileged Canadians are not only connected by phone, but also have access to the Internet.
Finally, telephone service is not a government sponsored benefit, like OAS or the child tax credit. I doubt that government would want to start using the tax system to dole out money intended for the payment of specific services. The issue here is not income supplementation; it’s affordable service.
Aside from passing the buck on the universal service issue, and making competition an overriding policy goal in the Telecom Act, Richard proposes that we “aggressively promote” competition in two concrete ways:
- Reduce or eliminate foreign ownership restrictions, and
- Force the incumbents to divest themselves of their LD (or local) operations.
I’ll leave the issue of foreign ownership to tomorrow’s panel, other than to say that the current restrictions don’t seem to be much of an obstacle to foreign investment in Canadian telecommunications – I suspect that we have more foreign ownership of telecom carriers in Canada than in most other countries.
The divestiture argument, however, does demand a response. I would have agreed with Rick on this five years ago, but the telecom world has been transformed since then. We are now into a new world of global competition, in which the name of the game is corporate merger, so as to combine integrated data, voice, multimedia, and IP-based services. The trend in the US and elsewhere is RE-integration, “one-stop shopping”, providing the full suite of services. We’re way past the local/long distance problem.
Look at AT&T, now hooked up in Canada with Metronet, Rogers and Videotron. It’s become, in the new world, perhaps the ultimate example of a vertically integrated incumbent, providing not just long distance, but local voice in some markets, wireless (Cellular One), Internet (WorldNet), business data and voice services, network outsourcing, web hosting, ecommerce entertainment, and cable (TCI) services.
Divestiture may be an appropriate response to competitive abuses by incumbents, but those who were the incumbents in the old world of telecommunications may not be the incumbents of the new world. I submit that the greater danger that we face in the form of these corporate behemoths is the combining of content and carriage functions under one roof. That’s where divestiture may prove necessary in order to maintain vibrancy and diversity in the telecommunications marketplace.
Finally, I come to Richard’s argument that the CRTC should be dismantled and replaced with, in his words, “a more sophisticated tool-kit of public remedies” including competition law, trade regulation and copyright law. Mindful that these subjects will be addressed by later panels, I wish only to make a few points about the so-called sophistication of competition law, and why it cannot substitute for specialized regulation.
Even our official cheerleader of competition and competition laws, Mr. von Finckenstein, would be loath, I suspect, to characterize general competition law as “sophisticated”, especially in comparison with specialized sectoral regulation. It is precisely the unsophisticated nature of competition law that renders it inadequate to safeguard the development of competition in the telecommunications industry.
First, general prohibitions don’t catch all forms of anti-competitive conduct – for example, predatory pricing rules applied under general competition law do not account for the high ratio of fixed to variable costs in the telecom industry, which inhibit entrants from leaving the market during below-cost pricing by a rival. The “revenue recoupment test” does not take account of the strategic benefits to a telecom industry predator of establishing a reputation for toughness and deterring innovation and investment by its rivals.
Second, enforcement of competition law tends to be slow and expensive, whereas specialized regulators can issue directions based on specific regulatory powers in a matter of days, providing a clear signal of the regulator’s view of the conduct in question even if not giving rise to direct liability.
And third, even if general competition laws are successfully invoked, suitable remedies may not be available. A Court, for example, is unlikely to be able to set an appropriate interconnection charge in the way that the regulator can.
We have only to look to New Zealand to see the folly of total reliance on competition laws – millions of dollars and several years were spent in protracted negotiations and lawsuits during which the incumbent carrier was able to delay the introduction of competition and the resolution of competitive disputes. Surely that lesson has been learned.
Australia has attempted to avoid the New Zealand fiasco by empowering its competition authority to act as a specialized telecoms regulator as well. The Australian Competition and Consumer Commission (ACCC) remains in charge of general competition law, but has since 1997 been empowered with specialist knowledge and specific responsibility in respect of telecommunications competition. Telecom staff in charge of carrier competition issues at the old telecom regulator, Austel, were simply transferred to the ACCC. Australia has thus recognized that general competition law and telecoms-specific law are not mutually exclusive choices, but rather, are complementary tools.
This is also recognized by our Commissioner of Competition, who advocates leaving specific regulatory functions regarding interconnection and access with the CRTC. As the Assistant Deputy Commissioner of Competition has emphasized, “competition is not a substitute for regulation”.
So, are we facing the end of traditional regulation? Clearly, yes. Traditional quasi-judicial, command and control regulation is not likely to work in an era of rapid change. This has been recognized by the CRTC, and is reflected in its move from hands-on regulator to referee, and from top-down regulation to negotiated rule-making.
Are we facing the end of specialized telecom regulation? No. There will likely always be a role for a specialized telecoms regulator, to deal efficiently and effectively with interconnection disputes, access issues, and universal service subsidization. The CRTC will not go out of business; it will continue to adapt its regulatory approach and procedures to suit the changing marketplace.
But will it adapt appropriately, or sufficiently? A new paradigm of regulation is needed, one which puts more emphasis on cooperation between the CRTC and competition authorities, which focuses on consumer protection, and which takes on a more proactive approach to industry monitoring and consumer information.
My concern is that the CRTC may be too short-sighted and reckless in its desire to please those whose self-interest is in complete forbearance. The Internet of 1999 may not need to be regulated – but who knows about the Internet of 2005? I, for one, am not willing to bet that regulatory intervention in new media will never be needed. The AOL/TimeWarner merger is just a sign of things to come.
I’m also concerned that the CRTC doesn’t appreciate the need for its continued presence not only as a referee of competitive disputes, but also as an information gatherer and distributor, so as to provide consumers with the information they need to make informed choices. We need more regulation by information.
We are in the process of reinventing telecommunications regulation in Canada. What we need is not free market evangelism but rather imaginative and sensible approaches to pro-competitive regulation which are informed by history and guided by a vision of the future in which everyone, not just the corporate elite, benefits.
Thank you.
Letter to the Minister re: AOL TIME WARNER merger
VIA FAX AND MAIL
(613) 992-0302
Honourable John Manley
Minister of Industry
235 Queen Street
11th floor, East Tower
Ottawa, ON
K1A 0H5
Dear Minister Manley:
Re: AOL Time Warner Merger
The AOL acquisition of Time Warner presents serious implications for Canadian consumers of broadcasting and new media services, as well as potential problems of access for Canadian content providers. These problems are not confined to Canada. Significant and reputable consumer groups in the United States, including the Consumers Federation of America, Consumers Union, and the Consumers Project on Technology, have called for the AOL acquisition of Time Warner to be stopped. We believe that the analysis of the American consumer groups is compelling, and that a thorough review of the competitive and other implications of this deal is called for.
As you are aware, the issue of the importance of carriage/content separation is not a new one for the federal government and your department. In 1995, the Information Highway Advisory Council report entitled “The Challenge of the Information Highway” had this to say on the issue:
“The Broadcasting Act calls for programming that is varied and comprehensive, expressing a range of differing views on matters of public concern; indeed, the promotion of diversity has been a tradition in Canadian broadcasting policy and regulation. As companies merge to face global competition, maximize competitive advantage, and benefit from vertical integration, maintaining diversity will require structural measures that discourage preferential treatment based on ownership interests.”
Recommendation 7.7 of the aforesaid report provided as follows:
“The principle of carriage/content separation should be maintained at a minimum through the requirement of structural separation between programming and distribution undertakings and with other reasonable safeguards.”
The legitimacy of these concerns was acknowledged by the federal government in its later report “Building the Information Society: Moving Canada Into the 21st Century”. That report noted the dangers to Canadian content for new media services:
“More important within the emerging information industry itself, there are signs of growing vertical integration between providers of broadcasting carriage and content services. This trend could ultimately leave providers of Canadian content vulnerable to discrimination. The present policy and regulatory framework may have to take this new reality into account.”
PIAC is of the opinion that the AOL Time Warner merger may have serious and sustaining implications for access and distribution of new Canadian media services. It not only blurs the line between the desirable carriage/content separation, it potentially lessens competition. In the words of our American counterparts the deal:
“…raises the threat of discrimination among content providers effectively degrading the services offered by competitors.”
We believe that the implications for Canada and Canadian consumers are such that the government should make a formal request pursuant to Article V of the 1995 “Agreement between the government of the United States of America and the government of Canada Regarding the Application of Their Competition and Deceptive Marketing Practices Laws”.
The Agreement provides that:
“If a party believes that anti-competitive activities carried out in the territory of another party adversely affect its important interest, the first party may request that the other party’s competition authorities initiate appropriate enforcement activities…”
We believe that AOL’s acquisition should be afforded a rigorous review by American competition authorities. It is also our preliminary view that the merger in its current form should be stopped.
We welcome the opportunity to discuss these concerns with your office and your officials. We would be pleased to provide any further information that may be of assistance to the government in making this request.
Thank you.
Yours truly,
Michael Janigan
Executive Director/
General Counsel
cc: Konrad von Finckenstein – fax only – 953-5013
Commissioner of Competition