Privacy laws may sound confusing at first, but much of privacy law is common sense. By understanding the fair information principles, you will be better prepared to develop a proper privacy policy. Moreover, if you obtain proper legal advice, your online business should proceed with minimal difficulties.
Privacy is often defined as the right to be left alone, or the right not to have information about you collected, used or disclosed without your consent.
In recent years, privacy has become a hot topic. Governments around the world have reacted by introducing new laws to deal with real or perceived dangers arising from digital and computer technologies and the ability to process and organize data in new ways.
Privacy on the Internet is of particular concern given the ability to not only collect personal information, often without your knowledge, but also to transfer it around the world. There is a broad consensus that personal information (defined as information about an identifiable individual) is at risk, and that legal and other means are necessary to protect individual privacy rights.
Interestingly, only individuals have privacy rights; corporations and other organizations do not. Corporations may have rights, however, to confidentiality of information under a non-disclosure agreement, for example, or as part of an employment contract.
As far back as the early 1980s, the Organization for Economic Cooperation and Development, a group of 30 countries committed to democratic government and free market economies, reacted to the increasing use of computers and databases by developing a model privacy code for organizations to use. For more information, visit www.oecd.org.
During the 1990s, the European Union developed and enacted its Privacy Directive, also known as the EU Data Protection Directive, which was designed to protect the personal information of European citizens. One of the provisions of the Directive was that European organizations could not share personal information with organizations in other countries, unless these countries had adequate laws protecting individual privacy. You can read the Directive at the following Internet address: europa.eu.int/comm/internal_market/privacy/index_en.htm.
Partly in response to the European Directive, Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect in stages starting in 2001. As of January 1, 2004, in its final stage, PIPEDA applies to all commercial activities carried out by Canadian organizations, both provincially and internationally. "Organization" refers not only to societies and corporations, but also to you as an individual if you are carrying on business and engaging in commercial activities.
PIPEDA does state that organizations in certain provinces may be declared exempt from the provisions of PIPEDA if these provinces have enacted substantially similar laws to PIPEDA. To date, BC, Alberta and Quebec have done so and have been declared exempt from PIPEDA by the federal government. However, this only applies to activities within those provinces; cross-border activities may still be subject to PIPEDA. Also, federally regulated organizations such as banks, airlines and telecommunications companies have always been, and continue to be, subject to PIPEDA.
PIPEDA incorporates the provisions of the CSA (Canadian Standards Association) model code, which consists of ten "fair information principles." The ten principles can be summarized as follows:
If you understand these principles, you already know a great deal about privacy law. For further information, you can visit the website of the Privacy Commissioner of Canada at www.privcom.gc.ca.
It is also important to keep in mind that privacy laws do not apply only to online business; they are equally applicable in the world of paper and filing cabinets.
A number of provinces in Canada have their own laws with respect to privacy:
There is also a provision in the Criminal Code of Canada, which has never been tested in court, that could make intercepting and reading the e-mail or web surfing habits of others, for example your employees, an illegal wire-tap subject to criminal penalties, unless you obtain the consent of at least one party involved in the communication or a court order.
It is important to understand that you cannot ignore the laws of other countries just because you are not physically there. This is a complicated area of the law. You should keep in mind, however, that:
In addition to the way privacy laws apply in the "real" world, there are some special things to think about when dealing with the Internet and e-business.
You should fully understand how your website fits into privacy law requirements.
Keep in mind that people do look for privacy policies so, without a policy, you may lose prospective customers. A properly drafted privacy policy or statement will not only minimize your legal exposure, it can serve a marketing function as well, allowing you to attract and retain customers who otherwise might not be as inclined to deal with you.
Whatever you do, do not create a policy and then not follow it precisely. This is an invitation for disaster, including not only possible legal problems, but also injury to your reputation and goodwill.
It is therefore important to not just let the policy sit once it has been posted. It should be revisited regularly to determine whether or not it is still accurate and to evaluate whether or not it should be revised to assist you in your business goals and objectives.
Lastly, keep in mind other privacy or related technical issues that may cost you customers and money. For example, P3P, or the Platform for Privacy Preferences, now allows websites to encode their privacy practices in a manner that some browsers, such as recent versions of Internet Explorer, can "read." So, if a visitor to your site has configured their browser to reject your type of configuration, they may receive error or time-out messages. They may not be aware of why they can no longer log in, and you may not be aware that you've lost them.
(This guide was prepared by the Alberta E-Future Centre)
DISCLAIMER
Information contained in this document is of a general nature only and is not intended to constitute advice for any specific fact situation. Users concerned about the reliability of the information should consult directly with the source, or seek legal counsel.