[IP] : Privacy and Expectations
Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Mon, 17 Nov 2003 10:07:24 -0500
From: Michael Geist <mgeist@xxxxxxxxx>
Dave,
My regular Toronto Star Lawbytes column may be of interest -- it contrasts
privacy compliance in Canada and the U.S. It argues that while Canada may
have enacted comprehensive privacy legislation, there are minimal
expectations that the law will be enforced aggressively. It concludes that
organizations with good privacy practices as well as the public would
benefit from Canada's next privacy commissioner creating the expectation
that privacy practices that run afoul of the law will be punished and
publicly identified.
Column at
<http://shorl.com/darugodraguvy> [Toronto Star]
Best,
MG
Name names, or privacy law toothless
Michael Geist
Lawbytes
The Canadian privacy community has long circled January 1, 2004 on its
collective calendar as the privacy equivalent of Y2K.
The Personal Information Protection and Electronic Documents Act (PIPEDA),
Canada's national private-sector privacy legislation, kicks into full swing
on that date, following three years of limited applicability to federally
regulated entities such as banks and broadcasters.
Despite a widespread campaign warning organizations to examine their data
collection and disclosure practices to ensure compliance with the law, the
consensus is that the majority of Canadian organizations will not be
compliant come January 1.
Although some organizations may still be unaware of the law, many others
may have deliberately decided to not comply, having concluded that
non-compliance is a rational, albeit unfortunate, approach.
The emerging problem does not lie in the substantive provisions found in
the law - PIPEDA sets out time-tested privacy principles that have been
adopted around the world - but rather it lies in the way the law has been
enforced.
Although PIPEDA contains penalty provisions that establish the potential
for both actual and punitive damages, the most powerful weapon in a privacy
commissioner's arsenal is public disclosure of non-compliant organizations.
Extensive media coverage understandably generates far more fear in the
hearts of organizations than any prospective penalties or fines could cause
since the harm to reputation inflicted by a front page headline detailing
privacy abuses can cause damage that may take years to undo.
A review of the more than 200 findings released thus far reveals that the
Federal Privacy Commissioner has been unwilling to name names. Although the
cases have dealt with a wide range of critical privacy issues including the
nature of consent and the appropriate standard for protecting personal
information, with the exception of one case involving Aeroplan, the parties to
the privacy complaints have themselves been kept private.
This approach hurts both companies that maintain good privacy practices and
the general public.
For companies with good privacy practices, the anonymous approach cheats
them of the reputational benefit associated with respecting their
customers' privacy.
Similarly, the public is harmed since they lose access to valuable
information that would allow them to make better-informed decisions about
which organizations best respect their personal privacy.
In fact, while Canadians often point to their national privacy law as
evidence of a more progressive approach to privacy than that found in the
U.S., the truth is that the aggressive enforcement of the patchwork of
privacy laws found in the U.S. may actually lead to better corporate
privacy practices there.
A comparison of Canadian and U.S. approaches to inadvertent privacy errors
is instructive. In one Canadian case, a consumer launched a complaint after
his bank released the personal information of five other customers to him.
The bank argued that the mistake was an isolated incident. The Commissioner
sided with the complainant yet did not disclose the name of the bank nor levy
any punishment.
In another recent case, a bank admitted accessing customer account
information after using the call display feature to identify an anonymous
caller. The bank again claimed that this was an isolated incident. The
Commissioner sided with the complainant but again did not identify the bank
nor award damages.
By comparison, in the U.S. in 2002 pharmaceutical giant Eli Lilly disclosed
the e-mail addresses of 669 people subscribed to a Prozac reminder service.
The U.S. Federal Trade Commission launched an action against this isolated,
inadvertent mistake, ordering the company to limit employee access to its
e-mail program, to conduct an audit of its entire Internet operations for
other potential security risks, and to submit an annual review of its
practices.
The difference between Canadian and U.S. privacy enforcement underlies the
dramatically different expectations about the consequences of privacy
compliance.
While Canada may have enacted comprehensive privacy legislation, there are
minimal expectations that the law will be enforced aggressively. The United
States, meanwhile, may not have similarly comprehensive legislation, but
there is every expectation that their current laws will be enforced in a
serious manner.
The lesson for the Canadian privacy community is that privacy laws alone
are not sufficient to ensure good privacy practices. Rather, privacy
compliance depends upon establishing the expectation that privacy practices
that run afoul of the law will be punished and publicly
identified.
We should expect nothing less.
--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
Technology Counsel, Osler, Hoskin & Harcourt LLP
57 Louis Pasteur St., P.O. Box 450, Stn. A, Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319 Fax: 613-562-5124
mgeist@xxxxxxxxx http://www.michaelgeist.ca