In January, the Canadian government released a privacy report that takes a step toward fulfilling a 1996 promise by the Minister of Industry that the federal government would develop legislation to protect personal information in the private sector.
The goal is to legislate by the year 2000. Privacy is not the only goal of the Canadian policy. The Internet and computer networks provide the broader context. The government wants to allow all Canadians to participate in the expanding information and knowledge infrastructure.
The government sees electronic commerce at the heart of the information economy. For electronic commerce to succeed, it wants a clear, predictable and supportive environment where citizens, institutions and businesses can feel comfortable and secure. Privacy is a necessary element of that environment.
In developing its privacy policy, Canada has an advantage over the United States. It already has a basic consensus on the substance. The Canadian Standards Association issued a Model Code for the Protection of Personal Information in 1996, making it the first country in the world to adopt a privacy standard.
In typical Canadian fashion, the standard was developed with broad participation and support. The Model Code is based expressly on the code of fair information practices found in the Organization for Economic Cooperation and Development's 1980 guidelines. Fair information practices also form the core of the European Union data protection directive as well as many national privacy laws around the world. That includes the United States, by the way.
The CSA Model Code has been endorsed by the Canadian Direct Marketing Association (which also endorsed privacy legislation years ago), Equifax Canada, the Canadian Bankers Association, Reader's Digest and lots of other information-intensive companies and industries. The Model Code also has support from labor and public interest organizations.
The same companies and industries that run screaming from the room when privacy is mentioned here in the United States support strong, enforceable privacy policies and legislation through their Canadian subsidiaries and counterparts. I continue to be amazed at this contrast. Why are fair information practices compatible with profits in Canada and Europe but not in the United States?
Even with a measure of consensus, however, it doesn't mean that drafting legislation will be easy. Translating policy into law and practice is hard, and the report illustrates why. It offers more questions than answers, with the hope that the responses will provoke the right kind of debate and that practical solutions will emerge. The questions are frank and challenging to answer. The report provides a refreshingly honest analysis of the difficulty of the task.
For example, how should a new Canadian law recognize sectoral privacy codes? Sectoral codes are a common feature of data protection laws around the world, and there are different models. Some countries (e.g., Great Britain and the Netherlands) recognize sectoral codes, but do not make them legally binding. Others (e.g., New Zealand) allow mandatory codes to be adopted by the privacy commissioner. Which is the best model for Canada?
Who should develop sectoral codes? Is it a job for industry alone or should the government play a role? If the codes are to be legally binding, then how to avoid conflicts between those who prepare the codes and those who oversee them? Is there a role for someone other than the government and industry in the process, perhaps an accreditation agency?
Plenty of other issues remain. Canada has a federal structure not unlike the United States, and some Canadian provinces already have privacy legislation and privacy commissioners.
Quebec already has an omnibus privacy law that covers both the public and the private sectors. Any legislation will have to take into account existing laws and institutions. Power and responsibility may have to be shared between the federal and provincial governments.
Canada is clearly worried about possible European Union restrictions. In the absence of legislation, Canadian businesses may have to undertake individual contractual negotiations with EU regulators in order to show compliance with international standards.
Although many U.S. companies cling to the notion that contractual solutions will avoid privacy clashes with Europe, the Canadian report suggests that contracting will be fraught with uncertainty and expense. Legislation may offer Canadian companies a simpler and cheaper solution.
No one who reads this column should leave with the impression that I support private sector privacy legislation in the United States like that promised in Canada. I don't see omnibus legislation as either a practical or politically viable solution here.
To be sure, some sectors (e.g., health) have a desperate need for legislation. The United States also needs a better privacy policy apparatus. Perhaps I should say instead that we need a privacy policy apparatus. We really don't have one at all right now.
But much progress could be made here if the business community were willing to undertake a fair and honest self-regulatory approach to privacy. Self-regulatory privacy codes to date provide mostly rhetoric and do not meet international fair information practice standards.
Things may not change until U.S. companies see business opportunities flowing to countries that have modern privacy policies in place. After the year 2000, Canada may well be one of those countries. Maybe those Canadian subsidiaries want to take a little business away from their American parents.
The title of the Canadian report is The Protection of Personal Information: Building Canada's Information Economy and Society. It is available, of course, on the Internet. The address is http://strategis.ic.gc.ca/privacy. Have a look for yourself — and join the debate if you do business in Canada.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture.