| Over the past two years, Canada’s Privacy Commissioner, George Radwanski, has been a busy man. He has condemned big banks, disparaged airlines and become a kind of patron saint of the suspicious.
Radwanski is the man charged with investigating companies that abuse the private information of Canadian consumers under extensive new legislation called the Personal Information Protection and Electronic Documents Act (PIPEDA). It isn’t just those with a Big Brother complex Radwanski is responding to – he’s fielding complaints from all sorts of Canadians who feel their privacy is being abused.
The act sets limits on how companies can use the personal information of their customers, something privacy watchdogs have worried about for years. In 2001, federally regulated companies like banks and airlines came under the act, and Radwanski hasn’t been shy about taking them to task for their abuses.
In March, he slapped down Air Canada’s Aeroplan program for forcing customers to opt out of its policy of using customer information for sales and marketing purposes. He says the program should be set up so customers must opt in so they know what they are getting into.
In 2004, all companies in Canada will be governed by PIPEDA, bringing Canada’s privacy legislation in line with the strict measures that have been in place in some European countries for years.
Calgary lawyer Gary Dickson, a privacy consultant and former Alberta MLA, praises PIPEDA for bringing Canada in line with the international trend towards stronger privacy protection. He expects Alberta, and most other provinces, to adopt similar legislation in the coming months (provincial governments can maintain jurisdictional control in such situations if they enact legislation that is "substantially similar" to federal laws).
But Dickson says Canadians need to be vigilant when it comes to protecting their privacy, especially when civil liberties are being traded in for beefed-up security in response to supposed terrorist threats.
"There was a time when personal information was in lots of places, but it was in hard-copy form sitting in someone’s filing cabinet," Dickson says, adding that the digital collection of information is more difficult to control. "Even my dry cleaner collects personal information now.
"I think people are starting to understand the enormous potential for abuse – I think the risk is huge and I think Canadians understand that."
In Alberta, Dickson says privacy protection has improved, although it’s "sometimes one step forward, two steps back." He says Alberta’s Health Information Act, for example, doesn’t do enough to give citizens the right to manage their own health information.
The act was implemented in 1999, partly as a way to protect patient privacy, according to the Alberta government. But Dickson says it allows too much sharing of information within the system – personal information can be used for reasons unrelated to patent health, such as management.
"As a competent adult, you or I can choose to say ‘No’ to medical treatment… but with our health information, we really don’t have the last word," Dickson says. "It’s quite paternalistic."
Alberta’s Auditor General also says the government is failing to protect privacy in its motor vehicles registry. It says there are no standards governing the disclosure of personal information, something it first recommended four years ago.
Hugh MacDonald, Alberta Liberal critic for Government Services, thinks the government has bungled the privatization of motor vehicle registry services and opened the door to abuse.
"The minister (of government services) is making statements in the legislature like ‘Be happy, don’t worry,’… there’s quite a list of agencies or registry offices where wrongdoing, nevertheless, is going on," MacDonald says. "There’s certainly a lot of talk, but in my view, talk is quite cheap."
For its part, the provincial government says it plans on bringing in its own legislation similar to PIPEDA before 2004, and recently completed a review of its Freedom of Information and Protection of Privacy Act (FOIP), which guides privacy matters in the public sector.
The review still has to work its way through the legislative process, but it makes recommendations to strengthen the protection of personal information on the Internet, to close the holes in the motor vehicles registry and strengthen privacy protection in a number of other areas, according to Government Services Ministry spokesperson Eoin Kenny.
"FOIP covers the (public) sector… but has left the private sector to its own devices, and now we, as Ottawa, feel that there’s a responsibility in the private sector as well," says Kenny.
Fingers can’t be pointed solely at the government, however. The real problem PIPEDA is meant to address is the abuse of personal information by private companies – customer lists are a prize for any company looking to target its market.
Many companies have detailed privacy policies available to customers, but they are still reluctant to talk about the issue. Inquiries directed to several companies for this article went unanswered or were bounced around to nowhere.
These companies may be a little gun shy these days because of Privacy Commissioner Radwanski. In several cases, he has lambasted companies for being too vague in their privacy policies, leaving them wide open to interpretation. In one ruling, Radwanski said an unnamed major Canadian bank’s privacy policy was "so broad in each case as to virtually preclude understanding, unless the individual is to understand that the bank intends to use personal information however it may see fit and disclose it to whomever it may see fit." He also said the wording was too "legalistic" and printed too small to be read.
Such comments may have private companies scrambling to update their privacy policies before 2004.
That example also illustrates the power Radwanski holds from making his findings public. The legislation counts largely on bad PR from rulings against abusive policies to keep companies honest.
"In the U.S., if someone feels their privacy has been violated they are expected to hire a lawyer," Dickson says. "In Canada, we have these powerful commissioners."
Perhaps the threat of investigation will be enough, but to many corporations, the easy money that can be made selling customer information databases is a siren’s song. That means adequate funding to the privacy commissioner’s office is essential, and extending the power to conduct thorough investigation is crucial.
It also means Radwanski may want to take a vacation now. Come 2004, he could be a busy man. |
