Government Information in Canada/Information gouvernementale au Canada, Volume 2, number/numéro 1 (summer/été 1995)

Protecting Privacy in Canada: Evaluating Recent Solutions Proposed for and by the Private Sector 1

Melanie Millar 2

© 1995 Melanie Millar

ABSTRACT: This paper compares the Quebec private sector data protection legislation and the Canadian Standards Association draft data protection code. These documents are examined from the perspective that privacy is an increasingly important issue for Canadians and that unlike the public sector, the private sector has escaped regulation.

RÉSUMÉ: Ce travail compare la loi sur la protection des données du secteur privé au Québec et le code de protection des données proposé par l'Association canadienne de normalisation. Ces documents sont examinés à partir du point de vue que le respect de la vie privée est un sujet d'importance croissante pour les Canadiens et que contrairement au secteur public, le secteur privé a échappé à la réglementation.

Data protection is a pressing issue not only because files of personal information are being kept in greater detail and for longer periods of time, but also because the data can be retrieved and compared or matched without delay, regardless of geography. Because of this fact, of all the concerns arising out of the frenzied evolution of information technologies, threats to personal privacy are gaining special prominence. A nationwide survey conducted in 1993 found that 52% of Canadians were "extremely concerned" about invasion of privacy.3 This despite the fact that there is federal legislation embodied in the Privacy Act4 , despite the federal Privacy Commissioner, whose purpose it is to audit data collection, use and disclosure in government, and despite the existence of a number of provincial commissioners with similar mandates. Why, given these safeguards, do Canadians continue to worry about their personal privacy?

Despite the relative successes of federal and provincial commissioners to protect information on Canadians held by governments, very few data protection guidelines have been developed within the private sector, and no jurisdiction has effective legislation in place, with the exception of Quebec.

Even that part of the private sector that is federally regulated has thwarted attempts to regulate its databanks. When the Standing Committee on Justice and the Solicitor General reviewed the federal Privacy Act in 1987, it recommended that the Act be extended to that part of the private sector that is federally regulated and to the 56 Crown corporations and their 127 subsidiaries.5 Previously, the Progressive Conservative government had declared that both Air Canada and Petro-Canada (in addition to the other Crown corporations), would become subject to the privacy legislation before 1989, but this target was abandoned.6

If there was such reluctance to apply data protection rules to Crown corporations and their subsidiaries, then there was little hope for regulating invasion of privacy by the private sector. Indeed, by 1986, the best the federal government could do was to encourage the private sector to self-regulate their treatment of personal information, based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.7 Canadian companies and organizations were slow to comply with this recommendation, if they were inclined to do so at all. Indeed, one of the few reasons for compliance was as a means of improving public relations. Not surprisingly, this government initiative was largely unsuccessful.

Throughout the 1980s, there were very few factors motivating private organizations to respect personal privacy. However, developments like the release of the EC draft Data Protection Directive in 1990 and a revised draft in late 1992 brought data protection onto the corporate agenda.8 The evidence was becoming clear: Europeans were developing ground rules for transborder data flows, and companies wanting to conduct business in Europe would require adequate data protection regulations to participate. Canadian corporations began to develop voluntary data protection codes, but they balked at government regulation.

One of the underlying issues in this regulation/self-regulation debate is the value of public sector regulation in the absence of private sector data protection. Under the federal Privacy Act it is easy to obtain data from the public sector by means of engaging in work that is contracted out to the private sector by the government. And once personal data can be accessed by the private sector, it is no longer under the control of the Privacy Act. Indeed, as the federal Privacy Commissioner stated in his annual report of 1991-1992,

personal files handed over to private firms get no formal privacy protection unless specific clauses are written into the contracts...almost without exception, the contracts are deficient.9
It is fair to say that the Commissioner has made attempts to rectify this situation, but there is no mechanism in place to know that data protection is written into each contract dealing with personal information. By mid-1993, there were two dominant personal information banks servicing the needs of Canada's private sector: Equifax Credit and Collection Bureau and the Medical Information Bureau.10 Both organizations receive information from public sources for dissemination to the private sector.11 Integral to this issue, of course, is the improved transfer of data between public and private sectors with the development of the so-called "information highway".

The central concern of this article is whether recent proposals by the private sector constitute adequate responses to threats to personal privacy. First, I will explain some of the assumptions about privacy and technology that inhibit regulation of data gathering technologies and the organizations that operate them. In the following section, I will examine Quebec data protection legislation for the private sector and the draft data protection code of the Canadian Standards Association, an attempt at self-regulation. In the third section, I will compare and analyze the personal data protection models presented in both documents.

Conceptions of Privacy and Technology

Different understandings of privacy and technology are integral to the personal data protection debate, and explain much about the ways in which guidelines and legislation are formed. There are many definitions of privacy, and it is not possible to discuss each of them here. What is most important is the distinction between individual and collective conceptions of privacy. More specifically, some people conceive of privacy as an individual right and others perceive it as a social value.

The right of the individual over that of collective society dominates the American legal conception of privacy. Privacy advocate Alan Westin argues that these values are the "egalitarian democratic balance, in which privacy supporting values of individualism, associational life and civil liberty are under constant pressure from privacy-denying tendencies toward social egalitarianism, personal activism and political fundamentalism."12 The solution following from this definition is to ensure that personal information is considered personal property. In her recent book Who Owns Information? Anne Branscomb articulates and updates this way of thinking about privacy.13

There are problems with this approach. As Agre suggests, the crucial issue is bargaining power: "Establishing property rights in your personal information might actually be a good idea, but it's not nearly sufficient. What's really needed is machinery that establishes parity of bargaining power between individuals and organizations -- the informational equivalent of unions or cooperatives that can bargain as a unit for better terms with large organizations."14

It might be preferable to define privacy as a social value. Privacy should be facilitated by society, not constrained by it. An example of this would be the use of the Office of the federal Privacy Commissioner, where Canadians have an established mechanism to challenge invasions of privacy by the federal government. While there continue to be many constraints on the effectiveness of the Privacy Act, it is fair to say that, at least in relation to the public sector, Canada has made privacy a symbolic priority. As F.D. Shoeman's definition suggests, privacy is "central to social life and not a principle that stands in opposition to it."15

In terms of protecting personal data, Kenneth Laudon's definition of privacy is useful:

Privacy is a value which describes a power relationship between individuals and organizations. This relationship can be seen as a continuum marked on the one side by complete informational moral supremacy of the individual, and on the other by complete supremacy of the organization and its needs for efficiency and survival.16
This definition does not negate the notion of privacy as a social value; privacy can be accommodated by achieving a consensus within a society about limiting the invasive capabilities of the organization. When the organization is in control of personal information there are threats of surveillance, for example, by means of transactional data trails. Over time, organizations can come to predict habits and preferences, thereby developing detailed individual profiles. Neither surveillance nor commodification of personal information are new developments, but advances in information technology have increased the speed of information processing. This is where it is important to understand the different conceptions of technology that inform the privacy debate.

Proponents of self-regulation would argue that some trade-offs, compromising personal privacy, must be accepted. To limit the development of information technology, they argue, would be to reduce data management productivity and limit the progress that could be made toward a society with more conveniences. Technological innovation is construed to be a positive development, and the negative effects can always be remedied by future technological developments.17

In contrast, supporters of data protection regulation -- and individual control over personal information -- would argue that technology is not politically or economically neutral: legislation must protect "soft values", such as personal privacy from abuse. In this view, "technology is not a destiny but a scene of struggle."18 If the second view is more appealing, it is because there is more room to negotiate the terms of how personal information will be collected, used and disclosed, whereas in the argument based on a neutral understanding of technology there is little room for negotiation.

Developing Private Sector Data Protection

The Quebec private sector legislation and the CSA draft code are prime examples of different poles in this regulation/self-regulation debate in Canada. Admittedly, the first is already legislation and the second is only a draft code; however, both were developed to reflect the principles of the OECD guidelines. By contrasting these two, divergent approaches to data protection, the central problems of the issue are highlighted, especially with regard to individual control over personal information.

The Quebec Private Sector Data Protection Legislation

On December 16, 1992 the Quebec Minister of Communications, Mr. Laurence Cannon, introduced Bill 68: An Act Respecting the Protection of Personal Information in the Private Sector.19 This legislation was developed as a means of implementing articles 35 to 41 of the new Civil Code.20 Not surprisingly, many Quebec businesses and business associations strongly opposed this legislation. Professional associations lobbied for exemptions, based on the argument that their practices were already highly regulated.21

Prior to the passing of this legislation, self-regulation of the private sector had been characterized as "fragmentary and voluntary"22 and therefore, ultimately inadequate. All sections of this data protection act were based on the OECD guidelines and each took into consideration the principles laid out in the revised EC Directive. With the adoption of the Act in June 1993 and its implementation on January 1, 1994, Quebec has the distinction of having the most progressive privacy legislation in North America.23

Quebec had already been a leader in the area of data protection for over a decade; the province began developing its freedom of information and data protection legislation concurrently with the formulation of the federal legislation. The legislation was a response to both the failure of self-regulation and the advent of the draft EC Directive. Further, privacy advocates in Quebec argued that personal information held by the public sector was no less valuable when transferred to the private sector, as it often was.24 It was not so much an issue of which sector possessed the information, so long as Québécois could be assured of some measure of privacy.

The Canadian Standards Association Draft Data Protection Code

In the fall of 1990, the Canadian Standards Association (CSA) began consultations to develop a national standard for privacy protection. The goal was to include personal data protection in the International Organization for Standardization's quality management standards (ISO 9000 series).25 The CSA received comments on its draft code, released December 15, 1994, until February 28, 1995. Chaired by D. McKendry of the firm Price Waterhouse, there is wide representation on the code's technical committee, including members of government departments, both Ontario and federal Privacy Commissions, academia, public advocacy groups, unions and associations representing the interests of the private sector. Despite the variety of representation and perhaps due to the strength of the business presence, the proposed code is weakly formulated. If the current text of this code is adopted, it will be little consolation to privacy advocates.

The draft CSA code was based on a loose interpretation of the OECD guidelines. That this code is based on international principles is reflected in the introductory section of the code: one could suggest that the CSA is not drafting the code for the protection of Canadians so much as it is trying to placate governmental organizations representing citizens outside Canada, perhaps the authors of the EC Directive in particular:

Canada is part of a global economy based on the creation, processing and exchange of information. The technology underlying the information economy provides a number of benefits that improve the quality of our lives. This technology also gives rise to concerns about the protection of privacy rights and the individual's right to control use and exchange of personal information.26
These introductory sentences clearly state that Canadian corporations and organizations want to remain competitive in the international information economy. This is a laudable goal as long as the ways in which Canada participates do not compromise basic values such as privacy.

Some Points of Comparison

Definition of Personal Information

Personal information is defined in section 2 of the Quebec legislation as any list of names and particulars drawn either from material already gathered or from individuals themselves.27 There are no restrictions on the format in which the personal data may be stored: it can be written, graphic, taped, filmed or computerized. Similarly, the CSA code defines personal information as "information about an identifiable individual that is recorded in any form."28

Creation and Management of Files

Sections 4 to 9 of the Quebec Act include specific requirements to indicate on personal files the purpose of the collection as well as the names of those who view and use the data.29 This is a useful strategy for increasing the accountability of data managers in the private sector. One drawback of the Quebec Act, however, is the imprecision of the phrase "serious and legitimate" reason for the creation of a personal information file. Undoubtedly, this vague statement could lead to a wider interpretation of the file creation clause than would be desirable for protection of privacy.

Data collection in the CSA code is defined as "the act of gathering, acquiring or obtaining personal information by any means, including from third parties."30 Explicit in the definition of collection, then, is the intent of collecting information from third parties; if this definition was amended to read "subject to exemptions for personal data protection," it would be more acceptable to privacy advocates. Like the Quebec Act, the CSA code recommends that organizations "document the purposes for which personal information is collected."31 However, there is no recommendation to advise the client, whose information is being used, when the corporation decides to change the use of the information: it is suggested that "organizations using personal information for a new purpose must document this purpose."32 It is small comfort to the individual that, within a file they may not know exists, there is a list of the new uses to which their personal information is being put.

The CSA code also states that "personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous."33 Ostensibly, making personal data anonymous suggests the removal of the individual's name and address, or any other personal identifiers. Ultimately, the CSA should not be encouraging its members to equate the terms "destroyed, erased or make anonymous;" exercising the first two options makes the personal data unavailable, whereas the third options merely recycles the data by changing its form.


The Quebec legislation upholds the principle of ownership of personal information in its data collection provision. Sections 70 to 79 concern personal information brokers. All brokers must be registered with the Commission and must provide information on fees and a list of all the broker's locations province-wide. In addition, according to Maurel, "brokers must establish and enforce rules ensuring that their information is accurate and up-to-date." Quebec addressed the issue of information as personal property by stating that the "take it or leave it" attitude of organizations cannot be inflicted. As Richard Maurel, of the office of federal Privacy Commissioner, has pointed out:

Goods, services or employment cannot be refused to the individual for failure to provide the requested information unless: the information is necessary for completion or processing of the contract; the provision of the information is statutory; it is suspected that the request for the goods, services or employment is unlawful. In cases of uncertainty, information is deemed not to be necessary.35
Here, the onus is on the organization to prove why personal information is necessary; clearly, this safeguard is beneficial to citizens of Quebec and of other provinces with which the Quebec private sector does business. Direct marketing firms are required by the Act to offer their clients or employees opt-out options before using their information for marketing purposes. Moreover, the "specific, informed, time-limited and free consent of the individual"36 is required for an organization to use the information beyond the uses noted in the file. This detailed description of the kind of consent required to use the information is a powerful victory for personal privacy protection.

The most critically flawed aspect of the CSA's draft data protection code concerns the notion of consent. Consent is defined as either "express or implied". While there are no ambiguities relating to the definition of express consent, the definition of implied consent is problematic: "implied consent arises where consent may reasonably be inferred from the action or inaction of the individual."37 The invasions of privacy and breaches of personal data protection that could be sanctioned by this definition are central to the flaws of this code. Moreover, section 4.3.3 of the code defines the form of consent according to the corporation's or organization's subjective conception of "sensitive information". It is evident in this revealing, if lengthy, paragraph how the CSA recommends that the private sector could arbitrarily decide what constitutes sensitive information for its clients:

The form of the consent sought by the organization will vary depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information, for example medical records and income, is almost always considered to be sensitive, any information can be sensitive depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers of some special interest magazines might be considered sensitive.38
That this is an inadequate definition of sensitive information is clear in section 4.3.5 where it is recommended that "an organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive."39

Some of the exceptions for failing to seek the consent of the individual are also faulty. For example, in section 4.3.0, the CSA suggests that "organizations that do not have a direct relationship" should not be compelled to seek consent. The example they cite is that "seeking consent may be impractical for a charity or a direct marketing firm that wishes to acquire a mailing list from another organization."40 Because seeking consent may be impractical, it will not be attempted, because "the organization providing the list would be expected to obtain consent before disclosing personal information."

Section 4.2.3 of the code regarding identifying the purposes for which the information will be used is also unclear and therefore inadequate. It is recommended that "where appropriate, the identified purposes should be specified to the individual from whom the personal information is being collected at the time of collection."41 It is difficult to conceive of a situation where it would not be appropriate to indicate the purported use of an individual's personal information upon its collection. To suggest as the code does that legal, medical and security reasons make it "impractical" to obtain an individual's consent allows the organization too much latitude for using personal data without consent.

To the code's credit, it has stipulated that the principle of knowledgeable consent should be upheld42 and "consent must not be obtained through deception."43 Despite this fact, it is unclear how in practice these notions would be reconciled with the previous points.


There are explicit data protection requirements for Quebec enterprises that give data to persons outside Quebec: the corporation that is releasing the information must verify that the data is used only within the legal context of the Quebec Act and ensure that, as Maurel points out, "that if the information is a marketing or philanthropic soliciting list, that the individuals are given a suitable opt-out and deletion option."44

Confidentiality in the CSA draft data protection code requires educating employees;45 confidentiality, in this sense, means retaining a measure of respect for the clients' personal information. There are also adequate provisions for data security, including restricting office access, implementing security clearances and using encryption.46

Access to Personal Information

Sections 27 to 41 of the Quebec Act outline the procedure for accessing personal information. Individuals can request and gain access to their personal information contained in private sector databanks and correct misleading or incorrect information.47

The CSA code allows for individuals to "be informed of the existence, use and disclosure" of their information and can "challenge its accuracy."48 However, one of the code's exceptions to access, the restriction for "commercial proprietary reasons", is unnecessarily vague and restrictive; just about any request for personal information could be denied on these grounds by an unenthusiastic data protection representative.

Section 4.9.3 of the code recommends that "when it is not possible to provide a list of the organizations to which it has actually disclosed information about the individual, the organization should provide a list of organizations to which it may have disclosed information about the individual."49 This recommendation is fundamentally inadequate. It is simply efficient data management to have a precise record of the instance where an individual's information is disclosed. The technology that is so effective in transferring these files can undoubtedly be fine tuned to support a tracking system of this nature.

The principle of openness in the CSA code is laudable. However, without changes to the other sections, the recommendations under this principle would offer no substantial privacy protection. Regarding educating the public about the company's personal information policies, section 4.8.2(a-c) suggests that names and numbers for individuals to contact regarding data queries be publicized. Along with brochures to outline general information on data use, the CSA recommends that the corporations and organizations indicate "what personal information is made available to related organizations (e.g. subsidiaries)."50 That separate consent is not required for each company is an oversight in the code.

Implementation and Enforcement Provisions

The Quebec Act will be implemented and enforced by the Commission in charge of public sector data protection. It might be more effective if another body could be developed to fulfil these tasks because the Commission is already overextended. However, if data protection becomes a higher priority with the Quebec government -- and it might given the increasing importance of information trade and transborder data flows -- perhaps a separate mediating and enforcing body will be created at some time in the future. Currently, however, when receiving complaints, the Commission will first designate a mediator to seek a resolution. In the case of further disagreements, the Commission has the power to render a binding decision. This decision, in turn, may be subject to an appeal to the Court of Quebec. The Commission must report every five years on the application of the Act, and at this point the recommended amendments can be made.

Fines will be imposed on businesses in the private sector that fail to comply. Also, it is important to note that the "physical individual who heads an offending enterprise or who is personally responsible for the offense is as guilty" as the company or organization.51

The CSA code contains valuable strategies for maintaining data protection accountability within an organization: this is the strongest aspect of the code. It suggests that organizations appoint one or more individuals to implement the policies and practices of the code. Of the four areas clearly outlined, three are of specific interest: "establishing procedures to receive and respond to complaints and inquiries, training staff and communicating to staff information about the organization's policies and practices; and developing information to explain the organization's policies and procedures."52 In other words, the CSA is recommending that the private sector raise awareness both internally and externally about data protection. This is an extremely valuable recommendation.

However, there is no enforcement mechanism in this data protection code. While it is true that the code recommends that the organizations should "investigate all complaints," there is little recourse for the individual if the organization finds the complaint unjustified.53 As it states in section 4.9.6, "when a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenged should be recorded by the organization."54 If a challenge is only recorded, it is not adequately resolved. This recommendation would be of little consolation to individuals challenging personal privacy violations.

Transborder Data Flow Provisions

It is highly probable that the Quebec data protection legislation will comply with the requirements of the EC Directive. The one point of contention might be that there is no limitation on the collection or disclosure of sensitive information in the Quebec legislation and the Directive specifically requires protection of this kind of information.

However, Quebec has a clearly formed and restrictive transborder data flow policy -- so much so that it could be considered a potential non-tariff barrier in Canada. As Colin Bennett has observed,

Could these powers disrupt the free flow of personal information about banking, insurance, hotel reservations, credit and so on? How do these restrictions equate with the proposed elimination of inter-provincial tariff barriers, or with the North American Free Trade Agreement? How does the Quebec Act affect federally-regulated private sector enterprises such as banks?55
These are important questions, but perhaps more interesting is the fact that Canada is the only country in which the scope of privacy protection in one of its member jurisdictions exceeds that of the federal government.56

The CSA addresses data transfers in section 4.1.3 of the code. It states that an organization is "responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing" and that "the organization should use contractual or other means to provide comparable level of protection while the information is being processed by a third party."57 The first part of this section would seem to pertain to the private sector practice of sending labour intensive data-entry work to lesser developed countries. The second, referring to contractual agreements for comparable protection, addresses the issue of transborder data flow with Europe and other nations. Without any guarantees of "comparable data protection", however, this safeguard will undoubtedly be inadequate under the terms of the draft EC Directive.


Legislation that provides for protection of private information held by governments has contributed to the shape of the data protection environment in Canada. The private sector needs to begin working within this environment. Recalling the opposing arguments of the privacy debate, one can say that Quebec's legislation reflects a more sincere attempt to protect personal privacy. Moreover, this legislation establishes reference points for personal privacy within Quebec as a society, if not Canada as a whole. The developers of this legislation did not fall prey to a neutral view of technology.

In contrast, the CSA draft code supports a more individualistic conception of privacy and uses language that suggests that the manner in which technology is developing is inevitable. It conflicts with the data protection environment that has been established in the public sector. More specifically, the introduction to the code suggests that little can be done to protect personal information because Canada wants to be a part of the global information economy. While we can enjoy the conveniences yielded by technological development, concessions must be made for these conveniences. It is suggested that privacy is costly to protect, when in reality it would cost nothing if safeguards were built into the technology at the stage of its design.

While the CSA code supports the informational supremacy of the organization, the Quebec model allows some room to negotiate relations with organizations. There are indications that, despite its inadequacies, the CSA code is being held up as a more workable model. For example, the Information Highway Advisory Council is reviewing the code. As for the threat of the EC draft data protection Directive, the CSA code is remarkably unsuitable, given that it was developed partly in response to the Directive. In contrast, because of its legislation, Quebec will be well positioned to trade with Europe; once the Directive is passed, the Canadian private sector will be scrambling to put effective, enforceable, as well as consistent personal data protection into place. For the sake of Canadians, it can only be hoped that this development will come about sooner rather than later.


[1] May be cited as/On peut citer comme suit:

Melanie Millar, "Protecting Privacy in Canada: Evaluating Recent Solutions Proposed for and by the Private Sector," Government Information in Canada/Information gouvernementale au Canada, Vol. 2, no. 1.3 (summer 1995).

This article is based on a research paper written for a graduate course in March 1995 and is being incorporated into a M.A. thesis on privacy and data protection in Canada.


Melanie Millar
c/o School of Journalism and Communication
Carleton University
Ottawa, Canada
[3] Privacy Revealed: The Canadian Privacy Survey, 1993. The major sponsors of this survey were the federal Privacy Commissioner, Equifax Canada, AMEX Bank.

[4] R.S.C. 1985, c. P-21 as amended.

[5] Tom Riley, "Privacy Law Could Extend to Private Companies," Office Equipment & Methods, July/August 1987, p. 59.

[6] "Tories Backtrack on Privacy Issues: Air Canada, Petro-Canada Personal Data Available," Globe & Mail, January 24, 1989, p. A3.

[7] A summary of the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Information, Part One: General is available in Peter Gillis, "The Privacy Act: A Legislative History and Overview," Canadian Human Rights Yearbook (vol. 4) 1987, p. 125.

[8] See "Amended Proposal for a Council Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data," Official Journal of the European Communities 21.11.92, 92/C 311/04, COM (92)422 final - SYN 287 and 288.

[9] Canada, Privacy Commissioner, Annual Report, 1991-1992, p. 76.

[10] René Laperrière,"Protection of Privacy in The Private Sector in Canada and Quebec," a paper based on a presentation at the GRID (Groupe de recherche informatique et droit) seminar on privacy, held in Montreal on April 16, 1993, p. 3.

[11] According to Laperrière, Equifax credit and collection bureau is "a subsidiary of one of the three largest organizations of this type in the United States" and the Medical Information Bureau's parent company is located in Boston, Massachusetts.

[12] Alan Westin, Privacy and Freedom (New York: Atheneum, 1967), p 27.

[13] Anne Branscomb, Who Owns Information? From Privacy to Public Access (New York: Basic Books, 1994).

[14] P. Agre, "Strange Ideas about Privacy," The Network Observer, (vol. 1, no. 10) October 1994.

[15] F.D. Schoeman, Privacy and Social Freedom, (Cambridge: Cambridge University Press, 1992) p. 137.

[16] Kenneth Laudon, Dossier Society: Value Choices in the Design of National Information Systems, (New York: Columbia University Press, 1986) p. 67.

[17] José Sanmartin, "The New World of New Technology," in Stephen H. Cutliffe et al, eds. New Worlds, New Technologies, New Issues, (Bethlehem: Lehigh University Press, 1992), p. 73.

[18] Andrew Feenberg, Critical Theory of Technology, (New York: Oxford University Press, 1991) p. 14.

[19] Quebec, National Assembly, 34th National Assembly, Second Session, Bill 68: An Act Respecting the Protection of Personal Information in the Private Sector.

[20] Laperrière on the pre-history of Bill 68: "The passage in April 1987 of Bill 20 adding to the Civil Code a chapter on the respect of reputation and privacy (S.Q. 1987, c.18, art. 35 to 41), constituted progress in the recognition of the rights of persons on whom information is collected, and its implementation would have avoided perpetuating two sets of legal rules for personal data, depending on whether they are held by a public or private organization." 1993, p.12.

[21] René Laperrière, "La protection des renseignements personnels dans le secteur priveé et la loi québécoise de 1993," Vie privée sous surveillance, 1994, pp. 66-67.

[22] Laperrière, 1993, p.12.

[23] Paul-André Comeau, "Quebec's New Privacy Law Covering Private Sector Operational in 1994," Privacy Laws & Business, December 1993, p. 6.

[24] Paul-André Comeau, "Quebec's New Privacy Law Covering Private Sector Operational in 1994," Privacy Laws & Business, 1993, p. 7.

[25] Privacy and the Canadian Information Highway, Industry Canada discussion paper, (Ottawa: Minister of Supply and Services, 1994), Section 5, "Voluntary Codes and Standards".

Also available:

[26] "Model Code for the Protection of Personal Information," (draft), Canadian Standards Association, CAN/CSA-Q830, December 1994, p. 2.

[27] Article 2: Renseignements personnel: "un renseignement personnel, tout renseignement qui concerne une personne physique et permet de l'identifier." La Loi sur la protection des renseignements personnels dans le secteur privé, L.Q. 1993.

[28] CSA, 1994, p.5, section 2.1.0.

[29] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 3.

[30] CSA, 1994, p.5, section 2.1.0.

[31] CSA, 1994, p.7, section 4.2.1.

[32] CSA, 1994, p.10, section 4.5.1.

[33] CSA, 1994, p.10, section 4.5.3.

[34] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 7.

[35] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 3.

[36] Article 14, Qualité du Consentement: "Le consentement à la communication ou à l'utilisation d'un renseignement personnel doit être manifeste, libre, éclaire et être donné à des fins spécifiques. Ce consentement ne vaut que pour la durée necessaire à la réalisation des fins pour lesquelles il a été demandé."

[37] CSA, 1994, p.5, section 2.1.0.

[38] CSA, 1994, p.8, section 4.3.3.

[39] CSA, 1994, p.9, section 4.3.5.

[40] CSA, 1994, p.8, section 4.3.0.

[41] CSA, 1994, p.7, section 4.2.3.

[42] CSA, 1994, p.8, section 4.3.2.

[43] CSA, 1994, p.9, section 4.3.4.

[44] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 4.

[45] CSA, 1994, p.11, section 4.7.6.

[46] CSA, 1994, p.11, section 4.7.5.

[47] As stated and discussed in Laperrière, "La Loi sur la protection des renseignements personnelles dans le secteur privé: Commentaire et guide d'interprétation," Vie privée sous surveillance, pp. 198-213.

[48] CSA, 1994, p.12, section 4.9.0.

[49] CSA, 1994, p.12, section 4.9.3.

[50] CSA, 1994, p.12, section 4.8.2(e).

[51] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 8.

[52] CSA, 1994, p.7, section 4.1.4.

[53] CSA, 1994, p.13, section 4.10.4.

[54] CSA, 1994, p.13, section 4.9.6.

[55] Colin Bennett, "The Regulation of Personal Data in Canada's Private Sector: How We Have Privacy Law For The BC Turkey Marketing Board But Not For The Direct Marketing Industry," Address to the Conference on Information Policies in the 1990s: The Dawn of Freedom of Information and Privacy Protection in BC, November 29-30, 1993, p. 4.

[56] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 2.

[57] CSA, 1994, p.7, section 4.1.3.


Agre, P. "Strange Ideas about Privacy," The Network Observer, vol. 1, no. 10 (October 1994).

Bennett, Colin. "The Regulation of Personal Data in Canada's Private Sector: How We have Privacy Law for the BC Turkey Marketing Board but do Not for the Direct Marketing Industry," Address to the Conference on Information Policies in the 1990s: The Dawn of Freedom of Information and Privacy Protection in BC, November 29-30, 1993.

Canada. Privacy Commissioner. Annual Report, 1991-1992.

Canada. Privacy Commissioner. Annual Report, 1993-1994.

Canada. Privacy Commissioner. Quebec's Legislation on Privacy Protection in its Private Sector: Analysis. (Working Paper). July 14, 1993.

Canadian Standards Association. Model Code for the Protection of Personal Information [draft]. December, 1994.

Comeau, Paul-André. "Quebec's New Privacy Law Covering Private Sector Operational in 1994," Privacy Laws & Business, December, 1993.

EKOS Research. Privacy Revealed: The Canadian Privacy Survey. 1993.

Feenberg, Andrew. Critical Theory of Technology. New York: Oxford University Press, 1991.

Industry Canada. Privacy and the Canadian Information Highway. (Industry Canada Discussion Paper). Ottawa: Minister of Supply and Services Canada, 1994. Also available:

Laperrière, René. "Protection of Privacy in the Private Sector in Canada and Quebec," a paper based on a presentation at the GRID (Groupe de recherche informatique et droit) seminar on privacy, held in Montreal on April 16, 1993.

Laperrière, René. "La protection des renseignements personnels dans le secteur privée et la loi québecoise de 1993," in Vie privée sous surveillance. 1994.

Laudon, Kenneth. Dossier Society: Value Choices in the Design of National Information Systems. New York: Columbia University Press, 1986.

Riley, Tom. "Privacy Law Could Extend to Private Companies," Office Equipment & Methods, July/August 1987.

Sanmartin, José. "The New World of New Technology," in New Worlds, New Technologies, New Issues. Bethlehem: Lehigh University Press, 1992.

Shoeman, F.D. Privacy and Social Freedom. Cambridge University Press, 1992.

"Tories Backtrack on Privacy Issues: Air Canada, Petro-Canada Personal Data Available," Globe & Mail, January 24, 1989, p. A3.

Westin, Alan. Privacy and Freedom. New York: Atheneum, 1967.

Home page/Page d'accueil

Letters to the Editor / Lettres au rédacteur en chef