



The Web and Government Affairs: Bill C-6 Privacy Legislation

By Scott Proudfoot, Principal
June, 2001

Bill C-6 will soon pass without serious opposition in the Canadian Parliament.  It is three bills in one.  It does the following:

• deals with the protection of personal information in the private sector;
• enables the use of digital signatures; and
• amends multiple federal statutes to give the electronic delivery of services the same status as paper based processes.

The privacy legislation component is based on a privacy standard developed by the Canadian Standards Association. The CSA privacy standard represented a broad consensus of business groups, government and consumer groups in Canada.  Similar principles are being promoted in the US and Europe.   A number of industry groups have already adopted privacy principles based on the CSA standard (e.g. the Canadian Direct Marketing Association, the Canadian Association of Internet Providers).  

The legislation will apply to the federally regulated private sector. The provinces have three years in which to introduce compatible legislation to cover the provincially regulated private sector or the federal Act will be applied.  (As of now, only Quebec has its own Privacy Legislation.)   The table below covers the jurisdictional intent of the legislation.

                                                      Personal information about        Personal information about
                                                      employees (i.e. human             others (i.e. customers)
                                                      resource information)
                                                      --------------------------------  --------------------------------
Federally regulated private sector                    Covered when Bill C-6             Covered when Bill C-6
                                                      comes into force                  comes into force

Trade in personal information that occurs             Not covered                       Covered when Bill C-6
inter-provincially or internationally                                                   comes into force

Provincially regulated private sector                 Not covered                       Covered when Bill C-6
                                                                                        comes into force

Individuals who are unhappy with their treatment by corporations may make a complaint to the Privacy Commissioner.  The legislation provides the Commissioner with broad powers to investigate, compel appearances, demand information, enter premises, and conduct interviews.   The Commissioner may, with reasonable grounds, also initiate an audit of the information practices of a company.  Those powers may be delegated, with no limitation.

The Commissioner has the right to prepare a report and, if he so decides, to publish that report publicly.  Individuals have the right to take an organization to court, and the Commissioner also has the right to go to the courts and seek redress on behalf of an individual.

The courts may order a company to correct its practices and/or publish a notice of its intention to correct its practices and/or levy a fine of not more than $20,000 for punitive damages. In the event an organization has obstructed the Commissioner or his delegate, fines between $10,000 and $100,000 may be applied.

This is not simply a Canadian issue. Companies operating in the US and Europe will have to comply with similar legislation.

The CSA standard envisions that “more sensitive information should be safeguarded by a higher level of protection.” 

Some companies handle more sensitive information than others (e.g. financial, health) and will be expected to have more stringent controls.  Encryption software may be required along with periodic independent security audits of your premises and your Internet based networks and servers.  It should be noted that the Canadian General Standards Board is developing a “Canadian Independent Security Auditing Standard for Internet Based Networks and Servers.”

Corporations are becoming more widely aware of how their information can be surreptitiously accessed electronically. As those threats multiply (and awareness of these risks grows), companies will have to spend more to ensure their electronic data cannot be easily accessed and to reassure their clients (and regulators) that they have the necessary safeguards in place.

It should be noted that this legislation is a business opportunity for a number of security related manufacturers and consultants.  Since these companies are often active participants in developing these general standards, it can be argued they have a vested interest in making the standards more, not less, stringent.  Over time, this may become a bit of a treadmill, as new benchmark practices are developed and companies are expected to increase their security related measures to maintain public confidence in their reliability.

A $20,000 fine is pocket change for many corporations.   The real threat under the act is public embarrassment.  In the event of a dispute, most corporations will negotiate a settlement with the Privacy Commissioner — even if they have a very good case.   They will conclude that it is better to settle than put up with the negative publicity of being cited in a public report of the Privacy Commissioner or having to defend themselves in a court action. 

A reasonable scenario would have the Privacy Commissioner allow the process to be truly complaints-driven.  The Commissioner would react to complaints and only initiate publication or legal proceedings when there has been a history of violations and the organization involved is an egregious violator, unwilling to offer serious remedial measures.  This would allow industry self-regulatory approaches to evolve.  Over time, most corporations would adopt a reasonable set of generally recognizable practices. Security standards would generally toughen over time.

Since the privacy practices used by company and association web sites can be checked most easily and cheaply by regulators, expect activity in this area.





Hillwatch Inc., 45 O’Connor St. Suite 1150, Ottawa ON K1P 1A4 tel: (613) 238-8700 fax: (866) 310-4955