Adequate Data Protection by the Year 2000: The Prospects for Privacy in Canada

Colin J Bennett. International Review of Law, Computers, and Technology. Volume 11, Issue 1. March 1997.

Under the terms of the 1995 European Union Directive on Data Protection (EU, 1995), personal information may only transmitted outside the European Union if the receiving jurisdiction can offer an ‘adequate level of protection.’ It is doubtful at the end of 1996 whether Canada can make a convincing claim that it meets that standard. While there are public sector laws at the federal level, and in most provinces, the regulatory picture in the private sector has been described by the Federal Privacy Commissioner as a ‘privacy patchwork’ (Privacy Commissioner of Canada, 1994, p. 5). A comprehensive dataprotection law covering all private sector organizations in Quebec (Bill 68) contrasts with a hodgepodge of voluntary codes and isolated statutory provisions in the rest of the country.

In September 1996, the federal Justice Minister and Attorney-General, Allan Rock, announced that ‘by the year 2000, we aim to have federal legislation on the books that will provide effective, enforceable protection of privacy rights in the private sector’ (Rock, 1996). This article reviews recent attempts to remedy the incoherence of Canadian privacy protection. It offers an interim assessment of the consensus that currently exists about the way to provide for comprehensive privacy protection, and suggests the key features of the emerging ‘Canadian model’ for personal data protection. It will also review the conflicts and questions that still remain to be answered if Minister Rock’s promise is to be fulfilled.

The Policy Arenas

Privacy protection policy has been debated and reviewed in three different, but overlapping, arenas: the Canadian Standards Association, the principal standards-setting and certification organization in Canada; the Information Highway Advisory Council, established in 1994 to advise the Department of Industry on the range of policy issues raised by the convergence of computer and telecommunications technologies; and the Uniform Law Conference, organized under the auspices of the Federal Department of Justice.

The National Privacy Standard

Any discussion of recent developments in Canadian privacy protection should properly begin with the initiative that has attracted the most international attention to date, the successful negotiation of a certifiable standard for personal data protection (Q830) through the Canadian Standards Association (CSA). Since 1992, a committee representing Correspondence: Colin J. Bennett, Department of Political Science, University of Victoria, Victoria, BC V8W 3P5, Canada.

Government, business and consumer interests has been negotiating a Model Code for the Protection of Personal Information. The starting point was the 1981 OECD Guidelines (OECD, 1981), revised and adapted to the Canadian context with reference to the Quebec legislation, and the EU Directive. This was finally approved without dissent in September 1995, subsequently approved by the Standards Council of Canada and published as a ‘National Standard of Canada’ in March 1996.

Brokered among the major stakeholders, the code is designed to add some uniformity to data protection policy and practice within the Canadian private sector. It represents a very important consensus, and it has doubtless been a very valuable opportunity for participants in the process to think about the problems of privacy protection and to grapple with these complex issues from scratch.

The CSA Model Code is based upon ten interrelated principles.

  1. Accountability. An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
  2. Identifying purposes. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  3. Consent. The knowledge and consent of the individual are required for the use or disclosure of personal information, except where inappropriate.
  4. Limiting collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
  5. Limiting use, disclosure and retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
  6. Accuracy. Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
  7. Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  8. Openness. An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  9. Individual access. Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging compliance. An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

To each is attached a commentary, designed to explain how each principle should be interpreted and applied. The CSA Model Code will also be accompanied by a workbook, which will provide in greater detail practical advice about how organizations might implement the principles (CSA, 1996b).

It is crucial to appreciate the distinction between this instrument and the traditional company or sectoral ‘code of practice.’ The CSA Model Code is a ‘standard’ that might be subjected to the same kind of certification and registration procedures used for other standards, despite the fact that it is not the kind of ‘hard’ standard typically used within manufacturing industry. Nevertheless, it does have certain parallels to the range of ‘quality management standards’ within the ISO 9000 series that have been rapidly permeating the Canadian and American private sectors, as well as with environmental standards in the ISO 14000 series. Thus, in the same way that a company might be forced to register to ISO 9000 in order to convince its clients and customers that it has adopted a level of ‘quality management,’ a similar system of accreditation could be developed to the privacy standard, where effective data protection is demanded within the Canadian or international market place. The price of maintaining a registration to the standard would be the development and implementation of an appropriate privacy policy and subscription to independent and regular privacy audits.

Of course, not all businesses would be expected to go to the kind of trouble and expense of registering to ISO 9000. The registration scheme for privacy would also require procedures applicable to the smaller business. The scheme requires an appropriate balance between the encouragement of registration on the one hand, and the prevention of symbolic claims about policies and practices on the other. It also requires an appropriate publicity vehicle, so that any consumer can find out who has registered to the standard and who has not. A ‘Privacy Good Book’ in the form of a Privacy Register would have to accompany the registration scheme (Bennett, 1995).

In September 1996, the Quality Management Institute (QMI) of the CSA announced its ‘Recognition Program’ based on a three-tier process of declaration, verification and registration, each with progressively more onerous and regular auditing requirements. The standard might spread through a number of different incentives: by moral suasion; by the desire to avoid adverse publicity; by the desire to gain a competitive advantage; by reference to the standard in private contracts; by registration to the privacy standard in conjunction with registration to ISO 9000; by reference to the standard when government ‘contracts out’ data processing services; by pressure from research-funding agencies; by the regulation of inter-provincial data flows in Quebec’s Bill 68; and by the use of the ‘adequacy’ provisions in the EU Directive by European data protection authorities (Bennett, 1995). Canadian and foreign regulatory bodies can even now insist that the receipt of personal data within Canada be accompanied by a registration to the CSA Model Code.

As outlined, registration to the CSA Model Code would provide a more consistent yardstick by which to observe and evaluate company personal information practices. It could promote higher levels of consumer awareness. It could raise the levels of responsibility and accountability within Canadian business and initiate more and better privacy auditing. The system would build a more consistent and credible system of verification than now occurs and would be able to monitor claims made by organizations about their policies and practices. It could satisfy international contractual requirements, such as that negotiated by Citibank for the implementation of the Germany Railway Card system (Dix, 1996).

However, without legislation, the spread of the standard is bound to be incremental and piecemeal. It could never achieve the kind of uniform policy needed to remedy the ‘patchwork protection’ problem.

The ‘Information Highway’ Debate

The Canadian federal government, like many governments elsewhere, decided in 1994 to establish a high-profile commission to examine all aspects of the Canadian ‘information highway,’ including issues of privacy and security. In its 1995 report, the Information Highway Advisory Council (IHAC), which comprised a majority of business representatives, advised the federal government to:

create a level playing field for the protection of personal information on the Information Highway by developing and implementing a flexible legislative framework for both public and private sectors. Legislation would require sectors or organizations to meet the standard of the CSA Model Code, while allowing the flexibility to determine how they will refine their own codes.

The report goes on to recommend that the federal government, ‘in cooperation with the CSA Working Group on Privacy and other interested parties, study the development of effective oversight and enforcement mechanisms’ (IHAC, 1995, p. 141).

On 23 May 1996 federal Industry Minister John Manley released the government’s response to the IHAC report, in which it was concluded that ‘the right to privacy must be recognized in law, especially in an electronic world of private databases where it is all too easy to collect and exploit information about individual citizens.’ Hence:

As a means of encouraging business and consumer confidence in the Information Highway, the Ministers of Industry and Justice, after consultation with the provinces and other stakeholders, will bring forward proposals for a legislative framework governing the protection of personal data in the private sector. (Industry Canada, 1996, p. 25)

In September 1996, Justice Minister Allan Rock addressed the Annual Conference of the International Privacy and Data Protection Commissioners in Ottawa and clarified this commitment: ‘By the year 2000, we aim to have federal legislation on the books that will provide effective, enforceable protection of privacy rights in the private sector.’ Thus the government of Canada has reconsidered its two-tiered approach of legislation for the public sector and voluntary self-regulation for the private: ‘The protection of personal information can no longer depend on whether the data is held by a public or a private institution.’

The Uniform Law Conference of Canada

Canada is one of the most decentralized federations in the world. Few policy areas are solely the responsibility of the federal government. In this, privacy protection is no exception. Any constitutional justification for a federal responsibility in this area immediately confronts a division of powers that grants ‘property and civil rights’ to the provincial governments. Moreover, constitutionally, the federal government is only responsible for regulating the financial, telecommunications and transportation sectors. All else, including retail, consumer credit, insurance and so on, is strictly under provincial competence. Thus, any legislative approach to data protection not based on a uniform policy would not only fail to solve the ‘patchwork’ problem, it might also create market place distortions and ‘unlevel playing-fields’ (Bennett, 1996b). Therefore, ‘adequate’ data protection in Canada can only arise through close federal/provincial cooperation. Negotiations have only just begun with a meeting on 30 September 1996 of federal and provincial ministers for the ‘information highway.’ A consultation paper, calling for provincial input, is also planned.

In addition, however, a regular forum for federal-provincial legal development has existed in the Uniform Law Conference (ULCC). In 1995, the ULCC decided that it could play a vital role in the development of legislation by ensuring a consistency between federal and provincial approaches. It decided to create a task force to come up with recommendations for a ‘Uniform Personal Information Protection Act.’ This consultation took place with private sector, consumer and government representatives and other data protection experts throughout 1996, with a report published in August (ULCC, 1996).

This ULCC process is notoriously slow. Nevertheless, the initial round of consultations did reach some conclusions on the following recommendations: that the ULCC should support the drafting of a uniform statute that could serve as a model for federal and provincial legislation; that such a law should apply to everyone in the private sector regardless of size; that the principles within the CSA Model Code represent a good base upon which to build a uniform statute; and that existing data protection agencies be given mandates for public education, powers to receive complaints and conduct investigations, mediation and adjudication. Beyond these basic issues, however, it is apparent that there is a great deal of further analysis and negotiation required.

The Value Added of Data Protection Law

Although support for uniform privacy legislation is broad and growing, there is continuing opposition from the private sector. So far, only the Canadian Direct Marketing Association (CDMA) and the Information Technology Association of Canada have publicly endorsed a legislative approach. Most industry associations still state publicly that legislation is premature, and that the process of code development under the CSA standard should be allowed time to work (Akay, 1995). Some business leaders would admit privately, however, that provided the law is uniform, based on the CSA Model Code and not accompanied by burdensome regulatory obligation, then such a law would probably not be opposed in principle. What would a legal regime add to the standards certification approach outlined above? Five arguments have been prominent within the Canadian debate.

First, only law can express the values of the community, the line beyond which no organization should be allowed to cross. This is what Bruce Phillips, the Federal Privacy Commissioner, has in mind when he argues that ‘unless some sensible rules of traffic management are a part of these systems, the first roadkill will be our personal privacy and dignity’ (Privacy Commissioner of Canada, 1994, p. 2). The metaphor of the ‘information highway’ does lead naturally to the undeniable argument that there need to be some consistent ‘rules of the road.’ For many businesses the rules of the road might be attractive to create a ‘level playing-field’-a clear and consistent set of privacy rules that apply across the entire Canadian market place.

Law does not necessarily provide that standard. ‘Far too frequently,’ Oscar Gandy reminds us, ‘we tend to talk about the law as the even-handed instrumentality that ensures that the universal values claimed for any society are protected and guaranteed.’ Any advocate for a legal regime must recognize the vast inequalities within the operation of the law, especially when it is used as a ‘strategic weapon’ rather than as ‘an expression of a basic moral vision, a set of guiding principles that serve as foundations supporting relations among persons’ (Gandy, 1993, p. 177).

Second, therefore, those ‘rules of the road’ are more likely to be even-handedly applied under the guidance of an impartial ‘traffic cop’ (Privacy Commissioner of Canada, 1995, p. 4). The CSA Model Code states that each organization shall designate an individual who is responsible for compliance, and that organizations shall make it clear how consumers might challenge compliance with the principles (Principles 1 and 10). Under current circumstances, the highest mechanism for complaint resolution within most sectors is within the business that is processing the personal data. Only legislation can establish a final arbiter external to the organization. Only legislation can involve the institutions that to date have the best experience with resolving privacy complaints within Canada-the offices of the federal and provincial information and privacy commissioners.

Third, only law can bring the recalcitrants into line. However successfully the CSA Model Code can regulate the practices of the most responsible businesses, there will always be free-riders that will see a competitive advantage in processing personal data in contravention of the standard. Undoubtedly, the fear of the CDMA that the image of its responsible members is being tarnished by a minority of non-members motivated its call for national legislation based on the CSA standard (CDMA, 1995). This move is fascinating. It indicates that at a certain point for some sectors, legislation becomes the acceptable alternative to continued bad publicity.

Fourth, an economic argument has been advanced. As Ian Lawson has argued: ‘To the extent that business obtains and uses personal information without a market mechanism to govern the exchange, business is a classic free rider in the economy. It consumes a common property resource without covering the externalities related to its extraction and use’ (Lawson, 1995, p. 4). So when organizations benefit from the use of the information, either themselves or by trading that information to third parties, no benefits accrue to the original information provider. That situation has perpetuated because of the reluctance of many businesses to be transparent about their practices and to establish mechanisms to obtain informed consent when they wish to use personal information for secondary uses. Business remains a free-rider as long as individuals are kept in the dark about how their information is being used and disclosed.

Classic economic theorizing would contend that an imperfect market place can be rectified by two mechanisms. First, one can give a value to personal information so that the costs and benefits of transactions are allocated more appropriately. There have been some proposals for market-based solutions to rectify this imbalance; all rest on schemes to give individuals some property rights over their information with appropriate compensation when it is used for purposes other than those for which it was originally supplied (Laudon, 1996). The other solution is regulatory intervention to redress the market place imbalance. It is contestable, of course, that economic theorizing has any role to play in the protection of a fundamental human right. Nevertheless, even according to the principles of neoclassical economic reasoning, the arguments for regulatory intervention are hard to resist.

Fifth, only the law can harmonize the standards of the public and the private sectors. Where the ‘public’ sector ends and the ‘private’ sector begins is increasingly difficult to determine. The distinction is also being eroded by efforts to privatize or ‘hive off, government functions. Thus ‘private’ organizations are increasingly performing ‘public’ functions, and often require the use of ‘public’ data to fulfil those obligations. Illustrations include: the use of smart cards and automatic teller machines for the dispensing of government benefits; the matching of data on welfare recipients with bank or financial records to ascertain eligibility; the trading of government personal information to enhance revenue; the use of credit reports for security checks; and so on. The pervasiveness and flexibility of the new technologies will make it increasingly difficult to determine which data are ‘in’ the public sector, and which ‘in’ the private. The need for ‘seamless protection’ between the private and public sectors was a prominent message within the Privacy Commissioner of Canada’s Annual Report 1996.

Finally, and in my judgment the least important reason, concerns the interpretation of Article 25 of the new European Directive on data protection:

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

Notwithstanding the stipulation in Article 26 that ‘professional rules and security measures which are complied with’ may be taken into account in determining the ‘adequacy of protection,’ Article 25 could mean that European regulators might legitimately interrupt flows of data to every part of Canada except Quebec, unless legal protections are forthcoming. An ‘adequate level of protection’ could be interpreted to mean a legislated regime, overseen by an independent ‘supervisory authority.’ At the very least, it would require that any professional rules (such as codes of practice) have to be complied with. Any dataprotection system in Canada has to demonstrate that it is seriously and effectively implemented.

On the other hand, it is critically important that Canada develop this policy in response to Canadian concerns and consistent with Canadian institutions and values. There is plenty of survey evidence that Canadians have a strong but quite distinctive set of privacy concerns (Ekos, 1993; Harris and Westin, 1995; PIAC, 1995). Any law that is passed in order to satisfy Article 25 of the European Directive is in danger of being a symbolic law. Canadian policy should be ‘adequate’ and should be ‘complied with,’ not to satisfy European data protection agencies but to respond to the clear concerns of the Canadian public.

The Elements of a Canadian Data Protection Policy

What is the current consensus about a Canadian data protection policy? The developments traced above lead me to conclude that a distinctively Canadian privacy protection policy is taking shape. It has the following features.

Legislation to the Standard

It is probable that any federal and/or provincial legislation will be based on the CSA Model Code. Justice Minister Allan Rock described this agreement as a ‘milestone’ on the road to legislation for the year 2000, because it provides a national ‘consensus document.’ Even before national legislation is drafted, the CSA standard can be referenced in law, as have been approximately one-third of CSA’s published standards. Most of these standards relate to minimum technical specifications for products procured by government. Increasingly, however, performance standards, such as those for quality management or environmental protection, are being used in order to implement statute, regulation and court order. There is nothing to stop federal and/or provincial authorities using Q830 in a similar way.

The federal government, however, envisages more comprehensive ‘framework’ or ‘shell’ legislation at the federal level; a general statement of principles and obligations, leaving the functions of complaints resolution, investigation, auditing and so on as a matter for further analysis. Individual business sectors would still have the freedom to develop their own specific codes of practice in conformity with the general standard. Thus, as Lawson (1995, p. 43) points out, the ‘higher purpose of the Model Code is for it to be adopted-by-reference as a legislative standard to which the private sector must comply as a condition of using personal information on the information highway.’

This general approach is supported by the Canadian Direct Marketing Association, which called upon Industry Minister Manley to:

place before Parliament framework federal legislation that requires each industry sector to develop its own specific privacy code that meets a national standard. We do not think this legislation needs to be complex, nor would it be expensive to administer. We suggest a similar model to that of the Canada Health Act that sets minimum national standards but allows each province to develop and run its own health care system to meet its specific needs. (Gustavson, 1995)

The CDMA goes on to explain that ‘each code would reflect the needs of the individual sector and meet the standards set by the OECD and/or draft CSA codes.’ Moreover, the CDMA also has ‘concerns that regulatory authority could be used to make the principles more onerous. We think the concept of allowing industries to create standards that protect privacy and meet their particular needs will prevent undue regulatory interference’ (CDMA, 1995). The CDMA would delegate a small complaints-resolution function to the Federal Privacy Commissioner.

The Federal Privacy Commissioner has a slightly different vision, suggesting that the CSA Model Code could form an amendment to the Privacy Act (which only regulates the federal public sector). This option is attractive to the Privacy Commissioner, as it would ‘embody in law a set of rules devised by a committee representing a broad cross-section of Canadian private enterprise.’ However, the Privacy Commissioner says nothing about ‘codes.’ For him the advantage of legislating to the standard is that ‘observance of the CSA standards would become a legal obligation and would be supported by a system of independent oversight’ (Privacy Commissioner of Canada, 1995, p. 6).

The Privacy ‘Toolkit’ Approach

There are a range of tools within the repertoire of possible policy instruments. Four are outlined within Industry Canada’s publication Privacy and the Canadian InformatIon Highway (1994): legislation and regulation; voluntary codes and standards; technological solutions; and consumer education. Clearly technologies of privacy (such as public-key encryption) have a crucial role to play in any privacy policy. Moreover, no policy can succeed without the actions of an informed and vigilant citizenry. Each of these four approaches contributes to a ‘mosaic of solutions’ (Cavoukian and Tapscott, 1995). Each is a necessary condition for privacy protection on the information highway; none is a sufficient condition.

The recognition of the complementarity of these privacy solutions is perhaps stronger in Canada than in most other societies. Justice Minister, Allan Rock speaks about policy development taking place along four tracks:

One track runs through the legislatures of the land. In this case, the task includes the updating of existing statutes and the writing of new ones that respond to the needs of the time. Another track runs through the research and development labs of the information technology industry … New information technology not only generates new pressures on effective privacy rights, but new methods for containing them … The third track runs through every business enterprise and private sector institution in Canada. Total privacy protection will never be achieved simply by legislation. To be effective, the system must engage the wholehearted support and cooperation of the private sector in general … The fourth track runs right down Main Street. In any system designed to protect human rights-and privacy is exactly that-an informed public is an essential component. (Rock, 1996)

There is then a stronger recognition of the need for a multiplicity of approaches in Canada than in most other countries. This is explained by the coincidental arrival of private sector privacy protection policy on the federal agenda with the advent of innovative policy solutions. In particular, the development of new privacy-enhancing technologies in the past ten years has allowed federal policy-makers to consider these solutions on a par with more traditional regulatory and self-regulatory approaches (Ontario Information and Privacy Commissioner, 1995).

A Central Role for Self-Regulation

I have concluded elsewhere that ‘almost by default, Canada has become the only country in the advanced industrial world that has begun seriously the process of promoting privacy protection from the bottom up’ (Bennett, 1995, pp. 119-20). There are probably more privacy codes in Canada than in any other society, especially from sectoral trade associations (e.g. CTSC, 1991; Stentor, 1992; CDMA, 1993; CLHIA, 1993; CBA, 1996). Codes of practice are, and will continue to be, a feature of privacy protection policy in Canada.

There is, however, a key distinction between voluntarism and self-regulation. The former implies that public policy should remain indifferent to the policies and practices pursued. It implies that government should simply trust business to pursue privacy-friendly practices but has no interest in setting an overall standard. This has been the position of the Canadian and American federal governments to date. A self-regulatory regime, on the other hand, establishes in law the standard and grants business the authority to regulate its own practices. The key difference is that a legislated standard is set, and that both individual and organization know that when self-regulation breaks down, the policy instruments established under the law can intervene.

Privacy codes will obviously continue to play an important role within any legislated regime in Canada. They presumably will continue to be developed as a result of market demand and consumer pressure. Of course, the standards-registration process of QMI will independently motivate the development of privacy codes. The question remains what status they should enjoy under a legislated data protectionsystem. Overseas experience suggests that codes of practice that enjoy any form of legal status (beyond the evidentiary value) can be difficult and time-consuming to negotiate (Bennett, 1996a).

‘Light’ Oversight and Enforcement

Canada will undoubtedly avoid the costly and bureaucratic licensing and registration systems that have been established in some European societies. No Canadian advocate has seriously put forward regimes that even in Europe are being revised and made less onerous as a result of the EU Directive. The Canadian data protection regime for the private sector is, therefore, likely to resemble that for the public sector. It will probably continue to be based on the ‘data commissioner’ or ‘ombudsman’ model that exists in Germany, New Zealand and Australia (Flaherty, 1989; Bennett, 1992, p. 160).

The central oversight agencies will probably continue to be federal and provincial information and privacy commissioners, as these offices have established an independence, credibility and expertise. They are uniquely located within the regulatory landscape to oversee private sector legislation and resolve issues that span the public-private divide. However, these agencies only exist at the moment in Ottawa, Quebec, British Columbia, Ontario and Alberta. The allocation of oversight responsibilities in the other provinces will need some very careful consideration in the light of the constitutional division of powers and widespread policies of fiscal constraint.

Any legislated scheme needs to establish a balance of responsibilities for the following functions: complaints resolution and mediation; complaints investigation; audits; advice on the privacy implications of new technologies; the promotion of codes of practice; public education; and research. It is probable that responsibilities will be allocated on the principle that the most effective remedies may be those that are general in nature and proactive rather than reactive. The implementation of data protection law is as much an educational effort as a regulatory one (Raab, 1993). Much can be achieved in anticipation of policy and system development if privacy protection is built in at the outset, rather than ‘added on’ afterwards. All Canadian legislation recognizes this fact, and grants responsibilities to the commissioners to comment on the privacy implications of proposed legislation or on new automated personal record systems.

A Continuous Role for Standards Enforcement

Registration to the CSA Model Code contributes a crucial mechanism for enforcement within any potential regulatory system. Registration to the privacy standard can complement almost any current or future, contractual or regulatory, provincial or federal, sectoral or comprehensive provisions for personal data protection. It can be used to reward good practice and to bring the recalcitrants into line. It is also becoming apparent that standards certification is entirely consistent with the personal data practices on the Internet. Recent pilot projects, such as that of the Center for Democracy and Technology (, have tried to classify Web pages according to their ‘privacy friendliness.’

Some have also suggested that regulators be given the power to order registration to the standard. Thus if a pattern of complaints arose about a particular business, privacy commissioners or the courts could require registration to the standard, triggering the code development and audit process and passing the costs to the data user. A process of registration to the standard adds a compliance instrument that is not present within any other data protection regime. The potential to require (by law or regulation) a registration to the standard can relieve privacy commissioners (and other regulators) of expensive and time-consuming compliance monitoring functions. Registration to the standard is also potentially a more effective sanction than a fine. The loss of the CSA ‘mark’ can have real consequences for business. I quote Jason Meyers, chief economist at the Canadian Manufacturers Association: ‘The prospect of a $50,000 government fine for breaching the law pales in comparison to losing your entire customer base because the firm fails to meet its ISO-9000 requirements’ (McInnes, 1996, p. 34).

Future Questions and Issues

In conclusion, it must be recognized that the necessary policy analysis has only just begun. A range of very tricky and potentially controversial issues still needs resolution.

First, what role should ‘codes of practice’ perform within a legislated data protection regime? If codes are not formally endorsed by a data protection authority, then they may contain language that conflicts with the wording of the law, and confusion about applicability and enforcement might ensue. If a more formal ratification process is laid out, then (as in New Zealand and the Netherlands) this can lead to the bureaucratization of a process that, in theory, is supposed to allow the flexibility of self-regulation.

Second, what powers would be given to the privacy commissioners to order compliance with the privacy protection principles? Here we see an existing contrast between the federal and provincial approaches. The federal Privacy Commissioner’s powers are generally limited to those of investigation and recommendation. This approach is defended because it avoids the adversarial relationships that arise when enforcement powers are used or threatened. Besides, it is argued that bad publicity for privacy protection can be a more effective sanction against business than it is against government. In contrast, others contend that the ability to negotiate with data users is facilitated by the existence of an enforcement power at the end of the day, even if those powers are rarely used. Moreover, government and business organizations need certainty and consistency in the application of data protection rules. The provision of a formal order-making process assures a greater level of consistency, transparency and accountability over time in the implementation of the law.

Third, how consistent is the CSA Model Code with existing federal and provincial public sector data protection law? This code was negotiated as a voluntary and practical guide to practice, not as a model for legislation. If the principles within the CSA Model Code are to be given the force of law, there clearly needs to be careful analysis of the relationship between the wording of these principles and that within existing privacy legislation, including the federal Privacy Act, the provincial Information and Privacy Acts and especially Quebec’s Bill 68.

Fourth, what is the future relationship between the information and privacy commissioners and other federal and provincial regulators? What should be the continuing role of federal regulators such as the Canadian Radio-Television and Telecommunications Commission (CRTC) and the Office of the Superintendent of Financial Institutions (OSFI)? The former has been active in regulating uses of new technologies within the telecommunications sector. There is an argument that this regulatory power should not be diluted simply in favour of constructing a neater oversight regime. At the provincial level, there are similar questions with respect to the future role of regulators for insurance and consumer credit.

Fifth, should the privacy commissioners be empowered to restrict flows of personal data to societies that do not have adequate data protection? One concern of the European data protection authorities is that personal data can flow through societies with ‘adequate’ protection to those without (including, of course, the United States, Canada’s largest trading partner). Ideally, each national data protection law would contain a transborder data flow restriction similar to that within Articles 25 and 26 of the EU Directive. If so, how should this power be exercised in Canada, and by whom? At what point do the fleeting and rapid electronic impulses that characterize international data flows become a matter for Canadian regulation?

Sixth, will compliance monitoring under the CSA standard be consistent with existing auditing schemes under the public sector legislation? If registration to the standard is to be employed as a compliance monitoring process, we need a consistent audit guide, an accreditation scheme for privacy auditors, an appropriate publicity mechanism, a method to monitor claims made about business policies and practices, and possibly an appropriate symbol or cachet for the ‘privacy-friendly’ business. Privacy commissioners need to have full confidence in the registration process if the CSA Model Code is to be employed in the same way as other quality management standards.

Finally, what should be the balance of responsibilities between federal and provincial privacy protection commissioners? The federal-provincial constitutional question underpins this entire analysis. Little is possible without a cooperative arrangement between the federal and provincial governments on the appropriate legislative process, on the powers that should be given to provincial commissioners (where they exist), on the possibility of establishing effective oversight bodies (where they do not), on the process of complaints resolution for businesses that span the federal-provincial divide and on the distribution of the costs of enforcement.


Canada is a unique country whose federal political system touches all aspects of public policy. It is important for overseas analysts and policy-makers to recognize that distinctiveness and not to impose European solutions on this different institutional environment and political culture.

That having been said, Canada does occupy a unique position within the international economy. Canadian privacy officials and experts are conscious that both Europeans and Americans are watching Canadian policy-making with very keen interest. To the extent that European data protection authorities (collectively and individually) can continue to press home the message about ‘adequate’ data protection, the issue will be kept on the political agenda. But privacy legislation is not a priority for the current Liberal Government, and most provincial governments (with the obvious exception of Quebec) have barely given the question of privacy protection in the private sector a moment’s attention. And of course this issue, like so many others, can easily be pushed from the political radar screen by the overwhelming and on-going constitutional problems about the relationship between Quebec and the rest of the country. The development of an ‘adequate’ privacy protection policy in Canada could be obstructed, not through opposition to privacy, but through some inherent and peculiar structural barriers that have impeded the construction of coherent public policy in so many areas of Canadian life.

Nevertheless, this paper has argued that slow and incremental progress is being made towards a data protection policy that displays some distinctive and perhaps innovative qualities. This approach emphasizes the use of all instruments within the ‘toolkit’ of privacy protection. It recognizes that voluntary action from the ‘bottom up’ is just as necessary as regulatory action from the ‘top down.’ And it comprises an innovative combination of the traditional ombudsman approach with the use of the new privacy-enhancing technologies and with instruments from the world of standards-setting and certification. If our federal and provincial institutions can strike the appropriate balances, Canada just might end up with a policy that is not only ‘adequate’ to meet European expectations, but far more sensitive than European approaches to the myriad privacy issues raised by the distributed and networked computing environment of the ‘information highway.’