[Maybe the U.S. laws in this area aren't as lacking and in need of "strengthening" as advocates of more regulation keep telling us? Heresy, I know... --Declan]

-------- Original Message --------
Subject: Canadian privacy law protects those who break it
Date: Mon, 18 Oct 2004 10:56:23 -0400
From: Michael Geist <mgeist@private>
To: declan@private

Declan,

Of possible interest to Politech - my regular Toronto Star Law Bytes column focuses on a recent Canadian privacy finding involving an inadvertent email disclosure. The column contrasts the finding with a similar incident in the United States (the Eli Lilly case) and argues that for Canadian privacy law to garner the respect it needs to achieve widespread compliance, the Privacy Commissioner's office should consider several changes to its reporting approach, including releasing full reports and exercising its power by identifying the targets of well-founded privacy complaints. At the present time, those that violate Canada's privacy law are invariably protected under a veil of anonymity.

Column at <http://geistcanprivacyenforcement.notlong.com>

Best,
MG

Privacy law perversely protects those who break it
Michael Geist
Toronto Star

With Canada's national privacy law now nearly four years old, the Canadian privacy community has begun to assess the law's strengths and weaknesses. A recent ruling from the Privacy Commissioner of Canada's office involving an inadvertent e-mail disclosure provides a good case study for why the law's fundamental principles remain sound but enforcement - both in terms of the Commissioner's approach and in limitations found in the law - remains a persistent shortcoming.

The case involved an unnamed Canadian loyalty program that mistakenly revealed the e-mail addresses of 618 people when it sent an e-mail message about a contest. The error was a relatively common one - rather than hiding the names in the e-mail message, the e-mail operator placed all the addresses in the "to" field.

The company quickly sent an apology to the affected parties, but eleven recipients still chose to launch a complaint with the federal privacy commissioner. The assistant privacy commissioner, who assumed responsibility for the complaint, concluded that it was "well founded."

Canada's privacy legislation requires consent before the disclosure of personal information and it also compels organizations to provide adequate security safeguards to protect the personal information they collect. In this particular case, the e-mail addresses constituted such personal information. Despite the existence of a privacy policy and some security safeguards, the loyalty program failed to comply with both the disclosure and security principles and thus ran afoul of the law.

Unfortunately, that is where the finding ends. While the decision properly finds that misuse of personal information, even if inadvertent, is contrary to the law, it does not delve deeper into important questions such as whether there were any consequences to the loyalty program for failing to comply with its privacy obligations.

To see how the case might have been handled, contrast it with a similar incident in the United States in 2002. Eli Lilly, the pharmaceutical giant, created an e-mail reminder service to alert subscribers to when they needed to take a pill or refill a prescription. Due to employee error, an e-mail message was sent that disclosed the e-mail addresses of all 669 subscribers.

The U.S. Federal Trade Commission investigated the incident and ultimately reached a settlement with the company. The company was barred from future privacy misrepresentations, mandated to institute a four-step security program to safeguard personal information, and required to conduct an annual written review of its compliance with the program.

Although the Eli Lilly case might be distinguishable from the Canadian incident on the grounds that it involved more sensitive personal information, large consumer loyalty programs maintain enormous databases of personal information and should therefore be held to a similarly high standard.

The real differences between the cases lie in the enforcement process. From a substantive perspective, the U.S. case resulted in tough new obligations backed by the threat of financial penalties for failure to comply with the settlement. In Canada, the statute provides the commissioner with little more than the power to issue a non-binding finding (the law requires the commissioner to take the case to the federal court if a stronger sanction is desired).

While next week I will address how Canada could beef up its privacy law, another significant distinguishing feature lies in the difference in reporting mechanisms. In the United States, the Eli Lilly case stands as a forceful example of the reputational damage a company may sustain if it fails to sufficiently protect the personal information it collects. The case was widely reported in the media as the FTC provided complete copies of the settlement, the initial complaint, relevant exhibits, and its analysis.

In Canada, the e-mail disclosure case is known simply as Finding #277. The public has not been provided either with the name of the loyalty company or with a complete copy of the commissioner's report on the case. Instead, the commissioner's website features only a summary of the findings.

For Canadian privacy law to garner the respect it needs to achieve widespread compliance, the commissioner's office should consider several changes to its reporting approach.

First, it should work toward a more timely release of findings, recognizing the import attached to them by the privacy community. Moreover, it should update findings that are challenged in federal court and refrain from removing findings from its site without public notice (as it did in one instance over the summer).

Second, the commissioner's office should stop adding an additional layer to the reporting system with its summaries of each finding and instead release the full text of the Commissioner's report for each case (with only the complainant's identifying information omitted). The current approach adds unnecessary costs, leads to reporting delays, and fosters uncertainty within the privacy community on the degree to which the summary can be relied upon in future complaints.

Third, it should at long last exercise its power by identifying the targets of well-founded complaints. The Act empowers the Commissioner to "make public any information relating to the personal information management practices of an organization if the commissioner considers that it is in the public interest to do so." Critics of a "naming names" approach have pointed to this provision as a reason for keeping the parties anonymous, arguing that it cannot always be in the public interest to release identifying information.

In fact, changes at the commissioner's office suggest that the law provides plenty of support for a more transparent disclosure policy. Recent reports indicate that the commissioner's office is scaling back its disclosure of findings. Roughly half of all complaints are now settled through mediation and the commissioner apparently does not plan to release the details of those resolved cases. Moreover, where a finding involves a fact scenario that has previously been discussed in a reported case, a new finding will similarly not be issued. As a result of these changes, the commissioner's office seemingly now plans to release only novel findings that cannot be settled.

Adopting a naming names approach to the well-founded subset of those findings could be manifestly justified on public interest grounds, providing the public with valuable information in assessing the privacy practices of Canadian organizations as well as sending a much-needed message that failure to comply with the law will result in serious consequences.

While Industry Canada Minister David Emerson will lead a statutorily mandated parliamentary review of Canada's privacy law in 2006, the Privacy Commissioner of Canada need not wait for the results of that process. Changes to Canada's reporting mechanisms would be a good start toward ensuring that our privacy law is treated with the respect it deserves.

--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319
Fax: 613-562-5124
mgeist@private
http://www.michaelgeist.ca

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Mon Oct 18 2004 - 21:02:07 PDT