The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Monday, April 11, 2005

The Three Stages of Canadian Privacy Law 

Michael Geist, in his most recent Law Bytes column, writes that he believes Canadian privacy law is soon to enter a third stage. Self-regulation (stage one) and weak enforcement (stage two) will give way to more aggressive enforcement, particularly after the Personal Information Protection and Electronic Documents Act comes up for review next year. There is no doubt that enforcement of the law has been very low key up to this stage, leading to very uneven compliance, with many businesses dismissing the need to comply with the law.

The Three Stages of Canadian Privacy Law:

"Canadian privacy law has developed in three stages. Stage one involved the adoption of a self-regulatory approach to privacy protection, as the Canadian Standards Association brought together industry, government, and public interest groups in the early 1990s to develop a non-binding code of privacy best practices based on international standards.

While the CSA Model Code was initially hailed a self-regulatory success, within a few years it became apparent that few companies were willing to bind themselves to the Code’s principles.

With the growing interest in privacy protection, Ottawa moved to stage two by introducing the first national private sector privacy statute (PIPEDA) in 1998. That law, which took effect in 2001, directly incorporates the CSA Model Code into the legislation, supplemented by a series of enforcement provisions.

The result is a light regulation model that emphasizes mediation of privacy disputes. Administration rests with the Privacy Commissioner of Canada who issues “findings” that are not binding on the parties. Unlike some of her provincial counterparts, the Federal Commissioner does not currently enjoy order-making power. Rather, she must apply to the federal court, which is not bound by her findings, for enforcement. In addition to the statutory shortcomings, the Commissioner has been reluctant to engage in an aggressive application of the law, protecting the targets of privacy complaints by refusing to disclose their identity.

As Canada heads toward a review of the current law led by Industry Minister David Emerson, it is likely moving toward the third stage of privacy law that will be characterized by greater emphasis on transparency and aggressive enforcement.

Recent developments point to three potential reforms that illustrate this evolution. First, as frustration mounts over the Commissioner’s lack of order making power as well as the policy of shielding the targets of privacy complaints, the third stage of privacy law will feature growing pressure to address these issues through a statutory amendment. Although order making power might result in more contentious investigations and challenges to the Commissioner’s findings, it would also send a much-needed message about the importance attached to privacy protection in Canada.

Moreover, a commitment to disclosing the names of organizations that breach Canadian privacy law would create an important incentive for greater compliance. According to a recent, unreleased finding involving spam, the Commissioner reminded the target of the complaint that failure to abide by Canada’s privacy legislation created “a risk that its business reputation will be tarnished.” This statement will only become reality if the Commissioner begins to name names.

...

Third, the B.C. outsourcing case points to the need for increased statutory protections for personal information that may be secretly disclosed to foreign law enforcement authorities. Although the recent court case was a nominal victory for the outsourcing company, a careful examination of the decision reveals a dramatic change in the protections afforded to the personal information in question.

The B.C. judge affirmed the importance attached to privacy protection but allowed the outsourcing arrangements largely because of a series of significant new protections introduced by Maximus in response to the public outcry. These included a $35 million penalty for breach of confidentiality, extensive provisions to ensure that the data remained in the province, and a contractual term prohibiting disclosure of the data.

The Maximus case will set the benchmark for future outsourcing arrangements in Canada with similar safeguards likely to be introduced on a national level in the months ahead. If accompanied by order making power and greater transparency, it will go a long way to ushering a new age for Canada’s privacy law framework. The days of light regulation for Canadian privacy appear to be numbered."

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.