PrivaTalk - December 2001

PrivaTalk

December 2001
Volume 1
Issue 11

Money Laundering Legislation in Canada – Erosion of Lawyer-Client Confidentiality

Canadians who count on their lawyers to keep their business private might be in for a surprise as law firms across the country begin warning clients about the stringent requirements of new money laundering rules. The mandatory reporting of suspicious transactions commenced when the law came into force on November 8, 2001.

Under the Proceeds of Crime (Money Laundering) Act, lawyers are required to report any “suspicious” transactions or activities to federal authorities, whether or not they have solid evidence to back their concerns. One form letter that is being recommended by the Lawyers' Professional Indemnity Co. states “the new legislation may require lawyers and their staff of this firm to disclose confidential client information”.

The money laundering legislation was passed in June 2000, amid growing concern that criminal organizations were parking their money with ostensibly legitimate businesses in Canada. Federal justice officials have since touted the legislation as a weapon against terrorist funding networks, which are known to launder their funds much as other criminal groups do, and which depend on the ability to make undetected cross-border financial transactions.

But the legislation’s most radical provisions have come under fire from legal groups that see an attack on the time-honoured principle of solicitor-client privilege. Canadian lawyers’ professional rules of conduct oblige them to keep confidential all information about their clients' business and affairs, unless required by law or a court to disclose such information. The money laundering legislation is just such a law, requiring disclosure of client confidences. Among other things, the act requires lawyers to report certain financial transactions to FINTRAC, a federal agency charged with analyzing deals for potential criminal links.

While the exact definition of "suspicious" is not yet clear, government guidelines distributed with the legislation suggest lawyers look upon a client's nervousness, over-friendliness or even reluctance to discuss personal finances as signs of danger. Clients who receive their mail in post office boxes, who are in a hurry or who have had their phones disconnected could all be suspect, too, as could clients who inquire about the systems, policies and controls over the money they are spending or transferring.

Lawyers can be fined as much as $2 million, or imprisoned as long as five years, for failing to comply with the laws. More alarming to lawyers, though, are secrecy provisions built into the legislation that forbid lawyers from telling their clients they have reported transactions. Other provisions set to go into effect over the next year require lawyers to report cash transactions of $10,000 or more and allow authorities to seize lawyers' mail or enter their firms' premises.

On November 20, 2001, the Supreme Court of British Columbia granted a temporary exemption for B.C. lawyers from the reporting requirements of the new money laundering law until a constitutional challenge can be heard. Specifically, the court ordered that legal counsel in B.C. are exempt from the application of the law pending a full hearing of the petitions by the Federation of Law Societies of Canada and the Law Society of British Columbia. The full decision can be found at: http://www.courts.gov.bc.ca/jdb-txt/SC/01/15/2001BCSC1593.htm. The Charter protections of the right to counsel, solicitor-client confidentiality, and against unreasonable search or seizure and self-incrimination are at issue.

On November 21, the President of the Federation of Law Societies of Canada wrote to the Honorable Anne McLellan, Minister of Justice for Canada, asking that this Interlocutory Order be accepted as having national reach with the result that legal counsel across the country will be exempt from complying with the money laundering legislation. A copy of this letter is available at: http://www.flsc.ca/english/publications/Letter%20to%20Anne%20McLellan.pdf. The Justice Minister has not yet replied to this letter.

This is yet another example where privacy rights must be balanced with other social interests, in this case crime prevention. It’s a battle lawyers in Canada will fight hard, in order to protect client confidentiality and hence the public’s perception of the Bar as independent and as a loyal defender of client interests.


PIAC Complaint brings Attention to the Practices of Big Canadian Business Players

The Public Interest Advocacy Centre (PIAC) recently followed up on a study they conducted by filing a formal complaint with the federal Privacy Commissioner. The study was reported in the Survey Says… article of the October 2001 issue of PrivaTalk entitled “EKOS Survey shows Companies’ Practices are not Transparent to Customers”. PIAC’s complaint is with respect to business non-compliance with the requirement, under the federal private sector privacy legislation, for individual knowledge and consent to the collection, use and disclosure of personal consumer information for secondary marketing purposes. PIAC maintains that the research conducted on their behalf by EKOS Research Associates Inc. clearly indicates that many companies are not obtaining adequate informed consent (either implicit or explicit).

The non-compliance PIAC complains of reflects prevailing business practice in the retail market. Many companies seem to take the view that customer consent to secondary marketing (using or disclosing information provided for specific purposes for the purpose of marketing) can be deemed to have been given, as long as the policy is stated in some document that is accessible to the customer. They do not feel that they have any obligation to bring to the attention of the individual customer the practices in question or the negative options regarding those practices.

Hoping that the Privacy Commissioner would investigate specific companies, PIAC targeted their submission to the practices of Bell Canada, the Hudson’s Bay Company, MBNA Canada Bank, the Bank of Nova Scotia and the AIR MILES reward program. PIAC expressed concern that these companies do not adequately bring to the attention of customers, or provide clear information on, their practices of using and sharing customer data for secondary marketing purposes, or the opportunity for customers to opt-out of such practices. PIAC also accused these companies of not providing applicants or customers with a method of opting-out that can be executed immediately, easily, and at minimal effort and cost.

Clearly the issue is, when can consent reasonably be inferred? That is, when can companies rely on "implied consent" to secondary marketing purposes? Is it reasonably obvious that customers indeed consent to the use and sharing of their information with other companies for marketing purposes? I would suggest it is not so clear, and this is exactly where there is a difference of view between the marketers and the marketed.

Most consumers are not aware of companies’ practices or of the option to not provide consent. PIAC stated in their complaint that “If they are not aware, they clearly are not consenting, implicitly or otherwise”. PIAC found in their study that most companies rely on a document which is not provided to the individual customer, and which the customer must find on their own initiative, or rely on fine print buried in a long document, which most customers do not read in full (and which companies do not realistically expect them to read in full).

PIAC stated that other common deficiencies which render the "implied consent" relied upon by companies meaningless, include: failure to provide the relevant information in clear, plain language such that the ordinary consumer can easily understand what they are being assumed to have consented to; and failure to provide adequately detailed information such that the consumer can fully appreciate the extent and purpose of uses and sharing to which they are consenting.

It is important to note that attitudes vary widely among Canadians. The EKOS survey found that 38% of respondents were not comfortable with companies using their personal information to advise them of new products and services that may interest them. A higher proportion of Canadians (48%) are uncomfortable with the sharing of such information among affiliates for the same secondary marketing purposes. PIAC used these results to support the argument in their complaint that businesses cannot assume anything about consent to secondary marketing.

PIAC also found that only a tiny percentage of consumers actually execute the negative options offered to them by companies, in respect of data use and sharing for secondary marketing purposes. For example, Bell Canada reports that approximately 500 of its customers have exercised an opt-out with respect to affiliate sharing. This is a tiny fraction of a percent of Bell’s residential customer base. Representatives from Air Miles have stated in the media that only a very small percentage of their customers exercise the negative option.

The mismatch between the proportion of Canadians who say they would like to exercise the opt-outs, and the proportion of Canadians who actually do, is being used by PIAC to claim that most people are either inadequately informed or simply unaware of the practices in question and of the opportunity to opt-out. Of the minority who are aware, many likely fail to act on their desires because of the effort required to exercise the opt-out.

PIAC asked the federal Privacy Commissioner to issue a directive to the retail and marketing industry at large stating that opt-out approaches to individual consent to the collection, use and/or disclosure of personal data for secondary marketing purposes meet the requirements of the federal private sector privacy legislation only if they are brought to the attention of the individual, are clearly worded, provide sufficient detail for the consumer to make an informed choice, and are easy to execute with minimal effort.

If the federal Privacy Commissioner finds PIAC’s complaint to be well-founded, many businesses in Canada will need to change their practices, and the cost of compliance with privacy laws in Canada is likely to soar.


An Overview of Quebec’s Private Sector Privacy Legislation

One of the earliest privacy developments in Canada was the passage of legislation in Quebec intended to protect personal information in the private sector. The relevant provisions are found in the Civil Code of Quebec, passed in 1991, and An Act respecting the protection of personal information in the private sector (also known as Bill 68), which came into force in January 1994. The Civil Code functions as a general framework for laws which regulate the private sector, while Bill 68 fleshes out the privacy provisions contained in the Code.

The Civil Code includes a variety of articles intended to protect privacy and personal information. Of particular note is Article 36, which prohibits certain types of invasions of an individual’s privacy, including:
(1) intentionally intercepting or using a person's private communications;
(2) appropriating or using a person's image or voice while he or she is in private premises;
(3) keeping a person's private life under observation by any means;
(4) using a person's name, image, likeness or voice for a purpose other than the legitimate information of the public; and
(5) using a person's correspondence, manuscripts or other personal documents.

Other articles in the Civil Code limit the ability of a business to gather personal information and give individuals a right of access to their information and a right to seek a correction of inaccurate information.

Bill 68 is based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It applies to a wide range of private sector entities, including corporations, sole proprietorships, partnerships and associations. It also applies to all forms of recorded personal information, defined as “any information which relates to a natural person and allows that person to be identified.”

Various provisions in Bill 68 govern the collection of personal information. For example, Bill 68 requires businesses to assign an object or purpose to a file of personal information on the establishment of the file and, in certain cases, to inform the individual of the existence of the file. In addition, Bill 68 states that a business may collect only information which is “necessary” to the object of the file on the individual. Thus, information may only be collected for a stated purpose. Other provisions require businesses to collect information directly from the individual, unless the individual consents to collection from third parties, and to collect information only by lawful means.

Bill 68 also sets out provisions which apply to the use and transfer of personal information by a business. Businesses must take measures to ensure that personal information is up-to-date and accurate when it is used to make a decision in relation to the individual. In general, businesses are prohibited from disclosing, transferring or using personal information for purposes that are “not relevant” to the object of the individual’s file. Other uses, disclosures or transfers are permitted only where the individual consents to them. This consent must be manifest, free, and enlightened, and must be given for specific purposes. Section 17 of Bill 68 prohibits a business within Quebec from transferring personal information to another province unless the transferor has satisfied itself that the information will be protected in the new jurisdiction.

Special provisions apply to “nominative lists,” which are defined as lists of individuals’ names, addresses, and phone numbers. These provisions are of particular interest to direct marketers. Bill 68 states that when a business seeks to use its own nominative list for commercial or philanthropic canvassing, the individuals named on the list must be given a valid opportunity to request that their names be deleted. When a business seeks to transfer its own nominative list to another business outside Quebec, it must ensure that the list will be used only for commercial or philanthropic canvassing and, before transfer, ensure that the individuals named on the list have a valid opportunity to have their names deleted. Guidelines published by the Commission d’accès à l’information suggest that, in either of the above-noted cases, a letter must be sent to each individual on the list, providing instructions on how to have his or her name deleted.

Bill 68 clarifies the rights of access and correction set out in the Civil Code. Under Bill 68’s provisions, the business must confirm the existence of a file of personal information on the individual’s request and answer an access request within 30 days of its receipt. The business must provide access free of charge; however, a reasonable fee may be charged for the transcription, reproduction or transmission of information. Bill 68 includes a small set of exemptions from the right of access.

Disputes under Bill 68 are to be resolved by the same body responsible for resolving disputes under Quebec’s public sector access and privacy statute, the Commission d’accès à l’information. Decisions of the Commission will be binding on the parties, unless appealed to the Court of Quebec. In addition to these dispute resolution procedures, Bill 68 includes penal enforcement provisions. A business which collects, holds or communicates information in a manner contrary to the statute is liable to fines of $1,000 to $10,000 for a first offence and $10,000 to $20,000 for a second or later offence. Directors or administrators of businesses may be found personally liable where they have authorized, ordered or consented to the offending act.

Bill 68 was the first comprehensive attempt to regulate the use of personal information in North America. At the time of its enactment, there was some debate about its potential effects. Some warned that Bill 68 would impose heavy burdens on businesses and would increase the cost of doing business. However, others suggested that businesses would not have a great deal of difficulty complying with the legislation and that compliance would provide public relations benefits. Materials available from the Commission itself suggest that it has not been overwhelmed by private sector privacy complaints. For example, in 1995-96, the Commission received 151 complaints respecting the private sector, and in 1996-97, the Commission received 224 such complaints.

Before the coming into force of the federal private sector privacy law in January of this year, the Quebec Act put Canada in the unusual position of having a province whose level of privacy protection was higher than what existed at the federal level. Now, with the federal legislation in place, provinces discussing private sector laws to respond to it, and health privacy laws in place in some provinces, we are starting to see an array of privacy laws in Canada that may not be harmonized. It is hoped that inconsistencies are minimal and interpretations similar, but as it stands, the Quebec legislation looks quite different from the federal legislation, which is based on the Canadian Standards Association Model Code for the Protection of Personal Information.

The Quebec law is flexible enough to apply to all groups in the private sector, obviating the need to have special rules depending on the way in which the information is used. In this sense, the Quebec law anticipates the CSA Model Code, which is designed to apply to businesses across the board. National and international businesses with offices in Quebec need to pay heed to multiple privacy schemes, and must run at least some of their operations in accord with the Quebec legislation.

The Commission d’accès à l’information opened itself to public criticism a few years ago during the five-year legislative review of the private sector legislation. The Commission noted that it was well aware of inappropriate and illegal trade in personal information, and it became clear that it had not taken effective steps to stop such practices. The Commission also took criticism for approving a computer matching project proposed by the Ministry of Revenue that was opposed by the provincial ombudsman and was rejected by the Legislature. As a result, citizens have looked to the ombudsman for leadership on privacy issues, and the Commission does not seem to have been able to fully restore its credibility.

Quebec’s experience is something the federal Privacy Commissioner and provincial commissioners, in provinces where private sector privacy legislation is introduced, can learn from. Privacy Commissioners across the country are used to dealing with public sector privacy and access issues. Regulating the private sector is a radically different mandate, and Quebec’s Commission can offer guidance, as well as words of caution and wisdom, on the enforcement and education efforts needed for private sector privacy laws to be effective.


The European Parliament Works Towards Regulating Cookies

The European Parliament voted in favour of introducing an amendment to the directive on electronic data collection and privacy, due to be launched on January 17, 2002, that would restrict the use of cookies and spam across Europe. The directive has a long way to go before it becomes law, given that it would have to be adopted by individual EU countries once it clears procedural hurdles. Member states would have between 12 and 18 months to ratify the legislation once approved by Parliament.

Essentially, such legislation would require EU-based direct marketers to ask for consumer consent before sending unsolicited advertisements to mobile telephone and fax systems, and would allow e-mail users to opt out of receiving spam in their in-boxes. The legislation would also bar companies doing business on the Internet from placing cookies on users' computers to track their movements online, without obtaining users’ prior consent.

The EU Parliamentary document states: “so-called cookies, spyware, Web bugs, hidden identifiers and other similar devices that enter the user's terminal equipment without their explicit knowledge or explicit consent in order to gain access to information or to trace the activities of the user may seriously intrude the privacy of these users”.

The controversial legislation is likely to receive a great deal of scrutiny and numerous amendments as it moves through the legislative process. The proposed directive amendments have received much criticism, particularly from the Internet advertising industry, and particularly with respect to the attempt to regulate cookies. The UK Interactive Advertising Bureau warned that British companies could lose $269.6 million (187 million pounds) if the directive was ratified.

Cookies are small pieces of data used mainly by commercial sites to track Web surfers. They are downloaded to browsers and can be used to recognize and authenticate people when they return to a Web site so they don't have to log in every time. Some ad companies place cookies on individuals' computers when an advertisement is delivered, giving the companies the ability to track consumer behaviour online and gauge the effectiveness of an ad campaign or target marketing to consumer preferences. Some Web sites also use cookies to hold passwords and personal information for custom services such as Web-based e-mail.

But consumer advocates have long criticized cookies for their technical vulnerabilities and potential privacy problems in the event of a computer security breach. The mere fact that cookies can hold years of data about consumer travels on the Web is enough to result in loud criticism from privacy advocates. It was such concerns that led to the amendment to the draft directive on electronic data collection and privacy being tabled.

Internet companies are joining forces to mount a campaign against the proposed European legislation and the outlawing of cookies. The opposition is being organized by the Internet Advertising Bureau (IAB) in Europe, which says it plans to lobby national governments in the hope that they may come to a better understanding of the role of cookies in supporting business. IAB has said that cookies are legitimately used to protect users and ensure they are genuine visitors to a site. Cookies also speed up users' identification and e-commerce transactions and recognize preferences for all types of websites and search engines. IAB argues that life without cookies would be incredibly irritating for Web users, which is true for some Web users but not for all.

The implications of such a proposal could be massive, should several European states accept it. Many sites have been designed to only work with cookies turned on. It's also potentially harmful to many Web enterprises seeking to do business in the EU, since major sites, marketers and ad networks typically use opt-out cookies and similar techniques to deliver personalized content and promotions, and to track user behaviour.

Indeed, legislation such as the Data Protection Act and the Human Rights Act may already provide enough protection for individuals' privacy. The Members of the European Parliament don’t seem to understand that some cookies, the so-called session cookies, do nothing but store information about the computer that is necessary for site functionality. Session cookies let users move between Web pages once they have logged into a site, and they disappear when the user shuts down the browser. If cookies are used to find personal information, that seems to already be illegal under existing laws.

The directive states that “Member States shall prohibit the use of electronic communications networks to store information or to gain access to information stored in the [computer] of a subscriber or user without the prior, explicit consent of the subscriber or user concerned”. However, the EU Parliament has agreed to give individual member states greater room to make their own decisions in the matter.
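The difference between a session cookie and a persistent tracking cookie, and the "prior, explicit consent" rule quoted above, both show up in the Set-Cookie headers a site sends. The following is an added Python example for illustration; it is not code from the article or from any site or product it mentions. The cookie names and the `consent=tracking` cookie it uses to stand for a recorded consent choice are constructed assumptions.

```python
"""Session cookies versus persistent tracking cookies, and consent gating.

Added example for illustration; not code from the article or from any site
it mentions. The cookie names and the `consent` cookie used to record a
user's prior choice are constructed assumptions.
"""
from http.cookies import SimpleCookie


def session_cookie(name, value):
    """Build a Set-Cookie value with no Expires/Max-Age attribute.

    Without those attributes the browser keeps the cookie only for the
    current browsing session and discards it when the browser is closed.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True     # only sent over HTTPS
    jar[name]["httponly"] = True   # not readable by page scripts
    return jar[name].OutputString()


def tracking_cookie(name, value, days):
    """Build a Set-Cookie value that survives browser restarts for `days` days."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["max-age"] = days * 24 * 60 * 60
    return jar[name].OutputString()


def is_persistent(set_cookie_value):
    """True when a Set-Cookie value carries an Expires or Max-Age attribute."""
    attributes = set_cookie_value.split(";")[1:]
    names = {attr.split("=", 1)[0].strip().lower() for attr in attributes}
    return "expires" in names or "max-age" in names


def has_tracking_consent(cookie_header):
    """Read the request's Cookie header and look for a recorded consent choice.

    The `consent=tracking` cookie is a constructed convention for this example;
    it stands for whatever record of prior, explicit consent a site keeps.
    """
    if not cookie_header:
        return False
    jar = SimpleCookie()
    jar.load(cookie_header)
    return "consent" in jar and jar["consent"].value == "tracking"


def cookies_for_response(cookie_header):
    """Decide which Set-Cookie headers to send on a response.

    The session cookie is always sent, because the site cannot function
    without it. The persistent tracking cookie is sent only when the request
    shows prior consent, mirroring the directive's consent rule.
    """
    headers = [session_cookie("SESSIONID", "s-7f3a9c")]
    if has_tracking_consent(cookie_header):
        headers.append(tracking_cookie("adtrack", "visitor-0042", 365))
    return headers


if __name__ == "__main__":
    # Constructed request Cookie headers: one without consent, one with it.
    for request_cookies in ("", "consent=tracking; SESSIONID=s-7f3a9c"):
        print("Cookie:", repr(request_cookies))
        for header in cookies_for_response(request_cookies):
            kind = "persistent" if is_persistent(header) else "session"
            print("  Set-Cookie:", header, "->", kind)
```

Run stand-alone, the script prints one Set-Cookie line for the request without consent and two for the request that carries the consent cookie, labelling each as session or persistent. The `is_persistent` check is the test a reviewer can apply to any site's responses: a cookie with neither Expires nor Max-Age cannot hold "years of data about consumer travels on the Web".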

In the classic European way, some members of Parliament expressed concern that as strong as the legislation would be in protecting consumer privacy when it comes to EU-based online businesses, it would do nothing to prevent companies in other countries from using unsolicited e-mail or cookies on EU citizens' e-mail accounts and computers. It wouldn’t be surprising if Europe attempted to expand its regulatory reach by dictating what non-European sites can do with cookies when accessed in Europe. The result would be chaotic – but that hasn’t stopped the EU before.


Network Security – More than just a Technical Issue

KPMG is expected to release a report on a network security risk assessment study conducted by interviewing 500 U.S. and European executives of multinational corporations. It’s clear that many of the largest companies are still far from securing their networks and seem to be focusing on the wrong threats. KPMG discovered that although 85% felt they gave enough attention to protecting their information, 41% still believe their company is susceptible to a serious breach of security.

About 40% of respondents viewed information security as a strategic business issue, whereas 60% said it’s a technology problem. With the majority of the decision-makers in the companies interviewed believing that buying the right technology is sufficient, it is clear that there is a lack of a big-picture perspective on security. Organizations will remain vulnerable until more executives regard information security as a strategic business issue that extends beyond technology solutions and technology departments.

Rather than focusing exclusively on buying new software and systems, companies should be looking toward education, training and policy initiatives. Although almost 90% of the executives said they had an ongoing security training program, only 11% said that non-management employees were informed about security policies. Also, compliance with security policies still falls far below the levels needed to make a difference.

Companies need to move aggressively in educating and informing employees on how to protect company data. Making the problem worse, companies seem to be focusing on the wrong risks. The report found that a third of executives considered hackers attacking from the Internet to be the greatest threat, but the reality, it said, is that almost 80% of attacks originate from inside a company's network, due to incorrectly set up access levels and carelessness with passwords.

It is important to note that there have been conflicting studies. Last March, the 2001 Computer Crime and Security Survey found that although attacks by on-line hackers didn't account for major dollar losses, the Internet has become a major source of attacks for most organizations. Companies that found themselves the victim of attacks via the Internet increased to 70% in 2001, but the number of companies experiencing insider attacks fell to 31%.

What’s clear is that a security policy aimed exclusively at preventing outside intrusions is destined for failure.

Some results of the KPMG study indicated that companies were improving security practices. Nearly eight out of 10 multinational corporations had developed a catastrophic response plan, and almost six out of 10 had hired full-time security specialists. What seems to be lacking is the involvement of senior management in developing and implementing security practices, so employees know that security is being taken seriously and everyone in the company has a role to play.


Software to Assist Companies in Creating a P3P-Compliant Website

P3P (Platform for Privacy Preferences) is a technology that lets Web surfers match their privacy preferences against the information-gathering practices of the sites they visit without having to read the sites' privacy policies. P3P is built into Microsoft's new Internet Explorer 6.0 browser. If you are unfamiliar with P3P, please visit the Technology to the Rescue article in the April 2001 issue of PrivaTalk entitled “P3P – An Industry Standard for Privacy?” Under its default settings, Internet Explorer 6.0 will automatically block many cookies routinely placed on visiting browsers, unless a site has acceptable privacy provisions in place and those provisions are spelled out in the P3P format.

Consulting firm PricewaterhouseCoopers, along with Watchfire, an Ottawa software company, recently announced new software they have co-developed called WebCPO, designed to help companies comply with P3P and thus work smoothly with Internet Explorer 6.0. Forrester Research Inc. says at least 10 million consumers will be using Internet Explorer 6.0 by year-end. Companies are worried because Web sites that are not P3P enabled run the risk of having a small 'privacy unsafe' icon appear at the bottom of the browser, or a pop-up warning if the site is the first one visited by the new browser.

The WebCPO software scans and monitors sites for potential privacy compliance issues by automatically reading each line of code for each Web page and creating reports on the company's data collection and data sharing practices – key information for setting up a P3P policy. The software will give companies ongoing analysis and reports of potential privacy compliance problems.
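The kind of scan described above, as an added Python example: it is not WebCPO's code or any other product's, and the sample page, the hostnames in it and the field-name hints used to spot personal data are all constructed for illustration. The scanner walks a page's HTML and reports two things a P3P policy has to declare: which forms collect personal information (and where they send it), and which third-party hosts receive requests from the page and can therefore set their own cookies.

```python
"""Inventory of a page's data-collection and data-sharing points.

Added example; not WebCPO's code or any other product's. The sample page,
hostnames and the field-name hints used to spot personal data are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a form field collects personal information (constructed heuristic).
PERSONAL_FIELD_HINTS = ("name", "email", "phone", "address", "postal", "card", "birth")


class PrivacyInventory(HTMLParser):
    """Collect forms that gather personal data and hosts that receive requests."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.forms = []               # one dict per <form>
        self.third_parties = set()    # hosts other than the site's own
        self._form = None             # the <form> currently being read

    def _note_host(self, url):
        """Record the host a request goes to, if it is not the site itself."""
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and host != self.site_host:
            self.third_parties.add(host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self._form = {"action": action,
                          "method": (a.get("method") or "get").upper(),
                          "personal_fields": []}
            self.forms.append(self._form)
            self._note_host(action)   # a form posting off-site shares data directly
        elif tag in ("input", "select", "textarea") and self._form is not None:
            field = (a.get("name") or a.get("id") or "").lower()
            if any(hint in field for hint in PERSONAL_FIELD_HINTS):
                self._form["personal_fields"].append(field)
        elif tag in ("script", "img", "iframe") and a.get("src"):
            # Any embedded third-party resource can set its own cookies.
            self._note_host(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def inventory(page_url, html):
    """Parse one page and return the facts a P3P policy would have to declare."""
    parser = PrivacyInventory(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if form["personal_fields"]:
            findings.append("form %s %s collects: %s" % (
                form["method"], form["action"], ", ".join(form["personal_fields"])))
    for host in sorted(parser.third_parties):
        findings.append("third party %s receives requests and may set cookies" % host)
    return {"forms": parser.forms,
            "third_parties": sorted(parser.third_parties),
            "findings": findings}


# Constructed sample page: a signup form plus an ad pixel and an analytics script.
SAMPLE_PAGE = """
<html><body>
<form action="/signup" method="post">
  <input name="full_name"><input name="email"><input type="password" name="pw">
  <input name="newsletter" type="checkbox">
</form>
<img src="https://ads.example-network.test/pixel.gif" width="1" height="1">
<script src="https://www.example.com/js/app.js"></script>
<script src="https://stats.example-analytics.test/track.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for line in inventory("https://www.example.com/account/new", SAMPLE_PAGE)["findings"]:
        print(line)
```

On the constructed page the scanner reports one POST form collecting a name and e-mail address, and two third-party hosts (the ad pixel and the analytics script); the site's own script is not listed. The heuristics are deliberately simple: a real crawl would also follow links, fetch the pages, and record the Set-Cookie headers each third party actually returns, which is the part of the job that grows with site size.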

WebCPO only makes sense for large complex sites. Otherwise it is easy enough for companies to manually inspect each Web page on their site to check for P3P compliance conflicts. The bigger the Web site, the tougher that job would be.

The Direct Marketing Association recently released guidelines for Web marketers regarding P3P. The guidelines (which can be found at http://www.the-dma.org/library/whitepapers/p3p.pdf) advise Web marketers on steps they can take to avoid having their cookies blocked or restricted by P3P.