Privacy Plus+: Make Privacy Nice. Like the Canadians
Privacy, Technology and Perspective
Make Privacy Nice. Like the Canadians – Everybody likes the Canadians, and not only because of their courage, whiskey, openness, and art, reason enough as those reasons are. But also because Canadian law is often characterized by straightforward, principle-based, balanced, and “balancing” approaches which reflect and address their pluralistic, digital society.
Hold that thought. More about Canadian law later.
Here in the United States, the foundation of privacy governance is the Federal Trade Commission’s Privacy Principles: (1) Notice/Awareness, (2) Choice/Consent, (3) Access/Participation, (4) Integrity/Security of data, and (5) Enforcement/Redress. It is generally agreed that the most fundamental of these principles is “notice and consent.” It requires companies to give customers clear, upfront, complete “notice” about what of their personal information is about to be collected, how it will be used and shared, and so forth, all so they can make informed decisions about whether to proceed (“consent”).
Notably, the disclosure/notice and consent orthodoxy has existed in nearly its modern form since at least the Securities Act of 1933 and the state-based “blue sky” progeny that followed. Disclosure/notice and consent requirements are great for preventing (or at least redressing) fraud, but they have marked limitations. The biggest limitation may be that the disclosure of one thing compels the disclosure of another, then another, until the notice itself becomes awkwardly long and overly complex. Like securities prospectuses, offering memoranda, and franchise disclosure documents, privacy notices aren’t usually read by consumers until those consumers have already been disappointed.
Consumer “disappointment” is one reason why “notice and consent” has always been accompanied by some level of substantive regulation, outlawing pernicious things you can’t do whether the consumer consents or not. The Securities Exchange Act of 1934 illustrates this well. Apropos privacy notices, a fellow of the Berkman Klein Center for Internet and Society once explained very well: “I don’t want you to give me full disclosure about how you’re going to scr-w me, and then ask for my consent. Just don’t scr-w me.”
Well put, we think, albeit very American.
So now back to Canada. Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), www.priv.gc.ca, governs the protection of personal information by businesses at the federal level. PIPEDA is based on ten (10) Fair Information Principles which will be familiar to every privacy pro but with a peculiarly practical, Canadian twist.
Number 3 catches our attention. The Purpose of this Act (described elsewhere as the “overriding” purpose) is to “establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals … and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances” (emphasis added). The focus is on the reasonable person and her circumstances – a focus that is within everybody’s grasp and understanding; is readily administrable; and avoids the consumer “disappointment” engendered by both notice/consent and substantive regulation.
In the early 1980s, a major Montreal newspaper ran a fill-in-the-blank contest: “As Canadian as [blank].” Popular entries included “Mounties!”, “maple leaves!”, “ice hockey!” and “clear Rocky Mountain water!” The winner? “As Canadian as….
…possible under the circumstances.”
Perhaps in our Privacy Notices and our substantive regulation we should try to be as Canadian as possible under the circumstances, too.
That would be nice.
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.