Radwanski criticizes B.C.'s privacy legislation, says in its current form it won't replace PIPEDA
The Privacy Commissioner of Canada, George Radwanski, sent the following letter to Sandy Santori, Minister of Management Services, Government of British Columbia, regarding Bill 38, the Personal Information Protection Act, B.C.'s proposed private-sector privacy legislation.
May 7, 2003
Dear Minister Santori:
Re: Bill 38 - Personal Information Protection Act
I have reviewed with great interest Bill 38, the Personal Information Protection Act, your government's proposed legislation to provide privacy protection in the provincially-regulated sector.
The Bill has many positive elements. But I consider it important to inform you now, before it becomes law, that Bill 38 has a number of very grave deficiencies that would in my view make it impossible for the Government of Canada to recognize this legislation in its current form as substantially similar to the federal Personal Information Protection and Electronic Documents (PIPED) Act.
As you know, effective Jan. 1, 2004, the PIPED Act will extend to the collection, use or disclosure of personal information in the course of any commercial activity within a province, subject to one crucial exception: Where a province has passed privacy legislation governing the private sector that is "substantially similar" to the federal Act, the Governor in Council may exempt all or part of the provincially regulated private sector from the application of the Act to activities within the province's boundaries and the provincial law will apply.
If a province enacts private sector privacy legislation that is not found to be substantially similar to the PIPED Act, the provincial law will of course remain in effect. But effective Jan. 1, 2004, it will operate concurrently with the federal law. Where the PIPED Act sets higher standards for privacy protection than the provincial legislation, the federal provisions will take precedence to the extent of any inconsistency and all organizations carrying out commercial activities will have to comply with them.
Subsection 25(1) of the PIPED Act requires me as Privacy Commissioner of Canada to report annually to Parliament on "the extent to which the provinces have enacted legislation that is substantially similar to the PIPED Act." I expect that this reporting will be a key consideration for the Cabinet in determining whether it is appropriate to grant any given province an exemption on the basis of substantially similar legislation.
In my first report on the matter of substantially similar provincial legislation, in May 2002, I formally set out the criteria that I will use in assessing provincial legislation: In assessing provincial legislation, I will interpret substantially similar to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial law must be at least as good, or it is not substantially similar.
The standard set by the PIPED Act is a high one, but certainly not unattainable. In May 2002, I reported to Parliament that Quebec's Act Respecting the Protection of Personal Information in the Private Sector is substantially similar to the PIPED Act.
In view of my statutory obligation to report and advise on whether any provincial law meets the test of substantial similarity, I believe that the most helpful and constructive course is for me to share my preliminary views when proposed legislation is still subject to possible amendment and improvement, rather than wait for it to be definitively enacted.
It is in that spirit that I write to you today, to inform you that in my view the Bill as it stands has deficiencies — albeit deficiencies that can be remedied easily enough — that would be fatal to any possibility of it being regarded as substantially similar.
First, the "grandfathering" provisions of the Bill make it significantly different from the PIPED Act, which does not distinguish between personal information collected before and after its coming into effect. These provisions constitute failure to ensure that the most important protections of the proposed legislation apply to personal information that was collected before it comes into force. The Bill effectively eliminates any need for consent to use or disclose information that has already been collected.
There may appear to be some consolation in the fact that any use or disclosure of information that was collected before the Act came into force must be consistent with the purpose that was stated at the time it was collected. But this is largely illusory. What is overlooked in this formulation is the obvious: There was no requirement to specify purposes when the information was collected. An organization can use or disclose this personal information for any purpose and claim that this purpose was intended when it was collected. It would be extremely difficult for an individual to challenge the use of this grandfathered personal information.
This is clearly inconsistent with the PIPED Act, which takes a much more privacy-protective, and very straightforward, approach: To use or disclose information collected before the Act came into force, organizations require consent.
Second, the Bill is clearly inferior to the PIPED Act with regard to the concept of consent, which is at the heart of any statute purporting to protect privacy. It is by exercising the right of consent that individuals control personal information about themselves.
The problem with the Bill is that it specifically refers to implicit consent - a weak form of consent that is acceptable only in certain limited circumstances - but says nothing about express or written consent.
This is a critical omission, because it could very well lead an organization to assume that it can rely entirely on implicit consent. There is nothing in the legislation to prevent an organization from doing so, nor anything that the Commissioner could use to require express consent.
In contrast, the PIPED Act strongly recommends the use of express consent with respect to the collection, use or disclosure of sensitive information. A statutory scheme that allowed organizations to rely entirely on implicit consent would provide a significantly lower level of protection than that provided by the PIPED Act.
Third, the Bill is clearly inferior to the PIPED Act with regard to privacy rights in employment. The workplace is where most people spend most of their waking lives; in few circumstances are privacy rights more important. Yet Bill 38 specifically allows the collection, use and disclosure of employee personal information without consent - completely depriving an employee or a prospective employee of any control over his or her information.
I recognize that the bill requires that the collection, use or disclosure of employee personal information be reasonable for the purposes of establishing, managing or terminating an employment relationship. This is a weak test, however, and meagre consolation for employees or prospective employees concerned about privacy. Since these provisions appear to approach employee privacy rights from the perspective of the employer, it would be possible to argue cogently that almost any intrusion on employee privacy is "reasonable" in the sense that it is potentially helpful for establishing, managing or terminating an employment relationship.
It is not difficult to imagine situations in which an employer may think that the collection, use or disclosure is reasonable where the employee might think otherwise. An employer might think it reasonable to collect and disclose information about a prospective employee's health or religion or sexual orientation. This Bill would allow the employer to do that, without consent.
Yes, the employee could complain after the fact that this was not reasonable - but the information would have already been collected and disclosed. Once privacy has been violated, it cannot be unviolated. The damage has been done.
The PIPED Act, in contrast, makes no distinction between information collected, used, or disclosed in employment and in commercial activities. The protection afforded employees covered by Bill 38 would be drastically inferior to that enjoyed by employees covered by the PIPED Act.
It is important to note in this regard that these provisions of the PIPED Act have now applied for more than two years to employers in some 15,000 federal works, undertakings and businesses - primarily banks, broadcasters, transportation and telecommunications companies - without any indication that these organizations have thereby been prevented from effectively managing their workforces.
Fourth, a fundamental component of the PIPED Act is the power of individuals to find out what personal information organizations have about them and to correct any information that is incomplete or wrong.
The access and correction provisions in Bill 38 fail to provide similarly effective protection. First of all, individuals would be prevented from obtaining access to information about themselves if it would reveal the identity of individuals who provided the information. For example, an individual would not be able to obtain access to negative comments provided by a co-worker or supervisor if it would reveal the identity of the person who made the comments. Without access to this information, an individual would not even know it existed and obviously would not be able to challenge its accuracy.
As well, there is no requirement, when the accuracy of information is in dispute, that the organization in control of the information inform other organizations that have access to the information about the substance of the dispute. The other organizations can retain, use and even disclose personal information, regardless of whether its accuracy is in dispute. The PIPED Act contains such provisions, as should any proper privacy legislation, and the failure of Bill 38 to do so is a substantial weakness.
Finally, the draft legislation allows collection, use or disclosure without consent for the purposes of an investigation or proceeding. This is a necessary feature of any privacy protection law, but the wording of the Bill is far too open-ended.
The definition of the term "investigation" in the bill is much broader than the way in which the term is used in the PIPED Act. The PIPED Act limits the term to investigations of "a breach of an agreement or a contravention of the laws of Canada or a province."
The definition in Bill 38 also includes an investigation related to "a circumstance or conduct that may result in a remedy or relief being available under an enactment, under the common law or in equity" "the prevention of fraud" and trading in securities. The Bill also contains a similarly broad definition of "proceeding."
These definitions are detrimental to the level of protection afforded by the Bill. Allowing an excessive number of situations in which personal information can be collected, used or disclosed without consent seriously erodes the fundamental principle of consent that is the underpinning of any sound privacy legislation.
In bringing these various deficiencies to your attention, I wish to emphasize that the issue is not one of debating the merits of the relevant provisions of this Bill in isolation. The issue is solely whether they provide a level and quality of privacy protection that is as good or better than the corresponding provisions of the PIPED Act. Clearly, they do not. Consequently, the Bill in its current form cannot be regarded as substantially similar.
I appreciate the opportunity to provide these comments. If I or my Office can provide any further clarification or assistance, we would be glad to do so.
Yours sincerely,
George Radwanski
Privacy Commissioner of Canada