********** Date: Thu, 31 May 2001 09:54:36 -0400 To: declanat_private From: Michael Geist <mgeistat_private> Subject: Canadian Privacy Commish needs a change in policy Declan, I thought your readers may be interested in my cyberlaw column today which focuses on the Canadian privacy commissioner's decision to keep most of his decisions interpreting Canada's new privacy law secret. In doing so, companies and individuals are missing out on critical information regarding their privacy rights and obligations. The column calls on the Privacy Commissioner to change his policy by at least making all decisions publicly available on a "no-names" basis. MG http://www.globetechnology.com/servlet/GAMArticleHTMLTemplate?tf=globetechnology/TGAM/EBusinessFullStory.html&cf=globetechnology/tech-config-neutral&slug=TWGEISY&date=20010531 globeandmail.com, Thursday, May 31, 2001 Privacy law needs open disclosure MICHAEL GEIST Friends and foes of Canada's new federal privacy legislation tend to agree on at least one issue -- the law is deceptively complex. Although the basic principles of privacy protection are relatively straightforward -- organizations must obtain consent for the collection, use, and disclosure of personal information as well as provide individuals with information about the data collection practices used and access to their personal information files -- the implementation of these principles is subject to different interpretations. George Radwanski, Canada's privacy commissioner, is the arbiter who determines how to interpret and implement these privacy obligations. The law requires the privacy commissioner to investigate each privacy complaint filed with his office and to issue a report on the complaint within one year. This places a huge burden on the privacy commissioner's shoulders, since everyone with an interest in personal privacy -- from organizations seeking to ensure they comply with the law to individual Canadians asserting their privacy rights -- turns to Mr. Radwanski for guidance. In light of the importance of the privacy commissioner's decisions, it comes as a shock to learn that Mr. Radwanski's current policy is to keep his decisions and interpretations secret, with the exception of a few decisions that may be highlighted in his annual report or used to encourage greater privacy compliance by recalcitrant organizations. While this approach reflects a longstanding policy at the privacy commissioner's office, one that may have been appropriate when it dealt only with privacy complaints involving the federal government, the expansion of the privacy commissioner's duties to include on-line matters should also bring with it a change in Canada's disclosure policy. In contrast to this federal approach, provincial privacy commissioners, such as Ann Cavoukian in Ontario or David Loukidelis in British Columbia, regularly publish their decisions on the Internet for everyone to see. This provincial open approach ensures that organizations can gauge how to comply with the law and that individuals can better understand their privacy rights. For example, consider the application of the federal privacy law's consent requirements. The current law contains a flexible provision that mandates an explicit consent for the collection, use and disclosure of sensitive data, but allows for an implied consent for less sensitive information. Organizations will be looking to the privacy commissioner for what constitutes sensitive data or what is considered acceptable implied consent. Under the current non-disclosure policy, there will be precious little public guidance, leaving organizations vulnerable to expensive investigations and higher compliance costs. Individual Canadians will also be hurt by the policy of non-disclosure. Under the new law, organizations must provide Canadians with access to their personal information file. Unfortunately, the law is short on specifics when it comes to implementing this new access right. For example, how quickly must an organization respond to an access request? What, if anything, may be excluded from the report? Answers to questions such as these must come from the privacy commissioner. The privacy commissioner has publicly defended his position by arguing that keeping his decisions private provides him with greater leverage over non-compliant organizations. He notes that adverse publicity is his most powerful weapon and that a position of non-disclosure enables him to threaten violators with public disclosure in order to ensure better and quicker compliance with the legislation. The privacy commissioner neglects to mention, however, that the costs of this approach are borne by everyone. Organizations seeking to comply with the law face the additional costs of not knowing how the law has been interpreted. Individual Canadians, meanwhile, are denied the information they need to fully take advantage of their newly enshrined privacy rights. The policy is particularly puzzling since an obvious compromise exists: Information that might identify a violator could easily be removed from decisions, leaving only the fact scenario -- along with the decision and reasoning -- to be released. Such an approach would provide everyone with what they seek -- the public would gain a better understanding of how the legislation is being applied, while the privacy commissioner would retain his power to threaten organizations with public disclosure if they don't comply with the law. In fact, the privacy commissioner could and should do more than just begin to post his compliance decisions. He should also post unofficial guidance, providing organizations with the opportunity to pre-clear their corporate privacy policies with his office and making those guidelines public on a "no-names" basis. The appropriate policy on public disclosure is as simple as the law is complex. Whatever steps can be taken to make it easier for organizations and individuals to understand their rights and obligations under the new legislation should be pursued. A policy of openness is undoubtedly another issue that friends and foes of the legislation can agree upon. Michael Geist is a law professor at the University of Ottawa Law School and director of e-commerce law at the law firm Goodmans LLP. His Web site is http://www.lawbytes.com. -- ********************************************************************** Professor Michael A. Geist University of Ottawa Law School, Common Law Section 57 Louis Pasteur St., P.O. Box 450, Stn. A, Ottawa, Ontario, K1N 6N5 Tel: 613-562-5800, x3319 Fax: 613-562-5124 e-mail: mgeistat_private URL: http://www.lawbytes.com ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 07:42:32 PDT