
THE RILEY REPORT – March 2002

From Thomas B. Riley (Tom@Rileyis.com)

 

http://www.rileyis.com 

Following is the Riley Report for March 2002. Please feel free to pass this on as you see fit. If you wish to use any part of the Report in an offline publication, please acknowledge the author, or contact the author if it is to be fully republished offline. If you are not currently subscribed to the Riley Report (there is no charge), you can email info@rileyis.com and simply put subscribe in the body of the text. You can also go to the Riley Report at: http://www.rileyis.com/rileyreport/ and subscribe there.

This month The Riley Report presents a guest column written by Professor Colin Bennett of the Department of Political Science at the University of Victoria, Canada. Professor Bennett is a long-time international privacy expert, highly respected in his field, and has published many books and articles on the subject of privacy and data protection.
                           
His column here is based on a speech delivered to a privacy conference on March 11, 02, produced by the Freedom of Information and Privacy Association of British Columbia.   Professor Bennett addresses some major privacy issues that have arisen since the recent passage of Canada's privacy law covering the private sector.   While Professor Bennett, in his column, specifically addresses issues of privacy under Canadian law, his comments are relevant to a wider, international audience as he addresses very basic privacy precepts and tenets.  His analysis goes to the core of the privacy and data protection issue.

This is the first of two reports on recent privacy developments in Canada and around the world. The next Riley Report will deal with how, through legislative measures in many countries, the nature of privacy is changing since the events of September 11/01.

Thomas B. Riley (tom@rileyis.com)  


 

THE FIRST YEAR OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT:  WAS THIS THE WAY IT WAS SUPPOSED TO BE?

 

by Professor Colin J. Bennett

Address to the conference on  "Understanding Privacy New Laws, New Challenges", Vancouver, March 11-12th.  


I've been involved with the attempt to fashion a stronger and more consistent set of privacy rights in Canada for the last 12 years or so. I was involved (peripherally) in the Canadian Standards Association (CSA) process, in the later attempt to get an international privacy standard, and in the implementation of the European Union (EU) Data Protection Directive. I have also written about this subject comparatively. In the light of that historical and comparative experience, I want to share some thoughts on the first year of Canada's attempt to extend privacy protection to the organizations of the private sector through the Personal Information Protection and Electronic Documents Act (PIPEDA).

I have not done systematic interviews, but from my conversations with governmental officials, private sector representatives, consumer groups etc. there seems to be a widespread feeling that something is wrong with the way PIPEDA is working:  that this is NOT the way it was supposed to have been. How one measures whether privacy protection laws are "working", however, is a complicated issue. The goal to be attained is a fluctuating, imprecise and subjective one, and there are no common yardsticks for measurement. However, if one were to try to answer the question, what practices have changed as a result of the enactment of PIPEDA -- that would not have changed anyway -- I'm not sure that one could come up with a substantial list.

There will always be a certain volume of criticism of any new legal regime. If there weren't I would be concerned. But to what extent is this disappointment a reflection of: 1) the inherent complexity and difficulty of the issue; 2) weaknesses in the law; or 3) problems of implementation and oversight? In this address, I want to try to unpack some of these reasons, and in a spirit of constructive engagement suggest ways that the Office of the Privacy Commissioner (OPC) might operate differently.

The Issue itself?
First, let us not forget that privacy protection is an inherently complicated question.  The number of practices that we can all agree are invasive is minimal.  Most issues operate at the margins. The resolution of complaints and the promotion of compliance take place in some gray interpretive areas: whether X is indeed personal information; whether consent is indeed "informed"; whether the organization made bona fide efforts to respond to an access request; whether the security provisions are consistent with the "sensitivity of the data"; what a "reasonable person" would consider an appropriate purpose; what is a "consistent use"; and so on.   Any resistance to the implementation of privacy tends to focus on these more subtle issues of interpretation, which then lead to some quite complicated and technical debates about the balancing of risks within certain organizational and technical contexts. 

Second, the organizational interests and technological forces that operate to oppose privacy protection are extremely strong.  No business or government agency will tell you that they do not like privacy.  But many will seek to define the issue in ways that suit their interests, and to finesse the rules in such a way to minimize inconvenience.  The general public is also very concerned about privacy.   But it also has variable understandings about what privacy means, and about the trade-offs that are available.   And in the wake of September 11th, as many have noted, privacy has certainly been on the defensive.   

Or is it the Law?
I was always very supportive of the theory behind PIPEDA.  It made a lot of sense, in my judgment, to base the legislation on the existing consensus embodied in the CSA standard.  And it produced a quite distinctive Canadian approach to privacy protection, about which there has been a great deal of interest overseas.  When I testified in 1999 on the original Bill C-54, I noted that Canada had embarked on a policy process of building data protection from the bottom-up.  The standard built on existing industry codes.  The law built on the standard.  This theory recognized the realities of enforcement;  compliance has to emerge as much from the bottom-up, as from the top-down.

But as drafted, C-6 gives the impression that the most important responsibilities of the Commissioner under this legislation relate to complaints investigation and redress.   In my view this is one of the less important functions of a privacy or data protection commissioner. The complaints investigation process is largely a reactive one, performed only after privacy problems arise. The implementation of privacy protection law is, however, as much an educational or consultative effort as an investigative one. Much can be achieved in anticipation of policy and system development if privacy protection is built in at the outset, rather than "added on" afterwards.  Commissioners in other jurisdictions are as much educators and consultants as they are investigators, judges and enforcers.  The most important functions are those that are anticipatory and general, rather than reactive and specific.  

Or is it the Office of the Privacy Commissioner?
Privacy protection laws create obvious dilemmas for privacy commissioners. They have many hats to wear, some of them contradictory.  Both federal statutes (the Privacy Act and PIPEDA) invite the Commissioner to be both an enforcer and an educator; an advocate and a balancer; a publicist and a private negotiator.  On a larger theoretical level, therefore, the implementation of data protection policy involves a considerable degree of learning and mutual adjustment and readjustment.  It is not characterized by a top-down process of command, control and sanction.  It is a process that involves organizational change and learning and that involves a large implementation network of persons and organizations engaged in the co-production of data protection.  In this context, the roles are not fixed.

First I will make some positive comments.    One of the persistent criticisms of privacy commissioners is that they are spineless.  They 'balance' too often.   They are too pragmatic and expedient. In his seminal study of data protection policy in 6 countries, David Flaherty concluded that: 

The data protection agency should not be a mini-parliament that seeks to settle the appropriate balance internally, nor should it concentrate solely on presenting a balanced perspective of the competing interests to the external master, be it the government or the legislature.   Its emphasis should be on the anti-surveillance side of the balance, since the forces allied against privacy, or at least in favor of efficient surveillance, are generally so powerful. 

The Canadian law covering the private sector, PIPEDA, contradicts that view. Its purpose is to "establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances" (Section 3, my emphasis). Moreover, the importance of organizational interests stems from the government's explicit attempt to link privacy protection to its more general effort to promote electronic commerce.

Some of the initial public comments by Commissioner Radwanski suggest that he agrees with David Flaherty. He has stated that Parliament created the position of the Privacy Commissioner of Canada, not only to oversee Canadian privacy law, "but also to serve as the champion of the privacy rights of all Canadians." Earlier he concluded a speech by stating that "a Privacy Commissioner's voice has to be raised in constant advocacy of privacy, reminding people of their rights and obligations, standing up for principle in the face of expediency and convenience, and strengthening one of the most critical elements of the social glue that binds us together -- strengthening privacy." Thus, a quite strident and public posture of privacy advocacy is contrasted with legislative reality and statutory responsibility that inevitably requires a more pragmatic role.

Second, Privacy Commissioners need to be publicists.  Initial evidence from the first year of PIPEDA's implementation suggests that the current Commissioner is, by instinct, a publicist who understands the important role of the media in spotlighting privacy-invasive practices.   Like his predecessor, Bruce Phillips, George Radwanski is a former journalist who has a keen instinct for what makes news, and a large number of contacts who might give him a sympathetic ear.    Each Privacy Commissioner has also tried to make a big media event of the publication of the Annual Report.   The discourse in these reports used to be quite populist in tone, with cute headlines and the occasional cartoon punctuating the reports on legislative and policy developments.  I was glad to see the first report of Commissioner Radwanski adopt a more serious tone.

Having acknowledged some obvious benefits to having a Commissioner with backbone and an instinct for publicity, I would now like to suggest some ways in which his office might operate more effectively.  

It is not entirely clear that the Office of the Privacy Commissioner fully recognises that successful privacy protection depends on using the entire repertoire of possible policy instruments for the protection of privacy.  It should never be forgotten that any privacy protection regime has to rely, not only on law, but also on codes and standards, on the application of privacy-enhancing technologies and on the actions of an informed and vigilant citizenry.  Each is a necessary condition for privacy protection in any society; none is a sufficient condition.   This is one of the overriding messages of our book, Visions of Privacy.  So what does this mean in practical terms?  

First, there obviously needs to be better cooperation between provincial and federal commissioners.  One problem, of course, is that each statute, and each agency, has been created independently and with little regard to cooperative action. Certainly there has been a good deal of policy emulation from province to province, leading to a degree of policy harmonization.    And of course, the federal structure provides a natural laboratory for policy learning.   But, little in any of these distinct pieces of legislation, at either federal or provincial levels, contemplates a concerted approach to the implementation of privacy protection policy in Canada.  

Even before PIPEDA, the Commissioners have held annual meetings to discuss issues of common import. Rarely, however, have these occasions prompted any public statement or communiqué. It is certainly arguable that the progress of privacy protection in Canada will depend upon the ability of the Commissioners to learn from one another, and occasionally to act and speak with one voice.

Second, there is clearly a need for greater collaboration with those associations who have already developed codes of practice. It seems rather counterproductive for rules about direct-marketing, for example, to emerge slowly and pragmatically from the accumulation of findings in response to complaints. Surely, the staff of the Commissioner's office and the Direct Marketing Association (DMA) can get together to figure out a consistent interpretation of the rules for notification, consent, access and so on. The law, after all, is based on the CSA standard, which grew out of association codes, such as that of the DMA. The discrepancies are not that great. I have seen a number of pieces of direct-mail promotions come into my home since 2001 and wondered whether or not they are technically in compliance with PIPEDA. (I already have one complaint being investigated). But frankly I could have lodged a far greater number, not about major privacy violations but about practices whose legality simply needs to be clarified. I am sure the same is true with respect to the banks, the insurance companies, the telecommunications industry and so on. Much can be done to preempt complaints, if there were a better level of cooperation between the OPC and the major Canadian trade associations. In this regard, much can be learned from the approach of the Privacy Commissioner in Australia, who is overseeing a new law, explicitly based on the co-regulatory model.

Third, it is equally important that the CSA standard not fade into oblivion.   The dominant attitude seems to be that the standard has done its job, in forging a consensus around which the new legislation could be based.   I think such a view is short-sighted, because it ignores the crucial role that the standard can play in the implementation of PIPEDA.  A mechanism is currently in place to ensure that organizations say what they do, and do what they say.  Once an organization is registered, the CSA Model Code ceases to be a "voluntary" mechanism.  That organization would have to produce a code and a related set of operational guidelines and be subjected to regular and independent auditing of its practices by an accredited registrar. This is a very important technique that an under-resourced OPC can use in order to ensure a good level of compliance.  In my view, the Commissioner should be constantly advising companies to engage in the certification process.  That process at least ensures that the correct privacy questions are asked, if not always answered in clear and acceptable terms.     

Of course, this would require a more proactive role by the CSA, and its branch the Quality Management Institute, both of whom seem to have abandoned their own creation.  It will also require a closer cooperation between the Office of the Privacy Commissioner and any other accredited registrar.   Clearly rules need to be developed about what constitutes an effective privacy audit, and about how to accredit auditors.   The OPC cannot, and should not, try to do everything.   They should be relying on those institutions in Canadian society that have plenty of experience of management auditing.   

Finally, let me say something about the investigation findings.  Whatever one believes about the results in different cases, I would argue that some of these decisions need a lot more substance and weight.   Clearly, findings of investigations into whether Person A did or did not receive his credit report on time do not need lengthy treatment.   On the other hand, major findings such as those on the Yellowknife and Kelowna video-surveillance plans would benefit from having more substance.  I do not dissent from either of these decisions.  On the contrary, I think the Commissioner has taken a very bold stance.  I just suggest that his findings might carry more weight in the communities concerned if the judgments were supported more effectively.   I do not necessarily mean just legal reasoning, but also empirical social science evidence.  There is a wealth of expertise in Canada on these and other issues that the Commissioner and his staff could be using more effectively.  

Of course, if the investigation findings are to carry more weight, then the complaints themselves need to be more substantial.   I am frankly disappointed with the extent and quality of complaints that have been made under PIPEDA.  Those of us who know about this subject should be using the law more.  And this means making substantial, credible, well-articulated complaints about any practices that strike us as contrary to this legislation.  

In conclusion, I do not agree with all the constant criticism of how the OPC is doing, because I fully understand the difficult dilemmas he and his staff face. It may be that some of the changes I have suggested are being contemplated. But if they are, that is not obvious, because the staff of the OPC do not engage, or are not allowed to engage, openly and constantly with the Canadian 'privacy policy community,' the core of which originally coalesced around the table at the CSA.  I think their overall administrative style has become too reactive, and too removed from the ongoing debates in Canada.  Yet, if greater emphasis is to be placed upon those educational and advisory functions that may actually change practices before problems occur, then this style may have to change.  The Commissioner and his staff need to educate; but they also need to be educated.   They need to investigate and respond to complaints; but they also need to give advice to, and cooperate with, data users, so that the complaints do not arise in the first place.   They need to faithfully implement the law; but they also need to realize that PIPEDA is just one, and not necessarily the most important, instrument in the "privacy toolbox" in Canada.  And all that involves moving from a style that is somewhat aloof and reactive, to one that is more engaged and proactive.  

 

Professor Colin J. Bennett
Department of Political Science
University of Victoria
Victoria, B.C.
V8W 3P5
CJB@UVIC.Ca
http://web.uvic.ca/polisci/bennett                                   


The Riley Report

Thomas B. Riley 
Executive Director 
Commonwealth Centre for Electronic Governance 
http://www.electronicgov.net 
Visiting Professor, University of Glasgow 
Riley Information Services Inc. 
http://www.rileyis.com  
Tom@Rileyis.com 
100 Bronson Ave., Suite 1203 
Ottawa, ON K1R 6G8 
Ph:  613-236-7844 
Fax:613-236-7528 


With author attribution, this document may be freely copied in whole or in part for online distribution.
Any offline use requires the author's permission.