[IP] Canadian privacy law protects those who break it

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Canadian privacy law protects those who break it
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 18 Oct 2004 14:29:05 +0100
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Michael Geist <mgeist@xxxxxxxxx>
Date: October 18, 2004 11:57:18 AM GMT+01:00
To: dave@xxxxxxxxxx
Subject: Canadian privacy law protects those who break it

Dave,

Of possible interest to IP - my regular Toronto Star Law Bytes columnfocuses on a recent Canadian privacy finding involving an inadvertentemail disclosure. The column contrasts the finding with a similarincident in the United States and argues that for Canadian privacy lawto garner the respect it needs to achieve widespread compliance, thePrivacy Commissioner's office should consider several changes to itsreporting approach including releasing full reports and exercising itspower by identifying the targets of well-founded privacy complaints.At the present time, those that violate Canada's privacy law areinvariably protected under a veil of anonymity.


Column at
<http://geistcanprivacyenforcement.notlong.com>

Best,

MG

Privacy law perversely protects those who break it

Michael Geist
Toronto Star

With Canada's national privacy law now nearly four years old, theCanadian privacy community has begun to assess the law's strengths andweaknesses. A recent ruling from the Privacy Commissioner of Canada'soffice involving an inadvertent e-mail disclosure provides a good casestudy for why the law's fundamental principles remain sound but thatenforcement - both in terms of the Commissioner's approach and inlimitations found in the law - remain a persistent shortcoming.

The case involved an unnamed Canadian loyalty program that mistakenlyrevealed the e-mail addresses of 618 people when it sent an e-mailmessage about a contest. The error was a relatively common one - ratherthan hiding the names in the e-mail message, the e-mail operator placedall the addresses in the "to" field. The company quickly sent anapology to the affected parties, but eleven recipients still chose tolaunch a complaint with the federal privacy commissioner.

The assistant privacy commissioner, who assumed responsibility for thecomplaint, concluded that it was "well founded." Canada's privacylegislation requires consent before the disclosure of personalinformation and it also compels organizations to provide adequatesecurity safeguards to protect the personal information they collect.In this particular case, the e-mail addresses constituted such personalinformation. Despite the existence of a privacy policy and somesecurity safeguards, the loyalty program failed to comply with both thedisclosure and security principles and thus ran afoul of the law.

Unfortunately, that is where the finding ends. While the decisionproperly finds that misuse of personal information, even ifinadvertent, is contrary to the law, it does not delve deeper intoimportant questions such as whether there were any consequences to theloyalty program for failing to comply with its privacy obligations.

To see how the case might have been handled, contrast it with asimilar incident in the United States in 2002. Eli Lilly, thepharmaceutical giant, created an e-mail reminder service to alertsubscribers to when they needed to take a pill or refill aprescription. Due to employee error, an e-mail message was sent thatdisclosed the e-mail addresses of all 669 subscribers.

The U.S. Federal Trade Commission investigated the incident andultimately reached a settlement with the company. The company wasbarred from future privacy misrepresentations, mandated to institute afour-step security program to safeguard personal information, andrequired to conduct an annual written review of its compliance with theprogram.

Although the Eli Lilly case might be distinguishable from the Canadianincident on the grounds that it involved more sensitive personalinformation, large consumer loyalty programs maintain enormousdatabases of personal information and should therefore be held to asimilarly high standard.

The real differences between the cases lie in the enforcement process.From a substantive perspective, the U.S. case resulted in tough newobligations backed by the threat of financial penalties for failure tocomply with the settlement. In Canada, the statute provides thecommissioner with little more than the power to issue a non-bindingfinding (the law requires the commissioner to take the case to thefederal court if stronger sanction is desired).

While next week I will address how Canada could beef up its privacylaw, another significant distinguishing feature lies in the differencein reporting mechanisms. In the United States, the Eli Lilly casestands as a forceful example of the reputational damage a company maysustain if it fails to sufficiently protect the personal information itcollects. The case was widely reported in the media as the FTC providedcomplete copies of the settlement, the initial complaint, relevantexhibits, and its analysis.

In Canada, the e-mail disclosure case is known simply as Finding #277.The public has not been provided either with the name of the loyaltycompany or with a complete copy of the commissioner's report on thecase. Instead, the commissioner's website features only a summary ofthe findings.

For Canadian privacy law to garner the respect it needs to achievewidespread compliance, the commissioner's office should considerseveral changes to its reporting approach. First, it should work towarda more timely release of findings, recognizing the import attached tothem by the privacy community. Moreover, it should update findings thatare challenged in federal court and refrain from removing findings fromits site without public notice (as it did in one instance over thesummer).

Second, the commissioner's office should stop adding an additionallayer to the reporting system with its summaries of each finding andinstead release the full text of Commissioner's report for each case(with only the complainant's identifying information omitted). Thecurrent approach adds unnecessary costs, leads to reporting delays, andfosters uncertainty within the privacy community on the degree to whichthe summary can be relied upon in future complaints.

Third, it should at long last exercise its power by identifying thetargets of well-founded complaints. The Act empowers the Commissionerto "make public any information relating to the personal informationmanagement practices of an organization if the commissioner considersthat it is in the public interest to do so." Critics of a "namingnames" approach have pointed to this provision as a reason for keepingthe parties anonymous, arguing that it cannot always be in the publicinterest to release identifying information.

In fact, changes at the commissioner's office suggest that the lawprovides plenty of support for a more transparent disclosure policy.Recent reports indicate that the commissioner's office is scaling backits disclosure of findings. Roughly half of all complaints are nowsettled through mediation and the commissioner apparently does not planto release the details of those resolved cases. Moreover, where afinding involves a fact scenario that has previously been discussed ina reported case, a new finding will similarly not be issued.

As a result of these changes, the commissioner's office seemingly nowplans to release only novel findings that cannot be settled.

Adopting a naming names approach to the well-founded subset of thosefindings could be manifestly justified on public interest grounds,providing the public with valuable information in assessing the privacypractices of Canadian organizations as well as sending a much-neededmessage that failure to comply with the law will result in seriousconsequences.

While Industry Canada Minister David Emerson will lead a statutorilymandated parliamentary review of Canada's privacy law in 2006, thePrivacy Commissioner of Canada need not wait for the results of thatprocess. Changes to Canada's reporting mechanisms would be a good starttoward ensuring that our privacy law is treated with the respect itdeserves.


--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist@xxxxxxxxx              http://www.michaelgeist.ca


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Wendy Grossman: Carbon-dating the Internet
Next by Date: [IP] "Fahrenheit 9/11" on Web to answer Sinclair anti-Kerry documentary?
Previous by thread: [IP] more on Wendy Grossman: Carbon-dating the Internet
Next by thread: [IP] "Fahrenheit 9/11" on Web to answer Sinclair anti-Kerry documentary?
Index(es):
- Date
- Thread