|
||
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: |
PRIVACY LAW NEEDS OPEN DISCLOSURESource: Michael Geist, GlobeTechnology.comPosted on May 31, 2001 Friends and foes of Canada's new federal privacy legislation tend to agree on at least one issue -- the law is deceptively complex. Although the basic principles of privacy protection are relatively straightforward -- organizations must obtain consent for the collection, use, and disclosure of personal information as well as provide individuals with information about the data collection practices used and access to their personal information files -- the implementation of these principles is subject to different interpretations. George Radwanski, Canada's privacy commissioner, is the arbiter who determines how to interpret and implement these privacy obligations. The law requires the privacy commissioner to investigate each privacy complaint filed with his office and to issue a report on the complaint within one year. This places a huge burden on the privacy commissioner's shoulders, since everyone with an interest in personal privacy -- from organizations seeking to ensure they comply with the law to individual Canadians asserting their privacy rights -- turns to Mr. Radwanski for guidance. In light of the importance of the privacy commissioner's decisions, it comes as a shock to learn that Mr. Radwanski's current policy is to keep his decisions and interpretations secret, with the exception of a few decisions that may be highlighted in his annual report or used to encourage greater privacy compliance by recalcitrant organizations. While this approach reflects a longstanding policy at the privacy commissioner's office, one that may have been appropriate when it dealt only with privacy complaints involving the federal government, the expansion of the privacy commissioner's duties to include on-line matters should also bring with it a change in Canada's disclosure policy. In contrast to this federal approach, provincial privacy commissioners, such as Ann Cavoukian in Ontario or David Loukidelis in British Columbia, regularly publish their decisions on the Internet for everyone to see. This provincial open approach ensures that organizations can gauge how to comply with the law and that individuals can better understand their privacy rights. For example, consider the application of the federal privacy law's consent requirements. The current law contains a flexible provision that mandates an explicit consent for the collection, use and disclosure of sensitive data, but allows for an implied consent for less sensitive information. Organizations will be looking to the privacy commissioner for what constitutes sensitive data or what is considered acceptable implied consent. Under the current non-disclosure policy, there will be precious little public guidance, leaving organizations vulnerable to expensive investigations and higher compliance costs. Individual Canadians will also be hurt by the policy of non-disclosure. Under the new law, organizations must provide Canadians with access to their personal information file. Unfortunately, the law is short on specifics when it comes to implementing this new access right. For example, how quickly must an organization respond to an access request? What, if anything, may be excluded from the report? Answers to questions such as these must come from the privacy commissioner. The privacy commissioner has publicly defended his position by arguing that keeping his decisions private provides him with greater leverage over non-compliant organizations. He notes that adverse publicity is his most powerful weapon and that a position of non-disclosure enables him to threaten violators with public disclosure in order to ensure better and quicker compliance with the legislation. The privacy commissioner neglects to mention, however, that the costs of this approach are borne by everyone. Organizations seeking to comply with the law face the additional costs of not knowing how the law has been interpreted. Individual Canadians, meanwhile, are denied the information they need to fully take advantage of their newly enshrined privacy rights. The policy is particularly puzzling since an obvious compromise exists: Information that might identify a violator could easily be removed from decisions, leaving only the fact scenario -- along with the decision and reasoning -- to be released. Such an approach would provide everyone with what they seek -- the public would gain a better understanding of how the legislation is being applied, while the privacy commissioner would retain his power to threaten organizations with public disclosure if they don't comply with the law. In fact, the privacy commissioner could and should do more than just begin to post his compliance decisions. He should also post unofficial guidance, providing organizations with the opportunity to pre-clear their corporate privacy policies with his office and making those guidelines public on a "no-names" basis. The appropriate policy on public disclosure is as simple as the law is complex. Whatever steps can be taken to make it easier for organizations and individuals to understand their rights and obligations under the new legislation should be pursued. A policy of openness is undoubtedly another issue that friends and foes of the legislation can agree upon. Michael Geist is a law professor at the University of Ottawa Law School and director of e-commerce law at the law firm Goodmans LLP. His Web site is http://www.lawbytes.com.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
ALERT WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |