:
Thank you for the invitation.
I represent two organizations here, actually, the B.C. Freedom of Information and Privacy Association and the B.C. Civil Liberties Association.
On February 9, 1999, I appeared before the Standing Committee on Industry to present my views on behalf of Electronic Frontier Canada on , PIPEDA.
We supported the bill in principle. Now, on behalf of BC FIPA and BCCLA, I wish to renew our support for privacy protection in Canada by means of PIPEDA. However, there are a number of issues that must be addressed in order to ensure that the privacy of Canadians continues to be protected by this important piece of federal legislation.
In this submission, I will address a number of issues related to both the legislation itself and the operation of the Office of the Privacy Commissioner.
It's important to emphasize that privacy rights are increasingly under attack, and a necessary bulwark in defence of these rights is at the very least adequate legislation supported by a vigorous agency to defend privacy rights and to draw attention to current and anticipated problems.
The most important recommendation I will make in these notes is that the current ombudsman model for conflict regulation employed by the OPC be replaced, providing the minister with order-making powers.
I draw your attention to a story that appeared early in November in the newspapers, in which the British Broadcasting Corporation, the BBC, reported that Richard Thomas, the information commissioner of Britain, had referred to Britain as “waking up to a surveillance society that is all around us”.
Some of its characteristics are given as follows: by 2016, shoppers could be scanned as they enter stores; schools could bring in cards allowing parents to monitor what their children eat; and jobs might be refused to applicants who were seen as a health risk.
The report referred to above is a report on the surveillance society, and I take this as a very serious report. Britain, of course, has been described frequently as one of the most surveillant societies in existence.
To set the tone of some of the remarks that follow, let me turn to some comments I made a little more than six years ago, about the time PIPEDA was approved. I gave some examples of privacy invasions. I argued that one of the reasons for having a law in Canada was that it was necessary that both companies and government be responsible in their privacy activities, and that there be a possibility for questioning the privacy activities, and that the legislation could and should provide this.
Let me describe some of the concerns I have, and I think that will be the focus of my remarks. I have nine concerns, the first of which I'm calling publicizing complaints.
For the most part, the Office of the Privacy Commissioner, the OPC, has decided not to reveal the names of complainants, nor the organizations and companies against which complaints have been launched. It appears that under the current regimen there is little cost to companies that do not resolve their privacy issues; not properly implementing a required privacy regimen is just a small cost of doing business. Public attention would be a much more effective means to achieve compliance.
Second, a much more effective education function is required. The OPC could serve a more effective role than it has up to now; namely, to bring the office and its role under PIPEDA to the attention of the Canadian public. In my classes and talks I have rarely found anyone who knows about Canada's privacy law, his or her rights under the law, or the existence of the OPC, the current Privacy Commissioner, or the activities of the office.
A survey commissioned by the Office of the Privacy Commissioner in March of this year showed that something like 8% of Canadians had heard of PIPEDA. Clearly, if you're not aware of laws protecting you, it's going to be hard to take advantage of the protection they provide.
My third concern is the response of companies to breaches of their security. What, if anything, should companies be required to do when their security barriers are breached, with a resulting release of personal information? Such events have become fairly frequent, and most of the attention has been directed towards companies whose primary activity is the collection, compilation, and marketing of personal information.
When PIPEDA came into effect, the term “identity theft” probably was little known. Now ID theft is well known as one of the major crimes associated with Internet technology. In the body of the submission, I include a table showing the numbers of breaches that have occurred in the U.S. in the last couple of years.
The fourth point is on the transborder data flows of personal information of Canadians. The OPC has brought this issue to the attention of the Canadian public, especially with regard to the possible access to the personal information of Canadians held in the U.S. by the FBI under the U.S.A. Patriot Act. In 2004 this issue arose in British Columbia because the government had outsourced medical records to a subsidiary of the Maximus corporation, a U.S. company. It took B.C. Privacy Commissioner David Loukidelis's holding of hearings to find and determine what threats might occur because of this activity. Very briefly stated, the B.C. government introduced and passed legislation in response, which had some of the following requirements: no remote access to data from outside Canada; special restrictions on data access; and requirements for supervision of U.S. employees. I have more listed here. What's important is that the federal government has to deal with these possibilities as well.
Number five, on workplace privacy issues, PIPEDA does not cover information collected by employers about non-federally regulated private sector employees. Workers in three provinces--B.C., Alberta, and Quebec--have protection in the workplace, but basically there is a real lack of it. I should add, for full disclosure, that a researcher and I did a six-month research project for the Office of the Privacy Commissioner on workplace privacy, and we submitted a report to that office expressing our concern about the future of the rights of workers in Canada.
Number six is the development of the electronic medical record, the EMR, and its privacy implications. We recall that when PIPEDA was enacted, the application of the law to the protection of medical records was postponed for one year in order to provide for additional consultation to deal with any special issues associated with such records. I take medical information to be the most sensitive of all personal information and deserving of the highest degree of protection. We're now in the process, across the country, of instituting information systems that will contain, in part, the medical record of every patient who has been involved in the medical system.
Some serious questions arise as to who has access to this medical record and to what degree patients have a chance to say yes or no. One very simplistic model has most of the information about drugs and so on, or about visits, which are not of the most sensitive nature, being available in general without any special permission, but that particular information that's most sensitive might be considered to be in a special lock box, so that only when a patient gives direct permission can that information be released. You ask to whom it would be released. That would be to other doctors, to administrators to make sure that the health process is being conducted efficiently, and to researchers who would like to have access to medical records.
Point seven is on the challenges of emerging privacy-threatening technologies. The law, generally speaking, always seems to be behind new technologies that appear and have good uses, and all of a sudden they start applying to areas that hadn't been thought of. Obviously the law will still apply, but to try to figure out what's going on is the difficulty. I bring your attention to RFID technology, which is being used in U.S. passports. It's part of inventory control, and it also has possibilities for more sinister use. I don't think that's too strong a word.
Let me read you this story, which appeared earlier this year:
A Cincinnati video surveillance company CityWatcher.com now requires employees to use VeriChip human implantable microchips to enter a secure data centre. Until now, the employees entered the data centre with a VeriChip housed in a heart-shaped plastic casing that hangs from their keychain.
The VeriChip is a glass encapsulated RFID tag that is injected into the triceps area of the arm to uniquely identify individuals. The tag can be read by radio waves from a few inches away.
If it had slightly higher power it could be read from several metres away.
How do you feel about this? How should a privacy commissioner act in response to these kinds of activities? There is now talk about medical records going on chips to be implanted. Then you can't forget things, and you'll have this medical record. This is just one of the kinds of technologies to which we're really going to have to pay attention.
My eighth point is on current views of some aspects of consent. This is a very long area of great concern. Of a document released by the Privacy Commissioner to stimulate discussion, half of it had to do with various questions of access. Who has rights? Is there blanket access? In some of this, there was some concern about access now taking place under various acts of Parliament meant to deal with terrorism, and the requirements to gain information about individuals without informing them it's being taken. The general question is, how much information can you take from people without getting their assent or at least informing them you're taking it? I use the general term “access” to cover many of these things, but there isn't time to go into them in detail.
Let me turn very quickly to the last of my comments, which is where I began. The Office of the Privacy Commissioner of Canada is committed to the ombudsman model of mediation. Complaints are heard, meetings are held, and non-binding recommendations are issued, with the names of all parties almost always concealed. If they are dissatisfied, a complainant can bring the case to the Federal Court at his or her own expense.
Has this model been effective? There's some disagreement in public responses to this question. Certainly the OPC seems to be committed to its current mode of operation. It is significant that in the three other provinces in Canada with their own versions of PIPEDA, British Columbia, Alberta, and Quebec—and of course the Quebec model came in several years earlier—the model used involves order-making powers. That is, complaints are heard, decisions with legal force are made public, and parties are named. So the full force of public scrutiny is serving as a constant light shining on the privacy practices of companies and organizations, for whom negative publicity is not in their self-interest. That clearly is the single most important recommendation I'm making in this submission.
Let me thank you for the opportunity to appear before you on this very important matter.
To get to the point of this statute, the first point, a very important one, is that it is about giving individuals the right to control the information that relates to them. For 30 to 40 years now we've been hearing about the way personal information is captured by organizations, by technologies, and that process has gone on. It's an incredibly important human right and value, which virtually every advanced industrial society now has enshrined in law. It's a right and a value supported by public opinion. Consistently Canadians have said that they are extremely concerned about the threats to their privacy.
The basic aims, however, of PIPEDA are not substantially different from those found in other western societies. It's based on a set of principles, which are in schedule 1 of the legislation, that you see throughout western Europe in other countries as well. It's very important to recognize that PIPEDA really has to be seen within this larger international context. In fact, international agreements such as those from the OECD, from the Council of Europe, and from the European Union have influenced the way PIPEDA was drafted, and indeed the way it has been implemented.
The forces that brought privacy to the agenda in Canada in the 1970s and 1980s were no different from those elsewhere. But one thing that was somewhat different here is that we were relatively late in legislating a set of safeguards for our private sector. Most other countries were ahead of Canada. That has had some implications, I think. Firstly, it meant that when this law was drafted it had to take into account what was going on elsewhere. There was considerable pressure from the European Union and from other countries as well for Canada to get its act together and to join that family of nations that had privacy protection statutes for their private sector. Although our law has been shaped by some distinctively Canadian concerns and interests, it's important to recognize that inescapable international context.
The second thing that I think is important to understand about PIPEDA is that before the law was promulgated there was a great deal of activity in Canada by its private sector. There were a lot of codes of practice developed, and indeed the standard itself was negotiated through a committee that involved both the private sector and consumer organizations. Therefore, the theory behind this legislation was that it would build upon activity that was already going on in the marketplace. There would be codes of practice, there would be a standard, and then the legislation would come over the top of that. Those are two very distinctive things about the history of this legislation that need to be kept in mind.
On oversight and enforcement, laws differ in the various countries about how you actually enforce these various privacy principles. In Canada we have, at the federal level at any rate, opted for the so-called ombudsman model, and you will be receiving a great deal of advice about whether that ombudsman model actually works. I have some mixed feelings about it. I think you need to look extremely carefully at the prospect of replacing the ombudsman model with an order-making model that is currently in existence in Alberta and B.C.
I have been a complainant under PIPEDA, and I would like to briefly recount that story for you.
Back in November 2001 I received a product survey through the mail that I believed was not in compliance with the legislation. There had been some media stories about this at an earlier point. I objected to three things in this survey. I objected to the fact that it was distributed as a kind of fact-finding survey, with very little indication there would be any direct marketing involved. I was concerned about the position of the opt-out box on the survey. I was also concerned about the fact that there was no way one could complain, no website, and no 1-800 number. There were some quite precise issues of general legal compliance that really had nothing to do with my individual rights. I was not seeking redress here. I was seeking for the company to simply clean up its act and comply with the law.
The Privacy Commissioner agreed with my complaint, agreed that it was a well-founded complaint, and in fact in some respects went even further. But what happened was a long period of negotiation, quite a period of resistance, a lot of to-ing and fro-ing. And the complainant is put in a difficult position in regard to knowing what to do with the information you have, and whether or not to in fact publicize the name of the company concerned. Therefore, they were stalling, and it wasn't until another complaint came in about this company that there was some resolution of the process.
The lesson I draw from this is that the ombudsman model, which is very good at mediating and resolving disputes between individuals and organizations, may not be very good when you're looking at a compliance model or regulatory model like this, where you're simply trying to get the organization concerned to comply with the law. Therefore, I think there's a mismatch between some of the goals of the law and the ombudsman model that is used to enforce it.
Thirdly, I'd like to just say something about the CSA standard. This is a notable innovation. There was an explicit reason why the drafters of PIPEDA decided to legislate by reference to the CSA model code for the protection of personal information. It was believed that if the private sector had already negotiated this standard, the legislation would do nothing more than force companies to live up to their own rules.
Also, I think it's important to note that embodied within this legislation is a method of compliance. There's a standard there. Any organization can take that standard, go out and be registered to that standard, use it as evidence if there's a complaint against them, and use it as evidence that they're pursuing good practices. There are many ways in which that standard can be used more effectively in the implementation of the law. I have a couple more specific recommendations about that, but I see my time is running out.
Is PIPEDA working? You're going to get a lot of advice on both sides of this issue, but businesses in Canada can be divided into three groups.
First of all, there are those large, high-profile companies that have in fact been leaders on this issue. These were the organizations that, early in the process, developed their codes of practice through their trade associations, and that, in the mid-1990s, participated in the development of the Canadian Standards Association's code. My impression is that while these businesses certainly face important challenges and there are clearly privacy issues there, there is a general compliance. They're not necessarily compliant because of the law, but because they largely raised their standards before the act was promulgated.
A second category, on the other end of the spectrum, is the free riders, the companies that deliberately attempt to make money out of the processing of personal information without individuals' knowledge and consent. My impression also is that many of these businesses have either been exposed as a result of PIPEDA or have been put out of business.
By far, the largest category of business is in the middle: companies that process the full range of consumer and employee information, but which have never really been concerned about the issue, nor have they been pressed by the media, by their trade associations, by the Privacy Commissioner, or by privacy advocates, to do anything more than the minimum. They may have made an early effort to get a privacy policy and appoint a responsible person, but have had no further exposure to the issue.
There's a good deal of evidence from surveys that most businesses are not generally aware of PIPEDA and are not generally aware of their obligations. My impression is that they're in that large category of organizations that are in the middle of the spectrum, and to which I think the intention of the law needs to be addressed.
The committee will no doubt receive some testimony that PIPEDA is a heavy-handed piece of legislation. I do not think it is. By comparison, it's quite a light form of regulation. If you compare PIPEDA with equivalent statutes in France, Germany, and other European countries, it really is relatively light. But it does depend on the building of compliance from the bottom up. Indeed, the entire regime was founded on the theory that the CSA standard would build upon existing codes of practice and that the legislative framework would build upon the CSA standard.
I've argued before that this kind of approach has a chance of encouraging a more effective system of privacy protection than would the top-down command and sanction model that is enforced through law alone. I'm still of that view, but I also believe the law needs to be reformed. I also think this committee needs to look very seriously at the powers that the Privacy Commissioner has in order to enforce this extremely important piece of legislation.
Thank you very much.
I'd like to come back to the issue of a distinction between the protection of personal information and the exemption of same when it comes to work product or professional information.
Mr. Bennett, you said that it would have to be very carefully crafted, in order to ensure that it doesn't become wide-ended. If you put your mind to it, would you be in a position to perhaps—maybe not today—suggest an actual definition that would allow for that distinction to be made, that exemption to be made, and at the same time ensure that it's not overly broad?
Mr. Rosenberg, in your brief you end with a number of recommendations. One of them is that the Privacy Commissioner should have the power to make orders. The British Columbia Civil Liberties Association recommended the power to render orders that could be tabled before the Federal Court and rendered immediately executory. I'm assuming that you're in agreement with that.
The other thing you raise in your brief is the issue of the lack of protection in the workplace for the personal information of employees, for whom that regulation or protection comes under federal jurisdiction. So in that case we're actually talking about in all the provinces and territories that have not brought in their own protection of personal information legislation, and that has been found to be similar to that of the federal and therefore we vacate that jurisdiction.
Do you have a preference...? You know the legislation better than I do the protections that already exist in B.C., Quebec, and Alberta. Do you think that one of those three models is better than the others, or are they pretty much similar in that protection? Because if this committee is going to look at the possibility of strengthening PIPEDA, in order to provide those clear protections, which do not exist, we would need some guidance on what models actually exist that in your view are good models to follow.
Following that, Mr. Bennett, would you like to add to this issue?
:
I think the Alberta and B.C. legislation are fairly similar and the Quebec is different, but I have to admit that I'm not as familiar with the Quebec legislation as I should be.
What I've been concerned with in my research is gathering the variety of ways in which the privacy of workers is threatened. It's not just keystroke monitoring and Internet activity and television or video cameras in the workplace. It's also endless tests that are required of people now for various occupations--drug tests, genetic tests, psychological tests--and these can go on both in the hiring processes and in the ongoing work process. These bring a lot of issues. It will be very difficult to try to figure out how to regulate these in appropriate ways to allow the worker some sense of humanity, without there being this constant threat.
I think a lot of it results from the fact that there is very much a general rubric about technology--if you can do it, why not do it? If it's possible to have a technology that gives you this and this seems to be useful, then do it, and that seems to be what's going on.
I have to say, also, that things are terrible in the States, where there is no privacy protection. Employers basically have complete rights to do whatever they want.
One of the at least temporary measures has been to try to work out a common agreement between management and workers about general rules on how the technology will operate. Are they going to watch everything you do? When you're on your lunch break, can you use the computer in the company without it being monitored? We know that the telephone brought these issues. Is it okay for a worker to call home to see how her sick child is doing? No management would say no, you can't call home. Is it okay to sit at your computer during lunch break and plan your vacation for next year? Well, you're not actually working, then, but it's not your machine, not your software, not your anything. Are you okay with doing that?
There's an endless number of these kinds of issues about which you would think people could come to a common agreement without the law intruding, but it's not the case.
:
Of course, there's a federal institution, which I think is the Canada Health Infoway, which has been providing money and advice, and they've taken the benefits of work in different parts of the country.
It's clearly an area that should have a uniform system so they can talk to each other. Obviously, one of the benefits of an electronic health record is that it could be accessible anywhere. If your record is sitting in B.C., but you're injured in Ontario or something happens and you need the record, it's really important that it's accessible. That would be one of the major benefits.
If you're trying to understand how well certain kinds of medications are working, what the costs really are, and where there are areas of higher cost, there are an enormous number of questions you can answer with an electronic medical record.
The questions that are still of concern have to do with rules of access. In a lot of cases, the simple rules of access will be straightforward. If you're a doctor and you are of a certain category, you can access things at a certain level.
It means information will have to be structured in terms of different levels of sensitivity. It will therefore require different levels of access by physicians, government bureaucrats, ministers, associate ministers, and deputy ministers of health on the kind of information they can get and the permission level they will be at.
As I said, these things are currently being discussed.
I think this is really important. It will obviously affect PIPEDA, because it will regulate these things for the provinces without any other privacy legislation.
I think it goes back to the question on whether we should wait. I don't think we're going to wait. There is such urgency with medical records that we're not going to wait.
For whatever measures are taken in the provinces, I assume provinces that don't have their own legislation will look very carefully at what's going on elsewhere in Canada as they formulate policies of use.
:
I have another question on the whole issue of consent.
I'm aware of a study that was done at an institute. I forget the full name of the institute, but the University of Ottawa looked at a certain number of company practices on the issue of consent, implied consent, express consent, and the kind of privacy protection for personal information and policies that these companies have in place.
I was appalled at the results, in part because there was a debate at the industry committee when the legislation was first brought to us at second reading. I think it needs to be strengthened, and I think it needs to be clarified.
The whole issue of giving consent, even when it's express consent to a company to be able to use personal information in a very clearly defined way, involves the whole issue of a company with its affiliates, for instance, that may not be working in the same domain, offering the same service or product and the sharing of that information. It then goes completely beyond that to third parties that are not part of the company “family”.
I had a personal experience with a credit card company, which I did to see what would happen. You get them in the mail, and I filled one out. When it came to the section for consent, I crossed everything out and wrote that they could only use my personal information within their company. They could not share it with any affiliates that had no direct relationship to the issue of my credit and credit rating. The company literally sent the same form back three times, saying they had a problem and needed me to fill it out again.
For me, it was clear that if I filled it out, my personal information, my shopping habits, and my leisure habits would be stripped out. Maybe my name wouldn't be given, but it would be stripped out and sold to third parties for advertising or whatever. I don't think most people realize that.
I'd like to hear whatever suggestions you have, either today or, if you need further reflection, in the future, in writing to the committee through the chair, on how the definition of consent and its different forms can be tightened up to ensure that when people give consent, it's actual consent.
In my view, there should be virtually no implied consent. It should be express consent.