PIPEDA Hearings – Day 02 (B.C. Privacy Experts)

The second day of PIPEDA hearings featured two privacy experts from B.C. – Richard Rosenberg of the B.C. Freedom of Information and Privacy Association and Professor Colin Bennett of the University of Victoria. Interestingly, the discussion focused on several issues that I highlighted in my article this week, including naming names and order-making power. Thanks to Kathi Simmons and Shiran Sabari, below is a full look at the day's discussion.

OPENING STATEMENTS

Richard Rosenberg

  • Privacy rights are being attacked in this country
  • Most important recommendation of the day is that the current ombudsman model should be replaced; order-making power is necessary
  • Mentioned report in BBC that said Britain is waking up to the fact that they are a “surveillance society”
  • Noted comments he had made 6 years ago on the initial approval of PIPEDA
  • The reason to have the law is because there’s a need for responsibilities for private companies and government to pay attention to privacy
  • Legislation should provide a place for questions to be asked

Nine concerns to bring to the committee
(1) publicizing complainants
(2) effective education function
(3) response to companies to breaches of security
(4) Transborder data flow
(5) Workplace privacy
(6) Electronic Medical Records (EMR)
(7) Challenges of emerging technologies
(8) Current views on access and consent
(9) OPC committed to ombudsman model

Colin Bennett

Four issues

(1) International context
(2) Oversight and enforcement
(3) Law and the CSA standard
(4) Is PIPEDA working?

Overall, PIPEDA is "quite a light form of regulation" and its success depends on building of compliance from the bottom-up. The law needs to be reformed, specifically in terms of the powers of the Commissioner.

QUESTIONS

Ms. Marlene Jennings (Liberal)

Q:     Do you think using the CSA model was the right way to go? If the Commissioner had executory powers, would it bring publicity and education – is that the missing piece of this legislation?

A:     (Bennett) regarding naming names, it’s very tricky under the ombud model. Regarding order-making power, it would undoubtedly change the culture of the office, create tensions with the Information office, but it would give it teeth and hopefully speed up the process, cut into delays, and foster proper jurisprudence

Q:    since the order-making powers would make the process public, do you think such a power requires a clause to ensure information remains confidential? Also, in terms of the "work product info" the Federal Court recently noted that "work product" is not part of PIPEDA – are you in favour of making a distinction?

A:      (Bennett) it’s not clear at the moment. There is an exception in the BC legislation. Familiar with the case from working on it. There is a distinction between info as a doctor and as a patient. We must ensure consistency. The worry with a broad definition is that there could be unintended consequences for employees. There needs to be careful drafting to ensure legislation specifies what it means.

Mr. Jean-Yves Laforest (Bloc)

Q:     how can we improve the federal legislation? Do you feel Canadians in general are informed enough to understand what's at stake when they shop online, etc.?

A:     (Rosenberg): not in general. The internet is a mystery to most people. As little as a few years ago, most people didn’t know what cookies were. Everyone online gathers info. Google has information about all of us. They use the same old argument – that they’re collecting it to improve the consumer experience. How do we ensure people become informed? The privacy policies on most websites are unclear, and most websites are from the US where the laws are different.

Q:     shouldn't the government be responsible for telling Canadians what’s really happening? Has the government been remiss in this responsibility?

A:     (Rosenberg) it's not solely the role of government. The OPC should have an education function, but this requires money. This all ties into the naming names comment earlier

A:     (Bennett) Most Canadians don’t know what's going on. Most are extremely concerned about their privacy though, and have had experiences with losing it. There is a good number of Canadians who understand the issues and often say "it’s none of their business." This varies by gender, age and location. Education is part of a larger set of tools to improve privacy in Canada. The law is one of many instruments needed – information, self-regulation, privacy enhancing technologies.

Mr. David Tilson (Conservative)

Q:    This is all very Orwellian. Don't use your BlackBerry in a private meeting because you never know who can pick up the information. People are not too concerned about the security at airports, or with cameras at corner stores because people are worried about their personal safety; they are "terrified that something is going to happen on a plane." Can you go too far either way?

A:    (Bennett) Yes. People are concerned when they don't see a legit public purpose. Concerns increase the more people know how the info can be used. When you dig down you find a range of issues. The Privacy Act calls for legit purpose and procedural guidelines.

Q:     I’m talking about PIPEDA. Have you "philosophized" on what this is going to cost private businesses? Is this something we should care about?

A:     (Rosenberg) To your prior question, we must distinguish between public and private property. It's most concerning in public areas, and I wonder if it’s sufficiently understood.

Q:    Let's zero in on the private industry. Think about the costs to them, both economically and time-wise. Can we consider that?

A:     (Bennett). There’s been a good deal of analysis on this. My own view is that the costs of being privacy unfriendly (bad reputation, etc) far outweigh the compliance costs. Most companies recognize privacy as a value.

Q:    Where did you get that?

A:     (Bennett) look to the companies with publicized ID theft issues whose stock plummeted from bad publicity.

Ms. Marlene Jennings (Liberal)

Q:    There is a distinction between protection of personal info and the exemption for a "work product". You've suggested that this definition has to be carefully crafted – Bennett, could you suggest a definition (not today, but in the future)? Also, to Rosenberg, do you have a preference of the provincial legislation that already exists? Is one better than the others?

A:     (Bennett) I’m not sure I could add anything beyond the Commissioner's paper on this subject.

A:     (Rosenberg) AB and BC are similar, and I'm not as familiar with the QC legislation as I should be. I'm not concerned with just video surveillance, but also with testing (drug, etc.). It's hard to figure out how to regulate effectively. The general rubric of technology is that if you can, you should. But this is not good – look at the US. We could look to models that work out agreements between mgmt and employees regarding privacy (i.e. personal calls on lunch hours, etc.).

Mr. Bruce Stanton (Conservative)

Q:    to Rosenberg, regarding your recommendation of publicizing the complainants, help me understand the compliance issues.

A:     (Rosenberg) Only people who complain know what's going on. Is this better for companies? For privacy protection generally? If Commissioner upholds complaints, what then?

Q:    Do you know why it's this model?

A:    (Rosenberg) Not every case is in the public interest. Persuasion without going public could be a less invasive way of fixing the problem

A:     (Bennett) the problem is in s.21 which obliges confidentiality, and s.22 which says the Commissioner can make things public. The Commissioner has interpreted s.21 as overriding s.22. The burden is on the complainant – but it shouldn't be up to the complainant to decide. CIPPIC always posts it on their website. Regarding naming names, people often don't understand the context without the name, can't know the exact business practices. This is needed for clear jurisprudence. But I appreciate that it’s not easy to name names always.

Ms. Carole Lavallée (Bloc)

Q:    I'm new to PIPEDA. I have concerns for the rights of employees and how their work is monitored. Does the law forbid an employer who installs cameras for security from spying? What are the consequences of this?

A:    (Bennett) The legislation doesn't distinguish between consumers and employees. There are gaps in Canada, where employee info can't be protected. The test (s.7) is whether there is a reasonable purpose. This must be explained at the time of collection. The employee relationship is different. There must be knowledge/consent unless under exemption.

Q:    Does the employer have the right to use the footage to spy?

A:    (Rosenberg) Usually yes. There is some monitoring related to work progress. The argument is that the employer is legally responsible for what their employees do at work so they should be allowed to monitor them. Recall the Canada Post cameras in the washrooms case. There are some legit purposes, but not all.

Mr. Mike Wallace (Conservative)

Q:    legislation has been in place 5 years, but the health part for only 1.5 years. Is this review premature?

A:     (Bennett). No. The 5-year statutory review is a good thing. It's difficult to separate out problems with legislation or policy with statute or its interpretation, or with larger context since 9/11. There are some recommendations for tinkering to clarify certain provisions to help people know their rights and responsibilities under the Act.

A:     (Rosenberg) It's not too soon, though I agree in part on the health info. There is still lots to do with respect to the digitization of medical records and lots of questions regarding access (ie. medical researchers want it without the personal info, but think about in small towns where there’s only one or two people with that particular condition – it's not hard to identify people).

Q:     So you want tweaking, not a major overhaul?

A:    (Rosenberg) In general, except the order-making power is major.

Ms. Marlene Jennings (Liberal)

Q:    The move to EMRs raises lots of questions. What other questions, besides those related to medical researchers?

A:     (Rosenberg) This is an area that needs conformity for accessibility. EMRs contain info for lots of questions. Access is the main issue – doctors vs other people; the info has to be structured for different levels of accessibility

A:     (Bennett) the Rules need to be harmonized.

Q:    Regarding consent issues, I read the CIPPIC study and was appalled at their results. I was involved in the debate on the Industry committee on the 2nd reading of PIPEDA. This issue needs to be strengthened and clarified. Think about affiliates of companies and other third parties who share info. (Gives personal example of deliberately limiting consent on a credit card application – the company kept resending the application form because of "processing problems"). Do you think we need to tighten the definition of consent to get rid of implied consent?

A:    (Rosenberg) This is a parallel situation to the opt in/out boxes. People give implied consent. I agree this should change.

A:     (Bennett) it's also an issue of knowledge. The problem is with education.

Mr. David Tilson (Conservative)

Q:    about transborder info, do you have any specific recommendations?

A:    (Rosenberg) This is an important and difficult question. Most people don’t know info is going to US. Think about the BC outsourcing case. BC tried to legislate on it, but there's no way to be sure it’s foolproof. Not clear if info in database can be kept from the US parent company. Could try to ban outsourcing of information, but that's unlikely.

Q:    If Commissioner finds out about a breach, the only way to really do anything is to toughen financial penalties. If there are penalties, this leads to enforcement questions. What is the role of the Commissioner?

A:     (Rosenberg) This is a political comment – did BC take these questions into account? How much do you really save by outsourcing, when you have to sue people or pay for violations? You must go as far as necessary, to the limit of the law, in pursuing these breaches.

Q:    There are mandatory reporting requirements in the US – should records be kept after the event is all over?

A:    (Bennett) Individuals must be told.

Q:    Should breaches be kept on record? Will this lead to future breaches?

A:    I know a bit about American laws that don't work – this is one of them. We have mandatory notification to the Commissioner.

Mr. Tom Wappel (Chair) (Liberal)

Q:    can you provide the definition of "work product" from the BC legislation?

A:    (Bennett) I'll provide it.

Q:    To Rosenberg, about order-making powers. What about giving it to someone else and leaving the Commissioner to education?

A:    (Rosenberg) It's in the OPC responsibility in BC and it works fine. I see no reason why it couldn't here. I’m willing to listen to the arguments about having a tribunal, but I see no reason why the OPC couldn't do it.

A:    (Bennett) The argument in favour of a tribunal is to take the judicial function from the Commissioner and give it to a panel of experts. This is how it is in the UK. The CBA is in favour of this based on human rights arguments. It can be seen as creating delays and as one more step on the way to court. For now, recommendation is specific order-making powers.

Mr. Mike Wallace (Conservative)

Q:    on order-making powers, can you explain it to me? Give me examples of penalties and how they'd be enforced.

A:    (Bennett) it's the power to say stop collecting info. Regarding penalties, they can be bad publicity, not just fines. Things like cease and desist orders too.

Ms. Carole Lavallée (Bloc)

Q:    Think about phone calls – mobile devices aren't protected. Should they be?

A:    (Rosenberg). Yes. Expectations are key. Determining what's protected changes people's expectations accordingly. No reason why cell phones should be different.

Mr. David Tilson (Conservative)

Q:    Can you provide a list of suggested recommendations of amendments to the provincial legislation?

A:     (Rosenberg) Yes.

Mr. Tom Wappel (Chair) (Liberal)

Q:    Does QC have order-making power? Why was it rejected by the government of the day when PIPEDA was being created?

A:    (Bennett) It was rejected because of consistency issues with the Privacy Act. If order-making power was in PIPEDA it would create work. There was a recognition (which I believed at the time) that ombudsman model was part of the culture of the OPC. It hasn't been a complete failure, but there are some clear disadvantages with respect to private sector issues, where it’s not just a dispute between an individual and an organization. There must be an order-making power. Issues for consideration are naming names, and appeal of orders – both must be carefully thought through. 

One Comment

  1. “GNU doc”
    This was a thoroughly fascinating read for me… To see the level of simple ignorance (and I’m not in any way suggesting stupidity) held by our policy makers. It makes me wish I could sit down in the room with them for a bit. Rosenberg and Bennett seem particularly enlightened, and it would be fun to chat with them over a few beer too.
    -A