- Data Protection in the Private Sector - Options for a Uniform Statute 1996
- Annex I - Summary of Recommendations
- Annex II - The Principles in the Canadian Standards Association Model Code for the Protection of Personal Information
- Annex III - Summary of the Quebec Model
- Annex IV - Questionnaire
- Annex V - Persons consulted
- All Pages
At the Uniform Law Conference in 1995, a paper on Personal Information and the Protection of Privacy was presented. The paper was prepared by Denis Kratchanov, my colleague at the federal Department of Justice, with input from a number of expert commentators. The last paragraph of Denis' paper reads:
The first step for the ULCC, if it decides to deal with this issue, is to agree on the principles that a data protection law should promote. These might be the principles identified in the CSA Draft Model Privacy Code; in any event, they should be consistent with the OECD Guidelines. The second step would be to decide on the best approach to ensure compliance with those principles, i.e. "light" or "heavy" legislation. The third and final step would be to prepare draft legislation that would be available to any government in Canada. The ULCC can play a vital role in ensuring that legislation adopted in this area by Parliament and the provinces does not lead to confusion in the marketplace for consumers and businesses alike or to the creation of new non-tariff barriers between provinces.
Earlier in the paper, the "light" and "heavy" legislative options were explained this way:
Data protection legislation can take many forms, but to be effective it needs to be based on a set of fair information practices similar to the 10 principles enunciated in the CSA Draft Model Privacy Code. The difference lies in the degrees of coercion and voluntary cooperation it relies on. A "light" version as requiring collectors and users of personal information to adopt privacy codes, based on the CSA model, within a specified time frame. An advisory body could help draft and promulgate the code, and the legislation would impose codes created by that body if the deadline had not been met. Compliance with the codes would be purely voluntary. A "heavier" version would provide a public body with the powers to force a private sector entity to comply with its own code. Between the two versions, there is a range of "medium" versions that could be adopted.
Another variation of the two options outlined above could be to design codes that are sector specific, which would allow greater flexibility to the protection of privacy interest in different contexts. Having separate data protection laws or regulations to address the concerns of specific industries such as telecommunications and insurance, might cause sever difficulties in compliance, however, since different sectors of industry exchange information and the lines between industries are beginning to blur.
After a discussion of this report, the ULC resolved:
That the Steering Committee of the Uniform Law Section create a Task Force to develop proposals for a Uniform Personal Information Protection Act which will include a statement of principles and options for implementation.
Since then, the federal government announced its response to the Information Highway Advisory Council (IHAC) report. The IHAC recommended that legislation is needed, that there needs to be effective, independent oversight, and that all parties should follow the same rules and that the government should:
- create a level playing field for the protection of personal information on the Information Highway by developing and implementing a flexible legislative framework for both public and private sectors. Legislation would require sectors or organizations to meet the standard of the CSA model code, while allowing the flexibility to determine how they will refine their own codes. (p. 141)
The report goes on to make special mention of health records and especially the ability to identify health research participants, recognizing that obtaining individual consent is not always desirable or feasible. (p. 147) The government response to the IHAC report includes the following statements:
The right to privacy must be recognized in law, especially in an electronic world of private databases ... As a means of encouraging business and consumer confidence in the Information Highway, the ministers of Industry and Justice, after consultation with the provinces and other stakeholders, will bring forward proposals for a legislative framework governing the protection of personal data in the private sector.
The federal government is currently finalizing a consultation strategy and issues paper to help it develop a legislative proposal for regulating data protection in the private sector.
The reasons for legislating data protection in the private sector are numerous and were discussed in some length in Denis' paper last year. To recap in summary form, the Information Highway Advisory Council, the federal Privacy Commissioner, the B.C. and Ontario Information and Privacy Commissioners, the Canadian Direct Marketing Association, among others, have all called for such legislation. Quebec has already adopted such legislation.
In addition, the Canadian Standards Association has finalized a voluntary standard for data protection, articulating 10 basic data protection principles that should be followed by private sector organizations. This voluntary standard was unanimously accepted by a committee of government, consumer, business and other interest group representatives and demonstrates that there is a growing consensus on the need for data protection in the private sector and on the key principles that define data protection. The CSA Code became a national standard in March 1996 and is now being considered by the Committee on Consumer Policy of the International Organization for Standardization. The consultations and consensus that have already been achieved provide a good base upon which to develop a uniform statute. ( NOTE: Annex II sets out the 10 data protection principles contained in the CSA Code and Annex III to this paper contains a two-page summary of the main provisions in the Quebec Act.)
There are important trade reasons to develop a uniform statute: to ensure that trade with the European Union countries is not disrupted by failure to meet the adequacy test of the EC Data Protection Directive; to promote a uniform approach to such legislation so that consumers and companies operating in a number of jurisdictions in Canada will not be faced with a patchwork of differing rules; and to promote consumer confidence in electronic commerce.
The Consultations to Date
In order to advance the ULCC's resolution in favour of a uniform statute on data protection, I consulted with approximately 30 knowledgeable private sector, consumer and government representatives and other data protection experts and circulated two consultation papers asking questions on a variety of issues relating to what a Uniform statute on data protection might contain. (See Annex V for a list of the persons consulted. Not all of the 30 persons provided responses to my consultation documents.) The second consultation paper included a questionnaire (Annex IV sets out the questionnaire and contains brief "pro" and "con" statements for each question.) There were 22 responses to the questionnaire, with six from private sector interests (including two private practice lawyers), three from provincial government organizations, and thirteen responses from other sources, being Privacy, Human Rights or Law Reform Commissions, consumer or labour groups and academics.
The first consultation paper generated responses from two other private sector businesses and a meeting with the Canadian Medical Association, in addition to responses from most of the persons who responded to the questionnaire. An articling student completing his Master in Laws thesis in data protection, Tom Onyshko, wrote a lengthy letter rather than fill our the questionnaire (and is not included in the count of 22 responses to the questionnaire). Given the time-frames involved, the individuals who responded did not have an opportunity to canvass their organizations and could not express formal views of their organizations. It cannot be said that the consultations were a product of scientific sampling or that there was perfect clarity in the questions asked or responses received or unanimous agreement on any particular issue.
This paper addresses the following issues in some detail:
Is a legislated approach desirable?
What should the statement of data protection principles contain?
What kind of oversight mechanism should exist?
What powers should an oversight body have?
What should be the subject matter of a Model Data Protection Law?
Given that the purpose of the Uniform Law Conference is to promote uniformity across the country, and given that Quebec has already legislated data protection in the private sector, any departure from the Quebec model would make achieving uniformity more difficult to achieve. Therefore, in the recommendations that follow, I have noted the extent to which they are compatible with the Quebec approach. At the same time, it is also desirable that regulation of data protection in the private sector be reasonably uniform with regulation of data protection for the public sector, so this should be kept in mind as another uniformity objective. That being said, John Gustavson of the Canadian Direct Marketing Association, while noting that the CDMA is supportive of some form of legislation, emphasizes his organization's opposition to the Quebec model and argues that the Uniform Law Conference should not let the model chosen by one province dictate the uniform law the Conference might ultimately choose to adopt.
1. .Is a legislated approach desirable?
In the first consultation paper was the following sentence:
Given the report and the resolution of the Uniform Law Conference in 1995, I do not believe it would be appropriate for us to debate whether or not governments should adopt legislation or whether or not the ULC should prepare a Model Act.
Despite the above, a number of comments were received on whether or not legislation is a good idea. Many persons who responded, whether they be private individuals, or representatives of government, the Ontario Law Reform Commission, the Canadian Labour Congress or the Canadian Mental Health Association, were supportive of a legislated approach.
On the other hand, representatives of Equifax and the Canadian Bankers Association were not persuaded of the need for legislation, but accepted that if there is to be legislation, then a uniform law is the way to go. A representative of Stentor replied that framework legislation should be based on federal-provincial-territorial agreements in all jurisdictions to ensure harmonization and an equal playing field for all players in the private sector. The Canadian Direct Marketing Association (CDMA) supports the idea of "framework" legislation that relies primarily on sectoral codes for implementation. Equifax replied that it hoped that laws regulating data protection in the private sector would replace credit reporting legislation, rather than being in addition to those laws.
At the same time, no one other than the CDMA reported any difficulties created by the adoption of private sector data protection law in Quebec (although Equifax noted some consumers initially mistakenly thought the Quebec law could help them remove negative but accurate credit reports, and some data protection advocates suggested the Quebec Commission d'accès à l'information has been somewhat weak in enforcing the law with respect to the private sector). A paper prepared by lawyer Jacques St. Amant for Industry Canada quotes a speech from Étienne Dubreuil, vice-president with Teleglobe Canada Inc. as follows:
The legislation is not unreasonable; as a matter of fact, a few irritants aside, it is a statute with which enterprises will not have tremendous difficulties dealing with. If we base ourselves on the last four months experience with this legislation, Quebec firms have had to change some of their practices but most have seen this as a transparent step, satisfying both the clients and the enterprise itself. Some people would even say that it has been a good marketing tool. ... Everything considered, perhaps the only real difficulty with Bill 68 resides in the fact that it is functional approach with applicability to Quebec only. This should be less than satisfactory for Canadian financial institution enterprises which deal across Canada and for whom a multiplication of standards of protection of personal information is unacceptable.
In contrast, John Gustavson of the CDMA wrote:
[M]any participants .in the Canadian Standards Association committee that drafted the CSA Model Code for the Protection of Personal Information. _ and I would certainly include CDMA among this group _ find the Quebec law far too intrusive and an unnecessary burden on business in that province. By contrast, the great advantage of simple framework legislation, as endorsed by the government in its response to IHAC, is that it empowers industry groups, associations, and privacy advocates within individual companies to take ownership of the issue. In the process, it shifts the burden of detailed codes away from government and back on to self-regulating sectoral organizations where peer pressure and other instruments of self regulation can be utilized much more effectively. This does not necessarily mean exclusive sectoral enforcement.
Having said that, I am generally supportive of the conclusions you have drawn in response to these latest consultations. I would simply note that, although I have not had a chance to consider them in detail, there seems to be nothing in these recommendations that is inconsistent with our approach to legislation.
It should be noted that a number of Canadian companies operate successfully in other countries, such as New Zealand, which already have data protection laws for the private sector.
CONCLUSION: The responses to the first consultation paper revealed that there is a large consensus that such a law should apply to everyone in the private sector, regardless of size and including non-profit organizations, and should apply to all personal information, using standard definitions of personal information (any information about identifiable persons). The real issues will arise in the content of the law and the enforcement mechanisms and powers, and much less in whether or not there should be a law.
2. What should the statement of data protection principles contain?
The consultations did not focus very much on this question. My second consultation paper summarized responses to my first consultation paper on the question of data protection principles this way:
Most respondents agree with the CSA Model Code's statement of principles and favour a uniform law that incorporates those principles. Generally, data protection principles are fairly basic, although variations in wording can be found from the CSA Model Code, the EU Directive, the OECD Guidelines and federal and provincial public sector data protection statutes. However, the basic principles themselves do not appear to be contentious. No one recommended any other model other than legislating the CSA Model Code, except respondents from Quebec who simply noted they already have a law. The real issue, then, is not what the principles should be but what form of compliance mechanism should exist.
See the Annex for the CSA Model Code's statement of data protection principles.
Any statement of principles will contain ambiguities and exceptions. The CSA Model Code contains fairly extensive commentaries to explain its principles. In the May 1996 issue of Privacy Files (a new publication canvassing privacy issues in Canada and elsewhere), Rohan Samarajiva notes two important areas of vagueness in the Quebec Act. (His comments could also apply to other statements of data protection principles.) First, he observes that the principle which limits collection to that personal information "which is necessary" for the intended purpose of the organization. Agreeing on what is "necessary" can be difficult. Second, the Quebec Act provides that personal information is not to be communicated to a "third person" or to be "used for purposes not relevant to the object of the file." The problem here is that disclosure within a company, or to subsidiaries, may not be considered disclosure to a "third person" and it may be difficult to agree on what is "relevant to the object of the file". The CSA Model Code says that personal information shall be limited to that which is "necessary" for the purpose identified by the organization and that it will not be "disclosed for purposes other than those for which it was retained" (disclosure is defined as meaning disclosure to third parties).
Another potential interpretation problem is in the principle that knowledge and consent of individuals is required for the collection, use or disclosure of personal information, "except where inappropriate" (from the CSA Model Code). A final potential problem is that data protection principles tend not to define permissible uses of personal information _ organizations can identify any purposes they choose.
The first consultation paper noted a number of potential problems with respect to data protection principles, but very few of the respondents indicated concern. There seems to be agreement that
- generally worded data protection principles do provide effective data protection;
- it is reasonable to expect that requested corrections can be passed on to others to whom the original information was communicated if the time frame is short enough (e.g.: six months) and if the requirement to forward amendments is focused on information whose inaccuracy might cause harm (e.g.: it is unlikely to cause a person harm if a correction in a person'saddress in a direct marketing mailing list is not passed on to others who received the mailing list); and
- it is reasonable to expect that organizations can keep data segregated for specific purposes and acquired from separate purposes.
RECOMMENDATION: data protection principles are fairly universal, even though they can differ from one data protection instrument to another. The principles in the CSA Model Code represent a good base on which to build a Uniform statute and these principles are consistent with the principles in the Quebec Act which regulates data protection in the private sector. There do not appear to be significant differing options with respect to the selection of data protection principles.
3. What kind of oversight mechanism should exist?
There was a strong consensus among respondents (20/22) that data protection regulators which already exist should be the agencies that monitor the private sector's handling of personal information, rather than using tribunals that already regulate specific sectors, rather than creating entirely new tribunals and rather than relying exclusively on the courts. Using existing data protection regulators would minimize the creation of new bureaucracies (and therefore minimize the costs associated with the legislation), would capitalize on the data protection expertise that already exists, and would promote uniformity in approach and interpretation of data protection principles for the public and private sectors.
Jacques St.-Amant, a lawyer with the Association Coopérative d'Économie Familiale du Centre de Montréal, wrote that
[I]n the context of a uniform statute which may be used by all provinces, it may be appropriate to allow for some flexibility in the area of implementation: one province might choose to grant jurisdiction on data protection to its already existing Privacy Commissioner while another might opt to grant such powers to its Human Rights Commission, for instance. ...
One thing however is clear: there is no basis for sectoral jurisdiction. Data protection principles are basically identical in all areas, territorial jurisdictions ensures more uniformity and expertise should be concentrated. That is not to say that sectoral regulators would be shut out: beyond the general principles, specific areas may occasionally require an expertise which regulators such as the CRTC may provide. By and large, however, CRTC, OSFI and others are not prepared to regulate in the data protection area, nor are they able to adjudicate in order to settle conclusively individual complaints. ...
In any event, sectoral regulation cannot be advantageous to citizens, nor to most enterprises. It would be a consumer's nightmare to face different rules and to have to find the appropriate commission depending on whether he has a problem with a bank, a telecommunication company, a utility or a retailer. It would also be a nightmare for businesses to face various regulators when trying to set their data protection policies, as the case of banks makes clear: would they be required to establish some rules in the labour regulations field, others pertaining to their consumer banking activities, and yet another set of rules applicable to their investment dealer subsidiaries?
An alternative voice was Colin McNairn, a private practice lawyer who is the author of a book on access and privacy legislation in Canada, who presented this suggestion:
I favour a sector specific approach, initially in respect of regulated industries or regulated service sectors broadly defined (e.g. financial institutions (not just banks) and medical care services (not just doctors) that are likely to be entrusted with personal information, with complaint handling through a panel of independent mediators/arbitrators assembled by the sector regulator or regulators and paid for out of levies against the regulated entities or individuals, at least where mechanisms already exist for passing on regulatory costs to such persons.
In addition, a few individuals suggested that existing information and privacy commissions and sectoral commissions could both play roles with respect to privacy. For example, Pierrôt Péladeau, editor of Privacy Files, says "we need existing commissions on data protection and sectoral commissions like the CRTC to deal with the larger privacy issues than strictly data protection (ex.: telecommunication privacy, etc.)." A representative from Equifax suggested that where sectoral commissions exist, they should be used, but where one does not exist, the data protection commissions should be used. A representative from Stentor would prefer that the CRTC have a significant role in data protection issues.
Charles Ferris of the New Brunswick Human Rights Commission said that the Commission must be representative of and sensitive to the private sector environment and must carry out its functions efficiently and economically. He suggested that each sector could create a sector-specific processes which would address public education, technology impact assessments, compliance audits and complaint processes. Mr. Ferris suggested that the Model Law and the Commission should set out minimum rules for the sectors to follow, and that the Commission would supervise or "manage" the sectoral application of these rules, rather than operating the functions itself. He did not favour recognizing sectoral codes in the model law itself.
Eugene Oscapella of the federal Privacy Commissioner's Office stressed that the role should be performed by an individual Commission er rather than by a Commission.
RECOMMENDATION: Of the various options (courts only; new agencies; sectoral commissions; panels of mediators/arbitrators appointed sectorally; existing data protection commissions) there is a large consensus for using existing data protection bodies to oversee laws regulating data protection in the private sector. This is the model adopted in the Quebec legislation.
4. What powers should an oversight body have?
The most significant issues with divergent views are what powers should an oversight body have, but even here there are a number of points of reasonably strong consensus.
Public education mandate
Almost everyone agreed the Commission (whichever Commission is ultimately designated by a jurisdiction to exercise data protection functions) should have a public education power (19/22), although one respondent noted that the Commission should not bear the lion's share of this responsibility, it should be the responsibility of government. There is no express public education mandate for the Quebec Commission.
Complaint investigation powers
Almost everyone agreed the Commission should have the power to investigate complaints (18/22) and to mediate complaints (17/22). The Quebec Act provides its Commission with the power to conduct investigations.
Complaint adjudication powers
Almost everyone agreed that that Commission should be able to adjudicate complaints (nine respondents suggesting that this should be done by the Commission, seven suggesting it should be done by adjudication panels (similar to the model of human rights commissions) (17/22). A few others suggested the better model is that of an Ombudsman, such as the role of the federal Information Commissioner and Privacy Commissioner, where the first recourse is to go to the Commissioner for mediation or a non-binding recommendation, followed by an appeal to court, which could be done by the Commissioner on behalf of the complainant if the Commissioner chose to do so.
Pierrôt Péladeau and others in Quebec find that a Commission that tries to perform too many roles can result in confusion and worse (Pierrôt Péladeau, "Visions for Privacy", Privacy Files, July-Aug. 1996, p. 9, reporting on a recent data protection conference in B.C.):
Nathalie Belleau, a tenant's rights advocate, and Raymond Doray, a lawyer representing large public and private data users, both faulted .the Quebec's Commission d'accès à l'information (CAI). complaint handling process because, in their opinion, it shows little respect for due process and natural justice requirements. Like many others, Doray points to structural conflicts between the CAI's many different roles: consultative body, tribunal, regulator and complaint handler. ... Two solutions were put forward: the first was to strip CAI of its judicial function and give it to an independent tribunal; the second was to set clearer and stricter practice guidelines, especially with regard to due process requirements in all the Commission's various activities.
Jacques St.-Amant's response supported the above view that adjudication should be separated from the other roles. Charles Ferris suggested that the investigation and mediation roles should be kept separate within the Commission, and that there should recourse to the Courts.
Company complaint process first?
Thirteen respondents agreed that the law should provide that individuals should use the company's complaint process before going to the Commission, so long as such a provision was carefully worded to prevent companies from using such a process to delay the complaint. It would also not apply where companies (especially small businesses) do not have a complaint process. Charles Ferris suggested there should not be a "company" complaint process procedure, but a "sectoral" complaint process that the sectors could establish. Others noted that in practice the Commission would use a "company process first" approach simply as a way to manage the volume of complaints and there is no need to put such a provision in the law. The Quebec Act does not have a "company process first" clause.
Eleven respondents agreed that the Commission should play a role in assessing the data protection implications of new technologies. However, the private sector respondents did not agree that the Commission should have this power but that this function could be performed by the private sector. Two of the respondents suggested that such a role is important but does not need to be performed by a data protection commission and could be performed by other government agencies. Eugene Oscapella suggested an appropriate government ministry could perform the role. Pierrôt Péladeau said:
We also need some kind of Office of Technology Assessment role to deal with issues beyond the strict privacy issue and provide public expertise for the conduct of public debates (this can be done through research departments of Ministries, specific agencies, funding for public research in universities, costs awards to citizens' organizations, etc.) I spontaneously tend not to give such a mandate to data protection commissioners because they tend to reduce the scope of their inquiry only to data protection related issues. ... This is a dangerous pitfall for data protection commissions: to think that data protection assessment is sufficient technology assessment. ... Technology assessment is a very good investment and does give good monetary returns (I have written a few papers on this subject). Technology assessment in fact diminishes the risks linked with systems development and diminishes the cost as well. ...
The Quebec Act does not make a specific provision for technology assessments.
Only ten of the respondents and none of the private sector respondents supported the Commission performing compliance audits. Some private sector respondents preferred independent registrars. The Quebec Act does not provide for compliance audits separate from complaints but allows the Commission to make whatever inquiries it chooses on its own initiative.
Order registration to the CSA Model Code?
Twelve of the respondents recommended integrating a private sector registration process into the law. Only six suggested mandatory registration of large companies ("large" might depend on the amount of personal information collected, number of employees or total revenues), and eight suggested the Commissioner should be able to order poor performers to register. A representative from Stentor suggested that registration is more effective with respect to some private businesses than others. Colin McNairn said that if governments used private standards registration processes on a wide-spread basis, this would be too expensive for the private sector. Pierrôt Péladeau stated:
Registration is needed only for intermediaries like credit bureaus with which the data subject has no direct business relationship ... This should a very light (just fill a one page form) process with no audits required. The objective is openness, public knowing of the existence of this organization.
Standard registration or certification DO NOT bring ANY benefit to data subjects. .his emphasis. The real interest is for businesses and organizations themselves: integrity of networks, business partnership, etc. No certification will prevent political conflicts with data subjects, nor can it solve them. Audits deal mostly with objective procedural requirements not with subjective conflicts. Standard registration or certification should not be mandatory but the ordinance power .power to make remedial orders. should be broad enough to implicitly permit a Commission to ask for registration in particular ad hoc cases.
Expressing the opposite view is Colin Bennett, Associate Professor of Political Studies at the University of Victoria, who recently wrote a paper for Industry Canada in which he says "Registration to the CSA Model Code contributes a crucial mechanism for enforcement within any potential regulatory system. ... It can be used to reward good practice, and to bring the recalcitrants into line. ... The standards-registration process can relieve regulatory bodies of checking and verifying .sectoral. privacy code content." The Quebec Act does not provide for a registration process.
A majority of respondents agreed that the Commission should be able to publish the names of companies who were found to have breached the requirements of the law (15/22), although there was a sharp distinction between private sector and other respondents, where only two of the private sector respondents supported this idea and one of them simply noted that the publicity would be accomplished because decisions of the Commission would be public. Pierrôt Péladeau said "Publicity is the atomic bomb of a Commission, far more effective than any penalty. A Commission should always have this power." The Quebec Act provides a publication clause.
Thirteen of the respondents recommended that the law should contain an offence provision, though it seems that relatively few expect an offence provision would be used often or would be very useful in promoting general compliance with the Act and satisfactory resolutions of complaints. Private sector representatives were not supportive of an offence provision. Eugene Oscapella recommended an offence provision for interference with a Commissioner's investigation, but otherwise no offence provision (similar to the federal Privacy Act). The Quebec Act has an offence provision for persons who collect, hold, communicate or use personal information otherwise than in accordance with the Act. Even without a specific offence, it should noted that all jurisdictions have a general offence provision where statutes do not specifically provide for an offence.
Whether or not the Commission should have the power to order damage awards was not canvassed in the consultation. It would be premature to make a recommendation on this point. The Quebec Act does not expressly provide for damage awards but allows the Commission to "order the application of such remedial measures as are appropriate to ensure the protection of personal information." Tom Onyshko recommends a provision for damage awards.
RECOMMENDATIONS: Based on the above, a uniform statute should provide the data protection commission with a mandate for public education, powers to receive complaints (but generally only after the organization's process had been tried first), conduct investigations, mediation and adjudication. Whether the adjudication would be better done by a single Commissioner, full-time hearing officers, or from an ad hoc roster should be the subject of further consultation. Also, the law should not expressly provide for compliance audits or for technology assessments (although it is probable and acceptable that a Commission might issue papers or reports on how certain technologies affect privacy). The law should provide the Commission with the power to publicize the names of organizations with poor performance (although even if the law did not expressly provide for this, the Commission's decisions and reports would be public in any event). It would be useful to conduct more consultation on whether and how the law might recognize to private standards registration processes. The law should contain an offence provision similar to the one in the Quebec Act.
5. What should be the subject matter of a Uniform Data Protection Act?
The consultation papers noted that there is very little uniformity in privacy matters and a wide variety of laws deal with privacy issues. The second consultation paper stated:
There is a patchwork of data protection and privacy laws already in place and adding a 'uniform' law to regulate data protection in the private sector would simply add to the heap. Almost all jurisdictions have data protection laws for their public sectors; most jurisdictions have separate credit reporting regulations (as noted above, Equifax is hoping a data protection for the private sector law might replace the eight separate provincial credit reporting laws); and a variety of industry and professional associations have codes which address data protection issues. Legal, medical, financial and other forms of privilege are sometimes expressly recognized in law, either in statute or common law, and constitute a form of data protection. The IHAC appears to consider medical records differently than other kinds of personal information. Ontario is apparently considering specific legislation for the protection of medical information. The protection of rape counselling records has been the subject of recent litigation and possible Criminal Code amendments. Many individual statutes have specific data protection rules, some of which extend to the private sector (e.g.: Income Tax Act and the use of the Social Insurance Number for purposes other than tax reporting; the Bank Act and provisions relating to security and confidentiality of financial records). The federal Privacy Commissioner has commented on the desirability of continuing public sector personal information rights for public employees who find their jobs transferred to the private sector. The CRTC has some responsibilities for privacy matters in the telecommunications industry (and it is on this basis that it has been suggested by some that the CRTC be responsible for regulating data protection in the telecommunications industry), the Office of the Superintendent of Financial Institutions has some with respect to banking.2
It can be difficult for the ordinary citizen to know which data protection or privacy rights apply to a given situation, how to enforce any rights they might have and difficult to understand why there are different privacy rules in different situations. These difficulties can become worse if we add to the laws that already exist sector-specific privacy codes, keep privacy torts separate from data protection remedies, keep private sector data protection separate from public sector data protection, or have multiple data protection commissions (e.g., federal and provincial commissions with shared jurisdiction in a province, or the federal Privacy Commissioner, the CRTC, OSFI, etc., all performing data protection functions at the federal level).
Thus, there is a considerable challenge to making laws which protect privacy uniform, understandable and accessible. While a number of respondents are sympathetic to this challenge, there seems to be a consensus that a uniform statute on data protection stands the best chance of being accepted if it is limited to data protection matters and does not address other kinds of privacy issues and does not try to get overly specific with certain kinds of sensitive personal information.
Less than half of the respondents supported including in the model data protection law specific provisions dealing with credit reporting (although Equifax would prefer uniform provisions in all jurisdictions, preferably as part of a uniform model data protection law) (10/22), invasion of privacy torts (based on the Uniform Law Conference's model Act in this area) (7/22), workplace privacy (i.e.: limits on employer rights to keystroke, e-mail or video surveillance or drug testing, etc.) (7/22), or medical records (9/22). The general view appears to be that the data protection law should express universally applicable data protection principles that are not context or technology specific. The Quebec Act includes provisions relating to credit reporting. Most jurisdictions have credit reporting provisions in other statutes.
Tom Onyshko was one of those who favours giving stronger protections for certain kinds of personal information within the model statute.
[A] model law might include controls on the collection of at least some sensitive information. The approach of existing data protection legislation is to impose controls on the use of information; however, the most effective method of preventing mis-use is to the control the information that may be collected in the first place. As I wrote in the conclusion to my thesis:
For example, legislation might prohibit the collection of government identifiers such as the SIN, except where required by law. Legislation might prohibit the collection of information about key grounds included in non-discrimination sections of human rights legislation (race, political or religious beliefs, sexual orientation, etc.) unless the information was collected directly from the individual and the collection was optional. The collection of information about health or sexual habits might be prohibited outside the medical context, except where compelling circumstances required collection.
Although common sense tells us that some personal information is more sensitive than other personal information, data protection principles generally allow organizations to identify any purpose they choose and to collect any personal information that is relevant to the identified purpose. In part, this may reflect how difficult it can be to identify when personal information is sensitive and when it is not (especially with data profiling) and to know when there is a legitimate right to collect even sensitive personal information. In part, it may reflect an assumption that organizations will generally collect only information with is directly relevant to their activities, because it would be a waste of resources to do otherwise.
Eleven of the respondents supported sectoral codes. Some persons have the view that universally applicable data protection principles do not vary between sectors; that sectoral codes could increase complexity and lack of uniformity for data protection. Some respondents indicated that if sectoral codes were permitted, the law should shape the codes and not the other way around, and the codes should be approved by regulation. In other words, sectoral codes would be fine so long as they met the legislated standards. Whether the uniform statute should incorporate sectoral codes, and if so, how this might be done should be the subject of further consultations. The Quebec Act does not recognize sectoral codes.
RECOMMENDATION: The uniform statute should express universally applicable data protection principles and an implementation mechanism, and should not attempt to set out specific rules for medical information, credit reporting or deal with privacy issues that are broader than data protection, such as workplace surveillance and invasion of privacy torts. More consultations should be undertaken with respect to the use of sectoral codes.
6. Miscellaneous matters.
There seemed to be a general consensus that technology-specific data protection rules are not needed. The Quebec Act does not create technology-specific rules.
There seemed to be little concern among respondents about cross-border data flows or special rules for such data movements. The Quebec Act requires organizations communicating personal information from within the province to destinations outside of Quebec must take all reasonable steps to ensure that the information will not be used for purposes not relevant to the object of the file or communicated to third persons without the consent of the persons concerned (with a number of exceptions, see the Annex).
There seemed to be general level of comfort with the "opt out" for intended uses (i.e.: organizations can use personal information for identified purposes unless the individual opts out of the use, rather than requiring express consent for the use. This is particularly important for selling and sharing mailing lists). This is consistent with the Quebec Act.
Although it was accepted that it is virtually impossible to prevent persons with authorized access from using that access for unauthorized purposes, only one respondent suggested there should be a specific offence created to deal with such individuals. The Quebec Act does not deal with this problem directly.
The consultation papers did not address issues concerning the constitutional limits to what activities might be subject to federal law or provincial law. Pierrôt Péladeau noted that where there is no law, an existing law can apply. He gave as an example a company operating in a number of provinces: "Maritime workers can use the Quebec Act as their files are kept at the Montreal regional office of the company and in the Toronto head office. Since it has a business place in Quebec, even the Toronto files are under the Commission d'accès' jurisdiction."
Eleven of the respondents suggested a uniform statute should have a provision that provides in case of conflict between applicable data protection laws, the law that best protects personal data should prevail. Others preferred to rely on the traditional federal paramountcy rule, which would promote greater certainty in the law.
Conclusion and Next Steps
In 1995, the ULCC adopted a resolution to work towards a Uniform statute regulating privacy in the private sector. Since that time, much work has been done within the ULCC context and in other contexts to find consensus among the various interested parties and much consensus has been found. The CSA Code and the Information Highway Advisory Council report are excellent examples of the consensus that is emerging. Data protection principles are fairly universal, whether expressed in the CSA Code, the Quebec Act on protection of personal information in the private sector or the European Community Directive. While the principles will be at the heart of any uniform statute, the key decisions for policy makers will be in the implementation mechanisms.
This paper has set out a number of recommendations relating to those implementation mechanisms. There are a few areas where more consultation and research may be desirable, such as with respect to the desirability or use of sectoral codes, the adjudication mechanism (panels of experts, courts, all-in-one commission), the extent of the remedial powers of a commission (damage awards, use of private registration processes, publicity?), and the relationship between federal and provincial Acts.
The task now is for the ULCC to consider the recommendations in this paper and make proposals that will advance the development of a uniform statute regulating data protection in the private sector.
RECOMMENDATION: The ULCC should approve and support the drafting of a uniform statute based on the directions and recommendations set out in this report (subject to specific changes the 1996 meeting of the ULCC might suggest), and based on further consultations and research with respect to sectoral codes, adjudication mechanism and remedial powers.