[Politech] Canadian privacy law protects those who break it [priv]

From: Declan McCullagh (declan@private)
Date: Mon Oct 18 2004 - 20:17:02 PDT


[Maybe the U.S. laws in this area aren't as lacking and in need of 
"strengthening" as advocates of more regulation keep telling us? Heresy, 
I know... --Declan]


-------- Original Message --------
Subject: Canadian privacy law protects those who break it
Date: Mon, 18 Oct 2004 10:56:23 -0400
From: Michael Geist <mgeist@private>
To: declan@private

Declan,

Of possible interest to Politech - my regular Toronto Star Law Bytes
column focuses on a recent Canadian privacy finding involving an
inadvertent email disclosure.  The column contrasts the finding with
a similar incident in the United States (the Eli Lilly case) and
argues that for Canadian privacy law to garner the respect it needs
to achieve widespread compliance, the Privacy Commissioner's office
should consider several changes to its reporting approach, including
releasing full reports and exercising its power by identifying the
targets of well-founded privacy complaints.  At the present time,
those that violate Canada's privacy law are invariably protected
under a veil of anonymity.

Column at
<http://geistcanprivacyenforcement.notlong.com>

Best,

MG

Privacy law perversely protects those who break it

Michael Geist
Toronto Star

With Canada's national privacy law now nearly four years old, the
Canadian privacy community has begun to assess the law's strengths
and weaknesses. A recent ruling from the Privacy Commissioner of
Canada's office involving an inadvertent e-mail disclosure provides a
good case study for why the law's fundamental principles remain sound
but enforcement - both in terms of the Commissioner's approach
and in limitations found in the law - remains a persistent shortcoming.

The case involved an unnamed Canadian loyalty program that mistakenly
revealed the e-mail addresses of 618 people when it sent an e-mail
message about a contest. The error was a relatively common one -
rather than hiding the names in the e-mail message, the e-mail
operator placed all the addresses in the "to" field. The company
quickly sent an apology to the affected parties, but eleven
recipients still chose to launch a complaint with the federal privacy
commissioner.

The assistant privacy commissioner, who assumed responsibility for
the complaint, concluded that it was "well founded." Canada's privacy
legislation requires consent before the disclosure of personal
information and it also compels organizations to provide adequate
security safeguards to protect the personal information they collect.
In this particular case, the e-mail addresses constituted such
personal information. Despite the existence of a privacy policy and
some security safeguards, the loyalty program failed to comply with
both the disclosure and security principles and thus ran afoul of the
law.

Unfortunately, that is where the finding ends. While the decision
properly finds that misuse of personal information, even if
inadvertent, is contrary to the law, it does not delve deeper into
important questions such as whether there were any consequences to
the loyalty program for failing to comply with its privacy
obligations.

To see how the case might have been handled, contrast it with a
similar incident in the United States in 2002. Eli Lilly, the
pharmaceutical giant, created an e-mail reminder service to alert
subscribers to when they needed to take a pill or refill a
prescription. Due to employee error, an e-mail message was sent that
disclosed the e-mail addresses of all 669 subscribers.

The U.S. Federal Trade Commission investigated the incident and
ultimately reached a settlement with the company. The company was
barred from future privacy misrepresentations, mandated to institute
a four-step security program to safeguard personal information, and
required to conduct an annual written review of its compliance with
the program.

Although the Eli Lilly case might be distinguishable from the
Canadian incident on the grounds that it involved more sensitive
personal information, large consumer loyalty programs maintain
enormous databases of personal information and should therefore be
held to a similarly high standard.

The real differences between the cases lie in the enforcement
process. From a substantive perspective, the U.S. case resulted in
tough new obligations backed by the threat of financial penalties for
failure to comply with the settlement. In Canada, the statute
provides the commissioner with little more than the power to issue a
non-binding finding (the law requires the commissioner to take the
case to the federal court if stronger sanction is desired).

While next week I will address how Canada could beef up its privacy
law, another significant distinguishing feature lies in the
difference in reporting mechanisms. In the United States, the Eli
Lilly case stands as a forceful example of the reputational damage a
company may sustain if it fails to sufficiently protect the personal
information it collects. The case was widely reported in the media as
the FTC provided complete copies of the settlement, the initial
complaint, relevant exhibits, and its analysis.

In Canada, the e-mail disclosure case is known simply as Finding
#277. The public has not been provided either with the name of the
loyalty company or with a complete copy of the commissioner's report
on the case. Instead, the commissioner's website features only a
summary of the findings.

For Canadian privacy law to garner the respect it needs to achieve
widespread compliance, the commissioner's office should consider
several changes to its reporting approach. First, it should work
toward a more timely release of findings, recognizing the import
attached to them by the privacy community. Moreover, it should update
findings that are challenged in federal court and refrain from
removing findings from its site without public notice (as it did in
one instance over the summer).

Second, the commissioner's office should stop adding an additional
layer to the reporting system with its summaries of each finding and
instead release the full text of the Commissioner's report for each case
(with only the complainant's identifying information omitted). The
current approach adds unnecessary costs, leads to reporting delays,
and fosters uncertainty within the privacy community on the degree to
which the summary can be relied upon in future complaints.

Third, it should at long last exercise its power by identifying the
targets of well-founded complaints. The Act empowers the Commissioner
to "make public any information relating to the personal information
management practices of an organization if the commissioner considers
that it is in the public interest to do so." Critics of a "naming
names" approach have pointed to this provision as a reason for
keeping the parties anonymous, arguing that it cannot always be in
the public interest to release identifying information.

In fact, changes at the commissioner's office suggest that the law
provides plenty of support for a more transparent disclosure policy.
Recent reports indicate that the commissioner's office is scaling
back its disclosure of findings. Roughly half of all complaints are
now settled through mediation and the commissioner apparently does
not plan to release the details of those resolved cases. Moreover,
where a finding involves a fact scenario that has previously been
discussed in a reported case, a new finding will similarly not be
issued.

As a result of these changes, the commissioner's office seemingly now
plans to release only novel findings that cannot be settled.

Adopting a naming names approach to the well-founded subset of those
findings could be manifestly justified on public interest grounds,
providing the public with valuable information in assessing the
privacy practices of Canadian organizations as well as sending a
much-needed message that failure to comply with the law will result
in serious consequences.

While Industry Canada Minister David Emerson will lead a statutorily
mandated parliamentary review of Canada's privacy law in 2006, the
Privacy Commissioner of Canada need not wait for the results of that
process. Changes to Canada's reporting mechanisms would be a good
start toward ensuring that our privacy law is treated with the
respect it deserves.

-- 
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist@private              http://www.michaelgeist.ca



_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
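The two incidents above (Finding #277 and the Eli Lilly reminder service) share one root cause: a bulk message built with every subscriber in the visible "To" header. The following Python is an added example, not code from the column, from Politech, or from either organisation; it shows the leaky construction beside a safe one and a small outbound check that would have caught the mistake before the message left. All addresses and names (SUBSCRIBERS, loyalty.example, the `max_visible` threshold) are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (hypothetical addresses, not from the page).
SUBSCRIBERS = [f"member{i}@example.net" for i in range(1, 8)]


def build_leaky_message(sender, recipients, subject, body):
    """The mistake described in the column: every recipient in the To header.

    Each person who receives this can read every other subscriber's address.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_message(sender, recipients, subject, body, visible_to=None):
    """Safe construction: recipients travel only in the SMTP envelope.

    Returns the message (whose headers expose only the sender or an
    undisclosed-recipients alias) and the envelope recipient list separately,
    so nothing the recipients can see carries the subscriber list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = visible_to or sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def personalised_messages(sender, recipients, subject, body):
    """Strictest option: one message per subscriber, each addressed only to itself."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        out.append((msg, [rcpt]))
    return out


def visible_recipients(msg):
    """Every address a recipient could read from the message headers.

    Bcc is included deliberately: a Bcc header that survives into the
    transmitted bytes is just as much a disclosure as To or Cc.
    """
    values = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])]
    return [addr for _name, addr in getaddresses(values) if addr]


def outbound_guard(msg, max_visible=1):
    """Reject bulk mail that exposes more than max_visible distinct addresses.

    Returns (ok, sorted list of exposed addresses) so the caller can log
    exactly what would have leaked.
    """
    seen = sorted(set(visible_recipients(msg)))
    return len(seen) <= max_visible, seen


if __name__ == "__main__":
    sender = "contest@loyalty.example"  # hypothetical sender
    leaky = build_leaky_message(sender, SUBSCRIBERS, "Contest", "Enter by Friday.")
    print("leaky message passes guard:", outbound_guard(leaky))
    safe, envelope = build_safe_message(sender, SUBSCRIBERS, "Contest", "Enter by Friday.")
    print("safe message passes guard:", outbound_guard(safe), "envelope size:", len(envelope))
```

On the design choice: the safe builder returns the envelope list rather than writing it into a Bcc header. Python's `smtplib.SMTP.send_message` does strip Bcc before transmission and use it for the envelope, but the lower-level `sendmail` sends the header bytes exactly as given, so a Bcc header set on the message object is one code-path change away from becoming a To-style leak. Keeping the envelope out of the message entirely removes that dependence, and the guard runs against whatever bytes will actually be sent.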



This archive was generated by hypermail 2.1.3 : Mon Oct 18 2004 - 21:02:07 PDT