Canada's privacy law changing some privacy policies

Computerworld - Seven months into Canada's privacy law, Murray Long said the law has already begun to have an impact on businesses despite its relatively short reach thus far.

Implementation of the law is broken into two parts, and because of that, most businesses are still outside the reach of the law, said Long, an Internet privacy expert based in Canada and author of the Canadian Privacy Law Handbook.

The first part of Canada's privacy law went into effect in January and for the next three years applies only to those industries that are currently regulated by the federal government, such as telephone companies, airlines, railways and financial institutions. In 2004, though, the law will apply to any commercial activity in Canada where personal information is collected. Also, any Canadian province that hasn't enacted its own law will have the federal law imposed upon it.

In addition, the law created the position of privacy commissioner, currently filled by ex-journalist George Radwanski.

Canada's law gives the commissioner broad powers in looking into the privacy practices of the nation's companies and eventually into companies doing business in Canada, as well. The law doesn't give the commissioner order-making power; he has to bring the cases to the federal court to force compliance. But it does give the commissioner a more subtle kind of power.

The law states that a potential privacy violation is whatever a "reasonable person" might feel is a violation. The law then goes on to define the commissioner as "a reasonable person." Long said this means the Radwanski can investigate anyone he wants.

Since the law has been enacted, many companies have begun to rewrite their privacy policies, Long said.

"It's changed the privacy landscape here," Long said. "We're seeing a lot more maturity in the privacy policies that are being posted."

Companies are specifically stating what kinds of information they take from customers, what they do with that information and who else they might talk to about that information.

Long said the law has also begun to get into some "complex kind of issues."

Recently, Radwanski sent an open letter to Air Canada after the airline began telling members of one of its frequent-flier programs that it would be using their personal information for five different purposes unless they contacted the airline and opted out.

Radwanski wrote that three of the five areas seemed to be reasonable, such as promotion of the airline and its products.

"However, the last two circumstances about the collection, use and disclosure of members' personal information