Ontario to create its own privacy law

The Ontario government wants to help businesses trying to understand “unclear” federal legislation by creating yet another law. It’s help that the CATA Alliance says companies are better off without.

Ontario claims that the language of Bill C-6, federal legislation governing privacy rights in the private sector, is unclear. It’s taking advantage of an opt-out clause allowing provinces to create substantially similar legislation by 2004. Those provinces that don’t create their own legislation by that time must adopt C-6.

“There are certain interpretations of C-6 that are difficult to make because of the language in the act. We’re hoping to clarify a lot of the provisions that the businesses are having trouble with,” said Fazila Nurani, a senior policy advisor with Ontario’s privacy branch in Toronto.

But the very act of creating yet another piece of legislation that businesses will have to deal with will cause confusion, said David Paterson, CATA’s executive director in Ottawa.

The law will mean just another set of rules that companies already contending with international and federal laws will have to understand, comply with and create business rules for.

“We prefer that companies of all kinds have to deal with only one piece of legislation rather than 14,” Paterson said.

His concerns are not uncommon, Nurani admitted.

“That’s a concern that I’ve heard many times. I don’t think that’s right just because C-6 is creating a lot of confusion out there,” she said.

Ontario will create legislation similar to C-6, Nurani promised, though she said the government could not yet make any details available. Any company in compliance with C-6 would be in compliance with the law Ontario hopes to have in place by fall, she said.

“I don’t think it’s a problem to try to improve on the legislation,” she said.

But Paterson doesn’t see any need for improvement.

“(Bill C-6 is) a very fair piece of legislation. Our industry is very satisfied with it, that it does provide a very good balance between the interests of consumers and their concern for privacy and the interests of business.”

The bill covers all aspects of the privacy issue, he said. “We think a thorough job was done. And trying to ring in embellishments or additions or that sort of thing to that act are counterproductive. They’re not likely to provide anything that’s of significantly greater benefit. And what they do is create disparities between different jurisdictions and make it more difficult and most costly for companies to do business.”

He urges the provinces to work together to avoid creating disparate laws that would mean businesses would have to take multiple approaches in creating their privacy practices and rules.

He doesn’t have trouble understanding the language of Bill C-6.

“From the commentary that we’ve seen on Bill C-6, there didn’t seem to be any great difficulty in understanding its provisions, either by the business community or by the consumer associations,” Paterson said.

Federal-provincial dynamics

C-6, which comes into effect in 2004, governs how businesses in the private sector can collect and use information from individuals. Under C-6, companies must obtain negative consent from clients to gather information. If they decide to use that information in a different way than originally intended, then they must again obtain consent to do so.

“Given the federal-provincial dynamic, there was certainly at least some mild resistance to the notion that the federal government would regulate provinces. And so a number of provinces have been active,” Cavoukian said. Alberta and B.C. are also considering creating new legislation, though neither has made any decisions. Quebec already has its own privacy legislation governing the private sector.

“Privacy is the next business imperative,” Cavoukian said.

“Regardless of what legislation you may or may not have, you must complement that legislation with technology.” Businesses must look at privacy as a business management tool, she said.

“I call it privacy by design.”

A recent survey indicated that among veteran ‘net users, 86 per cent looked for a company’s Web site privacy policy before giving information.

“So once you get people who are on-line who are experienced, they’re starting to look for privacy policies. And they leave if it doesn’t satisfy them. This is not something that isn’t going to go away overnight. Businesses have to pay attention,” Cavoukian said.

She thinks C-6 is a step in the right direction.

Though the $25,000 fine that companies who violate the law are subject to is small, Cavoukian said the real incentive for companies to comply with the law will be the fear of negative publicity.

A bill that required positive rather than negative consent would have provided more privacy protection for consumers, Cavoukian said.

Negative consent means that consumers have to proactively opt out of a company’s plans to use their information. Unless consumers carefully look through Web sites, bills and other forms they get for a box that says they don’t want their information used, their consent is given by default. With positive consent or opt-in, businesses cannot use information unless they can get consumers to click a box saying it’s OK to use their information.

“It’s very hard for anyone to agree to an opt-in except for very sensitive information – let’s say health-related information. For general commercial transaction data, it’s really hard to get companies to move to an opt-in,” Cavoukian said.

“Remember not that long ago, there wasn’t even an opt out that was required of them. So think of it as a continuum. Privacy protection is increasing slowly but surely.”