Canadian Press
Thursday, October 1, 1998

Government tables privacy legislation, encryption policy

by Jennifer Ditchburn

OTTAWA (CP) -- Giving Canadians control over their personal information in the digital age is at the heart of two key policies announced Thursday by the federal government.

The privacy legislation will require industry to follow a set of standards for why and how it uses the information it collects from consumers.

Guidelines for encryption technology will allow Canadians and businesses to encode their on-line transactions and communications to protect them from prying eyes -- including those of the authorities.

Both initiatives are designed to strike at the heart of the anxiety that keeps one-in-five Internet users in North America from making purchases on-line.

"The main thing in terms of rolling out the information highway and electronic commerce is whether or not people trust the system", said Nick Mulder, president and CEO of Stentor Telecom Policy Inc.

"If they can show us that all the private-sector companies only ask for the information they need and don't misuse it, it increases the whole opportunity in the marketplace to make this stuff happen."

The privacy legislation entrenches into law the Canadian Standards Association's principles on fair information and affects federally regulated industries, such as the banking and telecom sectors.

Knowledge and consent are the cornerstones of the proposed law: an individual must be informed about why information is being collected and must consent to its use or disclosure every step of the way.

Canada's privacy commissioner would become the arbiter of the privacy law, with the power to receive complaints from the public and conduct audits of companies suspected of violating the law. Canadians would be able to take their complaints to the courts if their cases are deemed to have merit.

Jim Savary, chairman of the Canadian Standards Association's technical committee, applauded the government's decision to entrench the privacy principles, but questioned how effective a complaints-triggered system would be in the long term.

"The problem with privacy is that you have no real way of knowing your privacy has been violated until so late after the actual event that it's impossible to follow any kind of audit trail to see how it happened", Savary said.

"Companies don't object to having financial audits every year, but the idea of having an audit on procedures they seem to think would be horribly invasive and horribly expensive."

The federal government is also looking to the provinces to develop their own privacy legislation -- currently only Quebec has such laws. Sectors such as health, education, and insurance are areas of provincial jurisdiction.

As for commercial activities, such as retail stores, federal privacy laws will apply within three years if the provinces don't come up with their own first.

The cryptography policy articulates the notion that Canadians can use any type of technology they like to encrypt what they do on-line, without having to provide a spare digital key to the police.

Law enforcement officials had advocated a regulated collection system where users of the technology would be required to give a copy of their private code to the authorities, so that they could intervene in suspected criminal activity that would otherwise be invisible.

To answer their concerns, the government has pledged to make legislative amendments which would make it an offence to use cryptography to commit or hide evidence of a crime.

Industry Minister John Manley said international agreements that curb the export of encryption technologies to certain countries would be upheld. In the meantime, the government would monitor the export policies of other countries to determine whether Canadian manufacturers are being placed at a competitive disadvantage.

The cryptography guidelines and the privacy legislation are an integral part of the government's electronic commerce policy, which has been more clearly articulated in the run-up to next week's Organization for Economic Co-operation and Development (OECD) conference in Ottawa.

Privacy is shaping up to be one of the biggest areas of disagreement at the conference. The United States has come out strongly against government intervention, while the European Union stands by its policy of privacy legislation.

Copyright © 1998 by The Canadian Press. All Rights Reserved. Reprinted with permission.