PrivaTalk - March 2002

Volume 2, Issue 3

Canada Post Receives Slap on the Wrist from the Federal Privacy Commissioner

Privacy Commissioner George Radwanski says Canada Post’s change-of-address service violates public sector privacy laws because customers’ personal information is passed on to mass mailers and direct marketing companies without adequate notice or a reasonably convenient method of opting out.

The National Change of Address (NCOA) is offered by Canada Post at a fee of $30. Individuals receive their mail at their new address until they have had an opportunity to notify parties of their change of address. Individuals who subscribe to the service are informed that they are agreeing to have their mail redirected.

Customers may contact Canada Post and state that they do not want their new address provided to certain organizations or businesses. However, to know this, they must read the fine print on the back of the NCOA form, which states that:
"At no additional cost, Canada Post will help you advise businesses and other organizations of your new permanent address. These mailers must request it and already have your name(s) and old address."

Should customers not want this added service, they must write a letter to Canada Post within seven days. By forcing individuals to take the initiative and write to Canada Post indicating that they do not want their new address disclosed to certain organizations or businesses, Canada Post uses “opt-out” as a means of obtaining their consent, in other words “negative consent”.

Canada Post typically provides the new addresses to banks, credit card companies and utilities, allowing them to update their records easily. The business must have the old address to get the new one. However, a “mailer” could be any organization – for example, list brokers, mass mailers or direct marketers. While Canada Post claims that they will advise these organizations of an individual’s new address at no cost to the individual, the information is provided to them by Canada Post for a fee. So, in effect, the individual’s personal information is sold by Canada Post to organizations that will use the information for purposes other than the purpose for which the information was originally collected.

Having come to this conclusion, the Commissioner recommended that Canada Post clearly indicate in its brochure and literature, including the NCOA form, that the selling of an individual’s new address to any organization, which may include list brokers, mass mailers or direct marketers, is one of the features of the NCOA service. He further recommended that Canada Post add a check-box feature on the face of the NCOA form that would allow individuals to consent to the sale of their personal information.

Section 5(2) of the federal Privacy Act requires an organization to inform an individual from whom it collects personal information about the purpose for the collection. The Commissioner found that Canada Post was in violation of this provision because of a lack of plain and full identification of purposes. He further stated that in cases of disclosure to a third party for commercial purposes such identification should extend to indicating the nature of the third party's business.

Canada Post has launched a challenge of Mr. Radwanski's determination in Federal Court. The post office contends that passing on the new addresses is exactly the service that its customers are asking for when they voluntarily sign up and pay the $30 fee.

The private sector privacy law under the Commissioner’s mandate also requires purposes for collection, use and disclosure to be clearly stated, as does Ontario’s proposed privacy legislation. The Ontario draft legislation also clarifies that the exact identity of third parties to whom disclosures of personal information are made need not be revealed; however, the type of organization must be stated in order to obtain true consent to the disclosure.


Federal Privacy Commissioner Releases New Decisions against Canadian Banks

The Canadian Privacy Commissioner has released a batch of new decisions under Canada's private sector privacy legislation. Most of these decisions deal with the information-handling practices of banks, and some deal with telecommunications companies. The decisions can be found on the Commissioner’s site at http://www.privcom.gc.ca . Note that many of the privacy concerns have been resolved by the time the Commissioner issues his decision, with the company taking appropriate steps to satisfy the complainant. This article will deal with two of the more interesting decisions released: one involving a bank's disclosure of personal information to a customer's employer and another involving privacy concerns over a bank's confidentiality agreement with a marketing firm.

In the former case, the complainant had gotten into a heated argument with a bank employee about a cheque charge on his personal account. The bank branch manager called the complainant’s employer and informed him of the inappropriate behaviour as well as the fact that the bank would be terminating their financial relationship with the complainant, but that this would not adversely affect the business relationship the bank had with the employer.

The complainant took the position that his personal information, that is, the argument he had with the bank employee and the fact that his personal account was being closed, had been disclosed to his employer without his consent, in contravention of the privacy legislation. The bank argued that they had the right to make such disclosures for purposes of extending business courtesy and protecting the bank's own interests in future business dealings with the complainant's employer. The bank held the position that a reasonable person would consider the disclosure appropriate and that this should be taken into account in determining whether it was necessary to obtain the complainant’s consent (Principle 4.3.5 of Schedule 1 and section 5(3) of the Personal Information Protection and Electronic Documents Act). The bank also argued that the information disclosed should not be considered personal information, and should thus be exempt from the privacy legislation altogether.

The Commissioner found that this was indeed personal information since it was clearly about an individual. He agreed that, in a small town where people tend to know other people’s business and make casual and inadvertent disclosures to one another, the complainant might reasonably have expected the disclosures at issue to eventually occur through the grapevine or, in the bank's words, “normal public discourse”. However, a reasonable person would not expect his bank manager to make such a disclosure directly to his employer.

This decision should put businesses on guard – what would seem like simple statements, for example, the fact that someone is or is no longer a customer, could be characterized as personal information, and thus require the customer or the previous customer’s consent.

The second case involved a complainant who was contacted by an interviewer of a market survey firm who identified the complainant as a customer of the bank in question. The complainant contacted her bank’s local branch manager who acknowledged that the bank did use private firms to gather information on its behalf. The complainant was concerned with respect to how much of her personal information had been disclosed by the bank to the survey firm.

The bank had contracted with a certain market research firm to conduct a study related to future provision of products and services to customers. That firm in turn had subcontracted the telephone survey portion of the study to another research company. The personal information disclosed by the bank had consisted of customer numbers, full names, addresses, home telephone numbers, and preferred language.

The bank had been doing business with the contracting firm for more than 10 years, and there was a confidentiality agreement between the two. However, although the bank believed that the subcontracting firm would be covered under the same agreement, in fact there was no specific confidentiality agreement between the contracting firm and the subcontracting firm. On completion of the survey and the study and in accordance with the existing confidentiality agreement, both firms destroyed the information that the bank had originally provided. The study report that the contracting firm eventually submitted to the bank contained only aggregated data and did not refer to individual customers.

The Commissioner found that at the time of opening her account, the bank had provided the complainant with written notification of its practices of disclosing customer information to, and receiving information from, external parties for purposes of maintaining the banking relationship and offering products and services. Moreover, he was satisfied that the stated purpose - i.e., obtaining the customer's opinion on products to be offered - had been one that a reasonable person would have considered appropriate in the circumstances.

However, the Commissioner also determined that the confidentiality agreement between the bank and the contracting firm was deficient in that it made no provision for subcontracting. In this regard, therefore, he found that the bank was in contravention of the private sector privacy legislation. Principle 4.1.3 of Schedule 1 states that an organization is responsible for personal information in its possession or custody, including information transferred to a third party for processing, and must use contractual or other means to provide a comparable level of protection while the information is being so processed.

Organizations need to be careful when making outsourcing arrangements to ensure that the contractual provisions thoroughly address the protection of personal information by all parties that may have access to the information.


The Ontario Privacy Commissioner Comments on Ontario’s Draft Privacy Legislation

The Ontario government is drafting new privacy legislation that, if passed, would likely be the most comprehensive in North America. The law will, for example, widely apply to Ontario businesses, universities, hospitals, doctors, health clinics, pharmacies, associations, not-for-profit organizations and unions. The draft legislation is available for comment till March 31, 2002. The proposed bill is expected to close some loopholes in the federal Personal Information Protection and Electronic Documents Act (PIPEDA) introduced in 2001. In a presentation to the Toronto Board of Trade, the Ontario Information and Privacy Commissioner (IPC), the enforcement body to whom complaints regarding non-compliance will be filed, made it clear that her Office likes the fact that the legislation will extend beyond the business sector and will be based on the CSA Model Code for the Protection of Personal Information. The IPC is however concerned about the extensive regulation-making powers given to the government, since these powers allow the government to possibly “hide” controversial provisions till after the legislation has been enacted, limiting the ability of the public to oppose such provisions in Committee hearings.

The draft bill, as it currently stands, can be found at http://www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm - it is a complex piece of legislation in that certain sections apply to all organizations, others apply to organizations that are not “health information custodians”, others to organizations that are not health information custodians but handle health information, and still others apply only to health information custodians! The definition of a health information custodian is itself quite complicated, but essentially covers all health care providers and others who have custody or control of health information as a result of their powers or duties. The Ministry of Health and Long-Term Care is also included in the definition of a health information custodian since the Ministry collects a great deal of personal health information (such as OHIP billings) and should thus be held to the same standards as other holders of health information in the health care sector.

The procedures in the draft bill by which an individual can access their personal information are different from those under which one accesses their health information from a health information custodian. The IPC points out that this will create confusion for those making access requests. However, this level of complexity runs throughout the bill, that is, there are different exemptions to the consent requirement for health information custodians as well. The history behind the structure of the draft legislation rests in the attempt to incorporate portions of Bill 159, Ontario’s health information legislation that was introduced but never enacted by the Ontario government. As acknowledged by the IPC, the health sections in the draft are significantly improved over Bill 159 and less privacy-invasive. However, in attempting to keep many of the health-specific provisions, and incorporate private sector privacy rules in the same statute, simplicity has most definitely been compromised.

Although the draft legislation seems more daunting, it is actually less vague and leaves less room for a variety of interpretations in comparison to the federal private sector privacy legislation. For example, it is clear in the Ontario draft that personal information does not include business information, that is, information used for the purpose of identifying an individual in their employment, business, professional or official capacity.

The IPC is also concerned about the investigation powers given to the Commissioner’s Office under the legislation. The IPC has actually been given quite broad powers, including the power to enter premises without a warrant under certain circumstances, and the power to demand the production of records for inspection. These powers are much greater than those currently enjoyed by the Commissioner under the rules governing privacy for the public sector. However, the IPC feels they need to be given the power to compel witnesses, that is, force individuals to speak to them in the context of an investigation.

There are a number of inconsistencies in the draft legislation but the Ontario government should be commended for releasing such a complex and controversial piece to the public well before it has been put into final form for introduction. It is clear that the government is being open to public input – thus, at the end of the day, we may indeed see some major changes to the Ontario privacy legislation, and some of the IPC’s concerns may also be addressed by the government.


Working with the European Union Data Protection Rules

A European Commission progress report has revealed a number of flaws in the U.S. Safe Harbor Agreement which aims to provide protection for the transfer of individuals’ personal data from EU member states to organizations in the U.S. The report can be found at: http://europa.eu.int/comm/internal_market/en/dataprot/news/02-196_en.pdf .

Despite some big corporate sign-ons (such as Microsoft and Hewlett Packard), few organizations have signed up to the Safe Harbour scheme. Of the 154 that have, less than half are complying with all of the required principles for ensuring adequate data protection.

The Commission found that some organizations lack transparency in their privacy statements, leaving customers with little or no information as to what happens to their personal details. But the fact that organizations failing to comply with their obligations aren't likely to be prosecuted has cast even more doubt on the effectiveness of Safe Harbour. The Federal Trade Commission (FTC) lacks the power to take action against organizations in breach of the principles.

The report could be a serious blow to a scheme that has been much criticized by many as an attempt to smooth over serious problems with the lack of broad U.S. privacy laws. Under the Safe Harbor principles, participants are required to inform European customers of their privacy rights, register with independent dispute resolution mechanisms, and publish details of complaints procedures. But the report shows that only 54 participants have registered with such mechanisms, which could account for the fact that there have been relatively few complaints from European consumers.

It is clear that the Safe Harbor Agreement was put in place to avoid confrontation with the U.S. over privacy issues. An American company that agrees to participate is deemed to meet the standard of adequate protection as required by the EU Data Protection Directive. For most other countries, meeting the adequacy test, in order to be able to receive data from EU member states, will mean enacting privacy legislation. However, the EU Directive recognizes other ways to deal with the export limitation. Article 26(2) provides one method – a contract between the data exporter and the data importer.

To make the contracting process more secure and predictable, the European Commission has created standardized contract clauses that exporters and importers of data can use. The chief benefit of using the model contract is that all EU member states must accept it as sufficient to meet export requirements. An EU member state could reject the model contract or require changes only under narrow and unlikely circumstances. The European Commission said the move would make compliance easier but would still safeguard individual privacy rights.

The model contract will make contracting for data processing simpler. When a company exports personal data from more than one EU country, using the model contract will avoid the need to seek approval of an export contract from the data protection authority in each relevant country. Trying to obtain agreement from as many as 15 separate national data protection authorities would be a daunting task.

The final contract presented by the European Commission was not so well received by some in the United States. The business community appeared horrified at the notion that a data export contract would impose any requirements at all or that it would be stricter than Safe Harbor. American banks in particular seem desperate to avoid the EU data protection rules. Many of the banks want the EU to declare that the privacy rules of the Gramm-Leach-Bliley Act meet the adequacy standards of the Directive. The difficulty is that the Gramm-Leach-Bliley Act offers few meaningful privacy protections to consumers. The poor way that banks implemented the law, with privacy disclosure statements that are far too complex for the average consumer to understand, certainly does not help their case either. It is hard for anyone to argue that Gramm-Leach-Bliley is an adequate law. The EU has rejected the complaints of the U.S. and has made it clear that they would not find the Gramm-Leach-Bliley Act, as it currently stands, to be adequate.

The model contract does offer another way to tackle a difficult problem for companies that need to export personal data from Europe. EU companies do not have to use the clauses in data transfers to countries whose data protection laws are considered up to the Commission's standards, such as Switzerland, Hungary and Canada, or to US companies adhering to the Safe Harbor principles.

As organizations find ways to work with the stringent EU data protection rules, the European Commission is clearly becoming more sensitive to facilitating organizations doing business in Europe, such that privacy rules do not negatively impact the European economy.


On-Line Consumers Concerned that Companies are Not Protecting Privacy

A Harris Interactive survey polled 1,529 adults and found that many on-line consumers want to see third-party verification of companies’ security procedures and privacy policies on the Internet. 75 percent of consumers polled worry that companies will share personal data with other corporations without permission, while 70 percent doubt the security of on-line transactions and 69 percent fear that hackers will steal the personal data they have submitted online.

62 percent of the respondents also said that independent privacy policy reviews, to ensure that the privacy policy truly reflects the companies’ privacy practices, would ease their worries, and 84 percent said that third-party reviews should be a requirement for e-commerce businesses. The study also showed that 91 percent of the respondents said they would feel more comfortable doing business with companies whose privacy policies were just reviewed by a third party. It is important to recognize that a review of a policy, without reviewing the company’s information-handling practices, can never be as credible in terms of third party involvement. The Better Business Bureau and eTrust, for example, review policies, but this doesn’t mean that the company is living up to the policy. A fuller privacy assessment by a credible, third party organization is the only way to catch inconsistencies between what a company says they do and what they actually do.

About 83 percent of the respondents also said that they would stop doing business with companies that use personal customer data in inappropriate ways.

The survey was conducted on behalf of Privacy & American Business, a non-profit policy think-tank devoted to business privacy issues. The American Institute of Certified Public Accountants and consulting firm Ernst & Young sponsored the study.


The Whois Database Debate - A Threat to Privacy?

Whois, a database that contains the personal contact information of people who register Web sites, has been the subject of controversy for some time. Anyone who registers a domain name must provide the company that handles the registration with a name, mailing address, e-mail address and phone number. This information is entered into the Whois database and is made available to the public (the database is accessible through the Web sites of most registrars), enabling Internet users to look up any domain name and, in theory, find out who owns it. In practice, many domain name registrants know they can circumvent the system by entering fake information. Copyright and trademark holders say a thorough, accurate database is necessary to pursue people who pirate their works and post them for free on the Web. But privacy advocates worry that a single, centralized system makes it easier for everyone from marketers to stalkers to abuse people's privacy rights. Compilers of marketing lists have for years used Whois registration information as a source of personal information, so concerns over data privacy are well justified.

The conflicting motives, and the competing agendas of those interested in finding this information, have lined up various interest groups on opposite sides of a continuing debate over the Whois database. Namely, how much information should be made available to the public about the individuals and businesses that have registered more than 35 million domain names? What restrictions, if any, should be placed on who has access to this data?

On one side of the fence are law enforcement agencies, intellectual property owners and marketers. All of them favour a more accurate, widely accessible registry of domain name holders, although for different reasons. Investigators and lawyers have been frustrated to find that suspected criminals and copyright infringers can hide behind fake data given to a registrar, which itself may not know the true identity of some customers who have registered domain names. Marketers have a different agenda, perceiving a gold mine of leads in databases they buy from registrars.

On the opposite side of the fence are privacy advocates and many consumers and businesses that have registered Web addresses. They generally prefer some restrictions on who can have access to their contact information.

Registrars, for their part, are of two minds on the issue. They do not want customers angry about who may view their personal data, nor do they want to be responsible for verifying that registrants have submitted accurate information. But as competition increases and profit margins from domain registrations get smaller and smaller, some registrars may see marketing their data as a source of income.

The Whois debate could come to a head soon, as Congress, ICANN (the Internet Corporation for Assigned Names and Numbers that oversees the Internet's address system) and privacy advocates all weigh in on how well the system is working. In December of last year, the House Judiciary Subcommittee on Courts, the Internet and Intellectual Property sent letters to 50 United States registrars requesting information about whether and how the companies verify customer data and how they deal with complaints about fraudulent information. Congress seems to be focusing primarily on the validity of information in the Whois database; however, most registrars cannot afford to engage in extensive screening.

In the meantime, privacy advocates are concerned about the prospect of an even more comprehensive database of domain holders being developed by VeriSign, the company that formerly had a government-granted monopoly in the domain registration business. Unlike the current Whois database, which does not include all of the new domain extensions or those assigned to specific countries, the universal Whois repository that VeriSign is developing would be able to search for any domain name. A universal Whois database holding a massive amount of personal information poses significantly greater privacy risks.

A good start to resolving the privacy issues could involve drawing a distinction between individuals and commercial domain name holders. Individuals would not necessarily have to register their names and contact information. For example, in light of Australia’s recently introduced Privacy (Private Sector) Act, domain name regulator AuDA is planning to remove personal information from its Whois database for .id.au domains, which are used by individuals (the more popular .com.au is for businesses). Thus, the contact details of individuals with a personal domain name will not be published.