PrivaTalk - March 2001
Volume 1, Issue 2
Putting the Customer List up for Sale
Customer lists, often containing detailed and even sensitive information on customers, are the most valuable asset of many struggling dot-coms. A key privacy concern is when and how such a list can be sold. The issue was directly addressed in the context of both a sale and bankruptcy in the prominent U.S. case involving Toysmart, a failed on-line retailer of children's toys. Toysmart had represented in its online privacy policy that "when you register with toysmart.com, you can rest assured that your information will never be shared with a third party". When the company began to have financial troubles, it sought to sell all of its assets, the primary one being its customer list, which included an estimated 250,000 names, with associated addresses, credit card numbers and shopping preferences. Following an investigation by the Federal Trade Commission (the "FTC"), the FTC charged Toysmart with deceptive trade practices.
Toysmart filed for bankruptcy protection in June 2000, seeking permission from the U.S. Bankruptcy Court to sell all of its assets, including its customer database. A subsidiary of the Walt Disney Co., which held a 60% interest in Toysmart and was cognizant of the developing public relations disaster, offered to buy the list for US$50,000 and then destroy it so that it would no longer be available for use. Toysmart initially rejected the offer in the hope of getting a better offer for its list, which it would have gotten if it weren't for the chilling effect caused by the negative publicity. A better offer did not materialize. The issue was finally resolved at the beginning of February 2001, when the Bankruptcy Court decided that rather than transfer the list to the Disney subsidiary, the list would be kept in the hands of Toysmart's attorneys until all of the claims against the company are settled, at which point the company must destroy the list.
The Toysmart incident highlights the importance of well-conceived privacy policies, particularly for companies with valuable customer lists. The Toysmart case can be credited for Amazon.com's new privacy policy, which states that "in the unlikely event that Amazon.com Inc. or substantially all of its assets are acquired, customer information will of course be one of the transferred assets".
While it was the misleading promises in Toysmart's privacy policy that caused the concerns about the sale, Canadian privacy legislation imposes similar restrictions on ordinary corporate transactions or restructurings that face the same situation. Under the Personal Information Protection and Electronic Documents Act, an asset sale could be regarded as involving a disclosure by the seller to the buyer of any personal information that forms part of the business assets of the seller. Thus, consents would have to be obtained from all individuals for whom the seller holds personal information, which will surely extend the length of time required to complete corporate transactions, be it in the context of a bankruptcy, a buy-out or a joint venture.
In July of last year, the FTC proposed a settlement which would have allowed Toysmart to transfer the customer data, provided that among other things, the data was transferred as one asset as part of a sale of the entire company, which would become Toysmart's successor. However, this proposal was rejected by the Bankruptcy Court on the grounds that it would be counterproductive to the interests of the creditors to restrict the sale to a particular type of offer. The Canadian Bar Association – Ontario made recommendations for the proposed Ontario Privacy Act which parallel the proposed FTC settlement in some respects, in that it was recommended that the new Act contain an exemption for disclosure of personal information where such disclosure is incidental to a transfer of the assets of a business, and where the new owner(s) of the assets will both carry on substantially the same business within the jurisdiction, and make use of the personal information for substantially the same purposes as the previous owner. Such an exemption makes good business sense and only time will tell whether the Ontario government will accept this proposal.
In Canada, businesses have a lot to learn from privacy battles such as Toysmart in the States, with respect to being open about practices and with respect to customer expectations. With Canadian laws in the picture that have no U.S. equivalent, it is clear that privacy obligations are onerous. However, the negative consequences of non-compliance, such as bad publicity, far outweigh the costs of compliance.
Getting Consent for Identified Purposes is an Achievable Goal
The purposes that an organization must set out as their reasons for collecting, using and disclosing personal information define the scope of consent that is required to be obtained under the Personal Information Protection and Electronic Documents Act (the “PIPED Act”). Where previously collected personal information is to be used or disclosed for a purpose not previously identified to the individual, the new purpose must be identified and a new consent obtained prior to that use or disclosure.
There is a natural temptation for a business to draft consents that either use highly detailed language to itemize every possible purpose for which personal information may be used or disclosed, or, at the other end of the spectrum, use general language describing very broad purposes. However, for a number of reasons, neither of these two extremes should be implemented. First, the Act requires that organizations collect, use or disclose personal information only for purposes that "a reasonable person would consider appropriate in the circumstances". Using highly complex consents to list every possible purpose for which the personal information may be used may result in "inappropriate" purposes being included. The Privacy Commissioner may likewise determine that an overly generic consent, worded to give the organization in question the benefit of a broad interpretation, is also broad enough to encompass inappropriate purposes.
The Act also requires that consent be “meaningful”, which suggests that an extremely complex or broad consent might result in a consent which is not meaningful. At the same time, there is the requirement that consent be "informed". It is not clear how detailed the information provided must be in order for an individual to be appropriately informed as to how their information will be used. For example, in the case of contemplated disclosure to a third party, does the requirement for informed consent require that the name of the third party be provided, or just the fact that the third party will perform a particular function? In most circumstances, the title of the third party who will have access to personal information will suffice. What is clear is that organizations must provide enough details about the purposes identified, in a clear and concise fashion, and without the legalese. The requirement of informed consent is softened somewhat by the statement in the Act that the "reasonable expectations" of the individual are also relevant in obtaining consent. The concept is helpful to a business in that it explains how an individual’s consent could reasonably be said to encompass certain uses and disclosures other than those specifically identified to the individual at the time. The example given in the Act is that of a magazine subscription, as follows: where an individual supplies personal information to a magazine as part of buying a subscription, the individual would reasonably expect that the magazine, in addition to using the personal information to facilitate mailing and billing, will also contact the individual to solicit the renewal of the subscription. Purposes which are not within the reasonable expectations of the individual would arguably include a sale of information to the publisher of another magazine, in order for that publisher to solicit the individual.
The Act contemplates the use of both express and implied consent but encourages express consent for sensitive information. The Act states that any information can be sensitive, depending on the context. While the Act provides medical and income records as the relatively clear examples of sensitive personal information, it is important, in a specific business context, for organizations to put themselves in the shoes of their customers when determining what other personal information will be sufficiently sensitive to require express consent.
It is worth noting that most of the available exemptions to the requirement of obtaining consent do not assist a commercial business. For example, there are no exemptions for disclosures that result from a sale of a business, or for information passed to a parent organization. However, exemptions are available for information collected, used or disclosed solely for journalistic, artistic or literary purposes, or for statistical or scholarly study or research purposes. Also, many exemptions do not apply equally to collection, use and disclosure, so every organization will need to review each exemption carefully to confirm that it applies.
As with all legislation, much of the inherent ambiguity regarding consent, and many of the problems raised by the consent requirement in the context of transactions, may be resolved through the enactment of regulations to the Act, through policies or guidelines provided by the Office of the Privacy Commissioner in its role as administrator of the Act, or simply through the judicial enforcement of the Act. For now, however, organizations should at a minimum ensure that they are aware of the potential problems raised in the corporate context by the consent requirement. Through application forms, revised contracts, notices and other methods, organizations must attempt to get as comprehensive a consent as they reasonably can.
Proposed Ontario Personal Health Information Privacy Act has Serious Flaws
Without health information privacy legislation at a provincial level, there can be no assurances that health care records will be properly used and protected. However, Ontario’s controversial Bill 159 probably won’t cut it. Ontario’s Privacy Commissioner, Ann Cavoukian, expressed her concerns at the legislative committee in early February and stated that the proposed law would unacceptably extend the government’s reach into a patient file. The difficulty lies in the Bill’s broad definition of “health information custodian” which includes health care professionals, hospitals, health clinics, and nursing homes, but also includes the Health Minister and those who maintain registries of personal health information such as medical researchers. The Health Minister and researchers would not only have access to patient records but would be able to disclose personal health information to others for the purpose of managing or evaluating programs or services or the health system in general.
Section 50 of the Act states that an individual who believes that there is an error or omission in their record may request that the health information custodian holding the record make the appropriate changes. However, even if the custodian acknowledges the record to be inaccurate, the custodian has the choice to either amend it or attach a “statement of disagreement” to the record indicating that the custodian has not made the changes requested by the individual.
Bill 159 is littered with language demonstrating that an individual in Ontario will have little control over their own personal health information. Significant amendments or even a fresh start with a new Bill may change that. The Privacy Commissioner of Canada urged the Ontario government to kill Bill 159 stating that it fails to meet the test of substantial similarity to federal privacy legislation. He stated that the new law permits far too many people to get their hands on personal health information “without regard to whether it is necessary for the care of the individual”.
The Protection of Personal Health Information Working Group created by Health Canada is currently developing a Harmonization Resolution which will outline a set of voluntary principles for the protection of personal health information across Canada. It is hoped that in both the private and public sector and in provinces across Canada, legislation consistent with the Resolution will evolve. The initiative stems from the fact that there are provincial health information laws as well as the federal Personal Information Protection and Electronic Documents Act which will apply to personal health information in the private sector as of January 1, 2002 or January 1, 2004, depending on the organization (unless substantially similar legislation is in place – a test which Ontario’s Bill 159 does not meet). Meanwhile, public sector health institutions continue to be governed by Canada’s Privacy Act. The confusing mix of federal and provincial legislation that will eventually apply to organizations dealing with health information is of great concern, and makes harmonization efforts all the more important.
The first reading of Bill 159 can be found at http://www.ontla.on.ca/Documents/StatusofLegOUT/b159.pdf.
Will Canada’s Privacy Legislation meet European Standards?
The primary impetus for the introduction of the Personal Information Protection and Electronic Documents Act ("PIPED Act") was the European Union's Directive on Personal Data Protection (reference 95/46/EC), which prohibits the transfer of personal information to jurisdictions which do not adequately protect that information. Although there are exceptions, businesses in Europe transferring data to their Canadian operations would be prevented from doing so without adequate privacy legislation in Canada. The Office of the Federal Privacy Commissioner has expressed confidence for some time that the EU Commission will approve the Canadian legislation, thus allowing data on EU citizens to be freely transferred to Canada. The EU Working Party on the protection of individuals with respect to the processing of personal data expressed its opinion in February 2001 with respect to the finding that should be made by the EU Commission on the adequacy of Canada's PIPED Act. This opinion can be found at http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp39en.pdf.
Two of the recommendations made by the EU Working Party that directly address Canada’s PIPED Act are as follows:
- A higher level of protection is required when sensitive data is processed. The EU Directive defines sensitive information as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information concerning one's health or sex life. Explicit consent is required in the EU for the collection, use and disclosure of such sensitive information. The PIPED Act, on the other hand, does not define sensitive information and only states much more generally that "An organization should generally seek express consent when the information is likely to be considered sensitive". Guidance on what information is considered sensitive may be addressed through amendments to the law when the Privacy Commissioner of Canada engages in its five-year review of the PIPED Act.
- Canadian authorities should provide guidance with respect to the contractual provisions required when data is transferred outside of Canada. Schedule 1 of the PIPED Act states that an organization is responsible for information that has been transferred to a third party for processing, and that the organization must use contractual or other means to ensure a comparable level of protection by the third party. Hopefully this is a recommendation the Privacy Commissioner of Canada will take to heart, given the significant amount of personal information being transferred to the United States for processing in a variety of contexts.
Overall, the EU Working Party did not recommend that the EU Commission find the PIPED Act to be adequate or inadequate. The Working Party warned the EU Commission to keep in mind the limited application to commercial activities and the long phase-in period of the law before full implementation in 2004, when making its finding about the adequacy of Canada’s PIPED Act. It is clear that the Working Party would have preferred privacy legislation in Canada with a broader application and a tighter timeline, and it is not as clear as the Privacy Commissioner of Canada hoped that a finding of adequacy is on the way. However, the chances of such a finding are high given the EU Commission’s respect for Canada’s initiatives in developing a national standard on privacy protection.
The European Committee for Standardization Information Society Standardization System is in place to establish privacy standards and ensure that the EU Directive is consistently applied in each EU member country. The group will be producing a report on the Initiative for Privacy Standardization in Europe ("IPSE") for full public consultation towards the end of April. The confidence in Canadian initiatives is obvious given that Stephanie Perrin, Chief Privacy Officer of Zero Knowledge Systems in Montreal, has been selected to lead the IPSE project team in its development of the standardization proposal.
The U.S. has had a longstanding tradition of letting industry groups regulate themselves with respect to privacy, whereas in Europe, government bodies strictly regulate data protection. Canada takes the admirable middle ground with a private sector privacy regime intended to be tough enough to represent adequate privacy protection in the eyes of the Europeans, but relatively light and flexible so as not to drastically impede business. Those Canadian businesses conducting business in an EU country need to be cognizant of the greater privacy obligations that may exist, particularly while the EU Commission has not yet made a finding with respect to the adequacy of Canada's privacy law.
An International Comparative Study of Privacy on the Internet
Consumers International, a global federation of consumer organizations, issued the results of its study on the privacy protection offered by 751 consumer-based Internet sites at the end of January. Consumers International set out to establish whether there was a significant difference in approach among Web sites in Europe and the United States. The research revealed that the majority of Internet sites selling products and services both in the United States and Europe do not come close to meeting international standards on data protection.
Despite the presence of the European Union's Directive on Personal Data Protection, the survey found that EU sites were no better at disclosing how personal information is used than sites based in the States. In fact, the best privacy policies were found on American sites, despite the absence of legislation in the States. Overall, it was found that only 58% of the sites that collect personal information had a privacy policy. Also, the majority of sites assessed by Consumers International ignored even the most basic principles of fair information use, such as telling consumers how their data will be used, how it can be accessed, what choices the consumer has about its use, and how security of that data is maintained. A privacy policy is of no value if it does not provide adequate information to the consumer.
The most popular U.S. sites were more likely than the EU ones to give users a choice about being on the company's mailing list or having their name passed on to affiliates or third parties, despite the legal requirements which oblige EU-based sites to provide users with a choice. It was also found that U.S.-based sites were much more likely to make the privacy policy accessible from the site’s home page than EU-based sites.
Consumers International called on policy makers to enact laws and adopt rules to ensure that:
- users are given control over the collection, use and disclosure of their personal information and that personal information is only collected and held as long as necessary to fulfill the original purpose for collecting it;
- users can easily check, correct or delete any data a site may hold about them and the data is collected, stored and transmitted in a secure manner appropriate to the sensitivity of the data; and
- an independent oversight body is established to ensure compliance and provide for adequate sanctions for violations.
Likewise, Consumers International stressed that companies need to incorporate internal practices in line with all existing legislation and guidelines regarding the protection of personal data. It appears that Canada has taken the lead with its private sector privacy legislation that came into force on January 1, 2001: all the recommendations made by Consumers International are specifically addressed in Canada's law. However, greater efforts need to be made by businesses in Canada to disclose practices and develop sound privacy policies. Whether privacy legislation is stringent, as is the EU Directive, or flexible, as in Canada, the laws don't help an individual on-line if a company's Web site does not disclose how personal information is used.
How do we make sense of the results of the Consumers International study? Since U.S. consumers do not have general legal protection in this area but privacy problems have achieved a great deal of media attention, companies in the States are reacting with greater efforts to reassure their Web site users that their privacy will be protected. At the other extreme, EU customers not only witness stringent legislation, but also have a data protection commissioner in each country looking out for their rights. Customers in the EU may not have the same privacy concerns, and thus companies in the EU don't have the same privacy-promoting outlook. Relying exclusively on the policy makers is problematic, though: the corporate world must take the lead, particularly if customers are located in various jurisdictions. Every business must take responsibility for customer relations and reveal its information-handling practices if it wants to continue doing business on the Web.
The full report of Consumers International's study can be found at http://www.consumersinternational.org/news/pressreleases/fprivreport.pdf.
E-mail Wiretapping makes Communications Vulnerable
An increasingly common form of e-mail known as HTML mail enables users to send and receive e-mail messages that look and act like Web pages. However, a computer engineer in British Columbia, Carl Voth, found a loophole that allows HTML mail messages to be spied upon. The Privacy Foundation, a Denver-based research organization, publicized the technique in early February.
The technique essentially involves embedding into an HTML mail message a few lines of JavaScript, a programming language often used on Web sites to create pop-up windows and navigational aids. This code enables the text to be secretly returned to its original sender every time it is forwarded to another recipient, as long as the recipient's e-mail program is set up to run JavaScript. Thus, the sender has access not only to the e-mail addresses of everyone who receives the message, but also to their comments on the subject.
Although HTML mail often includes images and animations, it can also be made to look like a plain text e-mail. To figure out whether a message is HTML or text, a user can right-click on the message body. If one of the menu choices that appears is "view source," it is HTML mail. By choosing "view source," a user is able to see any JavaScript code embedded in the message, but whether the code was designed to spy on a message is difficult to tell for someone unfamiliar with JavaScript.
Invisible HTML tags, called “pixel tags” by on-line marketers and “Web bugs” by privacy advocates, are widely used in HTML mail by marketers and others to detect whether an individual has opened an e-mail message. It is now clear that JavaScript can be used to create a more powerful tool that not only allows one to find out when a message has been read, but also what is being said about it. Although the media has called this a ‘bug’, it is really a JavaScript feature that is being exploited and not a security flaw.
Because many e-mail users continue to hit "reply" during long e-mail exchanges rather than initiating new messages, the JavaScript code could enable an individual to eavesdrop on an entire conversation between business associates about a proposal e-mailed to one of them, or any other privileged business communication that spreads through a company's internal e-mail system.
For the script to work, both the sender and recipient of the tapped message must use an HTML/JavaScript-enabled e-mail reader. The widely used e-mail programs that are vulnerable include Microsoft Outlook, Outlook Express and Netscape Messenger 6. These programs use HTML/JavaScript-enabled e-mail by default. Only newer versions of Microsoft's Outlook come with JavaScript disabled by default.
By going to the "preferences" command under the Edit menu in Netscape Messenger, users can turn off JavaScript in about five steps. To disable JavaScript in Microsoft Outlook and Outlook Express takes about 15 steps, which are outlined on the Privacy Foundation's Web site. However, turning off JavaScript does not necessarily mean that e-mail cannot be spied on, because the message will still be returned to its original sender if it is replied to or forwarded by someone who has JavaScript enabled.
The easiest way to secure your inbox against snoopers and spammers is to use a text e-mail reader as opposed to HTML. This is a must for those who use e-mail for confidential business communications without encrypting their messages.
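A defender-side check for the kind of HTML mail the article describes, added here as an example (it is not code from the newsletter or from the Privacy Foundation): it parses a raw message and, for each text/html part, flags script blocks, inline event handlers, javascript: URLs and remote 1x1 images (the "Web bugs" mentioned above). The message it scans is constructed for illustration; the script inside it is only a placeholder comment.

```python
"""Scan an e-mail message for active content (JavaScript) and tracking
images in its HTML parts.  Added example, not code from the original
newsletter.  The sample message at the bottom is constructed."""
import email
from email import policy
from html.parser import HTMLParser

# Tags that let an HTML mail message run code or load external content.
ACTIVE_TAGS = {"script", "object", "embed", "iframe"}
REMOTE_SCHEMES = ("http://", "https://")


class ActiveContentScanner(HTMLParser):
    """Collect indicators of scripting and tracking in one HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active content: <{tag}>")
        # Inline event handlers (onload=, onclick=, ...) run script too,
        # as do javascript: URLs in href/src attributes.
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"event handler: {name} on <{tag}>")
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
        # A remote image with no size, zero size or 1x1 is the classic Web bug:
        # fetching it tells the sender the message was opened.
        if tag == "img" and attrs.get("src", "").startswith(REMOTE_SCHEMES):
            w, h = attrs.get("width", ""), attrs.get("height", "")
            if w in ("", "0", "1") and h in ("", "0", "1"):
                self.findings.append(f"possible Web bug: img {attrs['src']}")


def scan_message(raw: bytes) -> list:
    """Return the findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # plain text parts cannot carry script
        scanner = ActiveContentScanner()
        scanner.feed(part.get_content())
        findings.extend(scanner.findings)
    return findings


# Constructed sample: a multipart message whose HTML part reads like plain
# text but carries an event handler, a script block and a remote 1x1 image.
SAMPLE = b"""\
From: sender@example.com
To: recipient@example.com
Subject: Proposal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B"

--B
Content-Type: text/plain; charset=us-ascii

Please review the attached proposal.
--B
Content-Type: text/html; charset=us-ascii

<html><body onload="void 0">
<p>Please review the attached proposal.</p>
<script>/* placeholder: any script here would be flagged */</script>
<img src="http://tracker.example.com/p.gif" width="1" height="1">
</body></html>
--B--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

A message that produces no findings can still be HTML mail; the scan only tells you whether it carries script or tracking images, which is the question the "view source" check above leaves to the reader.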