Comments on A Consultation Paper: Proposed Ontario Privacy Act
We agree that the proposed Privacy Act should include rules on whether minors can give consent and that 13 is a reasonable age to be considered able to give this type of consent. The Canadian Marketing Association (CMA) Code of Ethics is a good model to follow on this issue. The CMA Code considers someone under 13 to be a child, but also specifies that CMA members should use “discretion and sensitivity” in marketing to young people (people between the ages of 13 and 19) “to address the age, knowledge, sophistication and maturity of this audience”.
We recommend that there be some limitations on the collection of information from young people (ages 13 – 19) for marketing purposes. As the discussion paper notes, the collection of personal information in the private sector has become more and more intensive, for the purposes of both targeting promotions and providing personalized services. In many instances, an incentive will be offered to disclose personal information, which presents a trade-off between privacy and other benefits. Young people may not be equipped to fully assess this type of trade-off. Therefore, young people should not be subject to offers of benefits in exchange for permission to build up a profile about them. For instance, unlimited Internet service should not be offered to a fourteen-year-old in exchange for creating a profile of her Internet use.
Also, we recommend that there be some safeguards in place to protect vulnerable adults. The legislation should specify that contracts with consumers that involve building up a profile about them should allow a consumer to withdraw from the contract without penalties. For instance, if a consumer wishes to withdraw from a loyalty program, they should be able to do so, as well as withdraw their consent to having the information already collected being used, without having to pay the organization any compensation.
The Act should allow for the indirect collection of personal information only in circumstances where consent can reasonably be implied.
We agree that the Act should limit the use of “opt-out” consent. As the discussion paper suggests, an “opt-out” is meaningful only if it is clearly worded, brought to the attention of the consumer, and made with full information as to the implications of the choice. We therefore recommend that the Act specify the following requirements for valid consent via “opt-out” provisions:
- The opt-out option should be clearly worded, and should explain the implications of the choice which the consumer is being asked to make.
- The opt-out consent should be separate and distinct from any other consents given by the consumer or agreements made by the consumer.
- The consumer’s attention should be directed to the opt-out option, either verbally or via large, bold type in a written document.
- Opting out should require no extra effort on the part of the consumer. For instance, the consumer should not be required to make a separate telephone call or a separate written request in order to opt out. It should be no more difficult for the consumer to exercise the opt out choice than it is for him or her to exercise the converse choice, which involves consenting to the collection of the information.
- In the case of ongoing customer relationships (e.g., telephone service), the opt-out option should be offered at regular intervals, and at least every two years, to existing customers who have not chosen to opt out.
We agree that the Act should allow for implied consent in limited circumstances. The approach to this issue outlined in the discussion paper is sound. The key point is that consent should only be implied for uses of information that relate to the primary purpose for which the information was collected, and for uses that a person would reasonably expect in the circumstances.
We agree that the Act should require organizations to explain their security safeguards. As the discussion paper suggests, it is important that information security is not compromised by requiring overly specific information. On the other hand, enough information should be available for consumers to be able to understand generally the security safeguards, and to compare the safeguards offered by different organizations.
5A Openness Principle
Although Question 5 did not ask about the proposal that the legislation not adopt the CSA Code’s Openness Principle, we would like to make some comments on this subject. The discussion paper suggests that an organization’s privacy practices will be made clear by requiring an explanation of security safeguards, and by requiring disclosure to individuals of the sources of its personal information and the organizations to which it has disclosed personal information. In our view, this proposal lacks important consumer safeguards that are provided by the CSA Code’s Openness Principle.
There are many instances in which individuals will have an interest in knowing about the more general information management policies and practices of an organization, in addition to the specific information about them held by the organization. Individuals should have a legal right to such information, and organizations should be legally obliged to disclose such information upon request.
For example, individuals have the right under the Consumer Reporting Act to inspect their own credit reports and thereby to find out what information it contains and with what organizations it has been shared. Yet these disclosures do not answer many other important and legitimate questions the consumer may have relating to the privacy of their credit information, such as:
- What types of organizations may obtain access to my credit report in the future?
- What type of information does the credit reporting agency intend to collect about me in the future?
- Can I consent to having my credit report disclosed without having my SIN disclosed?
- Is my husband’s credit report linked to my own, or not?
In fact, to truly be able to assess whether it is in their interest to allow certain information to be shared with credit reporting agencies, or allow their credit report to be shared, consumers need to know how the credit reporting system works. Without knowledge of the ground rules, consumers cannot fully appreciate the implications of either giving or withholding consent, and hence, their right to withhold consent is significantly less meaningful. As long as the data protection regime is based on the concept of individual knowledge and consent, openness is an absolutely critical piece of the puzzle.
The discussion paper seeks to regulate outcomes rather than processes. Requiring organizations to draft policies can be viewed as a process, but requiring certain key disclosures about their practices is surely an outcome, not merely a process. It is unrealistic to assume that organizations will make such disclosures of their own accord. Credit reporting agencies, for example, do not publish information that answers the four questions enumerated above, and are not willing to give complete answers upon request. It is even harder to obtain information about data protection practices from some other organizations that deal with personal information(1).
Without the disclosure of information that follows from the Openness and Accountability principles of the CSA Code, public scrutiny of organization practices will be considerably more difficult. In the area of privacy, public scrutiny is particularly important because privacy invasions by their very nature occur largely without the knowledge of affected individuals and are difficult to detect. Public scrutiny is essential in order to encourage compliance with privacy laws and to facilitate their enforcement.
The Openness Principle serves an important purpose within the CSA Code. Without it, the consumers’ consent is considerably less informed, and thus less meaningful. Without statutory requirements for openness, the Ontario legislation will be significantly weaker than the CSA Code and Bill C-6. Indeed, it may not meet the “substantially similar” requirement of Bill C-6.
The accuracy of personal information should be subject to an additional statutory requirement reflecting the CSA Code’s requirement that information be as accurate as necessary for the purposes for which it will be used. Such a statutory requirement is important because it places a responsibility on the organization to devote an appropriate level of resources to ensuring the accuracy of its databases. For organizations holding large databases, the extent to which the data is accurate is directly proportional to the amount of routine data checking and verifying. Under the government’s proposed approach, the regulator would not be able to compel an organization to improve its database accuracy, even if the organization was clearly not devoting enough attention to maintaining an accurate database. The legislation need not instruct organizations on how to achieve ongoing accuracy, but it should require a certain level of accuracy as an outcome of the organization’s information management practices.
Yes, the Act should require contractual safeguards when personal information is sent to another jurisdiction. In addition, it should be clear that consent is required for such inter-jurisdictional disclosures. This is important given the difference in informational privacy rights among different jurisdictions.
Yes, the proposal for transition is appropriate, although it should take into account that organizations subject to the federal legislation should be ready to comply with it in January 2001, and thus would not need the year-long transition period to comply with the Ontario legislation.
We agree that clear, workable rules are desirable. We also agree that some “process” (vs. outcome) requirements of the CSA Code, such as the requirement for staff training, need not be included in legislation. However, we feel strongly that substantive, outcome-oriented aspects of the Accountability, Openness and Accuracy Principles in the CSA Code should be included. Two specific concerns we have in this regard are:
- that the proposed approach does not provide consumers with the ability to obtain enough information about an organization’s practices to make meaningful choices about whether to consent to the collection, use and disclosure of their personal information; and
- that the proposed approach does not protect consumers from organizations that do not take reasonable measures to ensure the accuracy of their databases.
Sectoral codes must not be allowed to dilute legislated standards nor to weaken existing processes for enforcement and consumer redress. On the other hand, properly constructed sectoral codes can achieve even more effective regulation than general cross-sectoral legislation. It is important in this respect to appreciate that the proposed sectoral code approach will require additional effort to ensure that the legislated standards are being met, and that consumers are not being short-changed as a result of less rigorous or more permissive sectoral codes. In order to achieve effective regulation via sectoral codes, it is essential that:
- the standards set out in sectoral codes be no lower than those set out in the general statute;
- consumers continue to have access to the same legislative protections and processes that they would otherwise have (i.e., the codes should be enforceable in the same way as the principles set out in the legislation);
- the sector be defined as clearly as possible, and there must be a clear and simple method of determining which codes apply to which organizations;
- the regulatory process for developing such codes include:
  - an open, transparent process that involves equal representation of industry and non-industry stakeholders;
  - participant funding to allow non-industry stakeholders to participate effectively in the process; and
  - rigorous advance notice to the public of the code approval process and an opportunity for public input;
- once approved under the legislation, codes be easily accessible by the public; and
- there be follow-up public education and awareness programs.
The example of credit reporting illustrates both the potential advantages and the potential pitfalls of the sectoral code approach. On one hand, it makes sense to apply more detailed rules (such as those contained in the Consumer Reporting Act) to credit reporting agencies, since credit reporting involves complex transactions of personal information as well as technical issues specific to that industry. On the other hand, a major player within the credit reporting industry is aggressively seeking to be exempted from general data protection legislation. A process to develop a sectoral code would clearly present an opportunity for this industry to pursue lower standards of data protection than required by the general legislation, and to avoid addressing the many privacy concerns raised by the industry’s current operations(2). Developing a fair sectoral code consistent with the protections set out in general data protection legislation will be a major challenge in the case of credit reporting.
Generally, the exemptions and exceptions to the proposed Act are reasonable, but we do have concerns in three areas:
Private Enforcement of Contractual Rights:
While we agree that certain contractual enforcement activities involving the collection, use or disclosure of personal information should not be impeded by data protection legislation, it is important that this exemption is not overly broad. Private enforcement of contractual rights should not be an excuse for unnecessary uses or disclosures of personal information. In particular, creditors and collection agencies should not be permitted to use or disclose any personal information collected in the course of debt collection for secondary purposes (i.e., purposes other than collecting the specific debt). This would include disclosure to credit bureaus, since such disclosure is not necessary for the purpose of collecting the debt.
In order for interested persons to respond fully to this proposal, the government should list examples of exemptions that would fall under this provision.
Public Domain Information:
We strongly oppose a broad exemption for “public domain information”. Indeed, this is one area in which we consider current practices of the Ontario government and Ontario municipalities, while permitted under the Freedom of Information and Protection of Privacy Acts, to be in clear violation of fundamental privacy principles. Specifically, we strongly object to the disclosure by governments of public registry data to third parties for marketing or other secondary purposes. Section 27 of the Municipal Freedom of Information and Protection of Privacy Act and section 37 of the Freedom of Information and Protection of Privacy Act exempt “personal information that is maintained for the purpose of creating a record that is available to the general public” from the full set of provisions protecting individual privacy in those statutes.
This exemption is overly broad; it fails to recognize that just because a record is publicly available does not mean that it should be “fair game” for anyone seeking to use the information for any purpose. In fact, most, if not all, of the registries in question were created and made publicly available at a time when the information therein could not be easily compiled, manipulated, sold, and used for commercial purposes. Times have changed. With the advent of computers and information technology, it is possible for entire databases to be transferred at the click of a mouse. No longer do researchers have to pore over handwritten records in chronological order to find what they are seeking; a simple keyword search will pull up the entry in seconds.
The implications for public registries of this transformation are enormous. Suddenly, the mere fact of technological capability has changed the meaning of “publicly available”. It is up to our lawmakers to ensure that the original intention of making such registries publicly available is identified and achieved, but not broadened. In particular, the Ontario government should take this opportunity to limit the use and disclosure of information in public registries; secondary purposes such as products marketing should not be permitted.
At a minimum, the Ontario government’s exemption for “public domain information” should be consistent with the federal government’s regulation on the same topic, to be finalized later this year.
The proposed exemption for collection, use or disclosure authorized by another law is deficient, and clearly does not meet the standard set by the federal legislation, which exempts disclosures only where “required by law” (subs. 7(3)(i)). Simply because another statute authorizes certain collection, use, or disclosure of personal information does not mean that such collection, use or disclosure is appropriate in the circumstances. If data protection rights (i.e., to knowledge and consent) are to be meaningful, they must not be so easily overridden. Individuals deserve to be notified and given an opportunity to refuse the collection, use or disclosure of their personal information whether or not such activities are authorized by statute. Indeed, data protection rights should take precedence in all cases of statutory authorization. Only where another statute requires collection, use, or disclosure should the requirement for knowledge and consent be lifted.
This is an important area in which the proposed approach falls short of the federal legislation, and thus where the Ontario government risks failing to achieve substantial similarity with the federal statute.
Question 12: Enforcement Regime
We view as one of the weaknesses of the federal data protection legislation its requirement that any legal enforcement be accomplished via the court system. This is a problem for individual consumers because court actions are too costly for the vast majority of complainants in privacy cases. It will be the very rare individual who deems it worthwhile to pursue a privacy invasion in court, especially where no measurable damages have occurred. Thus, enforcement of the law will be weak. For this reason, we support a legislative framework which includes the ability of government authorities to make binding orders, non-compliance with which is both punishable by fines and/or other penalties, and actionable either by the state or by the affected individual.
A key provision for compliance and enforcement purposes is the one empowering the oversight agency to publicize its findings. An essential corollary to this power is statutory protection from liability for any such public statements or disclosures. Publicity can be the most potent tool of enforcement, at least with respect to businesses that deal with the public or operate in the public eye. Some businesses dealing with personal information, however, are not well known to the general public and do not deal with consumers directly. Publicity may not be such a powerful tool in respect of their non-compliance. Hence, publicity should be considered as just one of many available enforcement tools.
Question 12 asks specifically about the desirability of an administrative appeals process. It seems to be suggesting an appeals mechanism for corporate defendants in enforcement actions. If such an appeal process is put in place, it should be available to both complainants and respondents. Given that most such appeals are likely to be taken by respondents, however, the value of it for complainants is likely to be minimal. Indeed, there is a risk that such an administrative tribunal would become “captured” by the industry it is meant to regulate, an unfortunate reality with which administrative lawyers have been grappling for years. The easiest way to avoid such a result is simply not to create the tribunal in the first place, and to rely instead upon the court system. If a tribunal is established, it should be staffed not by political appointees but rather by Ontario Court judges, or at least by legally trained persons familiar with concepts of due process as well as privacy rights.
We agree with the proposals on enforcement powers, but would emphasize that the results of the enforcement agency’s activities should in all cases be made public. Mediation reports, compliance orders and assurances of voluntary compliance should be published, and done so in a manner that is easily accessible to the public. Such publication of enforcement activities will ensure that:
- consumers have access to important information about the organizations they deal with;
- the enforcement agency will be publicly accountable, and thus held to a high standard of performance; and
- other organizations will see that government is serious about enforcing the legislation, which will in turn encourage compliance.
The enforcement agency should have the mandate to investigate all privacy issues under its jurisdiction which come to its attention. As mentioned above, privacy invasions occur in secret and are difficult to detect. The nature of privacy makes it likely that a complaint is just the “tip of the iceberg” in terms of a privacy issue. The enforcement agency should not be limited to addressing the specific complaint, but should also have the power to investigate further issues arising from the complaint.
Also, the enforcement agency should be able to initiate investigations in the absence of a formal complaint if it has any reasonable grounds to suspect non-compliance. We were appalled to discover recently that unregistered consumer reporting agencies (tenant blacklists) were operating openly in Ontario. These agencies had been openly advertised in the Yellow Pages under “credit reporting agencies” for several years, yet no-one tasked with enforcing the Consumer Reporting Act had noticed this flagrant violation of the law. This example shows that a complaints-based investigative power is not enough, and that the oversight agency itself needs the power to conduct proactive monitoring and enforcement activities.
There also needs to be a serious commitment by the government to ensuring strong enforcement of the legislation, if the consumer protection contained in it is to be meaningful. In our report on the consumer reporting industry(3), we raise serious concerns about the Ontario government’s apparently weak enforcement of its Consumer Reporting Act, including the facts that:
- Most consumers do not know that the Ministry of Consumer and Commercial Relations takes complaints about credit reporting agencies. There is little effort to raise consumer awareness of this, and, in fact, current practices at the Ministry make it difficult for consumers to reach the appropriate official.
- There is little public accountability in respect of the government’s enforcement of the Consumer Reporting Act. We were forced to make a Freedom of Information request to get basic information about the government’s investigations of consumer reporting agencies.
- A tenant blacklist was found to be operating in flagrant violation of the laws of Ontario, yet the responsible government authority made no investigation of its database to ensure that the information it contained had not been collected and/or disclosed illegally.
Clearly, the proposed Ontario Privacy Act needs to improve significantly upon the current Ontario Consumer Reporting Act in respect of enforcement.
1. Recently, in the course of a research project we contacted 40 companies that had good privacy policies. Of these, only 11 agreed to answer questions about their practices for our research project.
2. For more information about the privacy concerns raised by the consumer reporting sector, please refer to PIAC’s forthcoming report, Protecting Consumers’ Privacy in the Consumer Reporting System, which will be available shortly.