While the U.S. government has been treating privacy as if it were just another issue to be inserted in a contract, there has been another North American approach to dealing with the implications presented by last year's European Union (EU) directive on data protection. That directive states that personal information should not be sent to countries where the protection of personal information is not adequate by European standards.
Since it has been clear from the beginning that U.S. statutory privacy protections were considered inadequate, particularly for private-sector information, the Commerce Department, acting on behalf of U.S. business, has been negotiating with the EU. Commerce has proposed what is known as a "safe harbor," a self-regulated privacy environment in which American companies could operate without running aground on the shoals of European data protection. Although Commerce Undersecretary David Aaron and European Union Internal Market Director-General John Mogg have been negotiating an agreement ever since the EU directive came into effect late last year, every self-proclaimed deadline to come to an agreement has come and gone without a final resolution. It seems likely that an uneasy truce will eventually be hammered out since neither the United States or Europe want this disagreement to lead to a trade war.
While U.S. business was sticking to laissez-faire frontier individualism, Canada was trying another approach. Privacy is more front and center in Canada than in the United States, and when Canadian industry commits itself to respecting personal privacy, it at least sounds more convincing than its American counterparts. With the help of government and industry representatives, the Canadian Standards Association (CSA) developed a model privacy code several years ago, which provided reasonably thorough protections under fair-information-practices principles. Armed with CSA code, Industry Canada put together a draft bill that built a framework of private-sector privacy around the features of the code, making the code enforceable through reliance on privacy commissioners and the courts.
Last year the federal bill was introduced into Parliament. Bill C-54, jointly sponsored by the minister of industry and the attorney general, was really two bills in one -- the private-sector privacy bill, which was Industry Canada's contribution, and an electronic-documents portion shepherded by the Ministry of Justice. Like the United States, Canadian officials had succumbed to the reality that such privacy protections stood a better chance of being written into law if they were sold on the basis of improving and expanding the economic environment for electronic commerce. The dividing line is clear -- private-sector privacy is needed in North America only if it benefits business, while in Europe, privacy is viewed as a basic human right.
From its inception the bill has been dogged by some basic constitution jurisdictional problems and many thought it could not succeed unless the provinces agreed to pass parallel laws. But when C-54 was introduced, it cast its net broadly, using the federal authority to regulate interprovincial commerce to extend the reach of the bill to records pertaining to the commercial aspects of any provincial business.
While this extended the federal law to a much greater universe of records, without the cooperation of the provinces in passing similar laws there would still be no coverage of personal information such as personnel files held by provincial companies since such records did not reflect on commerce. The bill gave provinces three years to pass their laws, at which time the provincial laws would supersede the federal law as it applied to provincial records. However, if the provinces failed to act, the status quo instituted by C-54 would remain. Quebec was specifically excluded from the bill's coverage because the province already has a law that protects personal information held by the private sector.
The bill received criticism from privacy advocates and business alike. When the law enforcement community insisted on various changes, followed by aggressive challenges by the insurance industry, privacy advocates complained that the bill was in danger of becoming too weak. But as the bill slowly got closer to passage, privacy advocates rallied behind it and urged Parliament to adopt it. Even so, some advocates felt lukewarm in their support, apparently viewing some federal law as better than none at all.
When provincial governments took any stand on the legislation, it was usually in opposition. The Ontario Ministry of Health testified against the bill. And Quebec came out against the legislation after law enforcement had managed to get fewer restrictions on their access to criminal information.
But as Parliament moved to wrap up its session, the nail biting began. The bill's proponents began to worry that there wasn't enough time left in the session for the bill to get through the House of Commons and the Senate. Time became critical with indications that Parliament would perogue -- end its session even though there were no elections and begin with a fresh agenda in the fall. Such a move might mean the end of any realistic chance to pass private-sector legislation.
Parliament missed its deadline and C-54 failed in the past term. A government official told reporters that the bill would be reintroduced in the fall, but indicated that its chances of passage before December were not very good.
The bill's failure leaves some unanswered questions in the dispute over North American reconciliation with the EU directive. While from a privacy perspective, the U.S. approach of treating privacy as a negotiating tool is not the way to go, the somewhat looser, more gentle, approach offered by Canada's embrace of the CSA code seemed like a good commonsensical middle ground. But with that middle ground cut out, Canada may now be in a worse position than the United States. It will be interesting to see what steps the Canadian government takes to move into line when dealing with the Europeans.
Harry Hammitt is editor/publisher of Access Reports, a newsletter published in Lynchburg, Va., covering open-government laws and information-policy issues. Email him.