:
I'd like to call the meeting to order, please.
I wish to apologize to our witnesses and to my colleagues for being late. I was misinformed as to the room number, and then when I called the committee room there was no answer to the telephone, so I apologize.
We welcome today, for meeting number 33, from the Office of the Privacy Commissioner, Jennifer Stoddart, Privacy Commissioner, and Heather Black, assistant commissioner, who were kind enough to give us even more reading material before their appearance. Thank you for that.
We'll start with an opening statement, one presumes, from the commissioner.
Welcome.
:
Thank you very much, Mr. Chairman and committee members.
You have met Assistant Commissioner Heather Black, who has been here before and will present part of our position this morning.
We previously sent you the reading material that the chairman just referred to. We did this in an attempt to make reference materials organized and easy for you to consult.
I don't have a prepared opening statement. I'll simply remind you of our position, which we have tried to summarize for you in a way that I hope you found useful. It's on the second, unnumbered page, opposite the table of contents.
[Translation]
The summary is on the page across from the table of contents.
[English]
right at the beginning, on the right-hand side.
[Translation]
You can see a summary of our position in both English and French. There, we include suggestions on amendments to the legislation, as well as state the points we believe require no recommendation.
[English]
Just to summarize very quickly, you've heard many witnesses, from most walks of life in Canadian society. You've seen a wide variety of opinions. Some of them are radically opposite one from the other.
In our presentation, we're going to try to advise you on the reform of the law in a way that is both privacy-protective and takes into account wherever possible any consensus or any reasonable position that we could move to, given some of the diametrically opposed positions on these issues.
Let me begin, at the bottom of the first group of bullets, with the changes we would recommend you make in your report on possible PIPEDA modification.
Cooperation with other enforcement authorities is extremely important in a globalized world. The drafters of PIPEDA did a good job in ensuring my ability to cooperate fully with the provinces. For greater certainty on this, we would suggest that you extend that.
The duty to notify possible victims about data breach has emerged in the last few months in a very critical way. I am suggesting, honourable members, that your committee suggest there be a compulsory duty to notify about any violations in the security within which personal information is kept on behalf of Canadians.
I have some material on that. You'll see that we did a résumé in appendix 6. There's an overview of existing American data breach laws that can inspire you as to what would be the composite elements of a duty to notify.
Another practical issue that has arisen is the omission from PIPEDA of the disclosure of personal information before the transfer of businesses. This is known colloquially as due diligence. This is simply an omission. We suggest that you move to have this modified.
We have given as an example, in appendix 2 in your binder, the Alberta model, which we think is a reasonable model to follow.
Again, on the same level of omissions from PIPEDA, we think you could widen the public interest exceptions to consent in cases of emergency, such things as accident victims, dental records being required to identify after death, humanitarian grounds, and elder abuse, which was brought up by the banks, and so on.
[Translation]
To the notion of attempted collection without consent, we should add the notion of wilfulness. The Federal Court states that if an attempt is made to collect an employee's personal information, but the attempt is not successful, the legislation does not apply. So that notion of wilfulness needs to be included.
Lastly, when it comes to the thorny issue of national security, in section 7(1), our position is and has always been that PIPEDA should keep the form it had before the amendments brought to it in 2004 by the Public Safety Act. PIPEDA should return to its previous provisions, under which companies did not become agents of the state for the purposes of collecting personal information in order to provide it to security authorities.
[English]
Heather Black will go on to talk about the other three suggestions we make to you for legal reform.
:
Moving right along to the employer-employee relationship, it has become clear to us over the past six years that the consent model doesn't work very well in that context. We would propose that you consider the wording from the Alberta law, which establishes a reasonableness test, and temper it with the added notion of dignity of the person, from the Quebec law.
While we say that the consent model doesn't work very well, we are still concerned about the imbalance of power between employers and employees. We always need to consider that things employers are trying to do may not always sit very well with employees.
Business contact information is a relatively simple fix. There's already an exception to personal information. We would suggest it be broadened somewhat to include all business contact information, but that the exception be limited to the purposes of contacting an individual in their business capacity.
Solicitor-client privilege for us is a huge issue, as a result of decisions by the Federal Court. Individuals under PIPEDA have a right of access to their personal information. There are exceptions to that right of access. One of those exceptions is that the information is privileged.
We are not suggesting that privileged information be turned over to individuals. What we would like to be able to do is see that information, to ensure that the privilege is correctly being invoked. That's a very narrow focus, and it's all we're really asking for.
I would then like to move down to the areas where we're not recommending any changes and briefly explain to you why.
On the issue of the commissioner's powers, I maintain my position that this is not the time, given all the upheaval in the Office of the Privacy Commissioner and given the fact that we are one of the agents of Parliament and closely linked to other agents of Parliament legislatively, to do a wholesale change in the office.
The act, as it is presently constituted, has a number of powers. We've not had time to use all of them, so I would recommend the status quo on that.
You heard that the process of designating investigative bodies is seen by many as long and cumbersome. I'm not in a position to deny that it is. But I think the opposite—having no regulation and no approval process for investigative bodies—means that we have an open season for self-appointed detective agencies, spy agencies, and so on. It's a very good thing that the federal government has some process for regulating these: they would be operating until somebody made a complaint or somehow they came to our attention, which is very difficult in a country as large as Canada.
Blanket consent has not really been an issue at all, so we suggest we simply pass on that one.
Heather, could you talk about work product and our position on that?
Just to conclude, the issue of transborder flows of personal information is an issue that in our opinion we can deal with through the law as it stands and through contractual provisions in the private sector. I refer you to my first request, that we reinforce our ability to cooperate with other entities throughout the world.
Finally, I'd conclude with something that is not in PIPEDA but I think is a huge problem, and I took the liberty of addressing to this committee, Mr. Chairman, a copy of the letter I sent to on the issue of spam. I believe this has been distributed to you. I'm taking this opportunity, as you are the committee that deals with privacy matters, to remind you of how serious this problem is, how privacy-invasive it is.
[Translation]
The fact that we are the only G8 country not to have any legislation against spam is very worrying. I would encourage you to focus on the issue.
Mr. Chairman, that concludes our remarks. We would be pleased to answer any questions by committee members.
:
The law, as it is and as it has been interpreted, already distinguishes work product on the basis that it isn't personal information. So we are concerned that there's no reason to carve out for any particular constituency any type of personal information at this time.
Secondly, we're concerned, as you will see in the appendix that we submitted to this committee, that any kind of carve-out has an indirect effect on surveillance issues.
We're also concerned that if the members think of legislating in terms of work product, they take into account the context in which this particular amendment is requested, the particular industry that this request is involved in, and the legislative initiatives in other provinces that call, for example, in one province, for the consent of those whose work product it is.
That I think is a résumé of why we think it's inappropriate to proceed at this time with that.
Before we go to Monsieur Vincent, just so I'm clear, and the commissioner is clear, the issue of work product was addressed by IMS and a number of witnesses. In fact a number of witnesses, including the Insurance Bureau of Canada, recommended that we adopt the British Columbia model of work product.
I'm afraid it isn't as limited as you indicated, Commissioner.
:
Thank you very much, Mr. Chairman.
I believe that seven minutes will not be enough for me to ask all the questions I have.
First of all, I would like to thank you both for being here this morning. I think this will be a very significant meeting.
As I said, I have a number of questions and I don't know with which I should start since they all seem very important to me.
First of all, Mr. talked about harmonizing and combining all the legislation. If I may, Mr. Peterson, I would like to say that I do not really agree with you. In my view, the provinces sometimes go much further than the federal government. Quebec in particular is frequently a leader in many areas, and I cannot envisage a situation where we would have to be subject to the dictates of Ottawa.
Moreover, the issue of work product was mentioned by a number of witnesses. Representatives of IMS Health Canada even suggested a particular wording. What would the repercussions be if we were to pass the wording suggested by IMS? Have you read that wording?
I would refer you to the brief we submitted. I believe this is a very significant act. First of all, I'd like to point out what we seem to be forgetting—the current interpretation creates an exception, and implies that PIPEDA does not apply to the situations envisaged by IMS.
Thus, in the interpretations, we recognize the issue of work product where information—in Quebec—is considered personal professional information. We believe that it would not be a good idea to amend the act, given that the status quo is already the goal we seek. Amending the act, which took years of discussion to craft, would be very significant indeed.
If you were to amend the act, you should examine all the circumstances in which the amendments would be required. You should also examine all the possible implications of the amendments, particularly worker monitoring and intellectual product monitoring in other fields, and with people other than physicians or health workers.
I would repeat that, in my view, the status quo already establishes that such situations are not covered by PIPEDA.
:
Thank you, Mr. Chair, and thank you to our guests today.
I actually wanted to shine a little light on something that isn't in the brief here, but it has happened most recently. It's a bill that went through Parliament and is on its way to the Senate, and that of course is Bill , which touches on privacy issues.
It's interesting that while we're trying to deal with privacy here, we seem to be opening up opportunities for people who want to exploit privacy in other places in this precinct. That's because in Bill , in the original legislation, they provided birthdate information for purposes of verification of voters. I wrote to you about this concern I had, and that we have in our party, and the fact that it was then amended to further extend that information to political parties. I wrote to you on that; you sent me a letter last week, and I thank you for that.
I just want to clear something up. As recently as Tuesday, in a question in the House, I asked the government if they would be--
The government was saying to me and was saying to Canadians that your statement to the Standing Committee on Procedure and House Affairs last spring, in June, was that you didn't have concerns that the sharing of birthdate information could affect Canadians' privacy. In fact, in the letter you sent to me most recently--because in June there wasn't a bill in front of us, so you didn't have the privilege of seeing that--there are concerns that I have. I just want your take on the whole business of sharing birthdate information among political parties, and, for that matter, sharing it out there in the public sphere with those who work for Elections Canada.
Here we are trying to protect privacy, and it seems that this legislation will make citizens' privacy a little vulnerable. I just wanted your take on your concerns on the sharing of birthdate information.
:
Thank you, Mr. Chairman.
Of course anything dealing with personal information, its circulation, and the permission for it to circulate according to the laws of Canada is an important part of privacy. I refer the honourable member, Mr. Dewar, to the letter I wrote him trying to explain this.
To clarify my position, I'll say that in general we have to consider that the birthdate of somebody is key identifying information. In our society it is used in a way that unlocks the door to a lot of important personal information, so it should only be used very sparingly and when absolutely necessary. That's my position, and that's the philosophy that inspires my position on PIPEDA and any other advice that I would give the committee.
:
I think we did, and thank you to our witness for doing that.
I just want to get back to the duty to notify. In terms of your point 12, you talk about duty to notify and say, “We strongly encourage the Committee to recommend amending the Act to include a breach notification provision.” Our party supports that very strongly. We know that this provision and what you're recommending here exist in 32 states. We know that approximately three million Canadians have had their credit cards compromised--I'll use that word--with no financial loss in some cases, but with no notification. I'm hearing from constituents, and I hear generally from my colleague Mr. Martin, who's been following this, that it's a real issue when people find out something happened and they weren't aware of it because of the failure to notify.
Could you expand a little bit on why this is important, and why you say you're strongly encouraged? I would say we should have it, but just give us a little bit more on the importance of having this provision and this change.
:
The events of the last few months, which I think most of the honourable members would have followed, suggest very strongly that this would be an important addition to the law, so that there is no hesitation on the part of companies and organizations holding personal information on behalf of Canadians that when this happens, they do have to take positive steps to notify them and to make them aware and to take action to prevent identity theft.
There was a reputable study done in the United States about the link between data breach and identity theft, because that's always the question: how do we know that data breaches are linked eventually to some harm, because many of them aren't? The study suggested that 5% of those people whose personal information has been obtained because of a data breach would be subject to identity theft. I find that very interesting. If people say that a data breach does not necessarily mean that something is going to happen to you, it would seem from this study that it will happen to 5% of the people. So if you have a breach of the personal information of 100,000 Canadians, then this would suggest that 5,000 of them are going to have serious issues with fraud, identity theft, or the same.
That's a very recent study and that finding is significant. That's why I'm asking this committee to move to make this mandatory, so that we'll have increased attention on the part of organizations to the security in which they keep personal information and then to their duty to act swiftly and appropriately to help people take the right steps to monitor their personal information and their credit cards and even in some cases their mortgages, their land holdings, so that they'll at least be aware. If you don't know that you've been a victim of a data breach, you may not be paying special attention. How many of us have time to read all our credit card statements in detail and so on? I think that's true of many Canadians in their busy lives.
I think this is an important public measure. I have more suggestions for the contents of data breach notification, given our research, and I'd be very happy to help the committee if you were to decide to move in this direction.
:
Okay, I appreciate that.
What my suggestion to committee will be at the end of this.... We've heard from you right from the beginning, and at first you came and said basically the legislation is working. We heard from a number of private sector groups. It's only been around for the private sector for a couple of years. I personally think we're a little bit premature in reviewing this, so I'll give you a chance to comment on that. The other thing is we've not heard about a lot of changes from you, and then you provided these, some changes, based probably on testimony and issues.
The other piece is I'm interested in giving the minister an opportunity to have a look at what's been before us. So I'm going to be recommending to the committee that we ask the staff, the researchers, to do an interim report that we're able to provide to the minister before he appears before us--it happens to be a he--so that he can respond to issues, similar to what you've basically done here.
One, do you think that's an appropriate approach? And two, the legislation is only two years old and it may take a little longer for us to be able to review it properly. I want to know how you feel about the two-year issue.
:
Thank you. That's a very interesting question.
In the cases we have decided—and I remind you that 75% of our cases are settled in the course of investigation through mediation—we take into account the context in which we're dealing, and I think that's one of the merits of the case-by-case basis. Is it a corner store? Is it a family business?
We had one recently that was a very small, community-regulated radio station, and the assistant commissioner and I had quite an exchange, because I didn't realize it was that one. We were looking at the wording and what had happened there. We specifically took into account that it was basically a volunteer association, although caught in federal legislation; our expectations were tempered by the fact that this was not a major corporation.
This comes up all the time. We try to administer the law in a way that's sensitive to the burdens of business people all across Canada, and I can't say that we have any particular problem with small businesses. They're perhaps not as sophisticated as the larger ones, but when we explain the law to them, they are very happy to comply, in our experience.
The second one, Mr. Chair.... I hope it's okay if I ask this, since you brought it up, but you brought up spam. I've been here five weeks and I've had a number of e-mails and presentations from various groups before they have come here. But I've had a lot of e-mails from average citizens in my constituency about spam. They know I'm on this committee, so they want to talk about it.
We'll be going shortly into deliberations on how we're going to look at this as a committee. Can you give us some guidance or guidelines as to the whole spam issue and how you think we should address it? Could you give us some ways forward on it?
:
In terms of the law you're reviewing right now, we have a mandate to deal with spam. I thank our lucky stars that most of the population hasn't figured that one out, because we could be drowning in spam—not spam, but in complaints. We have had a couple of spam-related complaints.
The recommendations of the task force would have essentially augmented some of our powers to deal with spam. The true spammers are not organizations with whom we can enter into a dialogue in the way we can with the banks or small business or whatever, because they're not interested in complying with laws. So it would be very difficult for us.
We can deal with your average, unsolicited e-mail that you may get from a large corporation with which you may or may not have a relationship, but the true spam issue is something that essentially can't be dealt with under privacy legislation. It is something for the criminal law or for the Competition Bureau when dealing with misleading advertising and all of that stuff, with heavy criminal penalties. I think that's the only way we're ever going to come to grips with spam.
:
Thank you, Mr. Chair, and thank you for coming again.
What an experience this has been. I don't know how many Canadians realize what the implications are for PIPEDA. You and I talked about that at some length. The more we explore this, especially new members like Mr. Pearson and me, the more we realize the ramifications, and they are huge.
On most of the issues, the questions have been asked. I was wondering about jurisdiction and I was wondering about work product, but the report is excellent. I don't know if I agree with everything; as Mr. Wallace said, the original position was that we did not need to change it, but of course we had some good testimony, and that led us to believe that maybe we should look at some things. I'm still a little concerned about cost; I'm not convinced that this won't increase the cost. We have to look at that, of course.
There were two areas that concern me the most, the first being the work product, and you gave us your position on that. I'm not quite sure I agree with it.
The other is the collection and disclosure for law enforcement. We were visited by the RCMP and the chiefs of police, and they laid out a very good argument for their investigation. They talked about child pornography, how Internet providers or banks weren't compelled, whether or not they were doing an investigation. Will your recommendations, or do your recommendations, cover their concerns specifically?
:
In fact, our recommendations cover the issue of police obtaining information, but our suggestions are, perhaps not unexpectedly, opposite to the direction that the police recommended to you yesterday. We would like to go back to the pre-Public Safety Act version of PIPEDA.
PIPEDA, as it was passed by this Parliament in 2000, did not make into private companies, through extraordinary powers, prolongations of the state's ability to collect personal information without consent for the purposes of law enforcement and national security. This is a major change in a democracy. It's basically giving private organizations powers akin to that of the police. I protested against it when it was passed in 2004; I keep that position.
The police are concerned whenever they can't get information, and they are concerned that PIPEDA has raised privacy consciousness in many Canadian organizations. These organizations ask, under section 7, if they should be doing this--if they should be handing over this employee information if the police come knocking. This article says they may or they may not, so they are considering it. We think this is quite far enough for law enforcement purposes, and it's discretionary.
As Privacy Commissioner, I have to remind this committee that personal information is part of a person's basic rights as a citizen, as a person. The police should be required to go before the courts if they have serious doubts and serious suspicions and need to get people's sensitive information. Surely our Canadian courts can look at what the police record is--they should not go on fishing expeditions through people's places of work, for example.
:
I think the cost to our office is minimal, but we could certainly cost out if, as we suggest, corporations had to notify us. Certainly, we have to have some type of notification reception mechanism, and that could be an additional cost, but I'd think it would be minimal in the budget of the Privacy Commissioner.
To come back to your--I'd say appropriate--concern with the cost for small businesses, we have been working with the Canadian Federation of Independent Business. We are rolling out special modules for small businesses. We are testing these modules with members of small business because we are very conscious of not trying to impose additional regulatory burdens on small organizations.
In our experience too, the challenge in applying this law is not with small businesses, because they are anchored in the community. As we become more privacy conscious, if your local business messes up with your personal information, I think there will be community pressure. They'll do it once and they'll learn spontaneously. Each community business doesn't have the amount of personal information that huge multinationals do.
My concern as Privacy Commissioner is not the possible danger from small businesses that are doing their best--and we're trying to help them and we're in constant contact with their associations--but the huge amount of data that is pooled in large organizations where one spill can affect possibly millions.
I will come back to my wonderful question. There are some companies that are responsible enough, including those that deal with mutual funds. For the moment, legislation does not require that businesses notify clients. A friend of mine received this type of letter. I do not know if he has the same mutual funds as Mr. Wallace. In the letter, which I saw with my own eyes, this person was told that they simply wanted to let them know that they had more or less lost their personal information, but that the risk due to the loss was not very high.
Nothing is very clear. We are not aware of the consequences of the loss, nor of the theft of which they were a victim. People are not quite sure what to do either. Mr. Wallace decided to throw his notice into the garbage, but some people filed that information in their heads under worry and anguish.
Do you not believe, Ms. Stoddart, that the legislation should oblige all businesses to notify their clients, according to reasonable conditions? I know you put forward some proposals in your document. Let us presume that the consumer's financial security is at stake, that the risk is serious enough. I know that you have the necessary resources to identify such situations. Do you not believe that first and foremost, there should be a duty to notify the client? In this notice—and it would be a good idea to have that formula drafted by the people in your office—the risk that the consumer in question is facing could be clearly set out, along with the lost or stolen information. I think that the client should know that. It is not enough to tell him that a little problem has cropped up.
There should also be the possibility of some remedy. You mentioned that in Quebec, it is possible to launch a class action. The fact remains that the legislation we are discussing here was designed for the consumer who receives this kind of letter at home. When one considers a class action suit, it is not easy to know where to begin. The business should be responsible for specifying the type of remedy. It should also—and it was one of our witnesses that put forward this suggestion, which I found interesting—compensate in whole or in part the damages that were caused. How could that be done? By taking certain steps itself, for example by sending out the kind of fraud warning to businesses that collect credit information. Indeed, taking those kinds of steps themselves represents a lot of work.
In short, should businesses not have that duty?
:
Thank you, Mr. Chairman, and welcome, Commissioner and Assistant Commissioner.
First I'd like to apologize to my colleague Mr. Martin. At our last meeting we were discussing, and I'm going to be talking about, subsections 7(3) and 7(1). The copy of the act I have didn't have paragraph 7(1)(e) in it and the connection with collection of information, going back and referring to paragraph 7(3)(c.1) in this case. I see the connection there now, and much of our discussion was based on it, so I apologize to you, sir.
In regard to this question, though, we spent a considerable amount of time, particularly with the witnesses we heard from the law enforcement community, dealing with this issue in subsection 7(3) with respect to the discretion that is provided to the organization in choosing to release the information or not release it.
The law enforcement community suggested that the discretion that's provided in the fact that it says “an organization may disclose” was particularly problematic. I understand the point that protecting personal information is vital under our civil rights, under the independence of the laws that provide individuals.... There's another factor, though, at play here in relation to safety, which we need to find the right balance on.
We heard some very compelling evidence that suggested that in certain circumstances—for example, involving a real-time Internet service provider and a predator online with a young person, where there isn't the time and where law enforcement needs to intervene to stop fraud, to stop a situation in which the public is going to be harmed—they need the ability to have that information.
We spent a considerable amount of time on this question of “may”. Would it be possible to provide in subsection 7(3), for the purposes of an impending urgency or a vital public safety issue, for the organization to be obliged, and not just have the discretion, to provide this information, so that in fact they would be required to provide this personal information in the context of subsection 7(3)?
:
I would like to intervene in your last example, Mr. Chairman.
We suggest that for issues of public safety, humanitarian reasons, and so on, personal information should be shared without consent.
That is far different from the law enforcement public security issue. In our systems, we have judges who are always on call, and certainly large corporations have lawyers to advise them.
I wanted to reassure you on that point.
:
Thank you, Commissioner.
It's a pleasure to see both of you again.
Thank you, Mr. Stanton, for the clarification of our conversation in the last meeting. I'm partly to blame because I was unable to cite paragraph 7(1)(e), which I was referring to. I had everything but the number, and then you didn't have it here.
I think we understand each other now. I sense everyone understands the possible problem we were trying to point out. Our source was the information brought to this committee by the commissioner in November 2006, where it was quite clearly cited as a very real problem and concern.
You said you asked for its removal at the time the Public Safety Act was debated. Have you ever publicly called for its removal from PIPEDA, prior to November 2006?
I guess you couldn't have, as there wouldn't have been an opportunity.
a) an organization can now collect personal information without knowledge or consent for the purpose of making a disclosure to a government agency that has requested the information...and
b) an organization may now collect information on its own initiative to make a subsequent disclosure to a government agency for the aforementioned purposes.
That's the legal interpretation we have of this clause. We should all be concerned.
I think we're muddying the waters, if I may say, by using the example of the pedophile abusing a child in real time and the possibility of terrorist, national security issues. That's what I'm focusing on. I told the RCMP that I could relate to and sympathize with that example--drop all the rules out the window to save that kid. In the case of fishing around a person's private affairs on the suspicion that they may be remotely connected to some possible terrorist initiative, that's what worries me.
An hon. member: [Inaudible--Editor]
:
Thank you, Mr. Chairman.
I don't sit on this committee, Ms. Stoddart, so you'll have to allow me some flexibility with respect to my understanding of PIPEDA.
I have gained enough information with respect to the national security issue and the Public Safety Act to leave that to the others to pursue, although I did note that one of the issues you are concerned about was that businesses not be the collectors of information for the state. I understand there's a dilemma in terms of public safety. I'll leave that line of questioning to the committee.
There was one issue that had been brought up that did concern me, and I hope it's not irrelevant to the proceedings. It's on your role with respect to Elections Canada and the issue that was raised with respect to information involving birth certificates, date of birth, and, I suppose, addresses, places of residence. Do you initiate your response on a court order with respect to an investigation that has gone on after an alleged electoral abuse has taken place?
:
I completely understand your role. You're here to protect privacy. You're the Privacy Commissioner and with you is your assistant commissioner. Privacy is your issue. From my end of the table, there has to be a balance between security and privacy in today's environment, whether it's a great thing or not. And to be frank with you, and I know Robert agrees with me, “lawful authority” might be a difficult thing for them to explain. The “may” issue and “authorized” to provide it, I think in terms of wording, aren't a huge change but may help police in describing it.
Just give me an example. We've used this terrible example of the ISP user. We were told there are a thousand ISP providers and about 30%...that's 300, not a few. Now there are a few big ones, but they're small and they may be our problem.
Let's use another example, and tell me if I'm wrong, because I just don't know and I'd like to know this before I make any decisions on it. I own a company that produces guns, for example. I have a customer who happens to be buying guns lawfully but selling them to a group that's on our terrorist list. The police want to know whether that person is my customer. Am I entitled, as the owner of that company, to tell them, based on the law? Do they have to explain to me that I may tell them or I may not? Do you think “authorized” to provide it would help that situation or not, or do you think they really need a warrant to find out whether this person is my customer?
:
There are many issues that I've not been able to explore before the Federal Court--for example, the issue of damages. Interestingly, with a lot of foresight, the law provides for damages. I have not yet had a case in which there was a provable amount of damages that wasn't settled beforehand, where I could go to court to see how PIPEDA can help remedy Canadians' actual damages for privacy.
I have a power to do audits on private sector corporations, when I have reasonable grounds to believe that there may be a problem. That is being challenged by one organization. The hearing before the court has not yet come up, so I don't know the extent of this power, which I would argue is an important power.
There are many things, including penal clauses in the act that have not been used. They're not necessarily for me, so I'm just saying that in response to the issue about the commissioner not having power, there is quite a bit of power foreseen in the act, and we should look to see how these powers can be applied before moving to another model.
:
Yes, but they have direction.
This is not numbered. I guess this is point number 1 in your thing, and I quote: “This decision leaves a gap in the Commissioner's powers and will potentially allow” a broad claim of solicitor-client privilege over corporate-held documents to inhibit an OPC investigation, “with no possibility of independent verification” of the appropriateness of the solicitor-client claim, “other than through a formal application to court”.
What's wrong with a formal application to court, for a court to decide whether or not solicitor-client privilege has been lawfully claimed? With no disrespect to your office, I would think that a judge has the expertise and legal training to make that determination better than your office does.
My question is what's wrong with that? Is your concern that it would take too long for a decision to be made on this very specific issue? If so, and if that's the only issue, why can't you make an immediate application to the Federal Court to determine whether or not this particular claim for solicitor-client privilege is lawful? That is the only question.
:
Ms. Stoddart, I agree entirely with what you said about police officers, doctors and work products, and when you say that nothing should be revealed. However, I have a bit of trouble with you saying that losing just a single day's worth of information isn't that serious. You don't know who has got their hands on the information. The person may very well bring back the information that very same day, but having the information for just half an hour is half an hour too much. You don't know what the person has done with the information. The individual may have sold it, etc.
I hear my colleagues saying there needs to be a greater focus on small businesses. May I point out, however, that when representatives from the Canadian Federation of Independent Business testified before the committee, they said they provided training to small business operators. Members of the Chamber of Commerce also provide training sessions to small businesses on the legislation. So there shouldn't be any preferential treatment, be it for a small business or otherwise.
In my opinion, small businesses are especially important. A small shop or clothing store may, over the course of the year, have who knows how many clients. How many credit cards pass through their doors? It's especially important for these people to be aware of the importance of protecting the private information they are privileged with.
So on that note, I imagine that businesses should, to some extent, be made accountable under the act. If a small business operator thinks that he or she has lost private information then the client or clients should be contacted immediately. That way they can contact their credit card companies, banks, etc. to make sure nobody else uses their personal information, which may lead to legal hassles for them. Businesses should bear some of the responsibility when information is lost.
If somebody's identity has been stolen and this leads to financial losses or a crime being committed, the industry or the business should be held responsible and pay the individual back.
What's your opinion?
:
We'll have our first in camera meeting on Tuesday at 9 o'clock. I will find the right room in the right time. Right now it's 237-C, and hopefully we'll see you then to discuss that.
You will recall that at the request of the committee I wrote to the minister asking that he appear. The minister seems to be very busy. I offered many different compromises, including holding a special meeting and having a meeting in the evening, and it would appear that the minister is busy for 24 hours a day until the break. He has finally agreed to appear on March 20. I've indicated to him that the committee will not accept any changes to that, so that's when he will appear.
By that time we will have focused on some of the things we're thinking about that we're either unanimous on or have a majority on, and we can discuss them with him.
Thank you very much. We'll see you next week.
The meeting is adjourned.