Policy discussions around privacy usually include several divergent perspectives on the role of privacy in the public sphere. Governments tend to frame privacy as a priority that must be balanced with others, such as national security and law enforcement. This makes some sense. For the most part, citizens’ personal information should only be accessed with their informed consent, but there are circumstances where this is not always possible or desirable – for instance, criminal investigations and emergency health services. Businesses, on the other hand, tend to view privacy as a liability to be weighed against the advantages of collecting personal information for use in targeted marketing. Different from both of these perspectives is the concept of “privacy by design” promoted by the Ontario Privacy Commissioner and others. A few of the key aspects of this philosophy are: that privacy is not a balancing act, but a basic right; that personal information should be kept private by default; that information management practices should be transparent; and that individuals should be given as much control as possible over the privacy of their personal information. Situations in which citizens’ personal information is accessed without their knowledge or consent should be exceptions rather than the rule, and should be strictly regulated.
Bill S-4, called Canada’s Digital Privacy Act, has been touted by the Canadian government as strengthening online privacy. This legislation, which amends the Personal Information Protection and Electronic Documents Act (PIPEDA), includes a couple of positive changes. The most significant of these is a requirement that organizations notify individuals if their personal information is lost or stolen, keep records of all data breaches, and report them to the Privacy Commissioner of Canada. However, Bill S-4 also includes significant and under-publicized changes to privacy in the areas of healthcare, finance, insurance, employment, and law enforcement. As a federal act, the Digital Privacy Act supersedes provincial legislation in these fields, enacting broad changes to the way personal information is collected, used, and shared by organizations across the country. As a whole, these changes tilt away from a policy of privacy by design and towards increasing information access for both government agencies and private organizations. Most concerning are several provisions allowing public and private organizations to “collect, use and disclose personal information, without the knowledge or consent of an individual” for several broad purposes:
Emergency health services
The Digital Privacy Act is mostly in line with existing health privacy laws regarding emergency services. Provincial health privacy legislation across Canada allows healthcare providers to access personal health information necessary to treat a person in an emergency state without consent. In Ontario, this is implemented through an access override in the Online Laboratories Information System (OLIS), which provides physicians with a 4-hour window to access healthcare information needed in an emergency. The Digital Privacy Act does not specify a time frame for emergency access, and also broadens the personal information that can be accessed to include contact information for next-of-kin. While these changes are not necessarily problematic, the new legislation will require healthcare organizations across the country to re-examine their privacy policies.
The Digital Privacy Act allows government and private organizations to access personal information for the purpose of preventing, detecting, or suppressing fraud. The legislative changes proposed are fundamental in nature: existing legislation outlines specific purposes for which specific types of information can be accessed, whereas the Digital Privacy Act names only the broad purpose of fraud prevention and investigation. It is unclear what information fraud investigators are permitted to access, and to whom they are permitted to disclose it. Currently, banks and credit card companies generally obtain customers’ consent, when they open an account, to monitor their spending patterns to prevent fraud by flagging unusual purchases. The new legislation allows this type of access without consent, and does not prevent financial institutions from obtaining personal information about customers from other sources or disclosing customer information to other organizations. For instance, with these legislative changes, banks could seek to buy customer records from credit card companies or other banks to increase their ability to detect identity theft.
The Digital Privacy Act also allows insurance companies to retain and use information from witness statements for the purposes of insurance claims. This effectively means that any statement made on public record in the course of a legal proceeding, which can be obtained through a public access to information request, can potentially be used by insurance companies to assess and settle claims. Insurance companies could, for example, access court records from a trial related to a vehicle accident and use these in evaluating insurance claims without the claimant’s knowledge or consent. From this type of practice, it would be a small step to purchasing records of insurance assessments from other companies. Individuals would have no way of knowing what information had been used to assess their claims, let alone challenging this information. If insurance companies are allowed to gather information about individuals without their knowledge or consent, incorrect or misleading information could have a major impact on people’s ability to secure insurance coverage and access benefits. It is even possible that information pertaining to a different person with the same name could be added to a customer’s file, without the customer having any opportunity to discover and correct the mistake.
The Digital Privacy Act permits “federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual.” This could allow employers to run credit checks, criminal record checks, or extensive internet searches on employees or prospective employees without informing them or obtaining their consent. As in the case of insurance, this creates the risk that incorrect or misleading information, or even information pertaining to another person, could have a major impact on an individual’s employment without the individual having any opportunity to explain or correct it.
Breach of agreement and criminal investigations
As law professor Michael Geist notes in an April 10 blog post, “Why the Digital Privacy Act Undermines Our Privacy,” the Digital Privacy Act permits organizations to disclose individuals’ personal information to other organizations for the purpose of “investigating a breach of an agreement or a contravention of the laws of Canada.” This allows organizations to disclose individuals’ personal information to investigate the breach of an agreement or law without a court order and without notifying the individual being investigated. This would allow companies (such as telecom companies) to hand over customer data to police and federal intelligence agencies without a court order or warrant, without any risk of liability. A second likely consequence of this change could be the type of “copyright trolling” common in the United States, where companies obtain information from telecom companies about individuals who have illegally downloaded copyrighted content, and then contact these individuals threatening legal action and demanding compensation. This new legislation effectively removes court oversight of investigations and allows law enforcement and private companies to access personal records without any warrant or court order.
The Canadian government has been promoting the Digital Privacy Act as a law that strengthens online consumer protection against identity theft and increases the powers of the Privacy Commissioner of Canada. In reality, this legislation covertly amends banking, insurance, and other laws and grants public and private organizations broad permission to collect, retain, use, and disclose individuals’ personal information without informing them or seeking their consent. The Digital Privacy Act does not strengthen privacy, but erodes it, and needs to be challenged by privacy advocates.
Michael Geist. 2014. “Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure.” Michael Geist Blog, April 10.