May 03, 2006

Northern Exposure: Lessons From Canada's National Privacy Law Regime

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) made a presentation on compliance with Canada's national privacy law at the Computers, Freedom and Privacy 2006 conference in Washington, D.C., this afternoon. A few quick notes:

CIPPIC has just released a report finding widespread violations of Canada's privacy laws. Canadian industry was on board for implementing the law in the first place because consumers were becoming increasingly nervous about e-commerce and other online activities.

PIPEDA, the federal legislation, began being phased in about six years ago. The act applies generally, and provinces can enact their own legislation based on it.

Companies must designate a chief privacy officer and must have a privacy policy that answers: What information is collected? How is it used and disclosed, and to whom? How can consumers access and correct their information? (Organizations are obliged to correct mistakes and to pass the corrections on to any other organizations with which they have shared the data.) Companies may not make consent to collection a condition of supplying a service beyond what is reasonably necessary.

What happens if an organization doesn't comply? Anyone can complain, and privacy commissioners have broad investigatory powers. However, commissioners have no order-making powers, and the courts are the next recourse.

CIPPIC found widespread non-compliance. In a survey, several companies had no privacy policies. Over half could not name the person responsible for privacy. Overall, 70% of privacy policies failed to fully comply with PIPEDA.

Other data showed that 86% of companies that did share data did not say in their privacy policies with whom they shared it. Over a third of companies did not respond at all to access requests; only 21% fully complied with them.

Enforcement is key. Companies need incentives to comply. Market forces are not providing these incentives. The law needs teeth. Companies are still not complying after five years. There is no real risk of penalty for non-compliance. Companies know they will only be slapped on the wrist behind closed doors.

In the question period, the difference between "reasonable" and "necessary" information came up. PIPEDA repeatedly uses "reasonable", whereas Quebec's legislation says "necessary", and "reasonable" is much more open to interpretation.

Posted by Paul at May 3, 2006 11:55 AM