ABSTRACT: This paper compares the Quebec private sector data protection legislation and the Canadian Standards Association draft data protection code. These documents are examined from the perspective that privacy is an increasingly important issue for Canadians and that unlike the public sector, the private sector has escaped regulation.
RÉSUMÉ: This paper compares Quebec's private sector data protection law and the data protection code proposed by the Canadian Standards Association. These documents are examined from the perspective that respect for privacy is an issue of growing importance for Canadians and that, unlike the public sector, the private sector has escaped regulation.
Data protection is a pressing issue not only because files of personal information are being kept in greater detail and for longer periods of time, but also because the data can be retrieved and compared or matched without delay, regardless of geography. Because of this fact, of all the concerns arising out of the frenzied evolution of information technologies, threats to personal privacy are gaining special prominence. A nationwide survey conducted in 1993 found that 52% of Canadians were "extremely concerned" about invasion of privacy.3 This despite the fact that there is federal legislation embodied in the Privacy Act,4 despite the federal Privacy Commissioner, whose purpose it is to audit data collection, use and disclosure in government, and despite the existence of a number of provincial commissioners with similar mandates. Why, given these safeguards, do Canadians continue to worry about their personal privacy?
Despite the relative successes of federal and provincial commissioners in protecting information on Canadians held by governments, very few data protection guidelines have been developed within the private sector, and no jurisdiction has effective legislation in place, with the exception of Quebec.
Even that part of the private sector that is federally regulated has thwarted attempts to regulate its databanks. When the Standing Committee on Justice and the Solicitor General reviewed the federal Privacy Act in 1987, it recommended that the Act be extended to that part of the private sector that is federally regulated and to the 56 Crown corporations and their 127 subsidiaries.5 Previously, the Progressive Conservative government had declared that both Air Canada and Petro-Canada (in addition to the other Crown corporations), would become subject to the privacy legislation before 1989, but this target was abandoned.6
If there was such reluctance to apply data protection rules to Crown corporations and their subsidiaries, then there was little hope for regulating invasion of privacy by the private sector. Indeed, by 1986, the best the federal government could do was to encourage the private sector to self-regulate its treatment of personal information, based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.7 Canadian companies and organizations were slow to comply with this recommendation, if they were inclined to do so at all. Indeed, one of the few reasons for compliance was as a means of improving public relations. Not surprisingly, this government initiative was largely unsuccessful.
Throughout the 1980s, there were very few factors motivating private organizations to respect personal privacy. However, developments like the release of the EC draft Data Protection Directive in 1990 and a revised draft in late 1992 brought data protection onto the corporate agenda.8 The evidence was becoming clear: Europeans were developing ground rules for transborder data flows, and companies wanting to conduct business in Europe would require adequate data protection regulations to participate. Canadian corporations began to develop voluntary data protection codes, but they balked at government regulation.
One of the underlying issues in this regulation/self-regulation debate is the value of public sector regulation in the absence of private sector data protection. Under the federal Privacy Act it is easy to obtain data from the public sector by means of engaging in work that is contracted out to the private sector by the government. And once personal data can be accessed by the private sector, it is no longer under the control of the Privacy Act. Indeed, as the federal Privacy Commissioner stated in his annual report of 1991-1992,
personal files handed over to private firms get no formal privacy protection unless specific clauses are written into the contracts...almost without exception, the contracts are deficient.9
It is fair to say that the Commissioner has made attempts to rectify this situation, but there is no mechanism in place to know that data protection is written into each contract dealing with personal information. By mid-1993, there were two dominant personal information banks servicing the needs of Canada's private sector: Equifax Credit and Collection Bureau and the Medical Information Bureau.10 Both organizations receive information from public sources for dissemination to the private sector.11 Integral to this issue, of course, is the improved transfer of data between public and private sectors with the development of the so-called "information highway".
The central concern of this article is whether recent proposals by the private sector constitute adequate responses to threats to personal privacy. First, I will explain some of the assumptions about privacy and technology that inhibit regulation of data gathering technologies and the organizations that operate them. In the following section, I will examine Quebec data protection legislation for the private sector and the draft data protection code of the Canadian Standards Association, an attempt at self-regulation. In the third section, I will compare and analyze the personal data protection models presented in both documents.
The right of the individual over that of collective society dominates the American legal conception of privacy. Privacy advocate Alan Westin argues that these values are the "egalitarian democratic balance, in which privacy supporting values of individualism, associational life and civil liberty are under constant pressure from privacy-denying tendencies toward social egalitarianism, personal activism and political fundamentalism."12 The solution following from this definition is to ensure that personal information is considered personal property. In her recent book Who Owns Information? Anne Branscomb articulates and updates this way of thinking about privacy.13
There are problems with this approach. As Agre suggests, the crucial issue is bargaining power: "Establishing property rights in your personal information might actually be a good idea, but it's not nearly sufficient. What's really needed is machinery that establishes parity of bargaining power between individuals and organizations -- the informational equivalent of unions or cooperatives that can bargain as a unit for better terms with large organizations."14
It might be preferable to define privacy as a social value. Privacy should be facilitated by society, not constrained by it. An example of this would be the use of the Office of the federal Privacy Commissioner, where Canadians have an established mechanism to challenge invasions of privacy by the federal government. While there continue to be many constraints on the effectiveness of the Privacy Act, it is fair to say that, at least in relation to the public sector, Canada has made privacy a symbolic priority. As F.D. Schoeman's definition suggests, privacy is "central to social life and not a principle that stands in opposition to it."15
In terms of protecting personal data, Kenneth Laudon's definition of privacy is useful:
Privacy is a value which describes a power relationship between individuals and organizations. This relationship can be seen as a continuum marked on the one side by complete informational moral supremacy of the individual, and on the other by complete supremacy of the organization and its needs for efficiency and survival.16
This definition does not negate the notion of privacy as a social value; privacy can be accommodated by achieving a consensus within a society about limiting the invasive capabilities of the organization. When the organization is in control of personal information there are threats of surveillance, for example, by means of transactional data trails. Over time, organizations can come to predict habits and preferences, thereby developing detailed individual profiles. Neither surveillance nor commodification of personal information is a new development, but advances in information technology have increased the speed of information processing. This is where it is important to understand the different conceptions of technology that inform the privacy debate.
Proponents of self-regulation would argue that some trade-offs, compromising personal privacy, must be accepted. To limit the development of information technology, they argue, would be to reduce data management productivity and limit the progress that could be made toward a society with more conveniences. Technological innovation is construed to be a positive development, and the negative effects can always be remedied by future technological developments.17
In contrast, supporters of data protection regulation -- and individual control over personal information -- would argue that technology is not politically or economically neutral: legislation must protect "soft values", such as personal privacy, from abuse. In this view, "technology is not a destiny but a scene of struggle."18 If the second view is more appealing, it is because there is more room to negotiate the terms of how personal information will be collected, used and disclosed, whereas in the argument based on a neutral understanding of technology there is little room for negotiation.
Prior to the passing of this legislation, self-regulation of the private sector had been characterized as "fragmentary and voluntary"22 and therefore, ultimately inadequate. All sections of this data protection act were based on the OECD guidelines and each took into consideration the principles laid out in the revised EC Directive. With the adoption of the Act in June 1993 and its implementation on January 1, 1994, Quebec has the distinction of having the most progressive privacy legislation in North America.23
Quebec had already been a leader in the area of data protection for over a decade; the province began developing its freedom of information and data protection legislation concurrently with the formulation of the federal legislation. The legislation was a response to both the failure of self-regulation and the advent of the draft EC Directive. Further, privacy advocates in Quebec argued that personal information held by the public sector was no less valuable when transferred to the private sector, as it often was.24 It was not so much an issue of which sector possessed the information, so long as Québécois could be assured of some measure of privacy.
The draft CSA code was based on a loose interpretation of the OECD guidelines. That this code is based on international principles is reflected in the introductory section of the code: one could suggest that the CSA is not drafting the code for the protection of Canadians so much as it is trying to placate governmental organizations representing citizens outside Canada, perhaps the authors of the EC Directive in particular:
Canada is part of a global economy based on the creation, processing and exchange of information. The technology underlying the information economy provides a number of benefits that improve the quality of our lives. This technology also gives rise to concerns about the protection of privacy rights and the individual's right to control use and exchange of personal information.26
These introductory sentences clearly state that Canadian corporations and organizations want to remain competitive in the international information economy. This is a laudable goal as long as the ways in which Canada participates do not compromise basic values such as privacy.
Data collection in the CSA code is defined as "the act of gathering, acquiring or obtaining personal information by any means, including from third parties."30 Explicit in the definition of collection, then, is the intent of collecting information from third parties; if this definition was amended to read "subject to exemptions for personal data protection," it would be more acceptable to privacy advocates. Like the Quebec Act, the CSA code recommends that organizations "document the purposes for which personal information is collected."31 However, there is no recommendation to advise the client, whose information is being used, when the corporation decides to change the use of the information: it is suggested that "organizations using personal information for a new purpose must document this purpose."32 It is small comfort to the individual that, within a file they may not know exists, there is a list of the new uses to which their personal information is being put.
The CSA code also states that "personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous."33 Ostensibly, making personal data anonymous suggests the removal of the individual's name and address, or any other personal identifiers. Ultimately, the CSA should not be encouraging its members to equate the terms "destroyed, erased or made anonymous"; exercising the first two options makes the personal data unavailable, whereas the third option merely recycles the data by changing its form.
Goods, services or employment cannot be refused to the individual for failure to provide the requested information unless: the information is necessary for completion or processing of the contract; the provision of the information is statutory; it is suspected that the request for the goods, services or employment is unlawful. In cases of uncertainty, information is deemed not to be necessary.35
Here, the onus is on the organization to prove why personal information is necessary; clearly, this safeguard is beneficial to citizens of Quebec and of other provinces with which the Quebec private sector does business. Direct marketing firms are required by the Act to offer their clients or employees opt-out options before using their information for marketing purposes. Moreover, the "specific, informed, time-limited and free consent of the individual"36 is required for an organization to use the information beyond the uses noted in the file. This detailed description of the kind of consent required to use the information is a powerful victory for personal privacy protection.
The most critically flawed aspect of the CSA's draft data protection code concerns the notion of consent. Consent is defined as either "express or implied". While there are no ambiguities relating to the definition of express consent, the definition of implied consent is problematic: "implied consent arises where consent may reasonably be inferred from the action or inaction of the individual."37 The invasions of privacy and breaches of personal data protection that could be sanctioned by this definition are central to the flaws of this code. Moreover, section 4.3.3 of the code defines the form of consent according to the corporation's or organization's subjective conception of "sensitive information". It is evident in this revealing, if lengthy, paragraph how the CSA recommends that the private sector could arbitrarily decide what constitutes sensitive information for its clients:
The form of the consent sought by the organization will vary depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information, for example medical records and income, is almost always considered to be sensitive, any information can be sensitive depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers of some special interest magazines might be considered sensitive.38
That this is an inadequate definition of sensitive information is clear in section 4.3.5 where it is recommended that "an organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive."39
Some of the exceptions for failing to seek the consent of the individual are also faulty. For example, in section 4.3.0, the CSA suggests that "organizations that do not have a direct relationship" should not be compelled to seek consent. The example they cite is that "seeking consent may be impractical for a charity or a direct marketing firm that wishes to acquire a mailing list from another organization."40 Because seeking consent may be impractical, it will not be attempted, because "the organization providing the list would be expected to obtain consent before disclosing personal information."
Section 4.2.3 of the code regarding identifying the purposes for which the information will be used is also unclear and therefore inadequate. It is recommended that "where appropriate, the identified purposes should be specified to the individual from whom the personal information is being collected at the time of collection."41 It is difficult to conceive of a situation where it would not be appropriate to indicate the purported use of an individual's personal information upon its collection. To suggest as the code does that legal, medical and security reasons make it "impractical" to obtain an individual's consent allows the organization too much latitude for using personal data without consent.
To the code's credit, it has stipulated that the principle of knowledgeable consent should be upheld42 and "consent must not be obtained through deception."43 Despite this fact, it is unclear how in practice these notions would be reconciled with the previous points.
Confidentiality in the CSA draft data protection code requires educating employees;45 confidentiality, in this sense, means retaining a measure of respect for the clients' personal information. There are also adequate provisions for data security, including restricting office access, implementing security clearances and using encryption.46
The CSA code allows for individuals to "be informed of the existence, use and disclosure" of their information and can "challenge its accuracy."48 However, one of the code's exceptions to access, the restriction for "commercial proprietary reasons", is unnecessarily vague and restrictive; just about any request for personal information could be denied on these grounds by an unenthusiastic data protection representative.
Section 4.9.3 of the code recommends that "when it is not possible to provide a list of the organizations to which it has actually disclosed information about the individual, the organization should provide a list of organizations to which it may have disclosed information about the individual."49 This recommendation is fundamentally inadequate. It is simply efficient data management to have a precise record of the instance where an individual's information is disclosed. The technology that is so effective in transferring these files can undoubtedly be fine tuned to support a tracking system of this nature.
The principle of openness in the CSA code is laudable. However, without changes to the other sections, the recommendations under this principle would offer no substantial privacy protection. Regarding educating the public about the company's personal information policies, section 4.8.2(a-c) suggests that names and numbers for individuals to contact regarding data queries be publicized. Along with brochures to outline general information on data use, the CSA recommends that the corporations and organizations indicate "what personal information is made available to related organizations (e.g. subsidiaries)."50 That separate consent is not required for each company is an oversight in the code.
Fines will be imposed on businesses in the private sector that fail to comply. Also, it is important to note that the "physical individual who heads an offending enterprise or who is personally responsible for the offense is as guilty" as the company or organization.51
The CSA code contains valuable strategies for maintaining data protection accountability within an organization: this is the strongest aspect of the code. It suggests that organizations appoint one or more individuals to implement the policies and practices of the code. Of the four areas clearly outlined, three are of specific interest: "establishing procedures to receive and respond to complaints and inquiries, training staff and communicating to staff information about the organization's policies and practices; and developing information to explain the organization's policies and procedures."52 In other words, the CSA is recommending that the private sector raise awareness both internally and externally about data protection. This is an extremely valuable recommendation.
However, there is no enforcement mechanism in this data protection code. While it is true that the code recommends that the organizations should "investigate all complaints," there is little recourse for the individual if the organization finds the complaint unjustified.53 As it states in section 4.9.6, "when a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge should be recorded by the organization."54 If a challenge is only recorded, it is not adequately resolved. This recommendation would be of little consolation to individuals challenging personal privacy violations.
However, Quebec has a clearly formed and restrictive transborder data flow policy -- so much so that it could be considered a potential non-tariff barrier in Canada. As Colin Bennett has observed,
Could these powers disrupt the free flow of personal information about banking, insurance, hotel reservations, credit and so on? How do these restrictions equate with the proposed elimination of inter-provincial tariff barriers, or with the North American Free Trade Agreement? How does the Quebec Act affect federally-regulated private sector enterprises such as banks?55
These are important questions, but perhaps more interesting is the fact that Canada is the only country in which the scope of privacy protection in one of its member jurisdictions exceeds that of the federal government.56
The CSA addresses data transfers in section 4.1.3 of the code. It states that an organization is "responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing" and that "the organization should use contractual or other means to provide comparable level of protection while the information is being processed by a third party."57 The first part of this section would seem to pertain to the private sector practice of sending labour intensive data-entry work to lesser developed countries. The second, referring to contractual agreements for comparable protection, addresses the issue of transborder data flow with Europe and other nations. Without any guarantees of "comparable data protection", however, this safeguard will undoubtedly be inadequate under the terms of the draft EC Directive.
In contrast, the CSA draft code supports a more individualistic conception of privacy and uses language that suggests that the manner in which technology is developing is inevitable. It conflicts with the data protection environment that has been established in the public sector. More specifically, the introduction to the code suggests that little can be done to protect personal information because Canada wants to be a part of the global information economy. While we can enjoy the conveniences yielded by technological development, concessions must be made for these conveniences. It is suggested that privacy is costly to protect, when in reality it would cost nothing if safeguards were built into the technology at the stage of its design.
While the CSA code supports the informational supremacy of the organization, the Quebec model allows some room to negotiate relations with organizations. There are indications that, despite its inadequacies, the CSA code is being held up as a more workable model. For example, the Information Highway Advisory Council is reviewing the code. As for the threat of the EC draft data protection Directive, the CSA code is remarkably unsuitable, given that it was developed partly in response to the Directive. In contrast, because of its legislation, Quebec will be well positioned to trade with Europe; once the Directive is passed, the Canadian private sector will be scrambling to put effective, enforceable, as well as consistent personal data protection into place. For the sake of Canadians, it can only be hoped that this development will come about sooner rather than later.
Melanie Millar, "Protecting Privacy in Canada: Evaluating Recent Solutions Proposed for and by the Private Sector," Government Information in Canada/Information gouvernementale au Canada, Vol. 2, no. 1.3 (summer 1995).
This article is based on a research paper written for a graduate course in March 1995 and is being incorporated into a M.A. thesis on privacy and data protection in Canada.
Melanie Millar, c/o School of Journalism and Communication, Carleton University, Ottawa, Canada, mmillar@ccs.carleton.ca
[3] Privacy Revealed: The Canadian Privacy Survey, 1993. The major sponsors of this survey were the federal Privacy Commissioner, Equifax Canada, AMEX Bank.
[4] R.S.C. 1985, c. P-21 as amended.
[5] Tom Riley, "Privacy Law Could Extend to Private Companies," Office Equipment & Methods, July/August 1987, p. 59.
[6] "Tories Backtrack on Privacy Issues: Air Canada, Petro-Canada Personal Data Available," Globe & Mail, January 24, 1989, p. A3.
[7] A summary of the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Information, Part One: General is available in Peter Gillis, "The Privacy Act: A Legislative History and Overview," Canadian Human Rights Yearbook (vol. 4) 1987, p. 125.
[8] See "Amended Proposal for a Council Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data," Official Journal of the European Communities 21.11.92, 92/C 311/04, COM (92)422 final - SYN 287 and 288.
[9] Canada, Privacy Commissioner, Annual Report, 1991-1992, p. 76.
[10] René Laperrière, "Protection of Privacy in The Private Sector in Canada and Quebec," a paper based on a presentation at the GRID (Groupe de recherche informatique et droit) seminar on privacy, held in Montreal on April 16, 1993, p. 3.
[11] According to Laperrière, Equifax credit and collection bureau is "a subsidiary of one of the three largest organizations of this type in the United States" and the Medical Information Bureau's parent company is located in Boston, Massachusetts.
[12] Alan Westin, Privacy and Freedom (New York: Atheneum, 1967), p. 27.
[13] Anne Branscomb, Who Owns Information? From Privacy to Public Access (New York: Basic Books, 1994).
[14] P. Agre, "Strange Ideas about Privacy," The Network Observer, (vol. 1, no. 10) October 1994.
[15] F.D. Schoeman, Privacy and Social Freedom, (Cambridge: Cambridge University Press, 1992) p. 137.
[16] Kenneth Laudon, Dossier Society: Value Choices in the Design of National Information Systems, (New York: Columbia University Press, 1986) p. 67.
[17] José Sanmartin, "The New World of New Technology," in Stephen H. Cutliffe et al, eds. New Worlds, New Technologies, New Issues, (Bethlehem: Lehigh University Press, 1992), p. 73.
[18] Andrew Feenberg, Critical Theory of Technology, (New York: Oxford University Press, 1991) p. 14.
[19] Quebec, National Assembly, 34th National Assembly, Second Session, Bill 68: An Act Respecting the Protection of Personal Information in the Private Sector.
[20] Laperrière on the pre-history of Bill 68: "The passage in April 1987 of Bill 20 adding to the Civil Code a chapter on the respect of reputation and privacy (S.Q. 1987, c.18, art. 35 to 41), constituted progress in the recognition of the rights of persons on whom information is collected, and its implementation would have avoided perpetuating two sets of legal rules for personal data, depending on whether they are held by a public or private organization." 1993, p.12.
[21] René Laperrière, "La protection des renseignements personnels dans le secteur privé et la loi québécoise de 1993," Vie privée sous surveillance, 1994, pp. 66-67.
[22] Laperrière, 1993, p.12.
[23] Paul-André Comeau, "Quebec's New Privacy Law Covering Private Sector Operational in 1994," Privacy Laws & Business, December 1993, p. 6.
[24] Paul-André Comeau, "Quebec's New Privacy Law Covering Private Sector Operational in 1994," Privacy Laws & Business, 1993, p. 7.
[25] Privacy and the Canadian Information Highway, Industry Canada discussion paper, (Ottawa: Minister of Supply and Services, 1994), Section 5, "Voluntary Codes and Standards". Also available: http://info.ic.gc.ca/info-highway/privacy/
[26] "Model Code for the Protection of Personal Information," (draft), Canadian Standards Association, CAN/CSA-Q830, December 1994, p. 2.
[27] Article 2: Renseignements personnel: "un renseignement personnel, tout renseignement qui concerne une personne physique et permet de l'identifier." La Loi sur la protection des renseignements personnels dans le secteur privé, L.Q. 1993.
[28] CSA, 1994, p.5, section 2.1.0.
[29] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 3.
[30] CSA, 1994, p.5, section 2.1.0.
[31] CSA, 1994, p.7, section 4.2.1.
[32] CSA, 1994, p.10, section 4.5.1.
[33] CSA, 1994, p.10, section 4.5.3.
[34] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 7.
[35] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 3.
[36] Article 14, Qualité du Consentement: "Le consentement à la communication ou à l'utilisation d'un renseignement personnel doit être manifeste, libre, éclairé et être donné à des fins spécifiques. Ce consentement ne vaut que pour la durée nécessaire à la réalisation des fins pour lesquelles il a été demandé."
[37] CSA, 1994, p.5, section 2.1.0.
[38] CSA, 1994, p.8, section 4.3.3.
[39] CSA, 1994, p.9, section 4.3.5.
[40] CSA, 1994, p.8, section 4.3.0.
[41] CSA, 1994, p.7, section 4.2.3.
[42] CSA, 1994, p.8, section 4.3.2.
[43] CSA, 1994, p.9, section 4.3.4.
[44] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 4.
[45] CSA, 1994, p.11, section 4.7.6.
[46] CSA, 1994, p.11, section 4.7.5.
[47] As stated and discussed in Laperrière, "La Loi sur la protection des renseignements personnels dans le secteur privé: Commentaire et guide d'interprétation," Vie privée sous surveillance, pp. 198-213.
[48] CSA, 1994, p.12, section 4.9.0.
[49] CSA, 1994, p.12, section 4.9.3.
[50] CSA, 1994, p.12, section 4.8.2(e).
[51] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 8.
[52] CSA, 1994, p.7, section 4.1.4.
[53] CSA, 1994, p.13, section 4.10.4.
[54] CSA, 1994, p.13, section 4.9.6.
[55] Colin Bennett, "The Regulation of Personal Data in Canada's Private Sector: How We Have Privacy Law For The BC Turkey Marketing Board But Not For The Direct Marketing Industry," Address to the Conference on Information Policies in the 1990s: The Dawn of Freedom of Information and Privacy Protection in BC, November 29-30, 1993, p. 4.
[56] Richard Maurel, "Quebec's Legislation on Privacy Protection in its Private Sector: Analysis," working paper, (Ottawa: Office of the Privacy Commissioner, 1993) p. 2.
[57] CSA, 1994, p.7, section 4.1.3.
Bennett, Colin. "The Regulation of Personal Data in Canada's Private Sector: How We have Privacy Law for the BC Turkey Marketing Board but do Not for the Direct Marketing Industry," Address to the Conference on Information Policies in the 1990s: The Dawn of Freedom of Information and Privacy Protection in BC, November 29-30, 1993.
Canada. Privacy Commissioner. Annual Report, 1991-1992.
Canada. Privacy Commissioner. Annual Report, 1993-1994.
Canada. Privacy Commissioner. Quebec's Legislation on Privacy Protection in its Private Sector: Analysis. (Working Paper). July 14, 1993.
Canadian Standards Association. Model Code for the Protection of Personal Information [draft]. December, 1994.
Comeau, Paul-André. "Quebec's New Privacy Law Covering Private Sector Operational in 1994," Privacy Laws & Business, December, 1993.
EKOS Research. Privacy Revealed: The Canadian Privacy Survey. 1993.
Feenberg, Andrew. Critical Theory of Technology. New York: Oxford University Press, 1991.
Industry Canada. Privacy and the Canadian Information Highway. (Industry Canada Discussion Paper). Ottawa: Minister of Supply and Services Canada, 1994. Also available: http://info.ic.gc.ca/info-highway/privacy/
Laperrière, René. "Protection of Privacy in the Private Sector in Canada and Quebec," a paper based on a presentation at the GRID (Groupe de recherche informatique et droit) seminar on privacy, held in Montreal on April 16, 1993.
Laperrière, René. "La protection des renseignements personnels dans le secteur privé et la loi québécoise de 1993," in Vie privée sous surveillance. 1994.
Laudon, Kenneth. Dossier Society: Value Choices in the Design of National Information Systems. New York: Columbia University Press, 1986.
Riley, Tom. "Privacy Law Could Extend to Private Companies," Office Equipment & Methods, July/August 1987.
Sanmartin, José. "The New World of New Technology," in New Worlds, New Technologies, New Issues. Bethlehem: Lehigh University Press, 1992.
Schoeman, F.D. Privacy and Social Freedom. Cambridge University Press, 1992.
"Tories Backtrack on Privacy Issues: Air Canada, Petro-Canada Personal Data Available," Globe & Mail, January 24, 1989, p. A3.
Westin, Alan. Privacy and Freedom. New York: Atheneum, 1967.