| |
| |
Apr. 19, 2004. 07:26 AM | | Weak enforcement undermines privacy laws MICHAEL GEIST LAW BYTES
At a recent meeting of Canadian privacy professionals, the United States' approach to privacy was derisively characterized as amounting to little more than a privacy policy placebo, a reference to the reliance on privacy policies under the U.S. system. The comment reflects the perspective of many in the privacy community outside the U.S., who view the legislative approach employed in Canada, Europe, and Australia as a superior method of protecting personal privacy. Although the U.S. system is not perfect privacy policies do not necessarily equate to effective privacy protection several recent studies do suggest that major U.S. companies respect their privacy obligations and strictly adhere to the commitments set out in their policies in greater numbers than companies in countries with privacy legislation.The reason behind the U.S. findings may well rest with the very active enforcement mechanisms found there. While U.S. privacy laws may not be as comprehensive as those found in Canada, enforcement agencies have levied millions in fines for privacy violations, sending an unmistakable signal that privacy legislation is serious business.By contrast, PIPEDA enforcement has thus far not resulted in the pursuit of cases in federal court nor in public fines being levied. As former IBM CEO Louis Gerstner once noted, "people do what you inspect, not what you expect." Given that there have been few, if any commissioner-initiated inspections, it should be a matter of concern that Canadians are beginning to expect precious little when it comes to their privacy law.While Canada has opted for an ombud-type approach that is designed to resolve outstanding privacy complaints rather than encourage increased litigation, it may be time to consider how we can instil a greater commitment to privacy within our chosen approach. In fact, the privacy commissioner of Canada recently raised the question of responsibility for privacy in a decision titled "A Question of Responsibility."The case involved a workplace dispute in which a union representative sent a confidential letter on behalf of an employee from the company fax machine without a cover sheet. The employee's manager picked up the fax receipt, which included a copy of the letter. After the employee noticed the manager reading the confidential information, he asked that the manager stop reading the letter and promptly return it to him. The manager ignored the request and returned the letter only after reading it in its entirety.While privacy-watchers might have expected the commissioner (and the assistant commissioner who is credited with the decision) to side with the employee most jurisdictions with privacy legislation would have required the manager to have stopped reading the letter once advised of its private nature the commissioner surprisingly issued a not well-founded decision.The reasoning apparently rests with the new commissioner's view of who bears responsibility for protecting personal privacy. According to the summary of the decision, responsibility rested with the union representative and the employee to take the steps necessary to ensure that the letter was kept private given the public nature of the fax machine. Although the commissioner's view of the public nature of the fax machine is certainly supportable, the willingness to excuse the disregard for the employee's privacy sends a disturbing message to all Canadians concerned with their personal privacy. It suggests that individuals are only entitled to privacy protection if they take active steps to protect their personal privacy, a condition certainly not found in the law. While the commissioner has focused on the need for both individuals and companies to shoulder their share of the burden in fostering a privacy-friendly environment in Canada, responsibility for privacy should also be examined from the perspective of both the office of the privacy commissioner and the federal government. As noted above, the privacy commissioner must ensure that PIPEDA is not rendered ineffectual through weak enforcement. The danger that the Canadian law will be viewed as having more bark than bite can be addressed if the commissioner's office can marshal the financial resources to use all of the statutory powers placed at its disposal.It also must jump at the opportunity to take a leadership position on emerging issues such as spam. While private companies such as Yahoo, Amazon.com, and Earthlink have all launched actions against Canadian organizations for spamming activity, the commissioner's office has been inactive on an issue that affects millions of Canadian businesses and Internet users.To the credit of the commissioner's office, it has recently improved the search functionality of its Web site. More can be done to improve the dissemination of privacy-related information to the public, however. For example, decisions continue to be released in summary form, many of which are difficult to decipher. The entire privacy community would benefit from greater transparency in this area by being provided with more information, not less.If the commissioner's office is to take the lead on cutting edge issues and increase its enforcement activity, the federal government must step up to the plate to provide it with much-needed resources. In the wake of last year's scandal involving former privacy commissioner George Radwanski, the office has faced significant budget pressures that have constrained new hiring and sadly transformed the current privacy legislation into a complaints-only-driven process. While there is no doubt the will at the commissioner's office to ensure that PIPEDA meets expectations, the federal government must help pave the way. It is evident that privacy laws without effective enforcement and genuine transparency may provide Canadians with little more than placebo privacy protection. Ensuring that this does not happen is, in the words of the privacy commissioner, a question of responsibility. Michael Geist is the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa and technology counsel with the law firm Osler Hoskin & Harcourt LLP. He is online at http://www.michaelgeist.ca and http://www.osler.com (mgeist@u ottawa.ca). The opinions expressed herein are personal and do not necessarily reflect those of the University of Ottawa or Osler, Hoskin & Harcourt LLP.Additional articles by Michael Geist
Pay less than $3 per week for 7 day home delivery. |
| |
| |
|