PrivaTalk - May 2004
Volume 4
Issue 3
Privacy Commissioners Establish Process for Dealing with Privacy Complaints
Based on discussions between the federal, Alberta and B.C. privacy commissioners, this article outlines the process that will be implemented when a complaint is filed with the Federal Privacy Commissioner’s office against an organization in British Columbia or Alberta.
Until the B.C. and Alberta Personal Information Protection Acts (PIPAs) are declared to be substantially similar by the Governor in Council:
- The Federal Privacy Commissioner’s office (the “Office”) has a legal obligation to apply the Personal Information Protection and Electronic Documents Act (PIPEDA) where appropriate.
- The Office will take complaints against private sector organizations in B.C. and Alberta that are collecting, using or disclosing personal information about their customers in the course of commercial activities. This includes organizations that deal in personal health information such as physicians and dentists’ offices, private laboratories, etc.
- The Office will verbally inform complainants of the possibility of complaining directly to the appropriate provincial commissioner and that complaints which fall clearly in provincial rather than federal jurisdiction, after a substantially similar order, will be transferred in any event.
- If the complainant wishes nevertheless to proceed federally, the Office will open a complaint file but will inform all parties to the complaint that there will be a transfer of the complaint and all information on the file to the appropriate provincial commissioner if and when a substantially similar order is made.
The Office will continue, after any substantially similar order is made, to take complaints concerning federal works, undertakings and businesses (FWUBs), including complaints about employee personal information and information about job applicants to FWUBs.
Before the making of a substantially similar order, the complaints will be handled as per (2) above in all cases unless the complaint is substantially about the crossing of inter-provincial boundaries or the issue otherwise falls under the Office’s jurisdiction. After the making of a substantially similar order, complaints will be handled as per arrangements which the Office promises to continue developing with the B.C. and Alberta commissioners.
The three privacy commissioners are also currently discussing the following issues:
- Arrangements to share the contents of complaint files where circumstances warrant and this is consistent with each of the respective laws and regulations in the applicable jurisdictions;
- Harmonization of statistical reporting and language for such reporting where possible;
- Development of joint statements, questions and answers, and jurisdictional tools where possible.
For those businesses with offices in multiple provinces who are now faced with three private sector privacy laws to comply with, it is encouraging to see that the Privacy Commissioners are talking to each other and clarifying the complaint handling process.
The Use of Opt-Out Consent
Organizations that have existing databases containing personal information about thousands or even millions of individuals face special challenges now that PIPEDA applies to them. The cautious approach is to obtain positive consent from each of the individuals before using their personal information; this is known as the “opt-in” approach. The obvious disadvantages of using an opt-in approach are the cost of contacting each individual and the likelihood that the vast majority of them will not respond one way or the other.
As a result of these difficulties, most organizations with large customer databases that became subject to PIPEDA in 2001 (such as banks, telephone companies and cable operators) used a form of negative option or “opt-out” consent. This opt-out strategy generally involved sending a notice to all customers outlining the organization’s proposed collection, use and disclosure of personal information (generally characterized as something positive like “we respect your privacy”) with details about how an individual could withdraw their consent to some or all of the enumerated uses. Such an opt-out strategy, combined with express consents in new application forms, was felt by organizations to be sufficient to permit ongoing use of their existing databases.
The effectiveness of opt-out consent strategies is still unclear. Here is what the former federal Privacy Commissioner said about an attempt by Aeroplan to employ an opt-out notice to obtain consent from existing customers:
“Like most privacy advocates, I have a very low opinion of opt-out consent, which I consider to be a weak form of consent reflecting at best, a mere token observance of what is perhaps the most fundamental principle of privacy protection…Accordingly, while acknowledging that the Act does provide for the use of opt-out consent in some circumstances, I intend, on all future deliberations on matters of consent, to ensure that such circumstances remain limited, with due regard both to the sensitivity of the information at issue and to the reasonable expectations of the individual.”
The strange thing about this quote is that one would have thought that the Commissioner, as a statutory appointee to administer specific statutes, is not a “privacy advocate”. In any event, the former Commissioner’s approach to opt-out consent was not very consistent. In PIPEDA case summary #82, the Commissioner called a bank’s procedure for leading customers through an opt-out process a “highly exemplary method of obtaining consent”.
In a series of recent decisions (in particular, PIPEDA case summary #192, 203 and 207), the interim Commissioner attempted to clarify the situations in which opt out consent can be used. He stated that the following conditions must be met in order for an organization to justify reliance upon opt-out consent:
- The personal information must be clearly non-sensitive in nature and context;
- The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure;
- The organization’s purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual’s attention at the time the personal information is checked; and
- The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.
While this enumeration of conditions provides a welcome clarification of one of the most important areas of privacy compliance, it may be too restrictive to be realistic. For example, the first condition would limit the availability of opt out consent to non-sensitive information; based on the characterization in Principle 4.3.4, health and financial records would always be considered sensitive. It is clear, however, that there should be no objection to a bank or other financial institution using opt out consent to obtain consent to the everyday use of personal information that is required to process transactions for customers, and in fact there have been decisions of the Commissioner that permitted such opt out consent to be used. It remains to be seen how this list of conditions is interpreted by the present Commissioner, Jennifer Stoddart, and whether it is accepted by the Federal Court as the appropriate standard.
ISPs Win – File Sharing on the Internet appears to be a Private Matter
The Federal Court of Canada recently ruled in favour of the protection of personal information in a lawsuit launched February 10, 2004 by the Canadian Recording Industry Association (CRIA) against 29 alleged music file-sharers. CRIA was requesting the release of the identities of the alleged file-sharers by Internet Service Providers (ISPs), but Mr. Justice Konrad von Finckenstein concluded that CRIA had failed to produce evidence that proved the file-sharers knew they were distributing or reproducing sound recordings without authorization.
ISPs (including Bell Canada, Telus Communications, Rogers Cable, and Shaw Communications) were unwilling to release the identities of their customers, because of their commitments to maintaining subscriber privacy. The ISPs made efforts to notify their affected subscribers about CRIA requests in advance of the hearing to allow the subscribers a chance to seek legal advice or representation.
Shaw Communications argued that privacy legislation protects the identity of its subscribers and, along with other ISPs, argued that in any case the required information wouldn’t be 100 per cent accurate due to the dynamic make-up of IP addresses.
It was concluded that CRIA failed to make a valid case that ‘public interest’ trumps privacy concerns. Justice von Finckenstein noted that Canada’s Copyright Act allows the downloading of music for personal use. He also cited a recent Supreme Court of Canada decision on photocopying, which established that the setting up of photocopying facilities does not authorize infringement. “I cannot see a real difference between a library that places a photocopy machine in a room full of copyrighted material and a computer user that places a personal copy on a shared directory linked to a P2P (peer-to-peer) service,” he wrote.
P2P service is now being incorporated into the Project Gutenberg eBook sharing platform. The organization’s stated mission is to “put the world’s great literature on the hard drives and in the CD collections of as many people as possible at little or no cost.” Recently Project Gutenberg announced the opening of a Canadian operation. The organization notes that within the P2P service even the several hundred copyrighted eBooks may be shared for non-commercial purposes. The Canadian federal court decision could prompt an attempt to experiment with the free file sharing of current and contemporary literature, an industry already implicated in the photocopying decision.
The CRIA action is limited to a small percentage of music file-sharers who engage in massive piracy. The federal court decision to respect the autonomy of the individual P2P file-sharer will be challenged by the music industry as it continues to seek the identities of the alleged file-sharers. CRIA lawyers will have to produce evidence that proves without a doubt that Internet music sharing negatively affects the public interest and outweighs the negative effect of sharing personal information.
In the U.S. the music industry has sued almost 2000 people and has reached 400 out-of-court settlements with alleged file-sharers. CRIA claims a loss of $425 million in the Canadian market due to song theft.
India Plans to Address Concerns about Data Protection
India’s lax data protection regime, which has long been a problem to those European and U.S. companies seeking to outsource to the sub-continent, is likely to be tightened by the end of the year, according to recent reports.
EU law in particular restricts businesses from transferring data to countries with weak privacy protection, and with Indian IT wage costs rising - albeit still far behind those in the U.S. and Europe - India is seeking to remove reasons for potential customers to look elsewhere for their outsourcing solution.
European firms are severely restricted in terms of the Data Protection Directive of 1995 as to what data can be transferred or stored in countries without equivalent rules and enforcement procedures. At present, India has no such regulations, and relies on individual contracts negotiated between the main company and the Indian outsourcing contractor to address the data protection issues.
Currently, the U.S. is the biggest investor in Indian IT services, with major players like IBM and Accenture taking advantage of India’s cheap labour costs – almost an eighth of wages in the U.S. However, there has been unease in the States over data security in outsourcing for some time. Last year, the states of New Jersey, Maryland, Connecticut and Washington, were considering legislation to prevent the transmission of data to developing nations.
According to a report in The Times of India, the Indian Government is not likely to bring into force a data protection act as such, but might amend existing legislation, such as the country's Information Technology Act 2000, with the intention of bringing the data protection regime up to the standard required by the U.S. and the EU.
The preferred approach, according to The Times of India, is to negotiate a safe harbour agreement with the EU, along the lines of the safe harbour agreement that currently exists between the EU and the U.S.
Under that safe harbour deal, US companies can voluntarily adhere to a set of data protection principles recognised by the Commission as providing adequate protection and thus meet the requirements of the Directive with respect to transfers of data out of the EU.
The Times of India reports that the Indian Government’s department of IT is corresponding with Indian ambassadors in both the EU and U.S. to discuss various options. In the meantime, India’s National Association of Software and Service Companies (NASSCOM) has also been asked to develop best-practice guidelines to assist companies in this area.
Canadians’ Concerns about Genetic Privacy
Genetic information could set insurance premiums at new heights, and Canadians overwhelmingly want privacy protection for their genes, according to a federal study. The study, conducted by Pollara Research and Earnscliff Research, polled 1,200 people on the commercial, medical and technological aspects of genetic information. The study suggests that although most people haven’t fully considered genetic privacy, the use of such information by insurance companies is an issue concerning most Canadians.
91 per cent of those polled felt that insurance companies should not have the right to access existing genetic information—a powerful and unmovable opinion. The fear is that insurance companies will use this information to inflate prices for those predisposed to genetic disorders, despite the fact they may never develop the disease. In follow-up groups participants were presented with various reasons for allowing insurance companies the right to access genetic information but no suggestion could alter the consensus.
Insurance companies presently require the disclosure of information obtained by genetic testing. “If a person has had genetic testing and that information is relevant, and rests with a medical doctor, it is considered part of the type of information that should be disclosed,” said Wendy Hope of the Canadian Life and Health Insurance Association in a recent article from The Globe and Mail.
There are no specific privacy laws governing the use of genetic information. The Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) provide governance and protection for medical records in general but do not directly address genetic privacy. In 1998 the publication of a Tri-Council policy statement, Ethical Conduct for Research Involving Humans, set several provisions and guidelines on the privacy, ethical and discriminatory issues around genetic privacy.
The Privacy Act and PIPEDA regulations, along with the Tri-Council policy statement could provide a general framework for the handling of personal genetic information but there are still large gaps in the current regulatory framework. The Tri-Council policy statement offers no suggestion for an enforcement mechanism and non-compliance with the guidelines cannot be enforced in court. Furthermore, the policy statement does not provide clear incentives for commercial adherence to its guidelines.
Research being conducted at the University of Guelph by Economics Professor Michael Hoy seeks to find a balance between the genetic privacy rights of individuals and the right to access genetic information by insurance companies.
Aware of the recent federal study Professor Hoy notes, “Canadians right now are clearly speaking to the side of keeping genetic information private. My research tries to answer the questions of how to balance the argument of both sides.” Professor Hoy, along with Economics Professor Mattias Polborn of the University of Illinois, is developing a model for understanding the effects of protecting genetic test information. His research could provide insight for Canadian policymakers when the time comes to make decisions regarding genetic privacy.
According to the research, banning access to genetic information means individuals know more than insurance companies and high-risk clients are likely to buy more insurance. Companies faced with higher claims may be forced to set higher premiums for all clients. This can provoke low-risk individuals to cancel their plans and with fewer clients insurance companies would have to raise their prices even higher. On the other hand, the sharing of genetic information could be a serious health risk, causing individuals to avoid genetic testing in order to secure lower insurance rates and so endanger their health.
Genetic privacy is an issue gaining momentum in the public and private sectors. The expansion and availability of genetic testing and research is forging ahead and many Canadians are fiercely opposed to sharing genetic information. Canadian privacy policymakers will be faced with challenging decisions.
Other countries around the world including Austria, Belgium and the Netherlands have already set regulations restricting the use of genetic information by insurance companies. In the Netherlands federal legislation prevents insurance companies from requesting or using genetic information for certain policies, based on the face value. This is an option that may prove useful for Canada in determining the proper balance between the privacy of individuals and the information required by insurance companies to satisfy industry needs.
Biometrics Poses Threats to Privacy
Having your iris read, the palm of your hand scanned and your facial structure recognized for identity verification are no longer science fiction. Biometric technologies have experienced renewed awareness and interest amongst governments and nationals due, for the most part, to the stringent and focused lobbying efforts of biometrics companies after September 11, 2001.
The existence of biometric data introduces some fundamental questions about protecting privacy with regards to the security, use, storage, and collection of individual physical characteristics. Despite the universal guarantees and claims of biometric companies for their products, academics and researchers are continually pointing out flaws in the stability and security of biometric technology as well as interoperability and standardization issues.
In their current application, biometrics offer the potential for increased security of the personal identity of travelers. According to a recent article in The Globe and Mail, the U.S. requires citizens of all 27 visa-waiver countries to be fingerprinted and digitally photographed before gaining entry to the U.S. Originally staged for implementation in October 2004, that date will likely be pushed forward to December 2006 to give the required countries (including Ireland, the UK, Australia, Italy and Japan) time to arm their citizens with biometric identification.
The sheer task of undertaking a national opt-in application process requires wide-scale research and financial investment, not to mention the need for a detailed and well thought-out privacy and security management system, a task that might prove difficult considering the novelty of such extensive biometric identification procedures. The two storage options for biometric data are one-to-one verification systems, which use smart cards to verify identity, and one-to-many verification, a system that matches the identity of an individual in a database of many users.
One-to-one verification provides a double-security measure where an attacker must access the sending and receiving biometrics, but creates significant cost and control issues. One-to-many verification – matching biometric data against a database – makes the possibility for attacks much more feasible with a wealth of biometric data stored collectively and accessible to multiple ‘insiders.’
Canada is excluded from the agreement between the U.S. and the visa-waiver countries and has yet to decide whether biometrics will be introduced nation-wide as a standard security measure.
In 2003, biometric identification procedures were implemented at the Vancouver International Airport and the Halifax International Airport under the CANPASS-Air program, a joint initiative of Citizenship and Immigration Canada (CIC) and the Canada Customs and Revenue Agency. The CANPASS-Air program uses iris-scanning technology to identify pre-approved, low-risk commercial air travelers. People wishing to participate in the program must complete an application form with photocopies of various identity documents and attend an interview.
A recent survey by the CIC on document integrity and biometrics shows that three-quarters of Canadians agree that the implementation of biometrics will help prevent the use of fraudulent identity documents by illegal migrants. Unfortunately, less than 10 per cent of respondents could associate biometrics with the physical characteristics of individuals before being given a definition, and accordingly would be relatively uneducated about security and privacy issues around biometrics.
The Royal Canadian Mounted Police is working with the International Standards Organization (ISO) to develop ISO standards that will ensure the secure and protected exchange of fingerprint images. Such standards will decrease the risk of interoperability problems, i.e. the system rejecting a legitimate person or accepting an illegitimate person, provided countries adhere to international regulations. This research is presently limited to the criminal policing sphere, not yet reaching out to the application of biometrics in airports and in travel documentation like passports. If a legitimate person is rejected entry into a country, how does the system find correct verification without searching through that person’s history of biometric recognitions and possibly infringing upon their privacy?
Beyond system compatibilities, privacy is put at risk by people who seek fraudulent identities with criminal intent – the very perpetrators biometrics claims to protect against. A biometric identity, if captured by organized crime, hackers or ‘insiders’, could provide a guaranteed legitimate identity for illegitimate people with little challenge by authorities. Governments must not be too quick to dismiss the technological capabilities of criminals.
Biometric identities are a commodity worthy of the time and money required by a criminal operation. And if we take a look to the future of biometrics and consider the use of such technology to enter a building, use a computer or conduct banking, sophisticated privacy control measures would be required to protect biometric data from improper collection, use, storage and destruction.
