Principle 10 -- Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles
to the designated individual or individuals accountable for the organization's compliance.
The Paper discusses these Principles. In a few cases it suggests that small changes of wording
would be required for legislative purposes, but the most important parts of the discussion relate
to what Principle 2 means when it talks about "identifying purposes," what Principle 3 means by
"consent" and "except where inappropriate," and what Principle 9 requires in terms of an
individual's right to information. These are all things that the CSA Code describes in the
Commentary that it attaches to its Principles. This Paper suggests that legislation, too, would
need to deal with some of these things.
A recurring theme of the discussion is whether these Principles are as readily applicable in small
organizations as in large ones. The CSA Code is stated as being intended to be applicable across
the board, but several of its Principles are expressed in language that is more appropriate to large
organizations than to small ones. For purposes of discussion, the Paper starts from the CSA
Code's premise that it should be all-encompassing, and considers the areas which seem
problematic from the point of view of small organizations. An important point for consideration
is whether private sector data protection legislation, if adopted, should be as wide-ranging as the
CSA Code aims to be, or whether a more focused approach is called for.
The Paper also deals with the enforcement of possible data protection legislation based on the
CSA Code. It discusses whether penal remedies (prosecutions and fines), civil remedies
(damages, declarations and injunctions) or administrative remedies (which could be of various
natures, but would be available from an administrative entity rather than a court) might be
appropriate. Contrary to what is often said in relation to data protection legislation, the Paper
suggests that administrative remedies are not essential to a data protection Act. However, they
are a policy option. Key issues in relation to possible administrative remedies are these. What
powers of compulsion, if any, should be given to an administrative entity for data protection
purposes? Should the resolution of complaints be the entity's only function?
Part II of the Paper, Privacy in General, focuses on the two central legislative options that are
available to the Province if it wishes to reinforce existing legal protections for privacy in New
Brunswick at a general level. One is to establish a 'tort' of invasion of privacy. (A tort is a
wrongful act which would entitle the person whose privacy had been invaded to go to court
seeking the ordinary remedies of damages, declarations and injunctions.) The other is to create
non-judicial remedies for infringements of privacy -- remedies that would be available from an
agency other than the courts.
As to the tort option, the Paper describes briefly the existing legal remedies by which privacy
interests may be protected, and then focuses attention on the Uniform Privacy Act prepared by
the Uniform Law Conference of Canada. The Paper suggests that legislation establishing a tort
of invasion of privacy in New Brunswick would be likely to be substantially similar to the
Uniform Act. Several provinces have similar legislation already. The Paper discusses the Act as
a possible model for legislation, and suggests that there are three key issues for public discussion.
Should an invasion of privacy be a tort at all? Would legislation based on the Uniform Privacy
Act adequately describe an invasion of privacy and pose no threat to desirable activities? Does
caution dictate that any development of a tort of invasion of privacy should be left to the courts
rather than undertaken by legislation?
Finally the Paper examines the possibility of establishing non-judicial remedies for infringements
of privacy. The Paper starts by pointing out that there is a difference between the kinds of
conduct that might amount to a tort, a wrongful act for which damages, declarations
and injunctions could be available, and less extreme infringements of privacy. It mentions things
such as video surveillance, workplace testing and workplace monitoring as examples of practices
which, in some people's view, are symptoms of a progressive loss of individual privacy in today's
society. The question is whether non-judicial avenues might be established as a means of
addressing some of these privacy issues.
There may be different views on this. Privacy, though a thing that everybody values, is in some
people's view best left to be dealt with as an issue in the purely social sphere. On this view,
appropriate standards of respect for privacy emerge organically from social interaction; at any
given point in time there will be some activities that raise questions about what the appropriate
standards are, but in the long run the only true measure of what is acceptable is what persists.
Some people may also feel that there is an incongruity in even considering administrative
remedies -- a bureaucracy, they might call it -- for the purpose of protecting and promoting
There are, however, existing models of agencies with a privacy mandate. The Paper mentions
examples, and notes that an agency with a broad privacy mandate could include data protection
as one of its functions. The Paper suggests that the key issues for public discussion in relation to
non-judicial remedies for infringements of privacy in general are much the same as they are in
the specific case of data protection. Is a non-judicial avenue needed at all? Should its functions
be exclusively complaints-oriented? Should it, or should it not, have compulsory powers? Of
course, the answers to these questions might be different in the particular context of data
protection as opposed to the broader context of privacy in general.
The items discussed in this Paper are both independent and potentially inter-dependent. Any
one, or any two, or even all three of the approaches reviewed might form the basis for legislation
designed to promote the privacy of New Brunswickers. On the other hand, some people may feel
that there is no need for legislation at all.
The purpose of this Paper is to allow a full public debate on what the appropriate legislative
choices should be.