interesting-people message



Subject: IP: Canadian Privacy Commish needs a change in privacy policy



>Date: Thu, 31 May 2001 09:55:46 -0400
>To: farber@cis.upenn.edu
>From: Michael Geist <mgeist@uottawa.ca>
>Subject: Canadian Privacy Commish needs a change in privacy policy
>
>Dave,
>
>I thought your readers may be interested in my cyberlaw column today which 
>focuses on the Canadian privacy commissioner's decision to keep most of 
>his decisions interpreting Canada's new privacy law secret. In doing so, 
>companies and individuals are missing out on critical information 
>regarding their privacy rights and obligations.  The column calls on the 
>Privacy Commissioner to change his policy by at least making all decisions 
>publicly available on a "no-names" basis.
>
>MG
>
>http://www.globetechnology.com/servlet/GAMArticleHTMLTemplate?tf=globetechnology/TGAM/EBusinessFullStory.html&cf=globetechnology/tech-config-neutral&slug=TWGEISY&date=20010531
>
>globeandmail.com, Thursday, May 31, 2001
>Privacy law needs open disclosure
>
>MICHAEL GEIST
>
>Friends and foes of Canada's new federal privacy legislation tend to agree 
>on at least one issue -- the law is deceptively complex. Although the 
>basic principles of privacy protection are relatively straightforward -- 
>organizations must obtain consent for the collection, use, and disclosure 
>of personal information as well as provide individuals with information 
>about the data collection practices used and access to their personal 
>information files -- the implementation of these principles is subject to 
>different interpretations.
>
>George Radwanski, Canada's privacy commissioner, is the arbiter who 
>determines how to interpret and implement these privacy obligations. The 
>law requires the privacy commissioner to investigate each privacy 
>complaint filed with his office and to issue a report on the complaint 
>within one year. This places a huge burden on the privacy commissioner's 
>shoulders, since everyone with an interest in personal privacy -- from 
>organizations seeking to ensure they comply with the law to individual 
>Canadians asserting their privacy rights -- turns to Mr. Radwanski for 
>guidance.
>
>In light of the importance of the privacy commissioner's decisions, it 
>comes as a shock to learn that Mr. Radwanski's current policy is to keep 
>his decisions and interpretations secret, with the exception of a few 
>decisions that may be highlighted in his annual report or used to 
>encourage greater privacy compliance by recalcitrant organizations.
>
>While this approach reflects a longstanding policy at the privacy 
>commissioner's office, one that may have been appropriate when it dealt 
>only with privacy complaints involving the federal government, the 
>expansion of the privacy commissioner's duties to include on-line matters 
>should also bring with it a change in Canada's disclosure policy.
>
>In contrast to this federal approach, provincial privacy commissioners, 
>such as Ann Cavoukian in Ontario or David Loukidelis in British Columbia, 
>regularly publish their decisions on the Internet for everyone to see. 
>This provincial open approach ensures that organizations can gauge how to 
>comply with the law and that individuals can better understand their 
>privacy rights.
>
>For example, consider the application of the federal privacy law's consent 
>requirements. The current law contains a flexible provision that mandates 
>an explicit consent for the collection, use and disclosure of sensitive 
>data, but allows for an implied consent for less sensitive information. 
>Organizations will be looking to the privacy commissioner for what 
>constitutes sensitive data or what is considered acceptable implied consent.
>
>Under the current non-disclosure policy, there will be precious little 
>public guidance, leaving organizations vulnerable to expensive 
>investigations and higher compliance costs. Individual Canadians will also 
>be hurt by the policy of non-disclosure.
>
>Under the new law, organizations must provide Canadians with access to 
>their personal information file. Unfortunately, the law is short on 
>specifics when it comes to implementing this new access right. For 
>example, how quickly must an organization respond to an access request? 
>What, if anything, may be excluded from the report? Answers to questions 
>such as these must come from the privacy commissioner.
>
>The privacy commissioner has publicly defended his position by arguing 
>that keeping his decisions private provides him with greater leverage over 
>non-compliant organizations. He notes that adverse publicity is his most 
>powerful weapon and that a position of non-disclosure enables him to 
>threaten violators with public disclosure in order to ensure better and 
>quicker compliance with the legislation.
>
>The privacy commissioner neglects to mention, however, that the costs of 
>this approach are borne by everyone.
>
>Organizations seeking to comply with the law face the additional costs of 
>not knowing how the law has been interpreted. Individual Canadians, 
>meanwhile, are denied the information they need to fully take advantage of 
>their newly enshrined privacy rights.
>
>The policy is particularly puzzling since an obvious compromise exists: 
>Information that might identify a violator could easily be removed from 
>decisions, leaving only the fact scenario -- along with the decision and 
>reasoning -- to be released. Such an approach would provide everyone with 
>what they seek -- the public would gain a better understanding of how the 
>legislation is being applied, while the privacy commissioner would retain 
>his power to threaten organizations with public disclosure if they don't 
>comply with the law.
>
>In fact, the privacy commissioner could and should do more than just begin 
>to post his compliance decisions. He should also post unofficial guidance, 
>providing organizations with the opportunity to pre-clear their corporate 
>privacy policies with his office and making those guidelines public on a 
>"no-names" basis.
>
>The appropriate policy on public disclosure is as simple as the law is 
>complex. Whatever steps can be taken to make it easier for organizations 
>and individuals to understand their rights and obligations under the new 
>legislation should be pursued.  A policy of openness is undoubtedly 
>another issue that friends and foes of the legislation can agree upon.
>
>Michael Geist is a law professor at the University of Ottawa Law School 
>and director of e-commerce law at the law firm Goodmans LLP. His Web site 
>is http://www.lawbytes.com.
>
>--
>**********************************************************************
>Professor Michael A. Geist
>University of Ottawa Law School, Common Law Section
>57 Louis Pasteur St., P.O. Box 450, Stn. A, Ottawa, Ontario, K1N 6N5
>Tel: 613-562-5800, x3319     Fax: 613-562-5124
>e-mail: mgeist@uottawa.ca
>URL:    http://www.lawbytes.com
>
>Looking for Internet and technology law resources?  Check out:
>- the Canadian Internet Law Resource Page (CILRP) at: http://www.cilrp.org/
>- my bi-weekly Globe & Mail Cyberlaw column at http://www.globetechnology.com
>- my new Internet law textbook at 
>http://www.captus.com/Information/inetlaw-flyer.htm
>- Butterworths monthly newsletter Internet and E-commerce Law in Canada at 
>http://www.butterworths.ca/sampleinternetandecommercelawincanada.htm.
>
>My daily Internet law news service is now BNA's Internet Law News. Visit 
>http://www.bna.com/ilaw to subscribe to this free service.



For archives see: http://www.interesting-people.org/

