Developments in new technologies have perhaps inadvertently facilitated the invasion of personal privacy. The conflict between technological advances and privacy protection concerns has resulted in a number of responses worldwide. There are three main models for privacy protection: the co-regulatory model, comprehensive model and the sectoral approach. Depending on how they are applied, they can be complementary or contradictory. Countries that most effectively protect privacy apply strategies and components from all three models simultaneously.
Certain countries prefer to create specific sectoral laws on privacy protection which apply to some, but not all, industries. The sectoral approach is based on a combination of legislation, regulation and self-regulation.
Self-regulation refers to companies and industry associations which establish codes of practice and implement self-policing techniques. This policy is currently promoted by the governments in the United States, Singapore and Japan. For the most part, the self-regulatory approach is rarely effective, due to the inadequacy of requirements and lack of enforcement.
An example of the sectoral approach can be found in the United States’ model of privacy protection, in which data protection legislation is adopted on a needs basis, when specific sectors and circumstances require. For instance, the following Acts were passed at different times, in different sectors to reinforce privacy rights in the US:
- Fair Credit Reporting Act (1970)
- Video Privacy Protection Act (1988)
- Cable Television Consumer Protection and Competition Act (1992)
A significant disadvantage of the sectoral approach is that new legislation is required each time new technology is introduced, so the scope of protection is often inadequate. Another challenge is the lack of an oversight agency. While the Privacy Act (1974) governs personal data stored in government computers, crucial areas such as financial records, medical records and Internet usage remain unprotected.
Many countries choose to implement sectoral legislation in addition to a more comprehensive approach. In this way, governments are able to provide more specific and detailed protections for certain types of personal information.
The comprehensive model refers to a general law governing the collection, use and dissemination of personal information by the public as well as the private sector. It is characterized by an oversight body, which ensures compliance with the legislation.
There is a distinct trend towards the enactment of comprehensive data protection acts worldwide. Over 40 countries and jurisdictions currently have or are in the process of adopting comprehensive data protection laws which regulate the collection and management of personal information by both the government and private sector.
There are three key reasons for the movement towards the comprehensive model of privacy protection:
1. Remedy past injustices
   - Countries in Central Europe and South America look to comprehensive privacy laws in order to provide redress for privacy violations that may have occurred under past authoritarian regimes.
2. Promote e-commerce
   - Comprehensive laws recognize that consumers are uncomfortable with sharing personal data over computer networks.
   - Comprehensive privacy laws can facilitate e-commerce by establishing a uniform set of rules and regulations.
3. Ensure consistency
   - Most countries, including Canada and countries in South America, are adopting laws that reflect those set out in the European Union Data Protection Directive to prevent difficulties in trade.
The comprehensive model is favored by the EU to secure compliance with its Data Protection Directive. The Directive insists on increased privacy protections and more consistent privacy legislation throughout EU member states. It also sets out a requirement for specific minimum standards of data protection in countries that will be receiving information from EU member states. One area of concern is that the current US privacy standards do not meet the Directive’s requirements.
Within EU member states, a supervisory authority is established to monitor the level of data protection. This independent body is responsible for advising the government on administrative measures and regulations as well as initiating legal proceedings when data protection legislation has been violated. Individuals may take their reports of violations and complaints to this supervisory body or to a court of law.
The co-regulatory model is closely linked to the comprehensive model of data protection. In the co-regulatory approach, industry develops the rules for privacy protection. These rules are enforced by the industry and overseen by the state privacy agency. This multi-tiered approach aims to involve individuals, organizations, industry associations and governments, within a legal framework. This model has been most notably adopted in Canada and Australia.
Elements of a co-regulatory data protection model include:
- Establishing regulations and incentives for compliance, as well as consequences for privacy violations, is absolutely crucial.
- Effective legislation must reinforce the power of monitoring organizations (e.g. industry associations, supervisory authorities) to ensure compliance.
- Legislation must impose a comprehensive set of data protection principles which apply to specific sectors as well as general practices.
- A government privacy protection agency must have the appropriate resources and adequate jurisdiction to ensure compliance with privacy legislation.
- Watchdog Agencies
  - These agencies help to enforce privacy legislation by providing expert consultation; negotiating and approving codes and standards; supervising compliance; imposing penalties on violators; researching new technologies; and providing a means to adapt the law in a practical context.
- The public must be empowered and enabled to take actions to protect their personal information.
- People should be aware of the privacy legislation in place, privacy agencies, industry agencies and complaints processes.
What Can Co-Regulation Look Like?
As mentioned earlier, Canada’s privacy protection framework offers a working example of a co-regulation model.
- The fundamental right to privacy is protected in the Canadian Constitution, the Charter of Rights and Freedoms.
- At the federal level, Canadian privacy legislation includes the Privacy Act (1983), which regulates 150 federal government departments regarding the collection, use and disclosure of personal information.
- The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation which governs the use of electronic documents.
- Provincial and territorial governments (excluding the province of Newfoundland) have also set out legislation regarding the collection, use and disclosure of personal information within provincial or territorial government agencies.
- The Privacy Commissioner of Canada is a designated ombudsperson and officer of Parliament who can investigate complaints and violations of the Privacy Act or the PIPEDA.
- The Office of the Privacy Commissioner (OPC) investigates complaints, conducts audits, publishes information about personal data handling practices, researches privacy issues and promotes awareness and understanding of privacy issues.
- Watchdog Agencies
  - The Public Interest Advocacy Center (PIAC) is a non-profit organization which functions to provide legal assistance and research into consumer vulnerabilities. It also demands responsible provision of public services and has a history of reporting violations and complaints to the Privacy Commissioner.
  - The Canadian Access and Privacy Association (CAPA) is another national non-profit organization which aims to promote knowledge and understanding of privacy legislation at the international, federal, provincial and local levels.
  - Electronic Frontier Canada (EFC) is a non-profit civil rights organization which conducts research and promotes awareness of new computer, communication and information technologies. Its goal is to promote the right to privacy on the internet.
- The OPC regularly encourages and organizes informal awareness-raising activities with the public. It also maintains that both businesses and individuals have the responsibility of safeguarding personal information.
With the advent of new technologies and the information-driven society, it has become increasingly difficult for governments to safeguard the privacy rights of their citizens. Various models of privacy protection have been developed in response to concerns and violations of personal information. This article discusses the three main models: sectoral, comprehensive and co-regulatory approaches to privacy protection. Specific examples of each model are also provided.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Co-regulatory model (Canada) (II.B.a.)
- Comprehensive laws (EU model) (II.B.b.)
- Sectoral approach (United States) (II.B.c.)