The adoption of legislation is not a panacea to all the ills in society. For a time, governments may have believed that by adopting legislation they could regulate not only the market imbalances created by monopolies, but also a whole sector of activities to ensure that they provided adequate service to citizens. In an open economy, however, the markets and the law of supply and demand regulate economic activities. Since the deregulation of the American airline industry in the late 1970s, governments have tried to regulate less but to regulate better. In Canada, whole sectors of activities have been deregulated in the last 15 years. This trend is continuing, as shown by the introduction in Parliament last year of a bill (the Regulatory Efficiency Act) that would allow the replacement of regulations by standards negotiated between a responsible minister and a regulated entity. Whether that bill is passed or not, the trend is well established: governments will look at legislation and regulations only when other methods of controlling an activity or a behaviour have failed.
That is not to say, however, that the adoption of data protection legislation applicable to the private sector should be precluded. Privacy is a human right protected under the Canadian Charter of Rights and Freedoms, and similar human rights, such as equality rights, benefit as well from protection in other legislation. The same reason that lies behind legislation against discrimination or supporting workplace safety or environmental protection applies to a right of privacy: to protect a societal value that is fundamental to the interest of all citizens.
Privacy, as a subject of legislation, is not exclusively either a federal or provincial concern. It is an area of shared responsibility, like human rights legislation, and legislation in this area should preferably be, if not identical throughout the country, at least based on the same underlying principles, especially with respect to the private sector. Given the ease with which information crosses boundaries, cooperation between the federal and provincial governments on this issue is essential if we are to meet the concerns that Canadians have expressed over privacy.
Data protection legislation can take many forms, but to be effective it needs to be based on a set of fair information practices similar to the 10 principles enunciated in the CSA Draft Model Privacy Code. The difference lies in the degrees of coercion and voluntary cooperation it relies on. A "light" version would require collectors and users of personal information to adopt privacy codes, based on the CSA model, within a specified time frame. An advisory body could help draft and promulgate the code, and the legislation would impose codes created by that body if the deadline has not been met. Compliance with the codes would be purely voluntary. A "heavier" version would provide a public body with the powers to force a private sector entity tocomply with its own code(53). Between the two versions, there is a range of "medium" versions that could be developed.
Another variation of the two options outlined above could be to design codes that are sector specific, which would allow greater flexibility to the protection of privacy interest in different contexts. Having separate data protection laws or regulations to address the concerns of specific industries such as telecommunications and insurance, might cause severe difficulties in compliance, however, since different sectors of industry exchange information(54) and the lines between industries are beginning to blur.