October 13, 1998

CANADA VAULTS OVER THE PRIVACY BAR, LEAVING UNITED STATES IN THE DUST

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—As a global deadline looms, Canada is joining other countries in comprehensive legal protections for electronic privacy. This leaves the United States virtually alone in leaving it up to businesses to decide by themselves how much to respect the privacy of their clients and customers.

The Canadian government is hoping to save themselves a fate that the United States imminently faces, and that quite a number of other countries—including Hong Kong, Japan, Korea, Australia, and New Zealand—have scrambled to avoid. On October 25, the European Union requires its member nations to have strong laws in place protecting the privacy of citizens’ online data, and to withhold data from companies whose nations lack such protection.

European laws for data protection arose as far back as 1970, when it became clear that businesses as well as governments could use computers to maintain and match up huge amounts of information on people. Over the past 30 years several European countries passed laws regulating in great detail what information organizations were allowed to collect, and how they could use and share it.

To answer those who worry that privacy laws are intrusive and costly regulation, long-time privacy advisor Deborah Hurley points out that all businesses operating in those countries—including American businesses—have been obeying the laws for years without any harm to their bottom line.

The October 25 deadline comes from a directive on data protection issued exactly three years ago by the European Parliament. This directive laid out strict requirements for conduct by governments and businesses—requirements that could boggle the mind of the average American.

Anyone collecting data must tell the subject what is being collected, specify the purpose for which it is collected, and indicate to whom it will be given. The collector must ask the individual’s consent for each use of the data. To underline the sanctity of the agreement, the directive stipulates that data must be deleted when it is no longer needed for the specified purposes.

Safeguards for data’s integrity are also required. Thus, individuals can look at and correct information about themselves. Security measures must be in place to prevent unauthorized leaks.

Reasonable exemptions for public health and other purposes are provided, of course, but the directive is surprisingly thorough. For instance, to prevent the misuse of data for socially destructive ends, the directive limits the collection of any information about such sensitive topics as racial origin and religious or political beliefs.

The fuse on the October 25 bomb is a brief clause in the directive stating that “the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.” The clause effectively means that companies from non-conforming countries couldn’t do any business in Europe—and thus, that no American could use a credit card in Europe, reserve an air flight to Europe, and so forth.

Of all countries developing electronic commerce, only the U.S. belittles this threat from the European Union. The term “adequate level of protection” is too vague to drive our government or businesses to investigate the consequences. We just can’t imagine they’ll put all trans-Atlantic commerce in jeopardy by cutting us off.

But other countries around the world who wish to use electronic commerce have taken the directive quite seriously. Laws have been passed in these countries along the European lines, though usually not as stringent. The Global Internet Liberty Campaign recently released a survey of 50 countries, showing that 40 had strong privacy laws or were in the process of passing such laws.

On October 1, Canada appeared to squeeze under the wire. It joined the world by introducing a Personal Information Protection and Electronic Documents Act into Parliament.

The proposed bill caps a long, public process. It was drawn up after the Canadian Standards Association released a model privacy code in 1996 for businesses to follow. Members of the public contributed to the code, and privacy advocates consider it a good one.

But according to Canadian lawyer and privacy advocate Phillippa Lawson, not a single company announced its adoption of the code—a lesson for those who hope for American companies to find a non-government solution to privacy.

While Canada’s new law clearly is drafted to meet the European “adequacy” provision, its framers believe they reflected a Canadian preference for putting responsibility at the level of business than government.

Lawson lauds the new bill, although she says privacy advocates would prefer it to directly promote privacy as a right, rather than be marketed as “An Act to Support and Promote Electronic Commerce.”

She also points out a few places that need tightening. For instance, the confidentiality clause is so broadly drawn that it could keep information about possible privacy abuses out of the public eye. A tribune should be set up to handle people who believe the law has been broken, instead of requiring them to take the more costly route of going to court.

On the other hand, a later section creates a gaping loophole. Information can be collected “without the knowledge or consent of the individual” if such consent would “defeat the purpose or prejudice the use for which the information is collected.” The law needs to place some limitations on that clause, because plenty of sleazy people collect information for bad purposes. (Ever run into an unscrupulous divorce lawyer or business competitor?)

I myself worry about the broad powers given to the government’s Privacy Commissioner to investigate complaints. A Commissioner who “is satisfied that there are reasonable grounds to investigate a matter” can “at any reasonable time, enter any premises, other than a dwelling-house, occupied by an organization,” collect its records, and interview its staff.

Lawson is not so concerned with this, believing that safeguards exist against unreasonable searches. She says that investigations should be permitted without “grounds to believe” because it’s so hard to tell from the outside when data has been used illegally. Still, it would make me feel safer if there was some reference in the bill to a court warrant. Otherwise, the law meant to ensure privacy could conceivably end up violating it.

Even now, the Canadian bill represents an achievement well worth emulating in the United States. Here, the Clinton Administration blithely assures the public—reported in the press as recently as October 8—that differences with Europe will be worked out without laws thanks to business “self-regulation.”

Canada is a step ahead of the U.S. on another important privacy-related issue: the right to use encryption. The Canadian government has announced that it will not seek the “key recovery” restrictions that law enforcement in the U.S. is asking for. However, Canada will leave export restrictions in place, so their current policy is almost identical to that of the U.S.

Feeling the breath of the European dragon, several U.S. companies suddenly made a fuss in the press last week about promoting a service called TRUSTe, which provides privacy guidelines and (most important) monitors compliance. TRUSTe has actually been available for over a year, but even now you can’t find businesses rushing to sign up.

But the American public itself is running out of patience. Recent trade announcements boast more and more extensive corporate networks for exchanging whatever information they manage to pick up from customers at Web sites (purchases made, contact information, and so forth). A poll of people who don’t use the Internet found that the largest factor keeping them off, by far, was concern over the protection of their personal data.

One branch of government, the Federal Trade Commission, has broken ranks with the proponents of self-regulation. After a much-publicized hearing and a year of investigation, they asked in June for a law prohibiting the collection of data from children on the Web without parents’ consent. A bill meeting those criteria is expected to pass Congress, thus becoming the first restriction in the U.S. on what businesses do with data obtained on the Internet.

Further doubts about the ability of businesses to protect customers without laws have been expressed from many sides over the past year, even by the President’s electronic commerce advisor Ira Magaziner. But most of the time, one finds Magaziner, the FTC, and the Commerce Department playing it safe. They shake a stick regularly, hoping to speed up the pace at which businesses adopt better policies.

Undoubtedly, some back-room deal or last-minute extension will be worked out. But the European public is serious about privacy—as are Americans—and one cannot expect U.S. businesses to hold out forever in a world where personal data is respected.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles