Canada Aligns with EU on Privacy
by Matt Friedman, mwf@netcom.ca

MONTREAL -- While the United States remains at loggerheads with the European Union over its Data Privacy Directive, Canada is moving quickly to embrace the rules.

The Personal Information Protection and Electronic Documents Act, known as C-54, entered the final phase of the legislative process late last week and could hit the books in Ottawa before the end of the summer.

If passed, the law would require Canadian companies to comply with Europe's series of measures designed to give consumers more control over their own data. The directive prohibits European companies from transmitting consumer data to countries that do not offer equal levels of access and control.

"[The measure] is a direct response to the EU directive", said Anne Cavoukian, privacy commissioner for the province of Ontario. "There was [no similar law] in Canada except in the province of Quebec, so Quebec could do business with Europe, but the rest of Canada couldn't."

The directive is at the center of tense, ongoing trade negotiations between Europe and the United States. Many US companies that regularly exchange data with Europe -- including Internet companies and airlines -- are resisting government controls over consumer data. So far, industry has offered "self-regulation" measures, such as seal-of-approval programs, to protect the privacy of consumers.

But the industry-led effort in the United States has so far failed to impress Brussels.

"The United States is having a hell of a time trying to convince the EU that their voluntary solutions satisfy EU standards", Cavoukian said. "In fact, it's safe to say that they haven't convinced them at all." The imminent passage of the Canadian privacy bill may leave the United States -- Canada's largest single trading partner -- alone in its opposition to the European plan.

Tara Lemmey, executive director of the San Francisco-based Electronic Frontier Foundation, said the Canadian law may place more pressure on Washington.

"We've seen that Canada, the European Union, and the [Organization for Economic Development and Cooperation] have raised the issue", said Lemmey. "That reminds the United States that the Internet is a global medium and that we can't ignore privacy."

The Canadian law would require consent from consumers before a company could collect or distribute personal information about them. It would also grant Canadians access to the data. Though the proposed law focuses on electronic commerce, it will apply to offline transactions as well.

Though there has been some grumbling from the private sector, law enforcement, and some provincial governments, the privacy measure has broad support.

"We're breaking new ground here, so we tried to be inclusive", said John Manley, the minister for Industry Canada.

"The existing Canadian Standards Association industry standard is the basis of the bill, so [Canadian companies] know what's involved", said Manly. "A lot of companies have applied the standard voluntarily and they want their competitors to comply as well."

Washington has been negotiating with Europe since the directives went into effect last fall, but some observers believe the United States will have to pass similar legislation sooner rather than later.

At least two privacy bills, one sponsored by Congressman Edward Markey (D-Massachusetts) and the other by Senator Conrad Burns (R-Montana) are planned for the 106th Congress.

Lemmey is encouraged by the early signals from Washington.

"I'm fully confident that we'll have legislation for privacy protection by the end of the summer", she said.

"The area that seems to be most difficult, however, is consumers' access to personal information", she said. "For the most part, industry is pushing back on this. But an access requirement like in the Canadian bill is important."

The Canadian bill still has to pass through a vote in the House of Commons and then in Canada's appointed Senate before it becomes law. Late last week, Canadian information and privacy advocates formed a coalition to ensure it goes through without further amendments.

"The legislation is less than perfect, but Parliament would be remiss if it chipped away at it now", said Murray Mollard, policy director of the British Columbia Civil Liberties Association.

"There's already leeway for legitimate security issues, there's no legitimate argument to weaken it further."

The measure's enforcement provisions are relatively weak, and that worries Mollard.

"We would have liked to have seen the privacy commission empowered to audit management and privacy practices randomly or on its own initiative", he said. The proposed measure "needs 'reasonable grounds,' like a complaint, to investigate. But then, that's not really an audit."

If approved, the law will come up for review in four years, at which time lawmakers will have the opportunity to strengthen its provisions, said Richard Rosenberg, vice president of Electronic Frontier Canada.

"It's important to have privacy protections of some sort, even if they're not ideal", he said. "It makes a statement of principle, and the way technologies keep changing, it's important for the law to be strong in principle."

Even if it becomes law without further amendment, Canadians will continue to face a privacy issue that is well out of their government's hands.

"We can expect everyone to respect our privacy in Canada, but that only applies to our jurisdiction", said Cavoukian.

"In a sense, all a Canadian consumer can do to be sure that his privacy rights are being protected will be to only visit Canadian sites. But that's just not realistic."