SUBMISSION TO THE
CANADIAN RADIO-TELEVISION AND
TELECOMMUNICATIONS COMMISSION (CRTC)
THE INFORMATION HIGHWAY
David H. Flaherty
Information and Privacy Commissioner of BC
4th Floor 1675 Douglas Street
Victoria, British Columbia
Phone: (604) 387-5629
Fax: (604) 387-1696
January 12, 1995
In response to the call for submissions by the Canadian Radio-television and Telecommunications Commission (CRTC) to its Report under section 14 of the Telecommunications Act and section 15 of the Broadcasting Act to the Govenor General in Council, the Information and Privacy Commissioner for British Columbia submits the following comments.
I. The Information Highway and the Privacy Issue
A. The Problem
The massive capacity for profiling individuals through the linkage of transactional information about them is the critical privacy issue in the evolving debate over the Information Highway. Since the promotion of the Information Highway is largely commercially-driven, the significant value attached to personal data by commercial interests is a serious challenge to the privacy interests of individuals. The unwanted result is that a set of records intended for a particular purpose is used for novel and unintended purposes without individual consent.
The public must be made aware of the impact of current and prospective data collection and use practices on the privacy rights and interests of individuals. Lack of governmental and corporate sensitivity to the preservation of the right to privacy will lead to significant risk of hostile consumer response to real and perceived privacy problems associated with technological innovations.
Despite the positive efforts by some companies in Canada to develop self-regulatory privacy codes, none of them have the force of law and, according to our interpretation of recent Canadian privacy surveys, none are perceived as being fully responsive to the privacy concerns of individuals. (I recommend to your attention the findings of the current research for the Canadian Standards Association by Professor Colin Bennett of the University of Victoria on the implementation of voluntary privacy codes in advanced industrial societies.)
Therefore, it is essential that government agencies or private sector concerns prepare privacy-impact statements as a prerequisite to the promotion and application of new information technology, new products, and new services on the Information Highway. Such privacy-impact statements should identify competing interests to the fullest extent possible and suggest how a balance may be achieved.
B. Proposed Solutions
1. The issue of who has jurisdiction over the Information Highway is not seriously problematic. In short, it is unnecessary to implement a uniform federal statutory response to all of the privacy problems posed by the Information Highway.
A typical Canadian solution would involve both federal and provincial regulatory initiatives to respond to the social aspects of the Information Highway. The existence of the regulatory structure of the Canadian Radio-television and Telecommunications Commission is a positive aspect of the existing regulatory scene, since the agency has taken some positive initiatives on telecommunications privacy in particular.
2. All efforts at regulation must be prefaced by ongoing empirical efforts to understand proposed uses of technology and how various parts of the current and proposed technologies of the Information Highway actually operate.
Unless one understands the flow of personal information in a particular system, one cannot meaningfully prescribe fair information practices for it. Thus the practice of technology assessment is an essential and ongoing prerequisite to fashioning intelligent regulations to protect the privacy interests of all Canadians.
3. The application of fair information practices can take care of most of the privacy problems posed by the Information Highway.
The formulation and implementation of fair information practices in national and provincial data protection laws has a thirty-year history in advanced industrial societies. Fair information practices are at the heart of national and provincial data protection legislation.
A table of twelve primary data protection principles and practices for the treatment of personal information is included in Appendix A, below. 4. Informed consent is the most specific concern in the application of fair information practices. In every instance, opportunities for informed consent should be maximized.
The perception that "consent cures all," however, requires careful qualification. Too often an individual is given no real choice but to "consent" in order to obtain a benefit or a service. Further, the transfer of one's personal data to third parties should occur only on the basis of an individual's choice to "opt-in" to a proposed new and unrelated data use and not follow the "opt-out" model favoured in particular by the private sector. Thus, for example, a direct marketer should obtain individual consent for recontact with a customer or for the sale of a customer's name to a third party.
5. Every agency and organization holding personal data in the private sector in North America should engage in as much voluntary self-regulation as possible. Fair information practices should be the basis of such voluntary privacy codes. Following Quebec's 1993 legislated model and the European Union's draft Directive on Data Protection, such private sector codes should ultimately have the force of law with an outside body responsible for monitoring compliance.
C. Our Submission to Industry Canada on the Information Highway
In our submission to Industry Canada on the Information Highway, we stated that we are supportive of the following proposed solutions Industry Canada presented:
· the extension of the federal Privacy Act to all sectors of the marketplace within federal jurisdiction; · the avoidance of `data havens'and interprovincial trade barriers caused by differing privacy protection requirements and practices among provinces and territories; · the enactment of progressive legislation and regulations to protect the enormous information holdings of all levels of government, including medical, welfare, tax, immigration, and police records; · the creation of voluntary codes and standards to apply to private sector business and industry associations; · the use of technological solutions to safeguard personal data, such as reliance on encryption and smart cards; and · the need for consumer education to raise their awareness of how to protect themselves from invasion of privacy.
D. The European Model
The European Union's draft Directive on Data Protection has specific applicability to the Canadian situation. The Directive provides for the protection of personal privacy as a basic human right. It also seeks to establish general principles of fair information practices and some precise rules that can be incorporated and implemented in national and provincial data protection legislation for both the public and private sectors.
The most important thing about the draft Directive, from a North American perspective, is that it exists and is moving forward with all deliberate speed. This Directive will potentially have a negative impact on the EU's trading partners that do not have reciprocal protections in place.
Although British Columbia, Alberta, Ontario, and Quebec are now governed by freedom of information and protection of privacy legislation, and other provinces recognize in less comprehensive legislation the pressing need for the protection of privacy of their citizens, most parts of the private sector, except in Quebec, are not formally regulated and do not have voluntary codes of fair information practices in place.
The European Union Directive seeks to set both high standards for data protection and equivalent data protection rules for the handling of personal information. This will establish a set of minimum standards that can be translated into legislation and strengthened at will by national or provincial regimes. The draft Directive covers manual and automated records in both public and private records systems.
Privacy advocates emphasize the necessity of an independent administrative authority for the promotion of fair information practices. Such an authority can also be expected to investigate and process complaints from individuals. The absence of an independent administrative authority is a reason why contractual arrangements cannot fully handle the implementation of data protection, since auditing of compliance, or the enforcement of rights of individuals to access their own data, cannot otherwise be done.
Informational self-determination for the individual, ensuring the transparency of personal data use, and ensuring the existence of enforceable legal rights to fair information practices are the fundamental principles which underlie the Directive. These principles need to be reflected in Canadian law and practice.
II. The Information Highway and the Access to Information Issue
A. The Problem
As set out in the discussion paper produced by the Coalition for Public Information ("Future-Knowledge -- A Public Policy Framework for the Information Highway"); an appendix to this document ("Access and Privacy Principles") produced by the Information and Privacy Commissioner for Ontario; and the CRTC's own comments on the economic and cultural benefits of the Information Highway, the Information and Privacy Commissioner for British Columbia concurs that the information highway should be recognized as an opportunity to enhance access to information of interest to the public.
Yet, advances in new technology, new products and new services often create barriers for those with special needs, such as persons living in remote regions of Canada, persons on low income, and those with literacy, disability, or language skills problems.
B. Proposed Solutions
1. The development, management and application of all new Information Highway technology in Canada should be informed by and correlate with basic access to information standards. These standards should derive from three primary access to information principles:
2. The minimum standard of access to information should include universal and affordable access to government services and information. The precedent for a standard of universal access to important issues of Canadian culture and government is located in the historical role and function of the Canadian Broadcasting Corporation (CBC Radio and CBC Television).
3. The government should ensure that the necessary funding and other resources for public education and training are available to individuals and groups who wish to access government services and information.
For those persons or groups wanting access to non-governmental services and information, subsidy arrangements for cost-sharing between government and the private sector to educate, train or serve the public could be implemented. Practically, this would express itself in the location of government-funded Internet access through such public venues as public libraries, colleges, universities, and community centres or organizations. This would provide educational programs and essential information that are simple, affordable, and accessible by all members of Canadian society.
The thrust of our submission to the Canadian Radio-television and Telecommunications Commission Review is concern about the pressing need for active, effective, and visible privacy and access to information standards in the development, management and application of the Information Highway in Canada.
We note with regret that although the issue of privacy is set out in the CRTC's Review and call for submissions as one of the four primary operating principles, that it is not addressed, not even in a perfunctory way, in the body of the review. Important access to information issues are similarly disregarded, except in the context of Canadian economic or cultural identity concerns. Access should reflect more than facilities connectivity and interoperability or cultural content; it must address systemic participation and inclusion issues which affect all Canadians, especially those with primary disadvantages.
In our view, privacy and access to information issues are paramount to the organization and implementation of the Information Highway in Canada. Individuals must be protected from potential abuse of their personal information in the vast exchange of data that will take place on the Information Highway, and they must also be guaranteed universal, affordable, and functional access to the great wealth of public information that will be available on such a network.
Further, an Information Highway that involves 2200 public bodies in British Columbia who are subject to the Freedom of Information and Protection of Privacy Act, (1992) will have to operate with full accountability and sensibility to its privacy and access principles. In short, the Information Highway cannot flow through British Columbia without compliance with the Act.
In conclusion, it is our view that the final Report by the CRTC to the Govenor in Council should reflect throughout its analysis important privacy and access to information concerns as they affect each technological issue of the Information Highway. Further, recommendations for overarching policy statements about privacy and access to information standards should form an essential part of the ethical guidelines prefacing the Report. These are necessary first steps to making the Information Highway a welcome and useful innovation to all members of Canadian society.
Table 1. Data Protection Principles and Practices for Personal Information Systems ________________________________________________________________________
1. The principles of publicity and transparency (openness) concerning government personal information systems ( no secret data banks).
2. The principles of necessity and relevance governing the collection and storage of personal information.
3. The principle of reducing the collection, use, and storage of personal information to the maximum extent possible.
4. The principle of finality (the purpose and ultimate administrative uses for personal information need to be established in advance).
5. The principle of establishing and requiring responsible keepers for personal information systems.
6. The principle of controlling linkages, transfers, and interconnections involving personal information.
7. The principle of requiring informed consent for the collection of personal information.
8. The principle of requiring accuracy and completeness in personal information systems.
9. The principle of data trespass, including civil and criminal penalties for unlawful abuses of personal information.
10. The requirement of special rules for protecting sensitive personal information.
11. The right of access to, and correction of, personal information systems.
12. The right to be forgotten, including the ultimate anonymization or destruction of almost all personal information. ________________________________________________________________________ Source: David H. Flaherty, Protecting Privacy in Surveillance Societies, The University of North Carolina Press, Chapel Hill, NC, 1989, p. 309.