Canada is new kid on privacy standards block
How and why does a nation act to protect the privacy of its citizens? This is a
complex, timely issue. The Canadians just proposed an interesting approach that is worthy
of attention. Let's begin with some context.
The United States invented modern concepts of privacy in the 1970s. We lost our
leadership of the issue when European countries began to enact omnibus privacy laws later
in the decade. The idea of fair information practices that originated in the United States
flourished in Europe. International organizations there used those practices as a central
theme for international privacy documents in 1981.
Today the European Union continues down the same path with its recently adopted
directive on data protection. The most controversial part of the directive prohibits
transferring personal data to countries that do not have adequate privacy. No one is quite
sure what this means, but other countries are paying attention to privacy policies as they
are outlined in the EU directive approaches.
In the United States, our low-level debate over the best ways to protect privacy
continues, but privacy is a tertiary issue at best. We have a few scattered laws, such as
the Fair Credit Reporting Act, but most records still have no legal protection.
Many in industry want to leave the issue to the marketplace and to self-regulation.
Some advocates want to protect privacy through property rights. Individuals would have a
property interest in their personal data and could prevent others from using it or would
profit when they do.
Others want sectoral legislation with specific protection for medical or other records.
Another approach would use technology to make personal data anonymous or to encrypt it. Of
course, these solutions are not all mutually exclusive.
The new kid on the privacy block comes from the Canadian Standards Association, which
has promulgated a privacy standard. The idea of industry standards is an old one.
Thousands of existing technical standards address such things as the dimensions of screw
threads for light bulbs.
In recent years, standards have been developed for nontechnical subjects like
management and quality. A company that demonstrates compliance with these standards can
offer customers additional assurances about the competence of management. There even are
standards for compliance with environmental objectives.
The new CSA standard is in the form of a model code for the protection of personal
information. The idea is to establish principles for personal data management, to specify
requirements for protection of personal data, and to provide a way for the international
community to measure privacy protection in Canada.
Why are the Canadians so interested in establishing and documenting privacy practices?
Because of the EU data protection directive, European privacy regulators will be looking
closely to see if Canada has adequate privacy laws.
Canada, with its small population and limited economic clout, is careful about meeting
international standards. It doesn't want to lose business opportunities because of
possible export restrictions. It is no coincidence that the CSA standards are similar to
the fair information practices central to European privacy laws.
Remarkably, the CSA Code was prepared with cooperation from industry, government, labor
and public interest groups. There is no chance of a similar consensus here in the United
The United States is less worried about the EU because the U.S. is more important in
world trade than Canada. No one is quite sure if the Europeans will really disrupt trade
with the U.S. over privacy. Most U.S. companies are betting that the Europeans will back
Standards offer a more formal approach than company or industry codes. They are a
common set of principles that can apply to personal data of all types, but leave the
details to be worked out elsewhere. Companies and industries can have their own codes, but
they must meet the established standards to qualify. Unlike voluntary codes, the CSA
standards require real enforcement. That is a key element.
It remains to be seen if the CSA code will work effectively. The Canadian government is
considering whether legislation will help to further acceptance and use of the standards.
This is an interesting and difficult exercise.
We may have much to learn by watching how the Canadians proceed. The CSA privacy code
is a noble experiment.
Robert Gellman, former chief counsel to the House Government Operations
Subcommittee on Information, Justice, Transportation and Agriculture, is a Washington
privacy and information policy consultant. His e-mail address is email@example.com.