Media Centre

PIPEDA and the Private Sector — Harmonization between Different Jurisdictions

2nd annual Conference on the Management of Personal Information by Private-Sector Organizations

December 6, 2004
Montreal, Quebec

Address by Jennifer Stoddart,
Privacy Commissioner of Canada

Good morning and thank you. It is a great pleasure to have been invited to speak to you this morning. With only a few days before the end of the year, this strikes me as a particularly well-chosen opportunity to make a preliminary assessment of the first year of full application of the Personal Information Protection and Electronic Documents Act in Canada, and to reflect on some of the challenges ahead of us in the next few years.

A year in review

Please allow me, first, to say a few words in summary about the past year. As you know, the Act is the result, of a collaborative process among representatives of business, civil society and government authorities, under the auspices of the Canadian Standards Association. I believe we can say that the concerns of business were carefully taken into account in the process that led to introduction of the Act. I have no doubt that is one of the reasons why implementation of the Act has posed no major problems to date.

That is not to say that there have been no problems. In fact, between January 1 and November 15, 2004, for example, the Office of the Privacy Commissioner of Canada received 567 complaints related to the application of the Act. More than half of these concerned organizations have been subject to the Act since January 1, 2004. These complaints dealt mainly with the use and disclosure of information, and information collection practices.

More than 50% of these complaints have already been resolved, which indicates that our complaint handling process is working well. Among complaints resolved, we found that nearly one out of five was well founded.

Hundreds of recommendations on the application of the Act have already been published by the Commissioner or the Assistant Privacy Commissioners. These are available on our Web site. This growing body of case summaries provides guidance on questions such as video surveillance in the workplace, for example, which is generally not allowed — or when used, must be used under specific conditions.

The Office of the Privacy Commissioner of Canada also maintains close links with the associations that represent different industries. These contacts revealed a certain anxiety during the past year, related to application of the Act in thousands of Canadian companies. They also allowed us to distribute information that helped those companies adapt to the new rules. The Office of the Privacy Commissioner has also made significant efforts in terms of public education during the past year, both in Canada and abroad, to ensure better understanding of our system for the protection of personal information. In particular, you will find practical recommendations and helpful advice on the evolution of privacy rights on our Web site, which I invite you to consult frequently.

The year 2004 was marked by another important privacy achievement: Alberta and British Columbia both adopted legislation governing the protection of personal information by businesses located in those provinces. The Government of Canada deemed those laws were essentially similar to PIPEDA, and that, accordingly, the federal Act would not apply to intra-provincial activities of companies other than federal works undertakings and businesses in those two jurisdictions.

This should not be seen as a fragmenting of the Canadian system for protecting personal information that unnecessarily complicates business management. The Alberta and British Columbia laws are similar to the federal legislation and are based on the same principles, which is also the case for the Quebec law. As the Federal Court of Appeal recently emphasized, federal regulations must be applied with "flexibility, common sense and pragmatism.". Companies that comply in good faith with the spirit of the law in these jurisdictions should have no difficulty in complying with the letter of all these laws.

The authorities responsible for application of these laws are also concerned about ensuring consistency among the different legislative systems, to the fullest extent possible, while respecting their autonomy and the principles of independence and judicial impartiality. For example, the Office of the Privacy Commissioner of Canada has established mechanisms for consultation with the Commissioners' offices in Alberta and British Columbia, and also maintains close contact with the Access to Information Commission in Quebec. We not only exchange opinions and information, but we sometimes conduct joint investigations. For example, we recently cooperated with the authorities in Alberta, in a case where several companies, which either fell under their jurisdiction or ours were sending personal information in error to the same fax number, which was not the number of the party who was supposed to be receiving that information.

Overall, the experience of this first year of application of the Act in the private sector appears to have been positive. The Federal Court has classified PIPEDA as "a fundamental law of Canada" and has emphasized the interpretation that must be given to its provisions. The Act is becoming more better known among an increasing number of companies and individuals. A dialogue has been opened between the Office of the Privacy Commissioner of Canada and other regulatory agencies and industry. However, there is still much work to be done.

Some challenges

The complaints that we receive and that we exchange with industry or our colleagues in other jurisdictions indicate to us that there are still areas where business practices could be improved and that technology still holds many challenges.

In particular, too many businesses continue to use standard clauses in their contracts intended to obtain consent for the collection and use of personal information in which the scope seems to be clearly exaggerated. One of the objectives of the Act, as stated in subsection 4.3.2 of Schedule 1, is to ensure consumers give free and informed consent concerning the use of the information provided. Does a contract clause that authorizes a company to use such information "for whatever purposes it considers appropriate," or "for any purposes related to its commercial activities," really comply with this objective? The recent decision in the Englander case suggests that the interpretation of the consumer's valid consent will be much stricter in the future.

We have also seen, with increasing frequency, cases where a company charges a person very high fees for providing copies of that person's personal information. So far, we have considered that high fees are excessive and we encourage companies to adopt procedures that will facilitate access by clients to their own personal information.

We are also concerned about issues relating to medical files. There are still lessons to be learned about protection of health information in the workplace. Employers need to develop a culture that is more respectful of the private life of employees in general and especially information related to health not required for legitimate management reasons.

The cross-border flow of information is another cause for serious concern. The flow is increasing daily and includes many kinds of data, some of which is sensitive. A great deal more work is needed to increase the transparency of business practices in this field.

We know that some interesting discussions lie ahead. For example, some manufacturers and some retailers are examining the possibility of using radio frequency identification devices (RFID) to manage their inventories more efficiently. If these devices were to be associated with specific goods and if they could be used to establish a link with the people who acquire those goods so as to create, for example, a personalized consumption profile, the federal Act or various provincial Acts would apply to those operations and it would be necessary to determine if those practices comply with the law.

With regard to the Internet, the proliferation of spam raises concerns, as do the various methods that allow computer criminals to obtain personal information under false pretences. In the United States, an effort is being made to fight spam by creating a national list of people who do not want to receive advertising messages by email. However, there are real fears that this method will not be very effective. So far, no specific prevention measure has been announced in Canada.

Since we use personal information in a wide range of situations, the Office of the Privacy Commissioner of Canada and other regulatory agencies, along with businesses and individuals, will be invited to reflect on a host of practices, in order to decide which practices are acceptable and which should be avoided.

The future

Gradually, the protection of personal information is becoming more and more important in Canada. We are continuing to establish constructive relations with the private sector and with other regulatory agencies to ensure that the objectives of the legislation are achieved. Information about these new rights is being more widely circulated.

Today, the question being asked, more and more, is not whether PIPEDA applies to a particular case, but rather how it should be interpreted and applied. It comes down to a matter of ensuring a balance between different interests in the light of Section 3 of the Act. It is a matter of balancing, on one hand, the privacy rights of an individual, and, on the other hand, the need for organizations to deal with personal information "for reasons that a reasonable person would consider acceptable in the circumstances."

When the Office of the Privacy Commissioner receives a complaint, we are asked, to some extent, to play the role of that "reasonable person," who must consider whether the necessary balance has been respected. However, we also like to act in a proactive way by distributing information and, in doing so, preventing abuses of the Act.

For my part, I am convinced that protection of personal information will become even more important. Indeed, I would not be surprised to see an evolution in this field similar to what we have seen in terms of concern for the environment. Just 25 years ago, "environmentalists" were considered to be dreamers or obstacles to doing business;. Today, more and more companies accept that it is "good business" to operate in ways that preserve the environment. In the same way, the principles of dealing with personal information are, essentially, principles of good management. While it is normal that there should be a period of adaptation to these principles, I am confident that we can work together to guarantee the protection of personal information about Canadian citizens.

There has been a real cultural revolution. According to one legal authority, it is a revolution in favour of the right to privacy — in the rest of Canada, outside Quebec. After all, companies in Quebec have been dealing with this issue for almost a decade. In fact, it is nearly a generation if we think of Section 5 of the Quebec Charter of Human Rights and Freedoms.

The experience in Quebec can serve as a reference point. In 2005, we intend to publish a summary of Quebec jurisprudence, which should help to enlighten the interpretation of other laws that are "substantially similar."

Thank you very much.