Privacy Implications of the Extractive Sector Transparency Measures Act
The Extractive Sector Transparency Measures Act (ESTMA) came into force on June 1, 2015. Throughout consultations on the Bill, key stakeholders raised questions regarding privacy implications that remain unanswered. In particular, in establishing new mandatory reporting on payments made in the commercial development of oil, gas and minerals (the extractive sector), how specific will the information need to be, and could it be linked to identifiable individuals? By requiring that reports be made publicly available, is there a risk of disclosure of personal financial information? By requiring that records be kept for a period that is not yet prescribed, but that is seven years in the absence of prescription, is there an increased risk to the protection of personal financial information?
Analysing the privacy impact of legislation, and the legitimacy of that impact, requires focusing first on the objective and scope of that legislation. Legitimacy rests upon the proper integration of the individual right to privacy and the collective right to law and order. In this case, the objective of the Act is stated in its full title: “to implement Canada’s international commitments to participate in the fight against corruption through the imposition of measures applicable to the extractive sector”. The scope of the Act extends to extractive sector companies as “entities” making payments to “payees”, defined as governments and bodies established to perform duties and functions of governments. A payment made to an employee or a public office holder of a payee is deemed to have been made to the payee. On this basis, privacy risks appear totally manageable:
- Entities are companies and payees are governments. Neither is an individual, and therefore neither triggers the application of the Personal Information Protection and Electronic Documents Act, which defines personal information as information “about an identifiable individual”. It follows that entities’ reports would meet the objectives of the Act without disclosing personal information.
- Employees and public office holders of governments are subject to accountability obligations that reduce their reasonable expectations of privacy in the exercise of their functions. An established framework, organized around section 19 of the Access to Information Act and section 8 of the Privacy Act, already governs the interface between protected personal information and publicly accessible information.
Still, privacy risks exist and should be mitigated by corporate policies and forthcoming government regulations.
Corporate policies should:
- Establish that there be no collection or retention of personal information beyond what is demonstrably necessary to meet the objective of the Act, and provide for supervision to ensure compliance in that regard;
- Provide that reports under the Act shall not contain personal information unless demonstrably necessary to meet the objective of the Act.
Government regulations will need to:
- Establish reporting requirements that do not call for information specific to individuals except in accordance with current privacy law, namely where the information is already publicly accessible or where it is necessary to disclose it in the public interest;
- Allow redaction of personal information before making a report publicly available, where a reporting entity would have deemed it necessary to include it in the report to the Minister but where it is not in the public interest to make it publicly available;
- Establish the shortest retention period possible for record keeping under the Act.
In one sentence, while the Extractive Sector Transparency Measures Act may, in theory, have privacy implications, in practice, they are easily manageable, and should be managed.
Chantal Bernier is Counsel in the Global Privacy and Cybersecurity Group at Dentons Canada LLP and former Interim Privacy Commissioner of Canada.