Address to the Riley Conference on Privacy and Bill C-54 by Philippa Lawson (February 1999)
Address to Riley Conference on Privacy and Bill C-54 Privacy in Canada: A Public Interest Perspective
It’s been said that privacy is the civil liberties issue of our era. We used to take it for granted, but all that has changed with computers. As David Flaherty said, our technocratic societies can now accomplish what George Orwell could only dream about. But it’s not just government that’s finding ever more privacy-invasive uses of information technology; it’s also business.
The public is gradually waking up to the fact that they have lost all control over their personal information with the advent of increasingly powerful computer technologies. And they are not happy about it.
I’ve been working as a consumer advocate for eight years. Over that period of time, concern over consumer privacy has steadily grown.
First, it was junk mail and telemarketing – consumers did not like getting unsolicited mail and certainly not unsolicited telephone calls, especially during dinner time. Telemarketing was – and still is – seen as an unwelcome intrusion into the privacy of one’s home, violation of the “right to be let alone”.
What’s interesting here is that the mere act of calling a stranger to make a commercial solicitation was considered a privacy invasion, even before taking into account the unauthorized collection and disclosure of personal data that made the call possible. At the time, consumer complaints focused on the physical privacy invasion, without fully appreciating that such invasions were based on a growing trade in personal information.
Then came the use by some commercial marketers of automatic dialling and announcing devices – known by their acronym as ADADs. The use of this technology to speed up the dialling process and replace human interaction generated unprecedented volumes of consumer complaints – people reacted even more negatively to computer recordings and dead air – for some reason, this seemed more of a privacy invasion than when humans were on the other end of the line.
Parliament responded by including in the Telecommunications Act of 1993 a provision which empowers the CRTC to prohibit or regulate the use of Canadian telecommunications facilities for the provision of unsolicited telecommunications. For its part, the CRTC established various rules for telemarketing, including time of day restrictions, identification and disclosure requirements, and the consumer’s right to have themselves removed from marketing lists.
But these were merely band-aid measures in relation to the underlying problem.
They didn’t even purport to limit the unauthorized collection, trading and use of personal information.
Around the same time, came a new telecommunications service known as Call Display. Suddenly, Canadians found themselves put in the strange position of automatically sharing their phone number with others, whether they meant to or not. While the service has its privacy enhancing side, and proved to be quite popular, its introduction served as a wake-up call for Canadians who had until then taken their privacy for granted. There was a public outcry. The CRTC was forced to retract its original decision to permit a 75 cent charge each time a caller blocked the display of their number, and to permit such blocking free of charge.
Even with free blocking, many people felt cheated of their legitimate privacy rights by this new technological invention. The tables had been turned; the default was now disclosure, they were now required to make an effort in order to maintain the same level of privacy, through anonymity, that they originally had.
As Internet usage blossomed, and electronic commerce for the masses was born, consumers learned about cookies, about information brokers and about data mining.
They found their confidential information published in alternative telephone directories, without their knowledge or consent.
They received unsolicited e-mail messages, offering the means to “find out anything about anyone on the Net”.
They discovered how easy it is for strangers to get hold of everything from a list of their assets, to a detailed map showing the way to their house.
They continued to be bombarded with unwanted commercial offers targeted at them personally.
Consumers are now beginning to appreciate the enormity of the problem – that all of this reflects a wholesale loss of control by individuals over their own personal information.
The problem is a consumer problem in the sense that the information is gathered largely through consumer transactions, and is used largely to induce further consumer transactions. But it goes much deeper – to the values at the core of civil society: liberty, freedom of speech, security of the person, individual autonomy and human dignity. Consumers are also citizens, and as citizens, they are demanding legal recognition of a basic right: the right to control who gets hold of their personal information, and over the uses to which such information can be put.
Some say that market forces will work this one out, that we don’t need legislation protecting personal data in the private sector.
The evidence against this view is overwhelming: unauthorized collection, use and disclosure of personal information continues apace. Businesses (and governments for that matter) find that the financial gains from trafficking in personal data are just too tempting. And consumers are too rushed, too trusting, and too resigned to put up a fight.
In many instances, consumers are told they can only get the product of service if they provide the information, regardless of how necessary that information is to the transaction in question.
In other instances, consumers are wrongly assured that the information will be used for no other purposes.
In still other cases, consumers don’t even know that their personal information is being recorded, or assume, quite reasonably, that the information will not be sold to other entities. They simply don’t know enough to complain or refuse
Clearly, data protection requires legislative action. The right to privacy that Canadians assert needs to be explicitly recognized in law. This is one of those areas in which societal rules for the protection of the weak from the strong have not kept pace with technological change. It’s time for us to bring our laws into line with our social values.
Bill C-54 is a major step forward in this respect. While limited in application to federal employees and commercial activities, apparently because of the limited scope of the federal “trade and commerce” power, it provides a model which can be used by the provinces to legislate data protection in respect of all activities, not just commercial.
Let me tell you some of the things that we, as consumer and privacy advocates, like about Bill C-54:
We like the federal government’s willingness to act where provinces fail to do so. All Canadians deserve the same legislated rights and protections in respect of their personal information. They don’t want to be deprived of protection simply because their provincial government has failed to act. Moreover, they don’t want a patchwork of different standards and regimes across the country, especially when the problem of data flows so often crosses borders. This problem is not a local issue: it transcends provincial, even national, boundaries. It’s solution must similarly transcend provincial and national boundaries.
We like the definition of personal information as “information about an identifiable individual that is recorded in any form”. It is important that anonymized information be treated as personal information as long as it can be re-personalized, through whatever means, be it code matching or analysis of other data in the record, such as the date, location and type of treatment that a particular patient received. As long as the individual can be identified, through whatever means, associated information must be protected.
We like the protection of all personal data, including that which is already available to the public. Just because personal information has been released into the public sphere does not mean that it should now be “fair game” for any and all commercial interests. In many cases, individuals have no choice but to allow their personal information to be added to a public register, in order for example, to purchase a house or obtain a driver’s licence. Surely it cannot be said that these individuals have thus consented to the subsequent collection, use or disclosure of that information by any private entity for any commercial purpose. Indeed, they may not even be aware of the fact that this information is now publicly available.
Furthermore, much personal information is improperly published without the individual’s knowledge and consent. Treating this improperly published information as “fair game”, especially with respect to further disclosure, is clearly unacceptable and contrary to the purpose of the legislation.
We like the broad mandate and powers given to the Privacy Commissioner for research, education, and promotion of effective privacy practices, and especially for publication of the results of his investigations. Publicity is probably the strongest tool for enforcing the rights and obligations in this Bill. No company wants bad publicity. In contrast, fines can be considered a mere cost of doing business, if they are not of sufficient magnitude.
We also like the powers of the Commissioner to initiate a complaint himself, and to take complaints to the Federal Court for binding orders as necessary.
In order for the benefits of these powers to be realized, it will of course be necessary that the Privacy Commissioner have significantly more financial resources than he now has. We therefore join the chorus of parties urging the federal government to increase the Commissioner’s budget accordingly.
What don’t we like?
We don’t like the subsuming of privacy rights within legislation designed “to support and promote electronic commerce”. Privacy rights should stand on their own legislative ground. They should be legally recognized on their own merit, not as enablers of electronic commerce.
We are concerned with the wholesale importation of an industry code, which has a number of deficiencies, two of which stand out in our view:
First, is the failure of the Code to limit the purposes for which personal information can be collected, used or disclosed. Under the Code, organizations must identify their purposes internally, and must make reasonable efforts to ensure that the individual is advised of those purposes. However, there is nothing to stop organizations from collecting or using personal information for objectionable purposes, as long as they have identified such purposes.
In our view, this is a major gap that should be filled with a clause clearly limiting the term “purposes” to those which are legitimate, justifiable in the circumstances, and reasonably expected in the circumstances. Or, as Val has suggested, “purposes” should be limited to those which can be demonstrably justified in a free and democratic society – thus importing the Supreme Court’s jurisprudence on section 1 of the Charter.
Secondly, the Bill fails to separate the requirements of knowledge and consent in those situations where the requirement for consent is waived. People deserve to be notified of information collection, use and disclosure in almost all cases. Yet, the Bill, like the CSA Code, treats knowledge and consent as one and the same thing. Wherever the requirement for consent is waived, so is the requirement for notification. We hope that this is an oversight that will be corrected. In all but a few exceptional cases (such as the investigation of fraud), individuals deserve to be told what is happening with their personal information.
We are very concerned about the broadly worded exceptions for “statistical, or scholarly study or research, purposes”, especially in respect of disclosure. There is no limit to the types of organizations and activities which can qualify under these exceptions. The term “statistical purposes” is particularly subject to abuse, as Canadian consumers well know from the endless clever marketing solicitations they receive. Even “scholarly research” opens the door to significant abuse, unless it is further qualified. At a minimum, the use of personal information for research should be permitted only where anonymous information will not suffice, and only with approval from the Privacy Commissioner.
Fourth, we think there should be strong whistleblower protection. Privacy abuses are often invisible to the individual concerned. We must therefore rely upon those working for data users to disclose privacy violations. Those with the courage to blow the whistle on their employer must be properly protected.
We don’t like reliance on the Federal Court for binding orders. The Federal Court is not accessible to the ordinary citizen. It requires the assistance of a lawyer, and a significant financial investment. Only the most determined and financially able complainants will pursue their wrongdoers under this regime. Instead of being able to rely on consumers to discipline wrongdoers through the court system, the Commissioner will have to do so on their behalf. The Bill thus places an even heavier burden on the Commissioner than appears at first blush.
A preferable approach would be to establish a small, accessible, inexpensive tribunal to handle enforcement and redress matters. One way to keep such tribunals accessible to the public may be to follow the Australian example of prohibiting lawyers from appearing on behalf of others.
We also don’t like limiting punitive damages to $20,000. Personal information is valuable. There may well be cases in which such a penalty constitutes nothing more than a cost of doing business, from the perspective of the wrongdoer.
Finally, while we strongly support the granting of audit powers to the Commissioner, we do not think that they should be limited to cases in which the Commissioner “has reasonable grounds to believe that the organization is contravening [the Act]”. Given the invisible nature of privacy violations, audits are an important tool for obtaining compliance, and should be available even where no complaints have been received.
Even if our legislators get it right, Bill C-54 can only go so far. Not only is the federal government limited by the constitution and political realities within Canada, but domestic legislation can only address a fraction of this worldwide problem. Let’s face it: the globalization of commerce has severely limited the abilities of individual states to protect their citizens from commercial abuses. Multinational firms require multinational responses. It’s therefore essential that countries work together to develop consistent, comprehensive laws and enforcement mechanisms for the protection of personal information.
I’d like to wrap up by quoting from Edward Ryan, who recognized in 1972 that:
“Privacy is not just an individual interest, but is first and foremost a political value of the highest order. The creation now of a conceptual rubric under which privacy can be protected, both legally as well as ethically, will be as important to the functioning of western democracy at the end of the twentieth century as was the existence of a viable concept of freedom of speech at its beginning.”