<<< Date Index >>>     <<< Thread Index >>>

[IP] : Privacy and Expectations




Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Mon, 17 Nov 2003 10:07:24 -0500
From: Michael Geist <mgeist@xxxxxxxxx>

Dave,

My regular Toronto Star Lawbytes column may be of interest -- it contrasts privacy compliance in Canada and the U.S. It argues that while Canada may have enacted comprehensive privacy legislation, there are minimal expectations that the law will be enforced aggressively. It concludes that organizations with good privacy practices as well as the public would benefit from Canada's next privacy commissioner creating the expectation that privacy practices that run afoul of the law will be punished and publicly identified.

Column at
<http://shorl.com/darugodraguvy> [Toronto Star]

Best,

MG

Name names, or privacy law toothless

Michael Geist
Lawbytes

The Canadian privacy community has long circled January 1, 2004 on its collective calendar as the privacy equivalent of Y2K.

The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's national private-sector privacy legislation, kicks into full swing on that date, following three years of limited applicability to federally regulated entities such as banks and broadcasters.

Despite a widespread campaign warning organizations to examine their data collection and disclosure practices to ensure compliance with the law, the consensus is that the majority of Canadian organizations will not be compliant come January 1.

Although some organizations may still be unaware of the law, many others may have deliberately decided to not comply, having concluded that non-compliance is a rational, albeit unfortunate, approach.

The emerging problem does not lie in the substantive provisions found in the law - PIPEDA sets out time-tested privacy principles that have been adopted around the world - but rather it lies in the way the law has been enforced.

Although PIPEDA contains penalty provisions that establish the potential for both actual and punitive damages, the most powerful weapon in a privacy commissioner's arsenal is public disclosure of non-compliant organizations.

Extensive media coverage understandably generates far more fear in the hearts of organizations than any prospective penalties or fines could cause since the harm to reputation inflicted by a front page headline detailing privacy abuses can cause damage that may take years to undo.

A review of the more than 200 findings released thus far reveals that the Federal Privacy Commissioner has been unwilling to name names. Although the cases have dealt with a wide range of critical privacy issues including the nature of consent and the appropriate standard for protecting personal information, with the exception of one case involving Aeroplan, the parties to
the privacy complaints have themselves been kept private.

This approach hurts both companies that maintain good privacy practices as well as the general public.

For companies with good privacy practices, the anonymous approach cheats them of the reputational benefit associated with respecting their customers' privacy.

Similarly, the public is harmed since they lose access to valuable information that would allow them to make better-informed decisions about which organizations best respect their personal privacy.

In fact, while Canadians often point to their national privacy law as evidence of a more progressive approach to privacy than that found in the U.S., the truth is that the aggressive enforcement of the patchwork of privacy laws found in the U.S. may actually lead to better corporate privacy practices there.

A comparison of Canadian and U.S. approaches to inadvertent privacy errors is instructive. In one Canadian case, a consumer launched a complaint after his bank released the personal information of five other customers to him.

The bank argued that the mistake was an isolated incident. The Commissioner sided with complainant yet did not disclose the name of the bank nor levy any punishment.

In another recent case, a bank admitted accessing customer account information after using the call display feature to identify an anonymous caller. The bank again claimed that this was an isolated incident. The Commissioner sided with the complainant but again did not identify the bank nor award damages.

By comparison, in the U.S. in 2002 pharmaceutical giant Eli Lilly disclosed the e-mail addresses of 669 people subscribed to a Prozac reminder service.

The U.S. Federal Trade Commission launched an action against this isolated, inadvertent mistake, ordering the company to limit employee access to its e-mail program, to conduct an audit of its entire Internet operations for other potential security risks, and to submit an annual review of its practices.

The difference between Canadian and U.S. privacy enforcement underlies the dramatically different expectations about the consequences of privacy compliance.

While Canada may have enacted comprehensive privacy legislation, there are minimal expectations that the law will be enforced aggressively. The United States, meanwhile, may not have similarly comprehensive legislation, but there is every expectation that their current laws will be enforced in a serious manner.

The lesson for the Canadian privacy community is that privacy laws alone are not sufficient to ensure good privacy practices. Rather, privacy compliance depends upon establishing the expectation that privacy practices that run afoul of the law will be punished and publicly
identified.

We should expect nothing less.
--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
Technology Counsel, Osler, Hoskin & Harcourt LLP
57 Louis Pasteur St., P.O. Box 450, Stn. A, Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist@xxxxxxxxx              http://www.michaelgeist.ca


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/