Last week I appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics as part of its review of PIPEDA, Canada’s private sector privacy law. The ETHI study is expected to last several months and may provide the foundation for potential reforms. My opening remarks are posted below:
Appearance before the House of Commons Standing Committee on Access to Information, Privacy & Ethics, March 21, 2017
Good afternoon. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. My areas of specialty include digital policy, intellectual property, and privacy. I served for many years on the Privacy Commissioner of Canada’s External Advisory Board and I have been privileged to appear before multiple committees on privacy issues, including appearances on PIPEDA, Bill S-4, Bill C-13, and this committee’s earlier reviews of social and media privacy and the Privacy Act.
I appear today in a personal capacity representing only my own views.
There is much I’d like to discuss: stronger enforcement through order making power, the example of Canadian anti-spam legislation as a model for tougher enforcement and consent standards, and the mounting concerns with how copyright rules may undermine privacy. Given limited time, however, I’d like to use my opening remarks to focus on three issues: privacy reform pressures, consent, and transparency.
1. Need for Reform
I had the honour of appearing before both the House and Senate committees on Bill S-4, which was ostensibly the effort to update PIPEDA by implementing recommendations first made in 2006. At the time, it was obvious that further changes were needed. In fact, the ongoing delays in implementing aspects of that bill – security breach notification for example – shows how painfully slow the process of updating Canada’s privacy laws has been.
I believe that there is now an increased urgency to address the issue. The committee has already heard about developments in Europe with the GDPR that could threaten Canada’s adequacy standing with European privacy officials. There is another international development that could have a significant impact on Canadian privacy law that bears attention: trade deals.
The upcoming NAFTA renegotiation seems likely to include U.S. demands that Canada refrain from establishing “data localization” rules that mandate retention of personal information on computer servers located in Canada. Data localization has become an increasingly popular policy measure as countries respond to concerns about U.S.-based surveillance and the subordination of privacy protections for non-U.S. citizens and residents under the Trump Administration.
In response to the mounting public concerns, leading technology companies such as Microsoft, Amazon, and Google have established or committed to establish Canadian-based computer server facilities that can offer localization of information. These moves follow on the federal government’s 2016 cloud computing strategy that prioritizes privacy and security concerns by mandating that certain data be stored in Canada. The Trans Pacific Partnership included restrictions on data localization requirements at the insistence of U.S. negotiators. Those provisions are likely to resurface during the NAFTA talks.
So too will limitations on data transfer restrictions, which mandate the free flow of information on networks across borders. Those rules are important to preserve online freedoms in countries that have a history of cracking down on Internet speech, but in the Canadian context, could restrict the ability to establish privacy safeguards. In fact, should the European Union mandate data transfer restrictions as many experts expect, Canada could find itself between a proverbial privacy rock and a hard place, with the EU requiring restrictions and NAFTA prohibiting them.
Privacy laws around the world may differ on certain issues, but all share a key principle: the collection, use and disclosure of personal information requires user consent. The challenge in a digital world where data is continuously collected and can be used in a myriad of previously unimaginable ways is how to ensure that the consent model still achieves the objective of giving the public effective control over their personal information.
Rather than weakening or abandoning consent models, Canadian law needs to upgrade its approach by making consent more effective in the digital environment. There is little doubt that the current model is still too reliant on opt-out policies in which businesses are entitled to presume that they can use their customers’ personal information unless they inform them otherwise. Moreover, cryptic privacy policies that leave the public confused about how their information may be collected or disclosed creates a notion of consent that is often based on fiction, not fact.
How to solve the shortcomings of the consent-based model? Four proposals:
First, Canada should implement opt-in consent as the default approach. At the moment, opt-in is only used where strictly required by law or for highly sensitive information such as health or financial data. The current system means that the majority of information is collected, used, and disclosed without informed consent.
Second, since informed consent depends upon the public understanding how their information will be collected, used, and disclosed, the rules associated with transparency must be improved. Confusing negative-option check boxes that leave the public unsure about how to exercise their privacy rights should be rejected as an appropriate form of consent.
Moreover, given the uncertainty associated with big data and cross-border transfers of information, new forms of transparency in privacy policies are needed. For example, algorithmic transparency would require search engines and social media companies to disclose how information is used to determine the content displayed to each user. Data transfer transparency would require companies to disclose where personal information is stored and when it may be transferred outside Canada.
Third, effective consent means giving users the ability to exercise their privacy choices. Most policies are offered on a “take it or leave it” basis with little room to customize how information is collected, used and disclosed. Real consent should also mean real choice.
Fourth, stronger enforcement powers are needed to address privacy violations. The rush to comply with the Canadian anti-spam law was driven by the inclusion of significant penalties for violation of the rules. Canadian privacy law is still premised on moral suasion or fears of public shaming, not tough enforcement backed by penalties. If privacy rules are to be taken seriously, there must be serious consequences when companies run afoul of the rules.
3. Transparency and Reporting
In recent years, the stunning revelations about requests and disclosures of personal information of Canadians – millions of requests, the majority without court oversight or warrant – points to an enormously troubling weakness in Canada’s privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they occur.
Recent emphasis has been on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports and they have been joined by some of Canada’s leading communications companies such as Rogers and Telus.
Despite the availability of a transparency reporting standard approved by the government and Privacy Commissioner, there are still some holdouts. The problem lies with the non-binding approach to transparency disclosures. After an industry-wide meeting organized by the privacy commissioner held in April 2015, Rogers noted that “it was indicated at this meeting that any guidelines adopted would fall short of regulation, but would regarded as more substantive than voluntary guidelines.” Yet if the non-regulatory approach does not work, it falls to either the federal privacy commissioner or the government to take action.
The most notable company to refrain from meeting these transparency standards is Bell, Canada’s largest telecommunications company. While Bell initially claimed that it was waiting for a standard from the Privacy Commissioner, it has still not met those standards. Simply put, millions of Canadians still do not know when, under what circumstances, and with what frequency Bell discloses subscriber information.
This, in my view, is unacceptable. If the current law does not mandate such disclosures, there is a problem with the law. A reform requiring disclosure with real penalties for failure to do so is needed.
Scarcely a day goes by without some media coverage of a privacy-related issue. The public is concerned with their privacy and the business community recognizes the value of personal information. It is time for the law to catch up. I look forward to your questions.