Author: Nola Young
If the feedback I received after my last column is an indication, it’s clear consumers are very concerned about Internet privacy issues and about the apparent lack of government legislation to protect them.
Estimates of business-to-consumer e-commerce vary widely, but some projections suggest Canadians will spend $8.5 billion to $17 billion on the Internet next year. (These estimates don’t include business-to-business sales or transactions using Electronic Data Interchange (EDI) over proprietary networks.)
Obviously, online consumer shopping is quickly gaining acceptance. Having said this, there still seem to be many consumers who say they would never buy over the Internet. So what’s stopping them? The typical answer is that they don’t feel comfortable giving credit card information over the Internet.
To explain what’s being done to give consumers more confidence, I sought the help of technology lawyer Joe Mattes of the Waterloo firm, Mattes Evans. Joe writes:
Privacy concerns are one of the major issues standing in the way of further development of business-to-consumer electronic commerce. Simply put, consumers are concerned that if they provide personal information to businesses, it may be misused to their detriment.
The federal government has tried to address this concern by enacting the Personal Information Protection and Electronic Documents Act, often called PIPEDA for short.
The Ontario government is also in the process of developing privacy legislation in the form of the Privacy and Personal Information Act, 2002, often called PPIA. It is not yet law.
Personal information is broadly defined in both the federal and provincial legislation so that most businesses (whether Internet dependent or not) can expect to be restricted in the way they use and disclose any personal information they collect.
The federal law is coming into force on a staged basis, with its initial provisions already effective as of Jan. 1 this year. Its primary purpose is to protect the privacy of personal information that is collected, used or disclosed in the private sector. The federal law will eventually apply to all organizations to restrict how personal information is managed in the course of a “commercial activity.”
It currently applies to organizations that disclose personal information inter-provincially or internationally, or that are involved with federal government work. This legislation will cover all commercial organizations in Canada by Jan. 1, 2004.
Essentially, the federal law will restrict organizations from collecting, using or disclosing personal information without the prior informed knowledge and consent of the individual from whom the information is collected.
Organizations will need to document the limited purposes for which the information will be used, and communicate those limited purposes to the individual.
Ontario’s legislation will cover private sector, not-for-profit and public sector privacy concerns in one piece of legislation once it comes into effect. It will then essentially take over from the federal law as the operative privacy legislation in Ontario.
Express consent of individuals will be required under the provincial law in order to use personal information, unless the use to which the information is to be put is relatively obvious, and provided further that the organization doesn’t use or disclose the personal information for any other purpose.
Canadian privacy legislation and that of other jurisdictions will be particularly relevant to those who use the services of e-commerce businesses. However, it will be subject to some practical limitations. For example, will individuals actually know their privacy has been breached if personal information is sold without their knowledge by a disreputable business?
The new privacy legislation will also have a substantial effect on many business organizations. Since there are no grandfathering provisions that exempt information already in the hands of organizations when the new laws start to apply, organizations should strongly consider starting now to implement a system to obtain consents from individuals from whom personal information is collected.
Furthermore, the patchwork of legislation, the various jurisdictions involved and the exemptions that apply will make compliance by organizations difficult, particularly if they are working in an Internet environment.
The situation is made more difficult by the fact that substantial penalties apply for non-compliance. In many cases, professional advice will be needed to review the particular circumstances and put the necessary systems in place.
In my next column I will focus on what businesses and other entities operating in the online or electronic commerce environment can do to ensure the privacy of personal information.
Thanks to those who called or sent e-mails about this topic.
Nola Young is the president of KW Digital Solutions. Send your comments or questions by email or call 519-741-7641.