For those who are struggling with privacy laws and compliance, I recommend two new tools that will help in different ways.
The first is a book about the new Canadian privacy law. The title is “The Personal Information Protection and Electronic Documents Act: An Annotated Guide.” The authors are a distinguished lot. I know most of them personally, and I am slightly surprised that they managed to finish the book without fisticuffs. In the end, they all pulled together and produced a gem.
Stephanie Perrin is the privacy officer at Zero Knowledge and was formerly on the staff of Industry Canada, a government agency, and was responsible for privacy. Heather Black is a lawyer from the Canadian Department of Justice who was heavily involved in drafting the law. David Flaherty is the former information and privacy commissioner for British Columbia and an internationally recognized scholar and authority on data protection. T. Murray Rankin is a British Columbia lawyer with impressive credentials in privacy and freedom of information law.
The Canadian privacy law, which took effect in large part in January, is an unusual mixture of statute and standard. The Canadian Standards Association had previously reached broad agreement among all sides in Canada for a Model Code for the Protection of Personal Information. The Canadian Parliament incorporated this model code directly into legislation. The legislation literally enacts the code into law, with a few changes. As a result, you cannot understand the law without understanding the code, and vice versa. It takes a while to get into the swing of this type of act.
An interesting and complex feature of the Canadian law is the federal-provincial interplay. In the United States we are used to Congress exercising sweeping powers, sometimes to the complete exclusion of state law. In Canada, federal powers are more limited, and the law had to take into account areas where provincial law prevails. The act remains controversial for this reason.
Don’t be quick to dismiss the Canadian law as irrelevant to U.S. companies. Remember that the European Union has privacy requirements that affect data exports from Europe to the United States. The Canadian law has a similar requirement that applies when data is transferred to a third party for processing. If your Canadian subsidiary sends personal data to the United States, the data must receive a comparable level of protection in the United States.
It appears likely that the European Union will accept the Canadian law as adequate. If so, data exports from the European Union to Canada could be possible without contracts or “safe harbor” protections. Some U.S. companies may find it worthwhile to move data processing to Canada and avoid hassles from the European Union.
The book delivers exactly what it promises. It contains a section-by-section review of the law and the code, with background and explanations. The law is too new for there to be any case law or significant other interpretative materials. Luckily, there could not be a more authoritative guide at this stage. My only complaint is that the index is sparse.
The appendixes contain a wealth of valuable stuff, including the text of the act, the Organization for Economic Cooperation and Development guidelines and the European Union Directive. You also will find a wonderful privacy impact assessment guide and some privacy codes that might serve as models.
I recommend the book enthusiastically. Do not process personal data in Canada without it. Look on the publisher’s Web site at www.irwinlaw.com/home.cfm for more information.
The second resource is entirely different. It is a software tool aimed at anyone responsible for online privacy compliance.
Imagine that you are the privacy officer at your company. You have a corporate set of privacy policies and some legal requirements that specify how cookies are to be used, what information can go to banner ad companies, whether clear GIFs (Web bugs) can be used and general rules for the collection of personal data.
How do you know that your company complies with its own policy? That is not a trivial issue. Even a medium-size company may have a couple of Web sites and a large number of Web pages. Are all sites and pages really complying with company standards? After all, each component may have its own site designers and coders, and not everyone may be properly aware that company policy prohibits persistent cookies.
IDcide has really put its finger on a problem that every Web site faces. The company can be found at idcide.com. See if it will help with your privacy compliance activities. The software is not cheap, but it is a lot cheaper than paying an overpriced accounting firm half a million bucks for a privacy audit.
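As an added illustration of the kind of check such a tool performs (this is example code written for this column, not the column's own material and not IDcide's product), here is a small Python checker that applies a written policy to one Web page: it flags cookies set with Max-Age or Expires (which outlive the browser session), resources loaded from hosts outside the site that are not on an approved banner-ad partner list, and 1x1 third-party images of the clear-GIF kind. The policy values, host names, cookies and HTML are all constructed for the example, and the "same site" test is a deliberate simplification (last two labels of the host name, with no public-suffix list).

```python
"""Check one Web page against a written online-privacy policy (example code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical corporate policy, constructed for this example. The keys and the
# partner host are assumptions, not anything from the column or from IDcide.
POLICY = {
    "allow_persistent_cookies": False,
    "approved_third_party_hosts": {"ads.example-adnet.test"},  # the banner-ad partner
    "allow_web_bugs": False,
}


def _parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def _site(host):
    """Registrable-domain approximation: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def _is_tiny(value):
    """True for a width/height attribute of 1px or less, typical of tracking pixels."""
    text = str(value).strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    try:
        return int(text) <= 1
    except ValueError:
        return False


class _ResourceCollector(HTMLParser):
    """Collect the src URL and attributes of every img, script and iframe tag."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, src, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"], a))


def check_page(page_url, set_cookie_headers, html, policy=POLICY):
    """Return a list of (rule, detail) findings for one page against the policy."""
    page_host = urlparse(page_url).hostname.lower()
    findings = []

    # Rule 1: a Set-Cookie carrying Max-Age or Expires outlives the browser session.
    for header in set_cookie_headers:
        name, _, attrs = _parse_set_cookie(header)
        persistent = "max-age" in attrs or "expires" in attrs
        if persistent and not policy["allow_persistent_cookies"]:
            findings.append(("persistent-cookie", name))

    # Rules 2 and 3: resources fetched from outside the site, and clear GIFs.
    collector = _ResourceCollector()
    collector.feed(html)
    for tag, src, attrs in collector.resources:
        host = (urlparse(src).hostname or page_host).lower()  # relative URL = own host
        third_party = _site(host) != _site(page_host)
        if third_party and host not in policy["approved_third_party_hosts"]:
            findings.append(("unapproved-third-party", host))
        if (tag == "img" and third_party and not policy["allow_web_bugs"]
                and _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))):
            findings.append(("web-bug", src))
    return findings


# Constructed sample response: two Set-Cookie headers and a page body.
SAMPLE_URL = "https://www.example-corp.test/products"
SAMPLE_SET_COOKIE = [
    "sid=a1b2c3; Path=/; Secure; HttpOnly",      # session cookie: allowed
    "visitor=xyz; Max-Age=31536000; Path=/",     # persistent cookie: violates policy
]
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.png" width="200" height="60">
<img src="https://ads.example-adnet.test/banner.gif" width="468" height="60">
<img src="https://track.example-tracker.test/pixel.gif" width="1" height="1">
<script src="https://cdn.example-corp.test/app.js"></script>
<script src="https://stats.example-tracker.test/collect.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for rule, detail in check_page(SAMPLE_URL, SAMPLE_SET_COOKIE, SAMPLE_HTML):
        print(f"{rule}: {detail}")
```

Run against the sample, the checker reports the persistent "visitor" cookie, the two tracker hosts that are not on the approved partner list, and the 1x1 pixel as a Web bug, while the banner from the approved ad partner and the company's own CDN pass. A real deployment would fetch each page of each site and feed the live Set-Cookie headers and body through the same function.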
Use the software to examine your site before the Federal Trade Commission or a European Union data protection authority does – not to mention the trial lawyers.