[IP] Is Canada's Privacy Law a Privacy Placebo?
Date: Mon, 19 Apr 2004 09:25:54 -0400
From: Michael Geist <mgeist@xxxxxxxxx>
Subject: Is Canada's Privacy Law a Privacy Placebo?
Dave,
Of possible interest to IP -- my regular Toronto Star Law Bytes column
questions the effectiveness of Canada's privacy legislation, arguing that
privacy laws without effective enforcement and genuine transparency may
provide Canadians with little more than placebo privacy protection. The
column suggests that responsibility for these issues rests with both the
Privacy Commissioner's Office and the Canadian government.
Column at
<http://tinyurl.com/3bx56> [Toronto Star]
MG
Weak enforcement undermines privacy laws
MICHAEL GEIST
LAW BYTES
At a recent meeting of Canadian privacy professionals, the United States'
approach to privacy was derisively characterized as amounting to little
more than a privacy policy placebo, a reference to the reliance on privacy
policies under the U.S. system.
The comment reflects the perspective of many in the privacy community
outside the U.S., who view the legislative approach employed in Canada,
Europe, and Australia as a superior method of protecting personal privacy.
Although the U.S. system is not perfect - privacy policies do not
necessarily equate to effective privacy protection - several recent studies
do suggest that major U.S. companies respect their privacy obligations and
strictly adhere to the commitments set out in their policies in greater
numbers than companies in countries with privacy legislation.
The reason behind the U.S. findings may well rest with the very active
enforcement mechanisms found there. While U.S. privacy laws may not be as
comprehensive as those found in Canada, enforcement agencies have levied
millions in fines for privacy violations, sending an unmistakable signal
that privacy legislation is serious business.
By contrast, PIPEDA enforcement has thus far not resulted in the pursuit of
cases in federal court nor in public fines being levied. As former IBM CEO
Louis Gerstner once noted, "people do what you inspect, not what you expect."
Given that there have been few, if any, commissioner-initiated inspections,
it should be a matter of concern that Canadians are beginning to expect
precious little when it comes to their privacy law.
While Canada has opted for an ombud-type approach that is designed to
resolve outstanding privacy complaints rather than encourage increased
litigation, it may be time to consider how we can instil a greater
commitment to privacy within our chosen approach. In fact, the privacy
commissioner of Canada recently raised the question of responsibility for
privacy in a decision titled "A Question of Responsibility."
The case involved a workplace dispute in which a union representative sent
a confidential letter on behalf of an employee from the company fax machine
without a cover sheet. The employee's manager picked up the fax receipt,
which included a copy of the letter. After the employee noticed the manager
reading the confidential information, he asked that the manager stop
reading the letter and promptly return it to him. The manager ignored the
request and returned the letter only after reading it in its entirety.
While privacy-watchers might have expected the commissioner (and the
assistant commissioner who is credited with the decision) to side with the
employee - most jurisdictions with privacy legislation would have required
the manager to have stopped reading the letter once advised of its private
nature - the commissioner surprisingly issued a not well-founded decision.
The reasoning apparently rests with the new commissioner's view of who
bears responsibility for protecting personal privacy. According to the
summary of the decision, responsibility rested with the union
representative and the employee to take the steps necessary to ensure that
the letter was kept private given the public nature of the fax machine.
Although the commissioner's view of the public nature of the fax machine is
certainly supportable, the willingness to excuse the disregard for the
employee's privacy sends a disturbing message to all Canadians concerned
with their personal privacy. It suggests that individuals are only entitled
to privacy protection if they take active steps to protect their personal
privacy, a condition certainly not found in the law.
While the commissioner has focused on the need for both individuals and
companies to shoulder their share of the burden in fostering a
privacy-friendly environment in Canada, responsibility for privacy should
also be examined from the perspective of both the office of the privacy
commissioner and the federal government.
As noted above, the privacy commissioner must ensure that PIPEDA is not
rendered ineffectual through weak enforcement. The danger that the Canadian
law will be viewed as having more bark than bite can be addressed if the
commissioner's office can marshal the financial resources to use all of the
statutory powers placed at its disposal.
It also must jump at the opportunity to take a leadership position on
emerging issues such as spam. While private companies such as Yahoo,
Amazon.com, and Earthlink have all launched actions against Canadian
organizations for spamming activity, the commissioner's office has been
inactive on an issue that affects millions of Canadian businesses and
Internet users.
To the credit of the commissioner's office, it has recently improved the
search functionality of its Web site. More can be done to improve the
dissemination of privacy-related information to the public, however. For
example, decisions continue to be released in summary form, many of which
are difficult to decipher. The entire privacy community would benefit from
greater transparency in this area by being provided with more information,
not less.
If the commissioner's office is to take the lead on cutting edge issues and
increase its enforcement activity, the federal government must step up to
the plate to provide it with much-needed resources.
In the wake of last year's scandal involving former privacy commissioner
George Radwanski, the office has faced significant budget pressures that
have constrained new hiring and sadly transformed the current privacy
legislation into a complaints-only-driven process.
While there is no doubt the will at the commissioner's office to ensure
that PIPEDA meets expectations, the federal government must help pave the way.
It is evident that privacy laws without effective enforcement and genuine
transparency may provide Canadians with little more than placebo privacy
protection. Ensuring that this does not happen is, in the words of the
privacy commissioner, a question of responsibility.
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
Technology Counsel, Osler, Hoskin & Harcourt LLP
57 Louis Pasteur St., P.O. Box 450, Stn. A, Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319 Fax: 613-562-5124
mgeist@xxxxxxxxx http://www.michaelgeist.ca