
PrivaTalk - June 2003
Volume 3, Issue 6

Federal Court Refuses to Review Privacy Commissioner’s Decision

A Canadian Federal Court has ruled that it does not have jurisdiction to address an appeal of a Canadian Privacy Commissioner decision. The case involved an employment dispute and disclosure of information to a trade union, which the court ruled fell under the exclusive jurisdiction of a labour arbitration panel under the Canada Labour Code.


This case has interesting implications:  the Privacy Commissioner issues a report of findings and recommendations but does not have the authority to issue binding orders.  The only way for a complainant or the Commissioner to force a company to change its practices in accordance with the Commissioner’s report is to apply to the Federal Court.  If the Court does not take jurisdiction when a trade union is involved, and a labour arbitration panel gets involved to issue a binding order, there is a great deal of labour case law that will influence the panel’s perspective on privacy.  If certain disclosures are considered legitimate in accordance with labour laws, the privacy provisions may be interpreted in a watered-down approach to make them “fit” with historic labour practice.


The complainant, Diane L’Ecuyer, a former employee of the Airport Authority,  had made the complaint to the Commissioner’s office after having submitted requests under the Personal Information Protection and Electronic Documents Act for access to information held by her employer. The employer subsequently sent her a letter of response to the effect that the organization was refusing her requests. This letter also indicated that copies were being sent to two union representatives.  The complainant had not sent copies of her access requests to the Union and had not explicitly consented to having copies of the response letter sent to them.


The employer argued that the complainant had implicitly consented to the disclosures. The complainant maintained that she had submitted the access requests personally on her own behalf, without union intervention.


The Privacy Commissioner agreed that there was disclosure of information without consent to Ms. L’Ecuyer’s trade union. The Commissioner found that no implied consent had existed as far as the union representatives were concerned. Furthermore, in consideration of section 5(3) of the Act, he was satisfied that a reasonable person would have considered the disclosure to the union representatives to be unacceptable.


Dissatisfied with other aspects of the Commissioner's decision, Ms. L’Ecuyer took her complaint to the Federal Court. The Federal Court dismissed her complaint on jurisdictional grounds. Noting that the case involved a unionized worker subject to a collective agreement, the court ruled that the Canada Labour Code grants exclusive jurisdiction over disputes that arise out of a collective agreement.


Though the decision is consistent with earlier Quebec case law, it comes as a surprise to privacy watchers since it exposes an important shortcoming in the federal legislation.   While the law envisions a right of action at the Federal Court, apparently not everyone is entitled to exercise that right.  


With this case now sitting alongside disputes surrounding the introduction of provincial privacy legislation, it is clear that the Canadian privacy law framework is undergoing significant uncertainty well beyond what most anticipated at the start of the year.  


The French version of the Federal Court decision, Ecuyer v. Aeroports de Montreal, can be found at http://decisions.fct-cf.gc.ca/cf/2003/2003cfpi573.html
The original Commissioner decision can be found at http://www.privcom.gc.ca/cf-dc/cf-dc_011105_04_e.asp


B.C. and Alberta Introduce Private Sector Privacy Legislation

On April 30, 2003 the B.C. government introduced Bill 38,  the Personal Information Protection Act.  The Alberta government introduced a similar piece of legislation (Bill 44) on May 14, 2003.  Both governments appear to be pushing privacy legislation through with little opportunity for the public to make substantive comments.  Both the Alberta and B.C. legislation incorporate the 10 privacy principles of the CSA Model Code for the Protection of Personal Information, and are scheduled to come into force on January 1, 2004.  Highlights of both bills include:  



  • Provisions for implicit and opt-out consent.  Implicit consent means an individual can be deemed to have consented if the information was voluntarily provided and the purpose for its collection/use/disclosure is reasonably obvious.

  • An organization may collect, use or disclose employee personal information without consent if doing so is reasonable for the purpose of establishing, managing or terminating an employment relationship.

  • The Commissioner has been given extensive investigation and audit powers, and the ability to issue binding orders with no right of appeal.

  • The legislation does not require consent to the use or disclosure of personal information collected before the law comes into force, as long as the purpose for the use or disclosure is consistent with the reason the information was collected in the first place.    

Examples of how the B.C. and Alberta laws differ include:



  • Personal information is defined as any information about an identifiable individual, but does not include:
      - In B.C., business contact or work product information
      - In Alberta, business contact information only.

The “work product” definition would mean, for example, that in B.C. an interviewer’s working notes are not personal information about the interviewer.  The Alberta legislation on the other hand specifically states that individuals are prevented from obtaining access to information about themselves if it would reveal the identity of individuals who provided the information (that is, an interviewer’s comments are the interviewer’s personal information).



  • Outsourcing and subcontracting:
      - B.C.: Consent is not required to outsource or subcontract to a third party who will be using the personal information exclusively to perform functions for the organization. The federal legislation also allows outsourcing without consent, but requires that the third party have similar privacy protections in place.
      - Alberta: Silent on outsourcing.



  • Alberta:  The legislation does not apply to non-profit organizations.  Although the federal legislation only applies to commercial activities, it does not provide an outright exemption for non-profits (many non-profits are indeed commercial in nature).    

The privacy bills of the Western provinces show a number of marked departures from the federal legislation.  


According to Canada’s Privacy Commissioner, George Radwanski, both the B.C. and Alberta laws contain “grave deficiencies” and cannot be recognized in their current form as “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). If that turns out to be the case, the federal legislation will apply within B.C. and Alberta on January 1, 2004, alongside the provincial laws, which will cause much grief for businesses operating within those provinces.
 
Although the Commissioner’s position is not binding on the federal government, it is expected that his annual report to Parliament will be a key consideration in determining whether a provincial law is substantially similar to the federal Act.  The Commissioner has made it quite clear that he will interpret “substantially similar” to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided.  It is unclear where the Commissioner gets the authority to set that standard. Industry Canada has outlined a 3-part test for substantial similarity (see the October 2001 issue of PrivaTalk), but it does not state that provincial legislation must be equal or better!

In the Commissioner's opinion, both the B.C. and Alberta bills, as introduced, fail to provide adequate privacy protection in several areas. For example, unlike PIPEDA, the B.C. and Alberta bills make a distinction between employment and commercial settings, specifically allowing the collection, use and disclosure of employees’ personal information without consent.  Given that the federal government does not have the jurisdiction to regulate employee relations in the provinces, if the provinces don’t introduce their own legislation, PIPEDA will never apply to employee information held by provincially regulated companies.  Thus, it seems strange that the federal Commissioner would find the employment protections that do exist in the B.C. and Alberta laws to be inadequate.  


The Commissioner also noted in his letters to the B.C. and Alberta governments that a “grandfathering” provision substantially weakens privacy protections by effectively eliminating the need for consent to use or disclose (for consistent purposes)  personal information collected before the legislation comes into effect.  The Commissioner contrasts this to PIPEDA, which does not express any different rule for information depending on when it was collected.  He takes the view that using (or disclosing) information collected before the Act comes into force requires a fresh consent after the Act comes into force.  


It is unclear whether this is a generally accepted or necessary reading of PIPEDA.  If the Act does indeed apply retroactively, this requires an express intention of Parliament (which there isn’t).  It can be argued that the Commissioner is being unduly aggressive in sending information holders out to collect express consents for existing information. Many federally regulated companies have used the concept of implied consent with opt-out  notices to continue using previously collected information. Although the Commissioner has not looked favourably upon the use of opt-out consent in many cases, practically speaking, the risk of going this route is worth it for many organizations.  


Frankly, given that Industry Canada and the Federal Privacy Commissioner had stated when PIPEDA was introduced that the Quebec private sector privacy legislation (in force since 1994) is substantially similar even though it does not incorporate the 10 principles of the CSA Model Code, it is ludicrous that the Commissioner thinks both the B.C. and Alberta bills are not – B.C. and Alberta have, in my opinion, done a great job in putting together privacy legislation that clarifies many of the ambiguities of the federal legislation and that responds to valid business concerns with respect to compliance.


Accountants Geared to Delve into the Privacy Market

The American Institute of Certified Public Accountants, in collaboration with the Canadian Institute of Chartered Accountants, recently issued a proposed Privacy Framework for public review and comment.


The proposed Framework provides criteria and related material for protecting the privacy of personal information and can be used by certified public accountants (CPAs) in the United States and chartered accountants (CAs) in Canada, both in industry and in public practice, to guide and assist the organizations they serve in implementing privacy programs. The Framework incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines. The Framework is intended to be the intellectual capital and body of knowledge that will provide the foundation for privacy advisory and assurance services provided by CPAs and CAs.


CPAs and CAs in public practice will be able to offer clients a full range of services, including privacy planning, privacy gap and risk analyses, benchmarking, privacy policy design and implementation, performance measurement, and independent verification of privacy controls.


The proposed AICPA/CICA Privacy Framework is intended to help companies apply a common standard or benchmark for their privacy practices. The Framework includes ten privacy components and related criteria that cover Management, Notice, Choice and Consent, Collection, Use and Retention, Access, Disclosure to Third Parties, Security, Quality, and Monitoring and Enforcement. These components are intended to guide companies in protecting and managing their personal information assets, both on-line and off-line.  


A reliable framework that incorporates the ten key privacy principles in tandem with existing privacy laws is very useful to companies looking for the right thing to do with respect to how they handle personal information. However, it is critical to highlight that meeting the Privacy Framework does not necessarily equate to compliance with the law. Although there are no direct conflicts between the Framework and, for example, the federal Personal Information Protection and Electronic Documents Act, there are many specific requirements in the privacy legislation that are not a part of the Privacy Framework, such as timelines around access and exceptions to the consent or access principles. Thus, having a CA certify that a company meets the framework is an important step towards compliance, but does not mean a company is home free from the privacy legal requirements.


The draft framework is available at www.aicpa.org, with comments due no later than August 31, 2003.


The European Commission Releases Data Protection Implementation Report

The European Commission has issued the first report on the implementation of the 1995 Data Protection Directive.  The report notes that the Directive has broadly achieved its aim of ensuring strong protection for privacy while making it easier for personal data to be moved around the EU, but that late implementation by some member states along with differences in national approaches, has prevented the EU from obtaining the full benefit of the Directive. The full report can be found at:  http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm


The report concludes that results in terms of the free movement of personal data are broadly satisfactory. The Directive has achieved its aim of removing legal obstacles to the free movement of data that arose from differences in national legislation and from the fact that two Member States (Italy and Greece) had no data protection laws at all.


The free flow of personal information is essential for the efficient conduct of almost any economic activity on an EU-wide basis. For example, before the Directive was adopted, businesses often faced difficulties in transferring employee data to another Member State, which is necessary if a business works all over the EU but has its central personnel administration in one Member State. Workers who had acquired pension rights in several Member States encountered difficulties when it came to the exchange of personal data needed for the actual accumulation of these rights. Conducting Europe-wide clinical trials for medical research was problematic, given the huge differences in data protection standards.


Only four Member States, including the UK, passed national laws implementing the Directive within the October 1998 deadline agreed by Member States themselves when they adopted the Directive in the Council.


The Commission decided in December 1999 to take France, Germany, Ireland, Luxembourg and the Netherlands to the European Court of Justice. Germany and the Netherlands, along with Belgium, then implemented the Directive in 2001 and Luxembourg, after the Court found against it, implemented the Directive in 2002.


More than seven years after the adoption of the Directive and more than four years after the deadline for its implementation (October 1998), France has still not passed the legislation necessary to bring its old data protection law of 1978 fully into line with the Directive. Ireland has passed legislation recently, which has not yet been notified to the Commission.


The result of delays at a national level is that experience with the implementation of the Directive is very limited. The report is a first step in analysing whether the Directive is achieving its objectives. It would be premature at this stage to propose amending the Directive.


However, the report sets out a work plan to narrow divergences between national legislation where necessary by amending that legislation. The proposed work plan - for completion by the end of 2004 - focuses on improving implementation in the Member States and on a more consistent application and interpretation of the Directive. Progress will be reviewed in 2005.


The Commission noted that businesses still see a need to make the rules work in a more business-friendly way, although this was an improvement from an earlier attitude of “outright hostility” on the part of businesses.


Security Survey Claims Canada’s Financial Institutions Lag Behind

According to the 2003 Global Security Survey conducted by Deloitte & Touche, Canada’s financial institutions have the lowest adoption of security standards worldwide, the least deployment of biometrics, and are the only companies of those surveyed globally with less than 100 per cent use of baseline technologies, including anti-virus software.

The study surveyed 78 of the world’s top 500 global financial institutions in the first quarter of 2003. Thirteen Canadian organizations were involved in the study, which included four of the country’s five top banks, two of Canada’s largest insurance companies, as well as other financial institutions.


Highlights of the report, which can be found at http://www.deloitte.com/dtt/cda/doc/content/2003%20Global%20Security%20Survey.pdf, include:



  • Nearly 40 percent of respondents reported experiencing a security breach during the past year – and more attacks were from external rather than internal sources.

  • IT security budgets, while increasing overall, are still only a single digit percentage of the overall IT budget, typically between 6-8 percent.

  • Different regions vary in their attitudes about and the motivations for implementing security, as well as the level and sophistication of technologies and practice – for instance, Asia-Pacific companies have the lowest levels of concern regarding interoperability of different products and sign-on provisioning.

Canada’s financial institutions may not be adopting globally recognized information security standards because they don’t need to. According to WhiteHat, an Ontario-based company specializing in security solutions, the Canadian financial sector has developed its own standards, which are quite secure, rather than embracing standards such as ISO 17799.


In terms of the adoption of biometrics, North Americans – not just Canadians – are lagging behind the rest of the world. This is likely because biometrics is as much a cultural issue as a technological one, with Canada’s privacy legislation a major factor. Until the world of biometrics matures, lagging behind isn’t a bad thing.

I’m not quite convinced of the study’s findings regarding Canada’s financial institutions’ deployment of baseline technologies. Most major corporations have fully implemented anti-virus software and firewalls at a minimum. It is clear that financial institutions are more proactive than reactive in this regard.

Despite some of the study’s negative results, financial institutions are better equipped to handle security issues than most industries. There are many other industries, including many at comparable levels of risk that are vastly less prepared.


GPS Technologies – Do the Rewards Outweigh the Risks?

As the use of GPS (Global Positioning System) technology increases, the question that needs to be addressed is whether the rewards of that technology outweigh its risks. GPS is a constellation of 24 satellites which is used for navigation and precise geodetic position measurements. Daily position estimates are determined from satellite signals which are recorded by GPS receivers on the ground.  


The threat is that you can now easily purchase equipment that uses GPS technology to track a vehicle either in real time or by recording its movements for playback and analysis later. The driver and occupants of the vehicle need not know this is happening, and the person who places the device need not physically follow the vehicle.  


This equipment is available for as little as a few hundred dollars to over $1000 from a variety of vendors. Obviously, installing a GPS device in someone’s car without their knowledge could be seen as violating their privacy. But what about the parent who is worried about where their teenagers are taking the family car? Would installing such a device be violating privacy or simply exercising parental responsibilities? What if an employer drops such a device into a company car to keep track of it? Would the employer be violating the privacy of its employees? There are instances where the use of GPS may not only be justified, but where applicable privacy laws contain specific exemptions from the requirement to obtain consent that would apply to the use of GPS.


A U.S. federal court recently ruled that police “bumper beeper” transmitters used to track vehicles aren’t a privacy violation because the person is driving in public and can be readily observed.  


A couple of years ago, a car rental agency in the States made news for monitoring its cars to make sure customers weren’t speeding. At the time, most people seemed to think that was overboard. There are now car rental companies both in the States and in Canada that are using GPS technology to make sure vehicles aren’t taken out of the country. Trucking companies are already using GPS-based automated vehicle monitoring (AVM) systems to transmit truck locations back to dispatchers.  


At the other end of the spectrum is something like the OnStar system [http://www.onstar.com/ ], which uses GPS to plot the location of a vehicle. The service can, for example, call a vehicle when its airbag activates; if there’s no answer or if someone in the vehicle confirms that there’s been an accident, the system can send help. OnStar can also be used – at the request of police only – to find a stolen vehicle.  So if the car thieves are driving an OnStar-equipped vehicle, there’s no escaping. Is that a privacy violation?  


As with most surveillance technology, it all comes down to the use that is made of it.  The more privacy invasive the use, where there are no good reasons to deviate from protecting privacy, the more the risks outweigh the rewards.