FC: Canadian privacy czar shouldn't be so private, by Michael Geist

From: Declan McCullagh (declanat_private)
Date: Thu May 31 2001 - 06:59:43 PDT


**********

Date: Thu, 31 May 2001 09:54:36 -0400
To: declanat_private
From: Michael Geist <mgeistat_private>
Subject: Canadian Privacy Commish needs a change in policy

Declan,

I thought your readers may be interested in my cyberlaw column today which 
focuses on the Canadian privacy commissioner's decision to keep most of his 
decisions interpreting Canada's new  privacy law secret. In doing so, 
companies and individuals are missing out on critical information regarding 
their privacy rights and obligations.  The column calls on the Privacy 
Commissioner to change his policy by at least making all decisions publicly 
available on a "no-names" basis.

MG

http://www.globetechnology.com/servlet/GAMArticleHTMLTemplate?tf=globetechnology/TGAM/EBusinessFullStory.html&cf=globetechnology/tech-config-neutral&slug=TWGEISY&date=20010531

globeandmail.com, Thursday, May 31, 2001
Privacy law needs open disclosure

MICHAEL GEIST

Friends and foes of Canada's new federal privacy legislation tend to agree 
on at least one issue -- the law is deceptively complex. Although the basic 
principles of privacy protection are relatively straightforward -- 
organizations must obtain consent for the collection, use, and disclosure 
of personal information as well as provide individuals with information 
about the data collection practices used and access to their personal 
information files -- the implementation of these principles is subject to 
different interpretations.

George Radwanski, Canada's privacy commissioner, is the arbiter who 
determines how to interpret and implement these privacy obligations. The 
law requires the privacy commissioner to investigate each privacy complaint 
filed with his office and to issue a report on the complaint within one 
year. This places a huge burden on the privacy commissioner's shoulders, 
since everyone with an interest in personal privacy -- from organizations 
seeking to ensure they comply with the law to individual Canadians 
asserting their privacy rights -- turns to Mr. Radwanski for guidance.

In light of the importance of the privacy commissioner's decisions, it 
comes as a shock to learn that Mr. Radwanski's current policy is to keep 
his decisions and interpretations secret, with the exception of a few 
decisions that may be highlighted in his annual report or used to encourage 
greater privacy compliance by recalcitrant organizations.

While this approach reflects a longstanding policy at the privacy 
commissioner's office, one that may have been appropriate when it dealt 
only with privacy complaints involving the federal government, the 
expansion of the privacy commissioner's duties to include on-line matters 
should also bring with it a change in Canada's disclosure policy.

In contrast to this federal approach, provincial privacy commissioners, 
such as Ann Cavoukian in Ontario or David Loukidelis in British Columbia, 
regularly publish their decisions on the Internet for everyone to see. This 
provincial open approach ensures that organizations can gauge how to comply 
with the law and that individuals can better understand their privacy rights.

For example, consider the application of the federal privacy law's consent 
requirements. The current law contains a flexible provision that mandates 
an explicit consent for the collection, use and disclosure of sensitive 
data, but allows for an implied consent for less sensitive information. 
Organizations will be looking to the privacy commissioner for what 
constitutes sensitive data or what is considered acceptable implied consent.

Under the current non-disclosure policy, there will be precious little 
public guidance, leaving organizations vulnerable to expensive 
investigations and higher compliance costs. Individual Canadians will also 
be hurt by the policy of non-disclosure.

Under the new law, organizations must provide Canadians with access to 
their personal information file. Unfortunately, the law is short on 
specifics when it comes to implementing this new access right. For example, 
how quickly must an organization respond to an access request? What, if 
anything, may be excluded from the report? Answers to questions such as 
these must come from the privacy commissioner.

The privacy commissioner has publicly defended his position by arguing that 
keeping his decisions private provides him with greater leverage over 
non-compliant organizations. He notes that adverse publicity is his most 
powerful weapon and that a position of non-disclosure enables him to 
threaten violators with public disclosure in order to ensure better and 
quicker compliance with the legislation.

The privacy commissioner neglects to mention, however, that the costs of 
this approach are borne by everyone.

Organizations seeking to comply with the law face the additional costs of 
not knowing how the law has been interpreted. Individual Canadians, 
meanwhile, are denied the information they need to fully take advantage of 
their newly enshrined privacy rights.

The policy is particularly puzzling since an obvious compromise exists: 
Information that might identify a violator could easily be removed from 
decisions, leaving only the fact scenario -- along with the decision and 
reasoning -- to be released. Such an approach would provide everyone with 
what they seek -- the public would gain a better understanding of how the 
legislation is being applied, while the privacy commissioner would retain 
his power to threaten organizations with public disclosure if they don't 
comply with the law.

In fact, the privacy commissioner could and should do more than just begin 
to post his compliance decisions. He should also post unofficial guidance, 
providing organizations with the opportunity to pre-clear their corporate 
privacy policies with his office and making those guidelines public on a 
"no-names" basis.

The appropriate policy on public disclosure is as simple as the law is 
complex. Whatever steps can be taken to make it easier for organizations 
and individuals to understand their rights and obligations under the new 
legislation should be pursued.  A policy of openness is undoubtedly another 
issue that friends and foes of the legislation can agree upon.

Michael Geist is a law professor at the University of Ottawa Law School and 
director of e-commerce law at the law firm Goodmans LLP. His Web site is 
http://www.lawbytes.com.

-- 
**********************************************************************
Professor Michael A. Geist
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., P.O. Box 450, Stn. A, Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
e-mail:	mgeistat_private
URL:	http://www.lawbytes.com




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------



This archive was generated by hypermail 2b30 : Thu May 31 2001 - 07:42:32 PDT