privacy in North America
page looks at legislation and developments in North America.
It covers -
As in Australia, the Canadian regime involves a mix of
federal legislation, provincial legislation and industry
At the federal level the 1982 Privacy Act (PA)
covers all federal government departments and most federal
agencies or statutory corporations. It gives Canadians
the right to access and correct personal information held
by those agencies. It places limits on the collection,
use and disclosure by federal agencies of personal information.
The enactment built on earlier legislation such as regulation
of wiretapping under the 1974 Protection of Privacy
Act and privacy provisions in Part IV of the 1977
Canadian Human Rights Act.
The Canadian federal Personal Information Protection
& Electronic Documents Act (often known as C-6
or the PIPED
Act) received a strong endorsement from the EU. It
is intended to cover collection, use and disclosure by
private sector entities of personal information in the
course of commercial activity. Individuals have the right
to access and ask for corrections to information that
an entity may have collected about them.
PIPED is broader than the Australian Bill and was implemented
in two stages, commencing in 2001.
It initially applied to those private sector activities
that are regulated by the federal government and to personal
information that is traded "inter-provincially and
internationally." From 1 January 2002 it encompassed
personal health information collected, used or disclosed
by entities engaged in federally-regulated activities.
As of 1 January 2004 it covers personal information collected,
used or disclosed in the course of any commercial activity
within a province, including provincially-regulated organisations.
A Canadian government guide is here.
Organisations or activities within Canada’s provinces
will be exempt from the Act if the province has adopted
provincial privacy legislation of a substantially similar
nature. Quebec for example passed An Act Respecting
the Protection of Personal Information in the Private
Sector in 1998 - the only broad-brush legislation.
Manitoba has established a more restricted Personal
Health Information Act, with a similar Health Information
All but two provinces - Prince Edward Island and Newfoundland
- have privacy legislation governing the collection, use
and disclosure of personal information held by government
PIPED and the CSA code
Federal, provincial and territory Ministers have agreed
to support the Canadian Standards Association (CSA)
Model Code for the Protection of Personal Information
as a minimum standard for privacy protection in all jurisdictions.
The Code reflects international frameworks and embodies
ten Fair Information Practices,
consistent with the Australian National Privacy Principles
Key principles are:
An organization is responsible for personal information
under its control and shall designate an individual
or individuals who are accountable for the organization's
compliance with the following principles.
2. Identifying Purposes
The purposes for which personal information is collected
must be identified by the organization at or before
the time the information is collected.
The individual's knowledge and consent are required
for the collection, use, or disclosure of personal information,
except where inappropriate.
4. Limiting Collection
The collection of personal information shall be limited
to that which is necessary for the purpose identified
by the organization. Information shall be collected
by fair and lawful means.
Limiting Use, Disclosure and Retention
Personal information must not be used or disclosed for
purposes other than those for which it was collected,
except with the consent of the individual or as required
by law. Personal information shall be retained only
as long as necessary for the fulfilment of those purposes.
Personal information is to be as accurate, complete,
and up-to-date as is necessary for the purposes for
which it is to be used.
Personal information must be protected by security safeguards
appropriate to the sensitivity of the information.
8. Openness An organization must make readily
available to individuals specific information about
its policies and practices relating to the management
of personal information.
Upon request, an individual must be informed of the
existence, use, and disclosure of his/her personal information
and shall be given access to that information. An individual
shall be able to challenge the accuracy and completeness
of the information and have it amended as appropriate.
10. Challenging Compliance
An individual shall be able to address a challenge concerning
compliance with the above principles to the designated
individual or individuals accountable for the organization's
is examined in The Personal Information Protection
& Electronic Documents Act: An Annotated Guide
(Toronto: Irwin Law 2001) by Stephanie Perrin, Heather
Black, David Flaherty & Murray Rankin, in the 2001
Guide to the Personal Information Protection &
Electronic Documents Act (Markham: Butterworths 2000)
by Colin McNairn & Alexander Scott and in the 2000
Canadian Privacy Law Handbook (ENS
eLearning) by Suzanne Morin & Murray Long.
For wider coverage of federal and provincial regimes
Privacy Law in Canada (Markham: Butterworths 2001)
by McNairn & Scott is of particular value; the former
co-authored Government Information: Access & Privacy
(Toronto: Carswell 1992).
There is a thoughtful discussion of the Canadian legislation
in relation to international developments in a report
by Colin Bennett.
The European Commission has published FAQs
on its 'adequacy finding' regarding the EU Directives
The United States has had a slow and uneven development
government rather than the private sector. A succinct
and intelligent introduction is provided by Ken Gormley's
1992 Wisconsin Law Review paper
One Hundred Years of Privacy, Joel Reidenberg's
2004 Privacy Wrongs in Search of Remedies paper
and Martin Kuhn’s Federal Dataveillance: Implications
for Constitutional Privacy Protections (New York:
Lfb Scholarly Publishing 2007).
The Privacy Act of 1974 resulted from studies by consumer
groups and the federal Department of Health, Education
& Welfare among others. The legislation - and an associated
Privacy Protection Study Commission - centred on data
collection and use by government agencies. It was followed
by a range of specific federal and state enactments such
as the 1970 Fair Credit Reporting Act, 1984 Cable
Communications Policy Act, 1974 Family Educational
Rights & Privacy Act, and 1986 Electronic
Communications Privacy Act.
In the following decade there was increasing interest
in medical and online privacy, both because digital technologies
'crystalised' traditional privacy (and intellectual property)
concerns and because civil liberties groups sought to
grapple with electronic commerce issues.
unsettled, in part because of ambiguity about cost incidence,
ambiguity about underlying philosophy (property, free
speech, and other theories are debated), and asymmetrical
political clashes that chiefly involve data collectors/processors
and privacy advocates. It continues to be easier (but
not necessarily "easy") to progress when there is a
specific objective that can evoke broad agreement, such
as the 1999 Children's Online Privacy Protection
Act and Gramm-Leach-Bliley Act. The perceived
privacy threat has shifted toward the private sector,
although concern about the government remains and has
evolved. Advocates invoke a constitutional right to
privacy, but support through case law and state-level
actions remains limited when it comes to informational
years have seen a move by the US federal government and
major state governments (eg California and New York) towards
stronger online privacy regulation, despite claims that
privacy law is unecessary, unAmerican or simply too expensive.
Some industry groups for example have welcomed stronger
legislation and recognised that best practice is good
business; others have lamented that it will strangle economic
Robert Hahn's 2001 An Assessment of the Costs of Proposed
Online Privacy Legislation (PDF)
for example claimed proposed legislation will result in
direct costs of US$36 billion.
The Online Privacy Alliance (OPA)
- an advocacy group under the aegis of the US Direct Marketing
Association - concurrently issued reports such as Customer
Benefits from Current Information Sharing by Financial
Services Companies (PDF),
The Impact of Data Restrictions on Consumer Distance
and The Value of Comprehensive Credit Reports: Lessons
from the US Experience (PDF)
warning that restrictions on corporate sale/sharing of
customer information without permission would cost 90
of the largest financial institutions US$17 billion a
year of added expenses and involve a US$1 billion 'information
tax' on consumers as costs are passed on through snailmail
catalogues and websites.
Other advocates have warned that government, not business
is the privacy 'enemy'.
The "free-market, pro-technology" advocacy group
- characterised by some as a privacy wolf in sheep's clothing
- accused Washington agencies of breaking their own rules
and sniffed in Privacy & Federal Agencies: Government
Exchange & Merger of Personal Information is Systematic
& Routine (PDF)
that "new government information-sharing programs
have been announced more than once every two weeks".
Further to the right, the Citizens Against Government
Waste (CAGW) released Keeping Big Brother From Watching
You, a study
that concludes "the federal government’s vast incompetence
to secure data puts it in an unsound position to legislate
Amid the smoke and shouting there has been substantial
progress. The EU-US Safe Harbor Agreement, in which major
US businesses have committed to meet EU data protection
standards (something applauded by US consumers and eminently
sensible if IBM, Amazon and others wish to sell goods/services
in Europe) is discussed here.
Private sector compliance is explored in the detailed
October 2004 Safe Harbor Decision Implementation Study
for the European Commission by Jan Dhont, María
Verónica Pérez Asinari, Yves Poullet, Joel
Reidenberg & Lee Bygrave (PDF),
which notes "significant levels of non-compliance
with the Safe Harbor by self-certified companies.
Developments such as the Financial Services Modernization
Act (Gramm-Leach-Bliley Act), which requires financial
institutions to send consumers yearly notices on how their
personal financial data is used, have resulted in incremental
changes and heightened awareness of issues.
A useful overview of recent
US developments is provided in the online briefing
by the bipartisan Congressional Internet Caucus.
In September 2000 the US House of Representatives moved
to create a 17-member bipartisan 'privacy commission'
to explore the growing online personal privacy debate
and recommend a comprehensive legislative approach.
The commission, first proposed in March, was opposed by
the Clinton administration as likely to delay privacy
legislation. With representatives from business,
academia and consumer groups it would present recommendations
to Congress in 18 months time.
The proposal is similar to the Commission on Online Child
Commission), established in 1998 in conjunction with the
Child Online Protection Act (COPA) - recently struck
down by a Supreme Court decision - to "identify technological
and other methods that will help reduce access by minors
to material that is harmful to minors on the Internet".
The Commission presented its final report
on 20 October 2000. The report embraced rating systems,
filters, age verification
systems and a special 'X' domain.
COPA is distinct from the Children's Online Privacy
Protection Act (COPPA), described below.
The Advisory Committee on Online Access & Security
of the Federal Trade Commission (FTC)
released a 220 page Privacy Online: Fair Information
Practices in the Electronic Marketplace report
on consumer access to information collected by commercial
websites and the security of that information. Coming
after a spate of privacy breaches by bodies such as CDNow,
DoubleClick, Amazon, and RealNetworks, it reflects the
FTC's 1998 Privacy Online and 1999 Self-Regulation
reports to Congress.
Transcripts from the 1999 FTC workshop
on online profiling are now available. Peter Swire has
a thoughtful paper
on Financial Privacy & the Theory of High-Tech
Government Surveillance, arguing that individuals=
payments will become increasingly traceable, with possible
advantages for government (taxation, revenue distribution,
crime deterrence) along with disadvantages.
The 1998 US Children's Online Privacy Protection Act
(COPPA), requires that US sites obtain parental permission
before collecting, disclosing or using personal data from
children younger than 13.
Recent studies by the Federal Trade Commission suggest
that under 50% of US sites geared to kids are compliant
and reports indicate that industry is in disarray, with
some sites ceasing to collect the data, some confusing
the Act with the anti-pornography COPA
legislation and others experiencing administrative problems
as kid pretend to be their parents.
major US federal enactments
The salient federal legislation is
Communications Policy Act (CCPA)
Online Privacy Protection Act (C0PPA)
Proprietary Network Information Electronic Communications
Privacy Act (CPNI)
Electronic Communications Privacy Act (ECPA)
Credit Reporting Act (FCRA)
Education Rights & Privacy Act (FERPA)
Trade Commission Act (FTCA)
Insurance Portability & Accountability Act (HIPAA)
Theft Assumption & Deterrence Act (ITADA)
to Financial Privacy Act (RFPA)
1996 Health Insurance Portability & Accountability
Act (HIPAA) covers health care providers, insurers
and information clearinghouses. Those entities were to
be in full compliance by April 2003. Rules for Patient
under that legislation were belatedly published in 2001.
Detailed coverage of HIPAA and state medical privacy legislation
is provided by the Health Privacy Project (HPP)
at Georgetown University.
Federal and state case law is significant. One point of
entry is Christopher Slobogin's Privacy At Risk: The
New Government Surveillance and the Fourth Amendment
(Chicago: University of Chicago Press 2007).
The American Library Association points to state legislation
regarding privacy of library records,
about 'the FBI In Your Library' and features
privacy in the 'Library Bill of Rights'.
next page (government