With nod to Europe, Canada tightens data privacy
A new law that took effect Jan. 1 meets EU demands, takes a middle-ground approach.
TORONTO — When it comes to the Internet, US companies aren't the only ones feeling pressure from Europe.
European Union rules on data privacy are credited with prompting Canada to pass legislation that went into effect Jan.1. The federal data-privacy law, more comprehensive than anything so far in the US, requires any company collecting personal information online to explain to individuals - including customers and employees - who is doing the gathering, and why and how it will be used.
In the Internet age, Web surfers can inadvertently send all manner of personal information off into cyberspace with a few unguarded keystrokes.
The new law in part reflects a desire at Industry Canada, a government ministry, to bolster consumer confidence in e-commerce. But "everybody recognized the EU directive had the potential for becoming a trade barrier," says Heather Black, legal adviser to the federal privacy commissioner in Ottawa.
The EU directive forbids the export of data - customer mailing lists, for instance - from an EU member to any country lacking what it terms "adequate privacy protection."
"It's fair to say that the EU is driving the international agenda on privacy issues," says Michael Geist of the University of Ottawa, a leading authority on cyberlaw. The directive "effectively exports EU privacy law around the world," he adds, citing new legislation in Australia and India in response to the European policy. "They're raising the bar on privacy, and that's a good thing."
But Canada hasn't been merely reactive, Mr. Geist suggests. Rather, Canadians for some time have been working to develop "sensible, middle-of-the-road approaches" to privacy issues which, he says, "set some good examples and show that there is some role for government." Says Ms. Black: "Canada is kind of in between" the US, which prefers to let industry groups regulate themselves, and Europe, where government bodies regulate data protection.
The Canadian system is intended to be tough enough to represent adequate privacy protection in the eyes of the Europeans. But it was also "designed to be relatively light and flexible," says Black. It does not take the European approach of forbidding any collection of data not explicitly consented to by the individual.
Electronic commerce is changing so rapidly that it's hard to say who's ahead and who's lagging on privacy protection, says Geist. A study he made last year of 259 leading websites based in or targeting Canada found that "despite the absence of privacy legislation, US sites targeting the market north of the border typically provide better privacy protections than their Canadian counterparts."
The US is seen as having better sectoral or issue-based privacy legislation - protection for children online, for instance - but as having something of a regulatory patchwork. The Canadian law sweeps across all sectors.
As of this year, the new law applies to federally regulated companies, such as airlines, financial institutions, and other companies that sell information across national or provincial borders. When it is completely phased in, in 2004, the law will apply to all companies collecting personal information for commercial purposes.
The refusal of the US to adopt the European standards of data protection has led the US Commerce Department to negotiate a set of "safe harbor" principles, with which individual American companies can comply in order to do business with Europe.
Only about a dozen companies have registered compliance so far.
(c) Copyright 2001. The Christian Science Publishing Society