Skip to main content
Start of content;

CHAPTER 2: THE PATCHWORK OF PRIVACY PROTECTION

Despite our enthusiasm for international efforts to protect privacy, Canada has done too little to legislate against domestic privacy violations. To date . . . only Parliament and [some] provinces . . . have enacted data protection laws. And even these are not true privacy laws because their scope is limited to controlling their respective governments' collection, use and disclosure of personal information. These laws do not regulate the private sector. Nor do they specifically address such privacy issues as electronic surveillance in the workplace, genetic testing or the use of the polygraph as an employment screening tool.1
Trying to understand the privacy protection for individuals in this country is like viewing the world through rose coloured glasses. Perception and reality are two different things.

THE PERCEPTION

Certainly, "privacy is a right with a grand tradition"2. Thus Canadians cannot be faulted for assuming that given the fundamental human value that they place on it, the right to privacy is adequately protected in this country. This is a logical, if not unjustifiable, conclusion.

In the aftermath of the Second World War, human rights issues, including the right to privacy, reached new levels of international consciousness. The horrifying acts that took place in the 1930s and 1940s served as a catalyst for the adoption of a series of international human rights instruments. The Government of Canada took an active role in orchestrating the development of these documents. Indeed, a Canadian, John Humphrey, was one of the architects of the Universal Declaration of Human Rights. Adopted by the United Nations in 1948, the Universal declaration sets out the basic rights to which all human beings are entitled and has since become a kind of ``Magna Carta'' of Human Kind.

Article 12 of the Universal Declaration explicitly states that "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation." A similar privacy guarantee was repeated in Article 17 of the 1966 International Covenant on Civil and Political Rights to which Canada acceded in 1976.

The aftermath of the Second World War also had a profound effect on Canadians at home. They naturally assumed that the same vigilance taken by Canada in the international arena, to ensure the preservation of human dignity and individual autonomy, would be applied domestically. At first glance, this appears to have been the case. Human rights are both entrenched in the Constitution and safeguarded in legislation at the federal, provincial and territorial levels. Numerous court decisions have recognised the existence of a constitutional right to privacy under sections 7 and 8 of the Canadian Charter of Rights and Freedoms. Today, privacy acts exist federally and in most of the provinces. Some provinces have also passed laws that provide civil remedies through the courts for privacy invasions.

THE REALITY

Upon closer scrutiny, however, the privacy picture is neither so rosy, nor so complete. Major pieces of the jigsaw puzzle are missing. A comprehensive and interlocking system to ensure and maintain control over our interactions with each other, with commercial enterprises and with the state is far from a reality in Canada.

Privacy protection in this country is clearly skewed in favour of safegarding personal information. While data protection is clearly a critical part of the spectrum of privacy interest, in a world of increasingly intrusive technologies, it is by no means the only game in town. As we discovered through our examination of video monitoring, genetic testing and biometic identification technologies, other privacy interests are at stake here. Privacy is a wide-ranging right that is currently under siege in a number of ways, and yet Canadians and their governments are still fumbling with tools that are not up to meeting the current, let alone the future, challenges of privacy protection.

A. Constitutional Privacy Protection

While Canada has no express constitutional right to privacy, the courts have interpreted sections 7 and 8 of the Canadian Charter of Rights and Freedoms as guarding against unreasonable privacy invasions. Section 7 provides for the right to life, liberty and security of the person and the right not to be deprived of these except through some form of due process. Section 8 protects against unreasonable search and seizure. The privacy value in these rights, however, has largely been recognised in the criminal law context, and it is for this reason, among others, that calls continue to be made for the entrenchment of an explicit and broad right to privacy in the Canadian Constitution.3

Even if the Charter accorded special legal status to the right to personal privacy, there would still be some limitations on its reach. Charter rights are by no means absolute. Section 1 of the Charter allows for reasonable limits on any Charter right when those limits can be demonstrably justified in a free and democratic society. In addition, the Charter only applies to the laws and activities of governments. In other words, Charther rights do not apply directly to the private sector.

While no constitutional documents at the provincial level safeguard the right to privacy, the Quebec Charter of Human Rights and Freedoms has attained a kind of quasi-constitutional status within that province. It prevails over other provincial laws unless there is express wording to the contrary. Article 5 of the Quebec Charter guarantees every person the right to respect for his or her private life.

B. Privacy of Personal Information

Until our courts began to grapple with the concept under the Canadian Charter of Rights and Freedoms in 1982, the right to privacy enjoyed very low public, and for that matter, governmental profile in Canada. It was often lost amidst human rights or access to information legislation. The federal and provincial governments in this country seemed neither concerned about the impact that new technologies, such as the development of the computer, might have on individual privacy interests, nor were they committed to addressing the situation fully.

Although the federal government did enact the Privacy Act in 1982 as a means of regulating the collection, use, disclosure and disposal of personal information that is held by the federal government, the legislation only protects data. It has nothing to do with the concept of privacy in its broadest sense. Moreover, while the Act covers all federal government departments and most federal agencies, it does not extend to every Crown corporation or to the federally-regulated private sector. It requires each government institution, with certain exceptions, to record in a central index the nature and extent of personal information under its control. While the Privacy Commissioner is appointed to receive complaints and investigate non-compliance under the Act, the Treasury Board Secretariat has general responsibility for co-ordination of the implementation of the Act, and the Department of Justice maintains general responsibility for policy implications.

Interestingly, unlike some jurisdictions where freedom of information legislation has been used to subvert informational privacy laws, Canada has recognised the complementary nature of the concept of privacy and access to information. The federal Access to Information Act was proclaimed in force at the same time as the federal Privacy Act with the result that information of a personal nature held in government institution databanks is to be kept private, whereas information of a non-personal nature held by a public body is to be publicly accessible.

While the Canadian government was taking a hands-off approach to the dawning of a networked world, the European community was responding to what it perceived as a serious threat to a human right of fundamental importance. Realising the huge potential for massive abuses to privacy from computers that no longer stood alone, but could now talk to one another and exchange information, the Council of Europe enacted the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data in 1980. The Convention provided member states with a framework pertaining to the collection, use, access, accuracy, and disposal of personal information. Following on the heels of the European Convention, the Organisation for Economic Co-operation and Development (OECD) released Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. The OECD's objective was to ensure that all international data flows were not completely blocked by protective measures taken nationally. At the same time, the OECD sought to harmonise the data protection practices of member countries by establishing some minimum standards for handling personal information.

In 1984, Canada joined 23 other industrialised countries in adhering to the OECD Guidelines. In fulfillment of its international commitments, Canada has passed information privacy laws adopting the fair information principles contained in the Guidelines. However, it has done so in a rather haphazard manner. Due to the federal nature of this country, with a division of powers between the federal and provincial legislatures, data protection acts have sprouted up at both the federal, and in some cases, the provincial level in varying intervals.4 Not only has this given a patchy effect to the Canadian privacy garden, but the lack of careful attention to the landscape as a whole has allowed certain weeds to develop. For example, little in the way of any kind of privacy protection exists in the Atlantic provinces. As the result, these so-called "data havens," like weeds, tend to choke the overall growth and sustainability of privacy rights around them.

Essentially, federal and provincial data protection laws do adopt the OECD principles for the collection, use, disclosure of and access to information about an identifiable individual. The weaknesses in the Canadian approach, however, lie with the enforcement mechanisms and general scope of this legislation. For example, while most OECD countries have adopted either a licensing (i.e. Sweden, Denmark, Austria) or a registration5 (i.e. Germany, Japan, Spain) data protection regime, Canada is one of the few that uses a privacy commissioner as its principal mechanism for safeguarding personal information. The approach to data protection in this country has been much more passive and more narrowlly focused than in Europe. Privacy Commissioners essentially investigate complaints about infringements of the Act; however, they are usually limited to moral suasion or using public embarrassment to ensure compliance. The legislation itself is also usually devoid of any real penalty provisions.

Does this limited approach to data protection indicate the level of commitment to privacy protection in this country? What is the reason for the lack of a comprehensive national data protection system in this country? Does the low profile attached to the issue of privacy, or the fact that Canada as a federal state that constitutionally divides legislative powers between the federal and provincial governments, explain why there is a lack of comprehensive national data protection?6

At the federal level, the extent to which the Treasury Board Secretariat, the ultimate supervisor of government personal information and a central agency of government, is the actual informational control keeper is worthy of consideration. From what we could tell, all Treasury Board does is issue data protection guidelines that accord with the Privacy Act. It appears to do little else. It does not even follow up on the implementation of their guidelines by monitoring departmental compliance. If it is, the next question is to what extent is its privacy protection agenda politically driven, and how transparent is this process?

Interestingly in choosing the commission approach to privacy protection, the Canadian government was well aware of the data protection regimes chosen by its European counterparts. Canada also recognised that the option existed for the use of an information auditor as a method of securing legislative compliance. We cannot help but ask why Canada seems to consistantly have taken a passive approach to such a critical issue as privacy protection? One wonders about the influence that our neighbour to the south has had on the Canadian decision-making process, for the United States has long downplayed the importance of an independent and proactive data protection regime.

In terms of the scope of our data protection laws, the patchwork effect is perpetuated. While the vast majority of countries in the OECD have enacted data protection legislation that extends to both the private and public sectors, Canadian laws, with the sole exception of Quebec, apply only to the actions of governments and government agencies.

Quebec's Act Respecting the Protection of Personal Information in the Private Sector, which came into force in 1994, applies the principles of the OECD Guidelines to all personal information, whatever its form and in whatever medium that it is collected, held, used or distributed by another person, confined mainly to enterprises engaged in an "organised economic activity." It provides a detailed framework for implementing the Quebec Civil Code's provisions pertaining to the collection, use and disclosure of personal information. It has been heralded as the first comprehensive regulation of private sector personal data practices in North America and so far, the feared negative impact on Quebec business has not materialized.

While the extension of data protection to the private sector in Quebec has been a positive move within that province, data protection outside of Quebec is considerably weak in comparison. The implications are, for example, that consumers in Quebec enjoy greater privacy protection than their fellow Canadians who reside elsewhere, and businesses everywhere are burdened with the costs and inconveniences of trying to figure out and ensure compliance with a patchwork of information privacy requirements across the country.

Moreover, the private sector vacuum that exists outside of the province of Quebec has, in the spirit of patchwork solidarity, developed in a rather piecemeal fashion. Specific types of data protection legislation has developed, but only in response to limited needs that arose, for example, in the consumer credit and telecommunications sector.7 Moreove while the federal government, in 1986, attempted to comply with its commitment under the OECD Guidelines by encouraging all private sector corporations to develop and implement voluntary privacy protection codes, this approach has met with very little success.

Self-regulating codes of fair information practices have emerged on a sectoral basis, in most cases, along the lines of the OECD Guidelines. Most of these "privacy" codes are company, industry or industry association-based. For example, the Canadian Bankers Association's model code guides individual banks in establishing their own privacy guidelines. In the insurance sector, the Canadian Life and Health Insurance Association set out Right to Privacy Guidelines and the Insurance Bureau of Canada has adopted its own Model Privacy Code. The Canadian Cable Television Standards Council incorporated privacy principles into its Customer Service Standards and the Canadian Direct Marketing Association (CDMA) implemented a compulsory code of informational practice in 1993 for its members. Unfortunately, the CDMA could not force non-members, usually the worst offenders, to apply its code to their activities. It has, therefore, taken the unprecedented step, as an industry association, of calling on government to take legislative action in the private sector.

While we applaud these individual initiatives, we believe that Canadians should not become too complacent in their belief that all our privacy interests have been duly considered and safeguarded. Perhaps Colin Bennet best sums up the overall problem when he recently wrote that:

Privacy codes of practice operate within a complicated and fluctuating set of political, organisational, cultural, technological and economic incentives that vary between and even within business sectors. The entirely voluntary approach always suffers from the perception that the individual's privacy rights are in the hands of those who have the most to gain from the processing of personal data.8
Even more disconcerting to this Committee is the fact that much more is at stake here than simply a lack of domestic co-ordination. In 1998, the European Union (EU) will require all member countries to adopt or adapt national data protection laws that comply with the Union's Directive on Data Protection. Significantly, in terms of non-member countries, such as Canada, Article 25 prohibits member countries (and businesses within those countries) from transferring personal information to non-members of the EU if that country's laws do not adequately guarantee protection of that information. With the exception of Quebec, Canada will not meet this standard unless appropriate action is taken.

A bright light on the horizon is the Canadian Standards Association's Model Code for the Protection of Personal Information that was published in March 1996. A committee of consumer, business, government and labour representatives developed the Code in response to the lack of national data protection standards, particularly in view of the European Union's Directive. Devised under the auspices of the Canadian Standards Association (CSA), the Code sets out privacy protection principles in 10 key areas, including the consent for the collection, use, or disclosure of personal information. These principles have now been approved as a national standard by the Standards Council of Canada.

The Achilles heel of the CSA Model Code system, however, is the fact that to date no enforcement mechanism is in place to ensure compliance with these principles. Some critics even contend that a consensual approach to developing a national standard entails too much compromise, waters down the regulatory regime and therefore is perhaps not desirable when our privacy interests are on the line. Finally, there is the argument that it could prove difficult to keep a set of national standards current or subject to regular review, in a non-legislative regulatory regime.9

C. Safeguarding the Rest of Our Private Lives

Other than data protection, privacy protection mechanisms have emerged, if at all, in response to particular interests in specific contexts (e.g., the Criminal Code). Not only have these ad hoc developments contributed to the patchwork nature of privacy protection in this country, they have also tended to suffer from a general inability to deal effectively with emerging technologies and tactics.10

Just to illustrate the ad hoc way in which the protection of personal privacy has developed, Part VI of the Criminal Code currently creates a comprehensive legislative scheme for the invasion of privacy involving the interception of private communications. For example, it is an offence, punishable by up to five years, for anyone to wilfully intercept private communications through the use of a technical device (i.e. "wiretapping" or "bugging" ) without the consent of one of the parties or a warrant. Ironically, there is no such prohibition against secretly taking photographs or videotapes that have no voice recordings. Moreover, only the police need obtain a warrant to surreptitiously videotape people's private activities. No prior authorisation is required for ordinary citizens, such as security guards.

In a similar vein, the rules governing the confidentiality of health records vary according to the actual location of an individual's medical file. For instance, the relevant provincial data protection legislation, if it exists, would apply if the file is located in a hospital. Such protection would not, however, extend to a file with the same information in a doctor's office.

From patchwork to overarching protection

Clearly, Canadians are left with privacy protection that is far from comforting. In reality, Canada has an inconsistent, incomplete and incoherent set of laws, regulations, voluntary codes of practice and policy guidelines pertaining to privacy that add up to a patchwork.

This hodge podge is due in part to the division of legislative powers between the federal and provincial governments, neither of which has exclusive authority over privacy, and the lack of an unequivocal constitutional right to personal privacy in its broadest sense. It also stems in large part from the fact that commercially-driven thirsts for personal information and resultant consumer concerns about "dataveillance" have served to conceptualize privacy in this country as being only about informational privacy.

This Committee believes that what is therefore needed is overarching legislation that would serve as a privacy protection umbrella under which all Canadians, in all circumstances, can seek shelter.

1
Privacy Commissioner of Canada, Entrenching a Constitutional Privacy Protection for Canadians: A submission to the Special Joint Committee on a Renewed Canada, 1991.

2
Evidence, 22:23

3
There have been numerous attempts to entrench the right to privacy in the Constitution. Proposals were made by the federal government itself to first ministers in 1979 suggesting the inclusion of privacy as an essential right in the Canadian Charter of Rights and Freedoms. Throughout the 1981 debates of the Joint Committee on the Constitution, several recommendations were put forward by the Canadian Bar Association to include privacy in the Charter. The Standing Committee on Justice and Solicitor General in its 1987 report Open and Shut, which reviewed the federal Privacy Act, unanimously recommended a specific consitutional right to privacy. Finally, the Canadian Privacy Commissioner made a strong argument in 1991 for the constitutional enhancement of the right to privacy to the Special Joint Committee on a Renewed Canada.

4
The first provincial privacy legislation came from Quebec in 1982. This was followed by the federal Privacy Act which came into force in 1983. Ontario introduced legislation which came into force in 1988 and Saskatchewan's data protection law came into force in 1992. British Columbia enacted legislation in 1992, Alberta in 1994 and several other provinces incorporate fair information principles within their access to information laws.

5
Basically, personal information is protected by requiring data users to record the details of their activities in a public register. For more information on these systems see Ian Lawson, Privacy and the Information Highway : Regulatory Options for Canada, A Study Prepared for Industry Canada, 1995.

6
David Flaherty, Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989, p. 246.

7
In the late 1970s and early 1980s, some provinces enacted legislation that allowed consumers a right of access and the ability to make corrections to their credit information. Controls were also imposed on the collection, retention and disclosure of credit reports. The Canadian Radio-Television and Telecommunications Commission has recently been given a mandate to respond to the economic and social requirements of users of telecommunications services, including the protection of privacy of individuals. See s. 7(i) of the Telecommunications Act.

8
``Rules of the road and level-playing fields: The politics of data protection in Canada's private sector", International Review of Administrative Sciences, Vol. 62 (December 1996), p. 481-2.

9
Lawson, p. 34.

10
Lawson, Privacy and Free Enterprise: Legal Protection of Personal Information in the Private Sector, prepared for the Public Interest Advocacy Centre, August 1992, p. 526

;