Bill C-54, Personal Information Protection and Electronic Documents Act
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Office of the Privacy Commissioner of Canada to the Standing Committee on Industry
December 2nd, 1998
Ottawa, Ontario
Bruce Phillips
Privacy Commissioner
(Check Against Delivery)
If I do nothing more useful here today, I want to leave you with a sense of the fundamental nature of the issue at stake here.
You will have a copy of our submission and, of course, I will leave most of the time for your questions. But, since privacy matters are usually the turf of the Justice Committee, I thought it appropriate to discuss some of the ethical underpinnings of privacy. Why have we reached the point at which we need a law to protect Canadians' personal information in the private sector?
We so take our privacy for granted in a democracy; it is so self-evident that it has almost ceased to be evident. Think about it. Privacy is the value at the foundation of the secret ballot, doctor-patient confidentiality, solicitor-client privilege, wiretapping law, the concept that our homes are our castles, and our society's fierce defence of the autonomy of the individual.
Privacy is not the political correctness "Flavour of the Month". Far from it. It is a bedrock human value which former Supreme Court Justice La Forest described as "at the heart of liberty in the modern state". Nor is it an individual right enjoyed at the expense of society as a whole. Respecting one another's privacy is an integral ingredient in the glue of mutual respect which helps hold a free society together. Respecting the boundaries that we choose to draw around ourselves makes the difference between a life of liberty, autonomy and dignity, and a hollow and intimidating existence under a cloud of constant oppressive surveillance.
Whether to reveal or conceal the details of our lives are decisions for us to make, not for others, not for business, and certainly not for the state, except in the most limited and exceptional circumstances.
Privacy matters. Never has this value been more vital to an individual's free existence, nor more threatened, than in the technologically advanced societies in which we live. And never have the challenges and the threats been couched in sweeter and more reasonable language than in democracies committed to free speech, free markets, personal safety, caring social programs and, most ominous of all, "efficient" government.
This is a critical time for this value we take for granted. Nothing but bold steps will save it. Surveillance, that tool of oppressive totalitarian regimes, is now within the reach of virtually everyone with the desire and the few dollars it takes to buy the sophisticated equipment. By surveillance I don't mean the guys in trench coats or ubiquitous cameras, although the proliferation of cameras and microphones in both public places and businesses in North America is astonishing. What I am talking about is the unseen surveillance through the computer databases of governments and businesses both large and small.
The power of new information systems to record, to mine, to match and to manipulate data has grown exponentially since passage of the Canadian Privacy Act. Consider my own tiny office as an example. When the Act took effect in 1983, three secretaries had word processors, the Commissioner and one staff member had typewriters. Although our equipment has never been state-of-the-art, we were probably like many government offices. Computing, where it happened at all, was done on mainframes which, despite their then-impressive size, simply stored and retrieved static data.
Today, everyone in the office has personal computers on their desks. The de-facto standard desk-top computer today has 64 megs of RAM, substantially more powerful than those old mainframes. And in an office setting, they seldom stand alone but are linked into internal networks which enable us to share data. But more critical to our privacy than the memory capacity is the new machines' ability to collect, exchange, manipulate, analyze and store the data.
The more the machines can do, the more we seek new and creative uses for them and the data they store. This is "function creep", or with apologies to author WP Kinsella, "If you build it, they will find new and sometimes dubious uses for it".
There is no debate about modern societies living without electronic information processing. But the quid pro quo for using these systems is providing legal protection for the individuals whose personal data can be amassed, mined, manipulated and disclosed, often, one might even argue, usually, without their knowledge or consent. We now face an economic, social and technical environment that few legislators, bureaucrats and privacy advocates contemplated as little as ten years ago, let alone in 1982 when the Canadian law was drafted. We have gone though an economic boom, a recession, a recovery and now the Asian flu.
The economy has forced governments of all persuasions and business to regard their collective bottom lines with steely eyes and hearts. We are all taxpayers and consumers here. We can certainly support efforts to streamline and economize; we all have to do it in our own lives. But as our economies turned leaner and meaner, our societies seem to be turning nastier. Our vaunted commitment to those social values of mutual support and caring, and our ability to allow for some slush in the system in order to protect our neighbours from real deprivation, while maintaining our democratic freedoms, appear to be under siege.
We also appear to have become more fearful for our safety. Besieged by a media focused on crime stories, yet in the face of statistics reporting generally falling crime rates, many seem ready, even eager, to accept living more circumscribed lives if that will guarantee safety for themselves and their families. In our pursuit of the risk-free life we are building ourselves electronic Gulags.
When a society under these pressures is offered technologies which promise to pare costs, manipulate consumers to enhance the bottom line, catch the cheats and criminals, identify those leading unhealthy lives, and winnow out the dead wood, the temptations are very hard to resist. The risk we court is making a Faustian deal which could be terminal for a good deal more than privacy laws. This is the gentle slope to surrendering our freedom. The effect could be deadly for the soul of our societies.
I don't want to sound apocalyptic here. There is going to be altogether enough of that as we approach the millennium. But I do want us to consider not just the impact of some of the individual initiatives you will discuss later, but also their cumulative effect on our social values.
The patchwork of legal protection in Canada is no match for current information technology in the hands of efficient governments, aggressive corporations and the new hybrids. These new entities may be part federal, part provincial, commercialized government, private contractors or blends of all of the above. Which law governs? The short answer is; who knows?
The federal privacy law, which I oversee, covers only the operations of most, but not all, federal government agencies. Most, but not all, provinces have privacy laws governing their own operations.
But only in Quebec does the law regulate the private sector. Not only does this create anomalies; it leaves the other 23 million Canadians out in the cold. For example;
- when a Montrealer goes shopping at the Hudson Bay Company, she enjoys privacy rights her cousin in Calgary doesn't have at his local Bay store;
- when her credit information is sent to Equifax, Canada's largest credit bureau, her information is protected by law; her Calgary cousin's information is not;
- our Montrealer has privacy rights if she banks with the local caisse populaire or credit union which operates under Quebec privacy law, but her Calgary cousin has none if he chooses the Bank of Montreal which, although federally chartered, is private sector and so not covered under federal privacy law.
At present, I have no right to know what information businesses hold on me, how they got it, how they use it, whether it is accurate, with whom they share it and how they will keep it.
Corporations increasingly regard client data as a resource which they own and can mine, use and sell as they wish. The more widely my information is shared, the more likely it will be used to decide what services I will be offered, what benefits I may receive and what jobs I may qualify for, all without my permission, usually without my input, and frequently without my knowledge. Equally dangerous is that these decisions could be made based on faulty information which I have no right to correct.
The legal patchwork is threadbare and drafty, and Canadians want something altogether better at keeping their personal data warm at nights.
Two factors have spurred government to action. The first factor is the coming European Directive and its possible impact on data transfers to countries without adequate privacy law, of which Canada is one. The second and, let's be frank, likely more decisive factor is the advent of electronic commerce and all the opportunities it offers. The government has recognized that a knowledge-based economy is driving global growth and is determined to make Canada "the most connected nation in the world". And it wants to create an environment which will see Canada out in front of the pack in developing electronic commerce. Fair enough, after all there are jobs and business at stake.
However, the government also understands that they have to build trust in the system, many Canadians will not shop, bank and file taxes on line knowing they risk sharing their personal lives with tens of millions of people worldwide. An ongoing survey found recently that more than 80 per cent would refuse to provide their credit card number when buying over the Internet. I have to wonder about that other 20 per cent! The number who would refuse to conduct transactions electronically drops below 50 per cent when offered the opportunity to know and control how the business would use their personal information. Even so, the advocates of e-comm clearly have a lot of heavy rowing ahead of them.
Whatever the motivation for the government's plans, I am not looking this particular gift horse in the mouth. In my response to Industry Canada's call for comments on their discussion paper I offered the following advice:
- Keep it simple. Avoid registering databases which will become costly, burdensome and bureaucratic, and likely a huge irritant to business. I also counselled against sectoral codes as impractical in the current North American business environment;
- Build a level playing field. The last thing we need is data havens within the country;
- Give it teeth. The scheme needs independent oversight with strong investigative powers but which is simple for consumers and non-confrontational for business;
- Put the onus on business. Business should be obliged to deal with complaints initially. This is their opportunity to understand, deal with and hopefully learn from the experience. Also require business to audit their information practices periodically and act on the findings;
- Educate public and business. No law will be effective without consumer and business understanding. Business must bear the primary responsibility for informing its clients and employees. I also asked for both a specific education mandate and money to increase public awareness. At the moment I have neither and I know how seriously it hampers us.
I know that some are concerned about my oversight role in this bill so I would like to close by explaining how the ombudsman role works in a privacy setting. And I want to give you a sense of how we do business.
The traditional ombudsman is an official appointed by the legislature or Parliament to protect "the little guy" from bureaucratic mistakes and abuses of power. Ombudsmen investigate complaints from the public about administrative unfairness, helping to restore the balance between a powerless individual and powerful government.
Most provinces have ombudsmen who investigate complaints about provincial government agencies. And the federal government has several "special ombudsmen" (like the Commissioner of Official Languages and the Privacy Commissioner) whose oversight is limited to a specific field.
But the model has appealed to many organizations outside government. Newspapers, universities and banks have appointed ombudsmen as an effective way to resolve clients' complaints, and often to learn something in the process.
So how does this role differ from that of other investigative bodies?
Like investigative bodies, ombudsmen have substantial powers to interview anyone, to compel evidence and examine any records they need to reach a conclusion.
Unlike some apparently similar bodies, ombudsmen do not issue orders or impose penalties. Ombudsmen resolve disputes through persuasion, relying on their competence, knowledge and impartiality. They are trusted and respected third parties who act as a sort of alternate dispute resolution mechanism. They are not tribunals or mini-law courts. They frequently exonerate staff and protect organizations against unfair accusations. And their less formal approach makes the process less intimidating for citizens, and much less costly for business.
One of the greatest contributions a special ombudsman can make is to an organization's understanding of and commitment to the issue at stake. Ombudsman and their staff can be a valuable resource for the organizations under their jurisdiction. Most organizations do not want to act unfairly. Many are simply unaware that occasionally their actions hurt their clients or employees. Given a chance to mend the damage or improve their procedures, they seize it.
In our experience, the model works well and I think it will translate well in the private sector. I see our role in this bill as teaching business the personal information business. Our first priority is to learn their business as they learn ours, we understand the need to understand.
Our second priority is to help companies find solutions that lead to better personal information management, and thus prevent complaints to the greatest extent possible. I expect a heavy emphasis on our educational role in the first year.
Our third priority is to resolve disputes effectively. We will count on business to handle complaints through their existing dispute resolution process. Since resolving complaints is our bread and butter, it is here that we may have a good deal to offer business clients.
We will proceed cautiously. Ombudsmen don't wear jackboots. Nor do they wear bedroom slippers. We will occasionally disagree; sometimes with business, and sometimes with complainants. But we will be informed, sensitive and fair, as I hope we always have been.
I want to end on an intensely practical note: money. This scheme will not work if the Commissioner is inadequately resourced. I speak from considerable experience. Inadequate funding has hobbled our Office certainly for my term and, I understand, virtually from its inception. But in the past five years we have descended into "fiscal anorexia".
This committee may not know that, once we pay our 38 employees, we have $100,000 left to run our program. My office investigates about 1800 complaints and handles more than 10,000 inquiries a year. We attempt to monitor the information handling practices of government. We try to keep a watching brief on new legislation and new technologies for their privacy implications. And we try to educate the public about the law, their rights and the looming threats to their privacy, all out of chewing gum and bailing wire, we get no educational funds at all.
We have made our case to the Treasury Board which agrees that we are underfunded. Our budget is now undergoing a thorough review. But the review is confined to our present mandate. It does not anticipate these new tasks. I urge you to recommend that my office be properly funded to carry out the responsibilities set out in this bill. Not to do so may risk raising expectations of privacy protection that are physically impossible to meet. This would simply set us up to fail.
I believe the scheme envisaged by the bill can work well. We look forward to the challenge; I ask only that you ensure we have the tools to do the job.
Thank you.
- Date modified: