Implementing PIPEDA: A review of internet privacy statements and on-line practices

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Organization

University of Toronto

Published

2005

Summary

These four studies evaluate how well various Canadian telecommunications, airline, banking and retail companies are complying with PIPEDA’s openness principle and, in the case of airlines and banks, with the European Commission’s Data Protection Working Party Opinion on information notices. The authors reviewed the companies’ online privacy policies against these criteria, combining their research with surveys, interviews and online interaction with chief privacy officers and other experts.

The telecommunications study is a summary of a Canadian Federal Court of Appeal case, Englander v Telus Communications Inc. Mr. Englander contended that Telus had contravened the knowledge and consent requirements of PIPEDA (which should mirror the openness principle); and that charging a fee to obtain an unpublished phone number contravened the spirit if not the letter of the Act. The Court agreed concerning the former, but not the latter. Service fees of telecommunications companies are regulated by another federal agency.

The second paper examines the online privacy statements of four Canadian airlines, Air Canada, WestJet, CanJet and Jetsgo, to determine their compliance with PIPEDA and the Working Party Opinion. The latter provides insight into European Commission policy processes seeking to ensure adequate protection of personal information on passengers and crew arriving from Europe. This information is used by the Canada Border Services Agency to identify potential terrorist threats. The Agency’s privacy commitments to the Working Party were welcomed and sufficient to conclude that protection was adequate. However, the study notes a lack of uniformity in the airlines’ online privacy statements which it suggests the Office of the Privacy Commissioner deal with by audit or education.

The third paper explains more fully the Working Party Opinion on harmonizing privacy notices and evaluates the extent to which two leading Canadian banks (CIBC and Scotiabank) meet identified standards. The author agrees that harmonization is likely to result in greater ease of comparison among statements, including identifying omissions. A three-tier notice system is recommended, the first providing ‘core’ information and the second and third more relevant information that is required by the Commission and national law. Taken together, these constitute a legal notice. In this light, it is believed both CIBC and Scotiabank privacy statements are deficient, although Scotiabank’s notice was found to be more user-friendly through the use of links.

The final paper examines privacy statements within the retail business sector which falls under provincial jurisdiction. It concludes that while this sector is generally following the lead of federal undertakings such as banks and airlines (which were subject to privacy legislation three years in advance of retail businesses), this may not be a good thing. Publication of more detailed information would provide consumers with a proper basis on which to assess companies’ privacy practices and hold them to account.

Overall, the authors find ad hoc compliance, concluding that companies appear motivated to communicate their privacy policies due to business prudence rather than concerns for privacy. There is room for improvement.

This document is available in the following language(s):

English only

•  English (HTML document)

OPC Funded Project

This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.

Contact Information

Toronto University
27 Kings College Cir
Toronto, ON M5S

Website: http://www.utoronto.ca/
Tel: (416) 978-2011