Canada Gets Private
Legislation: Federal law aims to protect personal information.
Send your e-mail address to an online florist, and months later you may well get a marketing plug using-you guessed it-that same e-mail address. That’s a troubling development for those concerned about personal information winding up in corporate databases. Canada has taken these concerns seriously, passing legislation to better protect the privacy rights of its citizens. The new federal law, the Personal Information Protection and Electronic Documents Act, mandates rules businesses must follow in collecting and processing personal information; it requires, among other things, that companies obtain an individual’s consent for specific uses of data.
Much of the attention to privacy issues over the past year has focused on the Internet, and the opportunity the Net affords business and government to collect extensive information about citizens. But the Canadian law applies to all data collection activities. That means banks and insurance companies collecting data in traditional ways, as well as the latest e-commerce trading site.
“In order for Canada to become a leader in the knowledge-based economy and in electronic commerce, consumers and businesses must be comfortable with the new technologies and with the impact that these technologies will have on their lives,” said John Cannis, MP from Scarborough Centre, speaking shortly before the legislation passed the Canadian Parliament this spring. Cannis said the law creates a “level playing field” for all Canadian companies. “The direct marketing industry, information technology companies, telecommunications companies and banks all realize that we need a clear federal legislative privacy framework in Canada. And they recognize that flexible, but effective, legislation will help customers accept electronic ways of doing business and be less expensive for them than self-regulation alone.”
The Canadian privacy law was a long time coming, says Ann Cavoukian, Information and Privacy Commissioner for the province of Ontario. The principles incorporated into the legislation date back to 1995, when the Canadian Standards Association passed a voluntary privacy code; it called for companies to explain why information is being collected in the first place, obtain consent from the consumers, ensure accuracy of the collected data and provide safeguards against accidental disclosure.
The legislation essentially makes the voluntary code a law. “For companies that haven’t been doing anything,” says Cavoukian, “it will represent a fair amount of work at the beginning. For the first time, they will have to think about what is the primary purpose of the data collection, and then obtain the consent of their customers to use the information for other purposes.”
Cavoukian argues that it’s time for the United States to consider similar legislation. Currently, U.S. policy relies almost exclusively on self-regulation to protect consumer privacy. That only works, she says, if there is a “demonstrated commitment on the part of the businesses” to protect privacy. Looking over her country’s southern border, she says drily, “I haven’t seen this.”
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today