Ms. Siegel will deliver our presentation, but I would like to say a few words first to put it into context.
Our association represents Canadian information and communications technologies, or the ICT industry, including everything to do with computers, software and telecommunications from equipment to service.
This industry is highly interested in every aspect of privacy protection, and has been for quite some time.
In 1996, when I was chief privacy officer at Bell Canada, we were already operating under an extensive set of regulations that dated back to 1955 in matters of privacy protection. But the industry as a whole, the broader industry, also saw at that time, as the Internet was about to explode in terms of usage, that privacy protection and confidence in the Internet and the e-economy was absolutely critical to our future. Therefore, our industry was really the first proponent of tackling the issue with legislation. We also had to consider that we couldn't take a regime that applied to a heavily regulated industry, like telecom was at the time, and transpose that holus-bolus to the whole economy in matters of privacy protection.
We were very happy to evolve a regime that was quite innovative and quite effective that involved a first layer of taking ten principles developed by the OECD in a multi-party manner, where they had consumers, businesses, and governments evolve these principles. They were taken, again, in a multi-party approach by the Canadian Standards Association, which developed a code on them. And the legislation reflects this, that we had a base of self-regulation on which we then imposed a government body, the Office of the Privacy Commissioner, in an ombudsperson role, and then the courts to do enforcement, if, as, and when required.
This mixed model, which, as I said, is quite innovative and quite effective, has been recognized worldwide as truly an effective way of tackling this, this made-in-Canada solution.
So I would say, when you hear suggestions, I would be very loath to take on anything that changes the fundamental structure. There's really no reason to undo that very successful approach.
I have a final comment in terms of context.
The vast majority of the members of our association are small businesses and the vast majority of the businesses that are clients of our technology companies, who have to deal with these information protection measures, are small businesses. These businesses do not have the means to continually adapt to changes in their operating approaches.
They don't have in-house law departments; they don't have the resources to have a lot of legal advice to change the way they do things.
So I would say, again, as a general approach, our industry feels you should be very cognizant of the maxim that if it ain't really broke, don't fix it; don't change the legislation unless absolutely necessary.
I'll pass it on to Ariane.
My name is Ariane Siegel. I am a partner in the law firm of Gowling Lafleur Henderson, practising in the area of privacy and telecommunications law. I am also the chair of ITAC's privacy task force, and it is in this capacity that I'm addressing you today.
As you've already heard, a well-respected international think tank, Privacy International, ranked Canada at the top of the list of countries for privacy protection in its most recent survey--second only to Germany. The high degree of accessibility under PIPEDA did not go unnoticed by Privacy International, and the report correctly states that “anyone can complain to the Commissioner about an alleged violation of PIPEDA”.
ITAC suggests that contrary to the survey of 64 companies put before you by the Canadian Internet Policy and Public Interest Clinic, there has been a very good level of privacy compliance by Canadian organizations. Most organizations work diligently at compliance and have extended significant resources in this regard. Especially noteworthy is the profound impact that Canadian privacy laws are having on international privacy compliance. For example, many U.S. companies with Canadian subsidiaries are adapting Canadian privacy compliance frameworks for use in operational settings south of the border.
Let's begin with ITAC's general position regarding PIPEDA in the context of the ongoing review process. ITAC, as you've heard, believes it's far too soon to make significant changes to PIPEDA. Most companies have had less than three years to implement and refine their privacy policies and procedures. Furthermore, many customers and employees are only now becoming familiar with how to exercise their rights under the legislation. ITAC supports cooperation with industry to create guidelines for security implementation and operational standards to enhance the transparency and consistency of the exercise of existing powers under the legislation.
I'd like to focus on ITAC's views on several issues that have been raised over the course of this review process. First is with respect to PIPEDA's inherent flexibility. PIPEDA's flexibility allows for the implementation of privacy principles in all organizations, no matter how large or small, and across all industries, however different their business processes may be. Consumers and employees also benefit from PIPEDA's flexibility, which provides an accessible, effective, and low-cost dispute resolution mechanism.
Secondly, with respect to the commissioner's order-making powers, ITAC believes that the existing ombudsperson model provides an effective, informal, accessible, and cost-effective dispute resolution process, while also allowing for a formal and binding review process by the court in certain instances. If decisions of the commissioner were to become binding orders, organizations would have to implement a more formal and costly compliance infrastructure. Adherence to PIPEDA's broad principles would give way to a very strict and literal approach and much less openness and collaboration with the Office of the Privacy Commissioner. Binding orders also raise the stakes for businesses in any dispute, and consumers could expect to find themselves pitted against experienced legal counsel in the process. Such a formal and adversarial process might well be avoided by consumers altogether.
Next, with respect to mandatory data breach notification, ITAC opposes mandatory notification of privacy breaches. ITAC is of the view that organizations take their responsibilities for data security very seriously. In the case of a data breach that poses risk to individual privacy, no organization would want to take on the additional potential liability of not taking adequate steps to mitigate further risks or damages that could be suffered by individuals. Many organizations currently contact the Office of the Privacy Commissioner to get guidance on how to deal with data breaches.
ITAC is of the view that mandatory notification requirements would result in notification fatigue for customers. CIPPIC pointed out in its submissions to this committee that several U.S. jurisdictions currently have notification requirements in place. However, these notification requirements do not mean that privacy protection is better in the United States or that somehow Americans are less prone to identity theft.
Canada is an international leader on the data protection front. Canadians have also been early adapters of leading-edge technologies, and many of the organizations are in the forefront of leading efforts to develop new privacy-enhancing technologies and processes. ITAC would support and would itself be interested in working with the Office of the Privacy Commissioner to develop guidelines on addressing data breaches.
Another issue is the commissioner's discretion to identify complaint respondents.
Currently, case summaries are reported for the most part on an anonymous basis. The commissioner has taken the position that naming respondents in each and every case would not meet the public interest threshold of the legislation.
ITAC supports this approach. The commissioner has the discretion she requires in order to name respondents. ITAC believes that a mandatory practice of naming respondents in each and every instance would not benefit parties to any dispute, and, in fact, could result in negative consequences.
Complaint resolution often results in a change to business policies or procedures such that the benefit naturally accrues to all customers. In this way, positive results are achieved with a high degree of efficiency.
Fifth, ITAC would like to respond to the issue of increased restrictions on transborder flows of personal information. Commercial practices often demand that personal information flow across borders. This has become an irreversible economic reality, driven by globalization and new technological opportunities.
Fortunately, PIPEDA's accountability principle demands that businesses in Canada communicate their privacy practices to the public and requires businesses to enter into contractual agreements to ensure a similar level of protection for personal information transferred outside of Canada.
Placing further restrictions on transborder flows of information under PIPEDA could reduce the global competitiveness of Canadian businesses. Canadian privacy legislation does not need to be modified to ensure that organizations safeguard data in any outsourcing, whether local or transborder.
PIPEDA very clearly recognizes the need for organizations to safeguard data. The Office of the Privacy Commissioner has set out a very practical framework for dealing with transborder data outsourcing in two recent case summaries.
Most importantly, the long-established common law of agency imposes obligations on organizations to protect data in their custody and control and would extend to the need to impose adequate protection when data is processed elsewhere.
In conclusion, ITAC believes that the provisions of PIPEDA are sound and continue to provide the appropriate balance between the interests of the public and industry as technology and expectations evolve over time. PIPEDA balances various legislative approaches, setting the tone for other jurisdictions and enabling Canadian businesses to remain competitive in the global arena.
ITAC members have invested significantly in the operational, legal, technical, and training aspects of privacy protection. ITAC itself has demonstrated leadership in educating its members about privacy, and we have worked with the federal and provincial privacy commissioners in doing so. We plan to continue our efforts in this field.
On behalf of ITAC and its member companies, I would like to thank you for the opportunity to address this committee.
I submitted them about a week ago. They perhaps didn't come through translation.
It perhaps goes without saying that computers, databases, networks, surveillance cameras, cookies, spyware, radio frequency identification, and other automated means of collecting, using, and disclosing personal information directly threaten our ability to control personal information.
You've heard about this from many of your previous witnesses. I have significant expertise on these issues, and I'm happy to provide more information about any of them for you, if you wish, during the question period.
My testimony today, however, will be to suggest that there is a much bigger threat to privacy that comes from a much more primitive and much more basic technology. It is a technology that all of you are familiar with, even those of you, like our honourable chair, who avoid computers, PDAs, and the Internet like the plague.
The threat I'm referring to is in fact a legal threat.
In French it is called the “contrat d'adhésion”.
In English, we call it the standard form contract.
While computers, surveillance cameras, and RFID chips technologically enable aggressive, voluminous, and sometimes surreptitious collection of information, it is the standard form contract that legally enables the so-called “implied consent”, “deemed consent”, and “opt-out” consent-gathering processes that are said to justify the use of surveillance technologies under our current privacy law. These means of using the law to deem consent, when there is in fact none, can be highly problematic.
Standard form contracts are mass-produced documents that prevent and preclude negotiation and agreement. They are drafted exclusively by parties in an economic position to offer them on a take it or leave it basis. In an information age, where the business handshake has been replaced by mouse clicks, where the bilateral negotiation process is supplanted by global, one to many transactions, the standard form contract is regularly invoked by organizations to circumvent various privacy protections prescribed by PIPEDA and other data protection regimes.
Whether in the sale of goods or the licensing of services, many organizations use standard form contracts, clickwraps, and end-user licence agreements as ways to justify what is sometimes an unreasonable and overarching so-called consent to excessive collection, use, and disclosure of personal information. Through these sometimes one-sided contracts, organizations are able to extend their personal information practices well beyond the bounds of what might otherwise be permitted by Canadian privacy law. They do this by compelling consumers, customers, and citizens to sometimes contract out protections that would otherwise be afforded through PIPEDA.
In my written submissions, which I guess you don't have in front of you, I offer a series of detailed recommendations on how to amend PIPEDA in light of these, to fix the enormous problems of obtaining genuine consent that are generated by the contractual model.
I am happy to answer any questions you might have on those, but let me first provide you with two crunchy examples that should hit close to home.
We automatically track, collect and compile User Information and Transaction Data (as defined below) when you utilize the Site.
You agree that HHC shall own all Information.
By accessing the Site, you voluntarily, expressly and knowingly acknowledge and agree with all of the foregoing and further agree to each and all of the following: (i) such Information belongs to HHC and is not personal or private proprietary information; (ii) such Information, wherever collected, may be processed, used, reproduced, modified, adapted, translated, used to create derivative works, shared, published and distributed by HHC in its sole and absolute discretion in any media and manner irrevocably in perpetuity in any location throughout the universe without royalty or payment of any kind, without, however, any obligation by HHC to do so;
So instead of me, let's imagine that the honourable member, Mr. Tilson, stayed at the Hilton Hotel and sent an e-mail to his colleague, Mr. Wallace, an e-mail containing some communications perhaps about these committee deliberations, perhaps about some more personal things.
Under the terms of service referred to above, Hilton will claim that the personal information and private communications generated by these two honourable members is in fact not personal or private information, by way of their consent, and it is therefore not subject to PIPEDA, and that in fact Hilton owns the information in perpetuity, anywhere in the universe. As David Bowie might have once sung, “Planet Earth is blue, and there's nothing you can do”.
According to Canadian contract law—and I've been teaching it for more than ten years—I suspect that Hilton would likely prevail. Regardless, most individuals would be forced into submission during a lengthy and protracted litigation process in the courts about what is certainly, at this point, an unclear point in the law. I recommend we clarify the law with this.
Example number two. Like me, everyone around this table is a consumer of many intellectual products every day. You read the newspaper, specialty magazines or books, or maybe you watch TV, movies, or listen to music or talk radio. If you are like me, sometimes you don't care who knows what you are reading about or listening to, and sometimes you probably do, but I'll bet that you would care a lot if you learned that someone was always able to know about every single intellectual product that you consumed: how often, where, when, etc. Everyone around this table, I suspect, cares about intellectual privacy, the ability to consume intellectual products free from public scrutiny and corporate or governmental surveillance.
Imagine that you go out and buy a CD or DVD, or maybe you borrow it from the library. You put it into a device that you own and you play it. You watch or you listen. All the while, unknown to you, a small software routine written into the code of that CD or DVD causes an automated communication via your wireless Internet connection. The CD or DVD reports back to Sony--or whoever--who you are, where you are, what machine you use, which software you run, what you are watching or listening to, when you watched or listened, how often, etc.
By now in the course of these proceedings, and having heard many witnesses, you are, I suppose, no longer surprised by the realities of the digital age, but here is something that might surprise you.
You decide to investigate whether the company's practice infringes on your privacy rights under Canadian law. You come to learn that it probably does not, or at best that the law is unclear with respect to any of this. In fact, you come to learn that you have probably legally consented to letting the CD phone home and rat you out to the mother ship. In the standard form contract of more than 3,000 words--which, by the way, is about 700 words more than it took Edgar Allan Poe to tell the tale of the thousand injuries of Fortunato--52 words provide your so-called consent to the automatic installation of a rootkit; Sony calls it “a small proprietary software program”.
Because of this provision, the organization collecting your personal information will claim that you have contracted out of the protections otherwise afforded to you under PIPEDA. According to their agreement, you also supposedly consented to allow them and their information-sharing partners to give that information to any member of the government who makes a request, without a court order and without any form of due process--and there is nothing you can do about it.
The main point I want to impress upon this committee today is that this form of legal manoeuvring--something that each and every one of us around this table is subject to multiple times each and every day--is hugely problematic and is not sufficiently addressed in PIPEDA. Standard form contracts, as well as a number of other so-called consent-gathering processes, can sometimes--not always, but sometimes--undermine the nature and value of genuine consent, and in those instances will fly in the face of what our privacy laws are actually trying to achieve.
I would submit that PIPEDA's attempt to balance individual privacy rights with the needs of organizations to collect personal information is undermined if--irrespective of PIPEDA's many protective provisions--intrusive, unfair, or unwanted collection, use, or disclosure can be imposed on individuals with impunity through standard form contracts or other similar so-called consent-gathering processes such as those used in the past by Sony, by Hilton and other hotels, by instant messaging services, by mobile phone providers, by other online service providers, by health care providers, etc. I can assure you this same strategy is used often and with great success in other sectors as well, all of which tells us we do need much tighter sets of consent provisions than those currently provided in PIPEDA.
In my written submission, I offer concrete recommendations to fix this. If I have another thirty seconds, I'll go on the record to lend my support for other recommendations that have been made by other witnesses. In particular, the law should be amended to provide the federal Privacy Commissioner with order-making power; the law should remove any lingering doubt about the power of the federal Privacy Commissioner to regularly name names in well-founded findings; the law should include a mandatory security breach disclosure requirement; and finally, Ottawa must seriously begin to address the growing concern in Canada over the outsourcing of personal information to non-Canadian organizations, particularly data flows to the United States.
I know there is no time to address these points now, but I am happy to respond to any questions you might have.
Thank you very much for your time.
Mr. Chairman, honourable members, thanks very much for the opportunity to speak with you today.
In my brief remarks to you this afternoon, the CBA section wishes to highlight four key areas or themes among several we've addressed in detail in our submission to Industry Canada, which we've just referenced.
These themes reflect particular areas of PIPEDA that six years of experience have demonstrated to be deficiencies in the law or that represent emerging policy issues that were not adequately recognized when the law was first enacted. After nearly six years of interpretation by the courts and by the Office of the Privacy Commissioner, we believe it's prudent and necessary to consider amending PIPEDA.
Privacy legislation has been enacted in British Columbia, Alberta, and Ontario since PIPEDA came into force. These provincial developments respond to our experience with PIPEDA and in some instances have addressed deficiencies in both drafting and interpretation.
The CBA section’s recommendations for amendments to PIPEDA are shaped by the following principles. First, while respecting the balancing of interests in the collection, use, and disclosure of personal information, vigilance is necessary in monitoring and opposing unnecessary erosions of privacy by both government and non-governmental organizations. Second, the basis for protecting privacy in Canada should be fair information practices as they continue to evolve. Third, privacy legislation and practices across Canada should be harmonized to the extent possible.
I'll touch on the first theme, and that is that PIPEDA should be neutral in regard to the litigation process. In other words, it should not affect pre-existing and commonly held litigation processes that have evolved for decades and hundreds of years. PIPEDA contains a number of specific exemptions to the consent requirement that require amendment. The current exceptions relating to litigation are too narrow and should, at a minimum, be broadened to ensure that well-established litigation procedures are not impeded.
This narrowness is evident in the investigation exceptions, the one-way disclosure, the collection and use of debt disclosure information, and the limitation on disclosure throughout the litigation process. The result is inadequate coverage of all aspects of the process: pleadings, oral discovery, mediation, private arbitration, settlements, solicitor communications, and other non-court ordered exchanges of information.
There should be a broad exclusion for information legally available to a party to a proceeding that would override specific exceptions currently found in PIPEDA. Related to this concern, PIPEDA should be amended in its application to law enforcement. Specifically, the provisions for the collection, use, and disclosure of personal information without consent for legitimate law enforcement purposes should be clarified. The current provisions relating to investigations and the enforcement of laws are confusing and internally inconsistent. A single standard should be applied for collection, use, and disclosure relating to law enforcement.
Finally, the provisions respecting investigative bodies should be streamlined. For example, organizations should be permitted to carry out their own investigative activities without unnecessarily being required to use other investigative bodies to collect information from third parties. The CBA recommends an amendment to create a broad exclusion for information available by law to a party in a proceeding to permit collection, use, and disclosure without consent where reasonably required for an investigation.
The second theme I'll touch on is as follows: PIPEDA enforcement should be more effective while continuing to reflect principles of fundamental justice. The lack of order-making powers in PIPEDA significantly affects the likelihood of complainants bringing forward issues of non-compliance. Complainants must apply to the Federal Court to obtain a remedy or compensation, but they may only do so after the commissioner has issued a finding. At present, it takes up to a year to receive a finding. Also, taking a matter to the Federal Court effectively requires hiring legal counsel and places the complainant at risk of an adverse cost award.
Further, there is no mechanism for the commissioner to compensate an individual who has incurred significant expense or suffered loss in connection with a complaint. However, under the current structure, conferring order-making powers on the commissioner could result in a violation of principles of fundamental justice. Currently, the commissioner acts as an ombudsman who advocates protecting personal information. The commissioner's office also investigates alleged violations of PIPEDA. Combining advocacy, investigative, and decision-making roles may place the commissioner in a conflict of interest and undermine the credibility of the office.
More effective enforcement could be achieved by assigning a separate office or body, functioning in a reasonably informal manner with decision-making authority. We've previously suggested an impartial tribunal with order-making powers and the ability to award damages, while the commissioner would retain the investigative powers and an advocacy role. The commissioner could be required to issue a finding within six months, which would then be referred to the tribunal. Therefore, the CBA section recommends an effective enforcement mechanism for PIPEDA be considered, such as the establishment of an impartial tribunal that would operate relatively informally, with power to make orders and award damages.
The next theme is that any requirement for notification of breaches of privacy should be balanced in approach. To date, federal and provincial privacy legislation has required public and private organizations to apply security safeguards when handling personal information. Several U.S. states have recently enacted additional legislation to require organizations to notify individuals in the event of a security breach involving improper disclosure of their personal information.
The EU has recently announced that it may consider information security incident notification. In contrast, Canadian privacy legislation does not explicitly contain such a requirement, with the exception of Ontario's Personal Health Information Protection Act. Therefore, the CBA section recommends that a balanced privacy breach notification requirement be considered, such as a duty to notify only where an organization is not covered by security mechanisms such as encryption, or has received notice that such protection mechanisms have been breached, and the information that has been compromised is sensitive personal information.
The final theme I'll touch on is that transborder information intended under Canadian privacy laws to flow unimpeded should be subject to appropriate precautionary requirements.
The commissioner has stated that the review of PIPEDA would be an opportunity for developing further privacy protection measures related to transborder information sharing by the private sector. One such measure is found in the commissioner's submission to the British Columbia Privacy Commissioner concerning the impact of the U.S. Patriot Act on personal health information of B.C. residents. The federal Privacy Commissioner recommended that Canadian companies that outsource information processing to organizations based abroad should notify their customers that the information may be available to the foreign government or its agencies under a lawful order made in that country.
Section 17 of Quebec's Act Respecting the Protection of Personal Information in the Private Sector specifically addresses the issue of transborder transfer of information. It obliges people communicating information about Quebec residents to persons outside the province to take all reasonable care to ensure that such information is not disclosed to third parties without consent, except as provided in the legislation.
PIPEDA currently contains general rules requiring parties holding information or outsourcing information to ensure its protection, but doesn't necessarily contain any rule specifically directed at protection of information transferred outside of Canada. Under PIPEDA, each organization, as you know, remains responsible for personal information in its custody or control, including information transferred across a border.
PIPEDA should contain appropriate precautionary requirements to protect information when it is transferred across borders. We have previously considered a number of alternatives to achieve this objective, such as a requirement that organizations transferring information to foreign entities enter into written agreements that would ensure security and protection of information against unauthorized access or disclosure in accordance with Canadian privacy law. Another alternative is a more generalized approach of protecting information transferred outside of the jurisdiction found in Quebec's privacy law.
In its earlier submission, the CBA section also analyzed options for notification or consent requirement for information transferred across a border. Each of these options would involve some form of notice to be provided to or consent obtained from the individuals whose information would be transferred outside of Canada. Amending PIPEDA to implement either a notice or a consent requirement to cross-border transfer of information requires a very careful consideration of the potential advantages and disadvantages of the approach.
The CBA section recommends that where personal information is to be stored or processed in a jurisdiction outside of Canada, PIPEDA require additional provisions to enhance security of personal information and ensure conformity to Canadian law, such as contracts between organizations and entities storing or processing personal information.
The CBA section appreciates the opportunity to share its views with the committee today. We believe our suggestions will provide some assistance in amending PIPEDA to address deficiencies that have become apparent since its enactment. Our goal is to improve the legislation for the benefit of Canadians, consistent with PIPEDA's purpose of establishing rules that recognize both individual privacy rights and the organizations' needs to collect and use information in an appropriate and reasonable manner.
Thank you very much.