Letter to Privacy Commissioner of Canada urging Commissioner to name names of respondents in Commissioner Findings PDF [pdf file: 0.12mb]
December 18, 2003
Ms. Jennifer Stoddart
Privacy Commissioner of Canada
Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario K1A 1H3
BY FAX & MAIL
Dear Ms. Stoddart:
Naming Names of Respondents in Commissioner Findings
I am writing to you on behalf of the Public Interest Advocacy Centre. Firstly let us congratulate you on your appointment as Privacy Commissioner of Canada. We look forward to your able stewardship of this most important public office.
Naming of Respondents in Findings
PIAC is calling on you to consider naming the respondents in the findings of the Privacy Commissioner of Canada, effective January 1, 2004. The Office of the Privacy Commissioner of Canada has become an invaluable resource for Canadians seeking to vindicate their privacy rights. In particular, the Commissioner’s findings have convinced many federally-regulated businesses to mend their ways and respect Canadians’ privacy rights as guaranteed in the Personal Information Protection and Electronic Documents Act (PIPEDA).
However, these findings are significantly weakened as an enforcement tool by the anonymization of the organization whose practices have been challenged. Identification of parties is a matter of course in the courts and in administrative tribunals, including those dealing with such sensitive matters as human rights. The reason for this is obvious it keeps the parties honest, and it informs the public. “Justice should not only be done, but manifestly and undoubtedly be seen to be done.” Lord Hewart.
History of the Anonymous Findings Policy
The previous Privacy Commissioner, Mr. Radwanski, continued the practice of the first Commissioner, Mr. Phillips, of anonymizing the parties and offering the public the findings only in summary form. Apparently, there was some concern expressed by the industries likely to be most affected by PIPEDA during its early years (banks, telcos, transport companies), that publication of their names would be unfair and counterproductive to their efforts to comply. PIAC and others have in the past expressed the opposing view to Mr. Radwanski. However, we now feel the forbearance and restraint shown by the previous Commissioners has outlived the rationale of protecting the “early adopters”.
Recent Developments
We note that in a recent speech the B.C. Information and Privacy Commissioner, Mr. Loukidelis, has come out strongly in favour of publishing the names of the participants in any public hearing he holds in B.C. under the new B.C. privacy legislation (which is likely to apply in B.C. in place of PIPEDA). 1
This will also likely occur in Alberta and is also the case when matters come to a hearing in Quebec, as you know. In the interests of consistency of privacy law in Canada, publication of names should not depend where one’s corporation is headquartered.
We understand that the Office of the Privacy Commissioner of Canada, like the B.C. Information and Privacy Commissioner, is intending to adopt a dispute resolution model for the vast majority of complaints. This is to be applauded and will likely greatly aid citizens in providing fast, informal and better resolutions of complaints. It will also help the privacy commissioner in reducing misunderstandings and narrowing the issues for those complaints that do proceed to a formal hearing or investigation. However, we feel the naming of names will complement this approach, not harm it.
Policy and the Finding Process
When the issue truly is a difficult one, with corporate interests lined up against an individual complaint of a privacy violation, a formal investigation process is needed. A final finding will be invaluable to companies seeking to comply with privacy legislation and to citizens wishing to protect their privacy rights. But presently citizens cannot modify their behaviour by shunning a non-compliant organization or, as is more likely, demanding change from the organization they simply don’t know who it is. And the organization has no real incentive to change its practice a recipe for recidivism.
For example, the Interim Commissioner, Mr. Marleau, recently had to chastise “the bank” again for not implementing a previous finding and Commissioner advice on how to handle alternatives to taping telephone conversations with customers. Which bank? Only your office, “the bank” and one “lucky” customer know.
As Mr. Loukidelis notes, “the publication of the name of a non-compliant organization is a necessary and legitimate sanction for non-compliance and an incentive for compliance.” Of course, those organizations that are found to have been compliant with PIPEDA will be able to trumpet this fact. However, we do not see this as a drawback. Instead it will be a market-driver: organizations may sell themselves on their privacy stance and competitors will be able to state they can equal or better it. This is a true “privacy pay-off”.
The Law
There is some statutory reference to the issue in s. 20 of PIPEDA. Unfortunately it is general in nature. However, since the wording is key to your jurisdiction, we hope you will permit us to quote it, and to tolerate our following attempt at statutory interpretation.
Confidentiality
20. (1) Subject to subsections (2) to (5), 13(3) and 19(1), the Commissioner or any person acting on behalf or under the direction of the Commissioner shall not disclose any information that comes to their knowledge as a result of the performance or exercise of any of the Commissioner’s duties or powers under this Part.
Public interest
(2) The Commissioner may make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so. [. . .]
At first glance, subs. 20(1) seems to prohibit the Commissioner from publishing anything at all about complaints. However, it must be read in conjunction with the Commissioner’s duty to report the findings under subs. 13(1). Nonetheless, the Commissioner’s past stance regarding non-publication of names could appear to be justified by subs. 20(1) and subs. 13(1).
Note however, that subs. 20(1) is subject to subsection 2, that is, subject to the public interest. Under subs. 20(2) the “Commissioner may make public any information relating to the personal information practices of an organization” if it is in the public interest. It is futile to detail the poor information practices of an organization without naming it. The public, in whose interest this power has been enacted, cannot act unless the personal information practices in question can be linked to the perpetrator. Otherwise subs. 20(2) is a dead letter. Parliament should not be assumed to have created a little black privacy box which spews only good advice of a general “feel good” nature. This is not in the public interest.
We are aware of the reasons of the Supreme Court of Canada in Lavigne v. Canada (Office of the Commissioner of Official Languages), [2002] 2 S.C.R. 773, which considers s. 72 of the Official Languages Act, that has nearly identical wording to subs. 20(1) of PIPEDA. However, a close reading of Lavigne reveals a concern with anonymity for the complainant, not the respondent, in such “ombudsman”-like proceedings. We are, in fact, highly supportive of an asymmetrical naming policy by the Commissioner. For all the reasons given in Lavigne, we feel it is not appropriate to name complainants, who may therefore be victimized a second time by publicity.
Organizations, however, the vast majority of which are major corporations, cannot expect such privacy. These businesses increasingly collect, use and disclose (often for secondary marketing) personal information of real, live human beings. This means these businesses cannot have a reasonable expectation of privacy for their dealings with other people’s personal information. If they will trade in it, they will be accountable for it.
Rather than being a barrier to making the names of respondent public, section 20, on a common-sense reading, appears to be aimed squarely at protecting valuable commercial or other information of respondents. This is indeed the interpretation given in The Canadian Privacy Law Handbook by Murray Long and Suzanne Morin.2
Should you be willing to consider naming respondents, we hasten to point out the Commissioner and staff cannot be held criminally or civilly liable for any statements made in the course of their duties: s. 22 PIPEDA.
We therefore recommend that the Commissioner name respondents in findings as a matter of course.
Other Problems with the Finding Process
There are related problems with the process of issuing Commissioner findings that are exacerbated by the anonymization of organizations. Firstly, the practice of issuing separate findings to the complainant and respondent is quite irregular and leaves an impression that it is possible there could be a double-standard. It also seems contrary to the wording of s. 13, which speaks of “a report” and “the report” not the “reports”. Secondly, the practice of only making public the short summaries of findings means omitting very important details that would greatly benefit those seeking to comply with the Act. It also places the findings at one further remove from reality.
We therefore recommend that the Commissioner issue a single report on each investigation, as contemplated by the legislation. This report should be available to all interested parties, not just the parties to the complaint.
Thirdly, businesses routinely cite “errors” in the Commissioner’s factual findings and then justify the anonymization of parties as a protection against negligent factual investigation. Surely this problem is better resolved by requiring the complainant and respondent to agree to a statement of facts. In this way, factual “errors” can be avoided in the first place.
We therefore recommend that the Commissioner obtain an agreed statement of facts from the parties before making findings on any complaint.
In conclusion, PIAC feels there is an enforcement problem with PIPEDA: due to the ombudsman model adopted for the Privacy Commissioner and the policy of not naming respondents, little incentive exists for organizations to fully respect the Act. Other aspects of the Commissioner’s findings exacerbate this problem. With the increase in jurisdiction of the Privacy Commissioner in January 2004, the time seems right to institute a policy of naming names of respondents as a matter of course and generally increasing the transparency of the findings. In the name of Canadian consumers and citizens, we call upon you to seriously consider such a choice, and we are available to speak to you or meet with you to discuss this matter.
Sincerely,
John Lawford
Research Counsel
1. See “Thoughts on Private Sector Privacy Regulation” (November 24, 2003) at: http://www.oipcbc.org/publications/speeches_presentations/FIPAPIPAspeech112403.pdf.
2. See their comment to subs. 20(1):
“While the scope of what can be released is conceivably quite broad, this subsection [subs. 20(1)] should be read as requiring the Commissioner to maintain the confidentiality of any proprietary business information, business plans, trade secrets, or any other information that is not generally of a public nature and is properly outside the scope of an investigation or audit.” [emphasis added.]