This report is also available in Adobe PDF format.

Table of Contents

• Executive Summary
  
  
• Introduction
  
  
• Project Achievements
  
  
• Telecommunications: "Mathew Englander - Toonie or Loonie? - Assessing the Impact of the Englander v. Telus Decision"
  
  
• Airlines: "Assessing the Level of Protection Afforded in Canada for the Transmission of Passenger Name Record (PNR) and Advance Passenger Information (API) From Airlines"
  
  
• Banking: "An Evaluation of the Privacy Notices of CIBC and Scotiabank in Light of the Article 29 Data Protection Working Party Opinion on More Harmonized Information Provisions"
  
  
• Retail: "An Industry-Specific Approach to Privacy Statements in the Retail Sector"

Appendices (Unlinked Appendices available upon request)

• Appendix 1 - Conference Materials (March 18, 2005)
  
  
• Appendix 2 - Participation in the Ottawa student salon and attendance of the Anonequity Conference (March 3-5, 2005)
  
  
• Appendix 3 - REB approved letter and Research Questionnaire (MS Word Documents)
  
  
• Appendix 4 - Faculty of Information Studies research day (April 1, 2005)
  
  
• Appendix 5 - Budget
  
  
• Appendix 6 - Researcher Biographies

Office of the Privacy Commissioner of Canada

Contributions Program

Implementing PIPEDA: A review of internet privacy statements and on-line practices

Submitted by Rajen Akalu

May 6, 2005

Centre for Innovation Law and Policy

Faculty of Law

University of Toronto

78 Queen's Park

Toronto, ON

M5S 2C5

Contributors

Rajen Akalu - Lead researcher, Bell University Manager (Law), Centre for Innovation Law and Policy

Aniz Alani - Researcher, JD Candidate, Faculty of Law

Lisa Austin - Research Advisor, Associate Professor, Faculty of Law

Barbara Bressolles - Researcher, LL.M Candidate, Faculty of Law

Nadia Caidi - Research Advisor, Associate Professor, Faculty of Information Studies

Andrew Clement - Principal investigator, Professor, Faculty of Information Studies

Sooin Kim - Co-researcher, Librarian, Centre for Innovation Law and Policy

David Ley - Web Master, MISt Candidate, Faculty Information Studies

Robert Luke - Researcher, PhD Candidate, Faculty of Information Studies

Sapna Mahboobani - Researcher, MISt Candidate, Faculty of Information Studies

Andrea Slane - Research Advisor, Adjunct Professor, Osler, Hoskin and Harcourt LL.P

Executive Summary

This document constitutes the final project report of an investigation funded by the Office of the Privacy Commissioner (OPC) Contributions program. A project proposal was submitted to the OPC on August 13, 2004 and an award of $48,300 was publicly announced on January 27, 2005 with a completion date of March 31, 2005 for expenditure of funds related to the project.

Research was undertaken by the Centre for Innovation Law and Policy in close partnership with the Information Policy Research Program (IPRP). This culminated in a full day conference which highlighted preliminary research on March 18, 2005. The conference was webcast and included leading experts in the field of information privacy.

The central aim of this project has been to evaluate the implementation of the Personal Information and Protection of Electronic Documents Act[1] ("PIPED Act") by reviewing privacy policies posted on the Internet by companies in the telecommunications, airlines, banking and retail sectors.

Where possible we have made use of publicly available information regarding corporate information management practices and combined this with a discussion of topical issues facing the target industry sector in light of developments at the national and international levels.

There are four substantive papers included in this report based upon investigations into three federally regulated industry sectors and the retail sector. Since the PIPED Act had been applied to federal works since its enactment, we were interested in determining whether experiences in these industries could be transferred to the retail sector.

In the absence of clear legislative mandate at the federal level to regulate privacy with respect to ‘all commercial activity', movements at the international level, particularly the European Union with its Data Protection Working Party Opinion on information notices and advance passenger information and passenger name record are likely to have the greatest impact on privacy discourse in this country.

What we find is that despite having considerable resources to devote to the issue of privacy the implementation of the PIPED Act has been ad hoc at best and non-existent at worst. Companies it would appear are motivated to communicate their information management practices in large measure as a result of business prudence rather than concerns for individual privacy.

While might be expected, the unwillingness on the part of the OPC to name respondents that are culpable of the most egregious violations of individual privacy even where so doing would be ‘in the public interest' does little to cultivate the jurisprudence in this area, much to the chagrin of privacy advocates. The dual role of recognizing business interests and individual rights with respect to privacy - a value that is far from absolute results in uncertain interpretation and application of the Act. Coupled with tenuous legal drafting, this hybrid of legislative instrument and industry code is at times in many instances ill-suited to further refine our understanding of the privacy interest and the consequences of the harm caused by the loss of it.

---

[1] R.S.C. 2000, c. 5.

Prev - Next >>