Private Sector Data Protection 1997

PRIVATE SECTOR DATA PROTECTION (1997)


Denis C. Kratchanov
Counsel, 
Public Law Policy Section
Department of Justice Canada
See footnote 1

  1. FOREWORD
  2. INTRODUCTION
  3. I. HOW SHOULD THE CSA MODEL CODE BE REFLECTED IN THE LEGISLATION?
  4. II. WHAT ROLE SHOULD SECTORAL OR INDUSTRY CODES PLAY IN THE ACT?
  5. CONCLUSION


FOREWORD
At its 1996 annual meeting the Uniform Law Conference of Canada resolved:


1. That a draft Uniform Data Protection Act and commentaries be prepared for [the] consideration of the 1997 Conference.


2. That the working group give specific attention to compliance audits.


3. That the working group undertake to ascertain if there are effective mechanisms for the development and ratification of sectoral codes or other measures that provide more precise guidelines for the protection of privacy and disclosure interests specific to particular sectors, consistent with the general principles set out in the Act.


Two drafters of the Department of Justice were assigned to this project last fall, and a ULCC working group composed of approximately 30 knowledgeable private sector, consumer and government representatives and other data-protection experts was created. In 1997, a draft Uniform Act was circulated to the working group, and comments were received. The purpose of this paper is to provide a progress report on the work done to date by the working group and to seek the ULCC's guidance on some of the issues to be resolved before a Uniform Act can be adopted.


INTRODUCTION


Policy Developments in Canada


Since the 1996 annual meeting of the ULCC, the pace of policy development regarding the collection and use of personal information by the private sector has accelerated.


In September 1996, the Minister of Justice, the Honourable Allan Rock, stated to the International Privacy and Data Protection Commissioners Conference in Ottawa that: "By the year 2000, we aim to have federal legislation on the books that will provide effective, enforceable protection of privacy rights in the private sector." In his speech, he also emphasized the fact that collaboration between the federal, provincial and territorial governments was essential to adequately protect the privacy interests of Canadians. To help it to prepare its legislative proposal, the federal government is preparing a public consultation paper, which could be released later this year.


Formal discussions between the federal, provincial and territorial governments began in 1996. Ministers responsible for the Information Highway agreed, at a meeting held last September in Winnipeg, that

  • businesses and consumers need a clear and consistent set of rules to protect the privacy of personal information;
  • federal, provincial and territorial cooperation is desirable to ensure a common minimum level of privacy protection across the country;
  • legislation should be examined as one possible avenue to implement rules;
  • measures should be developed to foster consumer awareness of ways to protect personal privacy; and
  • governments should take steps within their power to ensure that personal privacy is protected when implementing electronic service delivery.
The Ministers also agreed to create a governmental working group composed of federal, provincial and territorial officials which would seek to find a consensus on a minimum level of privacy protection standards across jurisdictions and examine methods, including legislation, to apply and enforce privacy standards. The working group was asked to make recommendations to the Ministers at their next meeting, which is expected to be held in the fall.


Privacy issues are also attracting the attention of more and more members of Parliament. In April 1997, the House of Commons unanimously adopted a motion recommending that all federal Crown corporations be made subject to the Privacy Act. In addition, during 1996-97, the House of Commons Standing Committee on Human Rights and the Status of Persons with Disabilities heard from Canadians from across the country on the issue of privacy and new technologies. In its report (see footnote 2), it recommended the adoption of a Charter of Privacy Rights which would have primacy over other federal legislation and the adoption of a Data Protection Act which would be applicable to both the public and the private sectors under federal jurisdiction. Another one of its recommendations called on the federal government "to work with the provinces and territories to harmonize privacy legislation across the country."

A number of privacy-related initiatives which would have an impact on the private sector are also under way in the provinces. This spring, the provincial governments of Alberta and Manitoba introduced legislation protecting health information, and similar legislation is also being prepared by the government of Ontario.


It is in this still-developing policy environment that the first version of the ULCC Act was drafted.


First Draft of the Uniform Protection of Personal Information Act

The preparation of the first draft of the Uniform Act proceeded on the instructions that had been adopted by the ULCC during its 1996 meeting. The principal elements of these instructions were:


  1. that the principles in the CSA Model Code (see footnote 3), which are consistent with the principles in the Quebec legislation, represent a good base on which to build a Uniform statute;
  2. that there is consensus to use existing data-protection bodies to oversee the legislation, while leaving some flexibility to each jurisdiction;
  3. that the data-protection commission should have a mandate for public education and the power to receive complaints and conduct investigations, mediation and adjudication;
  4. that the Act should express universally applicable data-protection principles and an implementation mechanism; and
  5. that further work should be done with respect to compliance audits and the development and ratification of sectoral codes. 
The first draft, which was circulated to the ULCC working group in March 1997, attempted to reflect these instructions and to serve as a tool to facilitate discussions of issues requiring more attention. Reactions from the working group to the draft varied greatly. Some thought it was a "good beginning" or a "basis for discussion," the direction of which was "generally satisfactory." Others, on the contrary, thought that the draft was "wholly inadequate" and "unacceptable" to the private sector. One working group member, who later withdrew from the group, even questioned the need for legislation. Most members of the working group who responded, however, provided useful comments and offered suggestions on how it could be improved. Work on a second draft began in the spring, but at the time of the preparation of this report, it had not yet been circulated to the working group for comments. It is clear that a considerable amount of work needs to be done before a draft Uniform Act can be ready to be adopted by the Conference.


From the comments that were received with respect to the first draft, two main issues have been identified:


  1. How should the CSA Model Code be reflected in the legislation?
  2. What role should sectoral or industry codes play in the Act?
The issue of compliance audits, which the ULCC had asked to be the subject of specific attention, was also dealt with in the first draft of the Uniform Act, and it will be the subject of more consultation when a second draft is produced.

I. HOW SHOULD THE CSA MODEL CODE BE REFLECTED IN THE LEGISLATION?


Many working group members, especially those who had been directly involved in the development of the CSA Model Code for the Protection of Personal Information (see footnote 4), noted that the first draft of the Uniform Act did not reflect the structure or the wording of the Code. The point was made again and again that the Code was the result of a long (five years) and arduous negotiation process, that numerous compromises had been agreed to by various groups to arrive at a consensus, and that any departure from the wording used in the Code would cause this consensus to evaporate.

One suggestion that has been made is that the Code itself should be referenced in a schedule of the Act and given the force of law. (Disputes concerning the interpretation and the application of the Code that could not be resolved between a company and an individual would ultimately have to be submitted to an independent third party with or without powers to order redress.) While the reference to standards in legislation is not new, it is usually done in respect of purely technical and administrative standards. The CSA Model Code could hardly be viewed as a technical or administrative standard. It sets out principles and then provides a commentary on how these principles should be applied, leaving considerable room for interpretation. Traditionally, legislators in Canada have not favored this legislative drafting technique, even with respect to the incorporation of International Conventions or Aboriginal Treaties in domestic legislation. 


The problem with this approach is that the Code was negotiated as a voluntary standard, not as a model for legislation. The drafting style, especially in the commentary of the Code, is not the type of language that would normally be found in legislation. The Code is also much less precise than existing public sector legislation (or than the Quebec private sector legislation) in terms of the obligations imposed on persons subject to it. Adopting the Code as is and leaving its ultimate interpretation to a commissioner, a tribunal or a court might result not merely in more flexibility for the private sector, but also in more uncertainty about the real nature of the obligations imposed upon it. In addition, legislative bodies might be reluctant to simply delegate to the CSA (or to the Standards Council of Canada) the power to define legislative requirements. 

The obvious advantage of this approach, on the other hand, is that it builds on a consensus of representatives from consumer groups and unions, the transportation, telecommunications, insurance, health and financial services industries, public sector officials and other general interest groups. As such, it is a compromise that in many ways might be more easily accepted by those affected by the legislation.

One possible alternative to this suggestion is that only the ten principles that form the basis of the CSA code be referenced in legislation. These principles are written in a prescriptive language that more closely resembles legislative drafting. The Code's commentary, which is more explanatory than prescriptive in style, could then be referred to as an instrument of interpretation to be used by those charged to apply the legislation and to enforce it. 


A third solution is to try to reflect, as far as possible in the drafting of the Act, the structure and wording of the CSA Model Code. There is no doubt that a new draft of the Uniform Act could be prepared to resemble the CSA Model Code more closely, thus making it easier to recognize the Code in the legislation. In making the wording more precise, however, choices would inevitably have to be made in the interpretation of certain paragraphs of the Code, and this would put at risk the consensus on which the Code is based.


II. WHAT ROLE SHOULD SECTORAL OR INDUSTRY CODES PLAY IN THE ACT?

Probably more privacy codes have been adopted by industry associations or individual companies in Canada than in any other country (see footnote 5). Many associations have already revised or are now revising their existing privacy codes to tailor the CSA Model Code to meet their specific circumstances. The existence of these codes is a feature of the Canadian privacy landscape, and any legislative regime should try to incorporate them in one way or another to the extent possible. There are different possibilities for doing this.

In the United Kingdom, privacy codes adopted by trade associations or other bodies do not have statutory recognition, but they nonetheless play a role in the interpretation and the enforcement of the Data Protection Act. In the Netherlands, privacy codes adopted by industry must, under the legislation, be approved by the Privacy and Data Protection Commissioner, but these codes are not binding on the courts. Courts may, however, refer to them in interpreting the legislation. New Zealand has gone one step further by giving the force of law to codes which have been approved by the Privacy Commissioner. Once approved, a code replaces the privacy principles stated in the legislation, whether the code provides more stringent or less stringent protection than those principles.


Finally, the European Union Data Protection Directive (see footnote 6) recognizes that privacy codes may contribute to the implementation of privacy legislation adopted by member States and that these codes may be submitted to the approval of national authorities. Most member States of the European Union are revising their existing legislation and are expected to present modifications to it to implement the Directive in 1997-98.

Codes or standards addressing the concerns of industries such as telecommunications and banking would have the advantage of providing more specific rules than the CSA Model Code or legislation could. There is a risk, however, that this approach might not reflect the growing convergence of many industries in each other's markets and so could result in confusion and an uneven playing field. Experience in countries that have provided for a formal approval process for individual or trade association privacy codes suggests that this approval process can be time-consuming and expensive. A potential conflict of interest may also be created if the body which must approve these codes is also mandated to receive complaints made under them and is ultimately responsible for interpreting the codes. If, on the other hand, codes have no legislative underpinning, their language may conflict with the wording of the legislation, and the end result may be confusion about the implementation of legislation.


A solution to this dilemma could be to allow in the legislation the registration of a privacy code through a body accredited by the Standards Council of Canada. Arguably, such accrediting bodies, if they develop the necessary privacy expertise, could provide an independent and cost-effective certification process that would be less bureaucratic than a service provided by a government agency. The registration process would ensure, to the extent possible, that the code is consistent with the CSA Model Code. Once registered, such a code would not replace the core principles contained in the legislation, but it could become an instrument of interpretation that an adjudicator would have to take into consideration in making his or her findings in response to a complaint made under the Act. 


CONCLUSION


The need for a harmonized approach to the protection of personal information in the private sector will be more important than ever in 1998. The federal government has made a commitment to prepare legislative proposals. Provincial and territorial governments have also begun to consider the issue. There is therefore no doubt that the ULCC can continue to play an essential role in ensuring that legislation adopted in this area by Parliament and the provinces does not lead to confusion in the marketplace for consumers and businesses alike or to the creation of new barriers between provinces. 


The development of this new Uniform Act at the same time as many governments are considering the need for legislation is not, however, without its challenges. It presents both some difficulties and some opportunities. It is difficult because the exercise is not limited to drafting legislation incorporating into law a clear statement of policy direction already agreed to by governments in Canada. Perhaps more importantly, though, it represents an opportunity to shape Canadian privacy policy, as many policy makers in governments may look to the results of this ULCC initiative not only to use it as a legislative model but also to decide whether they want to adopt legislation. 


While the drafting of the Uniform Act will not be completed in 1997, the development of such an Act progressed considerably in 1996-97. The composition of the working group grew as many private sector organizations asked to be consulted and kept informed of the status of this initiative. Also, the first draft Act, which was circulated during the year, received more responses than the discussion documents circulated in the previous two years had received.


The instructions the ULCC will adopt with respect to the two above-mentioned questions at its 1997 meeting in Whitehorse will help in the completion of the drafting of the first part of the Uniform Act. What will then be left to do in 1997-98 will be to continue the drafting of the second part of the legislation, designing an effective enforcement mechanism to ensure the implementation of the principles stated in the first part of the Act. 



Footnote: 1 The opinions expressed in this paper do not necessarily reflect the views of the Department of Justice of Canada.



Footnote: 2 Report of the House of Commons Standing Committee on Human Rights and the Status of Persons with Disabilities, Privacy: Where do we draw the line?, House of Commons, April 1997 (http://www.parl.gc.ca/committees352/huso/reports/03_1997-04/toce.html).


Footnote: 3 It should be noted that the CSA Model Code was approved as a National Standard of Canada by the Standards Council of Canada in 1996.



Footnote: 4 The Code is attached to this report. It is made up of ten principles followed by a commentary clarifying and elaborating on each of the principles. The "CSA Model Code" is the principles and the commentary.


Footnote: 5 Colin Bennett, Adequate Data Protection by the Year 2000: The Prospects for Privacy in Canada, [1997] 11 IRLC&T, 79, p.87.


Footnote: 6 Directive 95/46/EC, OJ No. L281, p. 31 (http://www2.echo.lu/legal/en/dataprot/directiv/directiv.html).


August 1997