I appeared before the House of Commons Industry Committee to discuss Bill C-54 (Electronic Commerce Privacy Legislation).
Appearance before the Industry Committee, March 4, 1999
Good morning, and thank you for inviting me to appear before this committee to provide my views on the intersection of the privacy protections afforded by Bill C-54 and the Internet.
I’m a professor of law at the University of Ottawa law school, and I specialize in Internet law. Unique to Canadian common-law schools, I teach two Internet law courses, one on the regulation of Internet commerce and the other on the regulation of Internet communication, which focuses on speech and privacy. I’ve written several law review articles on Internet law; I’m co-editor of JURIS Canada, which is a legal education web portal; and I’m creator of the Canadian Internet law resource page, a web site dedicated to Canadian Internet law issues.
Let me begin by congratulating the government for this privacy initiative. Given the alternative of self-regulation, Bill C-54 is a major step in the right direction. In fact one need only look at activities this week in the United States, where the Online Privacy Alliance, the country’s leading self-regulation advocacy organization, is pleading with on-line enterprises to post privacy policies. The reason? Next week the Federal Trade Commission begins their second annual privacy audit, and the fear is that such little progress has been made in the widespread adoption of privacy policies that the government may move towards some form of regulation. As the U.S. experience illustrates, legislation is needed to effectively protect the privacy of individual citizens.
The focus of my remarks today will be on the application of Bill C-54 to the Internet. I certainly recognize that the bill’s application extends well beyond just the net, but it’s fair to say the growth of the Internet has been the major driving force behind the growth of electronic commerce and, by extension, this bill.
From an Internet law perspective, nothing is more important than strong and effective privacy legislation. As you are by now no doubt aware, in several surveys, Internet users have cited privacy as their primary concern. However, I would submit that the issue is even more serious than these polls indicate. As more and more people gravitate to the Internet, I see a widening gap between what might be called the haves and the have-nots.
The haves are aware of the privacy implications of Internet activity: the collection, use, and sale of their data. They frequently take steps to combat privacy concerns by using anonymizing technologies or, in other instances, providing false information when data is requested.
Sadly, there are far more have-nots than haves. The have-nots are simply unaware of the privacy concerns raised by the Internet. These users are more likely to think that cookies come in oatmeal or chocolate chip as opposed to being a source of potential privacy concern.
Given the large number of have-nots, there are really two sources of protection. One is education, and I certainly applaud Bill C-54 for recognizing the importance of increased public education with regard to the issue of privacy. The other protection is this bill, so when all else fails, the have-nots must be able to rely on this law to protect their private data.
The question, then, is whether it does. With your indulgence, I’d like to spend a couple of minutes tracing the experience of a typical Internet user, highlighting the privacy concerns and speculating as to whether Bill C-54 provides sufficient protection.
Our typical, and some might say fortunate, Internet user uses her new computer, equipped with a Pentium III chip, and has cable modem access using the cable provider @Home to access the web. She visits a site that offers some interesting content or maybe free e-mail, and in return for the content, she’s asked to fill out a form that asks a variety of personal questions.
Consider the privacy implications of this simple and very common experience. The Internet service provider, in this case @Home, has access to information, as we’ve just heard, on where the user has visited. ISPs in Canada have tended to protect the user’s interest, but consider a recent controversy in the United States involving TCI@Home.
Several weeks ago they announced they were amending their terms of service policy to allow the company to reproduce, publish, distribute, and display worldwide any content that was published, transmitted, or distributed over the TCI@Home Network. This was seen to include users’ e-mail correspondence and their browsing habits. The haves became aware of this change and a protest ensued. Earlier this week, TCI@Home announced they were rescinding the change, characterizing the entire incident as a misunderstanding.
Would Bill C-54 protect a user from this sort of circumstance? Well, maybe, but by no means for certain. Consent would clearly and reasonably be assumed as part of agreeing to a service contract, and of course consent is at the very heart of the CSA code. However, clause 4.3.3 of the CSA code provides that you cannot make supply of a service conditional on consent to data collection beyond that required for an explicitly specified and legitimate purpose. It would have been interesting to have a user challenge the policy on the basis of that provision in the CSA code.
Let’s move on to the P-III chip found in the computer. As I believe you have heard, the P-III chip contains a digital identifier that allows sites to identify which computer is accessing their site. Since each computer contains a single identifier, it’s possible for different web sites to share their information and thereby obtain a detailed consumer profile.
Initially, Intel activated the identifier as the default setting, and computers that are currently shipping—they just began shipping over the past week or so—retain that configuration. When the haves learned of this, yet another protest ensued. Intel partially backed down by providing a software utility that allows for a change in the default setting and a promise that future shipments would set the default setting as an inactive identifier.
But consider that last week, Intel released the technical specifications on the P-III. Within 24 hours, a German software developer had designed a utility that allows the identifier to be switched on and off by an external user; someone else can control it.
Now assume an organization wants to collect and use the identifier information. The question: Would Bill C-54 protect that user? If the identifier is off, they can’t collect the information, so there isn’t a problem. If they were to condition service on turning it on, clause 4.3.3 would kick in, and they would have to justify the use. If they turned it on themselves, using something such as the German software utility, they would probably violate Criminal Code provisions for tampering with computer data.
But if the identifier were on—let’s say the user bought a new computer with the default setting turned on, or perhaps an unscrupulous web site happened to use that same utility to turn on the identifier unbeknownst to the user—then the user might not be protected. Clause 4.3.6 of the CSA code provides for implied consent, and given that the default of the identifier is off, it might be reasonable to argue that consent can be implied by virtue of the fact that the identifier has been turned on.
Finally, let’s review providing data to the web site. On this site, the forms for the private data are contained right at the top of the web page, below is some general information, and then right at the very bottom is a negative-option check-box that requires the user to check if they do not consent to collection and use of their private data. Many users will never see this check-box, since they will never make it to the bottom of the page. They fill out the form, they hit the accept button, there’s no reason for them to even make it to the bottom of the page. For these users, Bill C-54 is of no assistance. Paragraph 4.3.7(b) of the CSA code expressly provides that this form of obtaining consent meets the CSA standard.
Furthermore, consider a situation where the site doesn’t even include a check-box. There is no indication that the personal information is going to be used. Does Bill C-54 protect against this? One would certainly hope so. However, an exception contained in paragraph 7(1)(b) of the bill, not in the CSA code, may provide an argument that nothing wrong has occurred. The paragraph provides that information may be collected without knowledge or consent if it is reasonable to expect that collection from the individual would compromise the accuracy of the information. Combined with paragraph 7(2)(d) of the bill, which covers use, a company might look to this provision to justify its actions.
As I noted, many Internet users have taken to providing false data to protect their privacy. As the bill is currently drafted, companies might be able to rely on this fact to justify an absence of obtaining consent, since to do so might reasonably result in the receipt of inaccurate information.
In summary, Bill C-54 is much better than the alternative of no legal privacy protection. However, I would submit that for the sake of the have-nots who are new to the Internet, the bill should be strengthened to remove some of the weaknesses I’ve articulated here this morning.