The Privacy Commissioner of Canada appeared before the committee on Monday in what is likely to be the first of two appearances (she indicated she would return at the end of the hearings). While the Commissioner asked for security breach disclosure legislation and identified cross-border data transfers as a concern, the big story of the day is that she effectively killed the prospect of order-making power. A shift toward order-making power was raised in both prior hearings and is likely to surface again when several privacy advocates appear before the committee. My guess is that the issue is now dead – the Commissioner opened by stating that she was not seeking any additional enforcement powers.
The move took committee members by surprise – several asked for clarification or reasons behind the decision. The Commissioner indicated that order-making power raised other concerns and that it was premature to change the PIPEDA framework. With order-making power likely finished (the committee is not going to add order-making power if the Commissioner and the Industry Minister don't want it), the key remaining issues to look out for are security breach disclosure, cross-border transfers, the costs of PIPEDA to small business (a big concern for the Conservative members of the committee), and questions around the definition of "work product."
A full review of the day's events, thanks to Kathi Simmons, follows.
PIPEDA is the foundation for protection in Canada; more important than ever as technology has far surpassed where it was when the legislation was created. Transborder flow of information is now a "flood", RFIDs threaten privacy. We want to help ensure the Act is capable of dealing with challenges.
We did a consultation paper, and had over 60 submissions; 12 issues were identified as important. There is general agreement about the issues, but not how to address them. The Act is generally working well. Must strike a balance between keeping personal information private and allowing legitimate collection of information for business purposes.
Several important issues that affect a large number of Canadians:
- Privacy law must be administered in a stable context; I'm not asking for enhanced enforcement powers
- Some of our most difficult complaints have been related to employer's use of info; the Act is based on consent; we must find an appropriate way to deal with employee information
- Work product – this is done on a case by case approach; ask if the information is about the individual, if yes it's protected; if no, it's not; removing this case by case procedure could result in abuses
- Transborder flows of information – with the explosion of offshore processing and the emphasis on national security, the cross border flows are increasing. We must provide guidance and require companies to be open about their practices. The Act must address these challenges.
- To deal with other jurisdiction complaints, I ask you to consider a provision to make clear the authority we have to share info with our foreign counterparts.
- Unauthorized disclosure – we need breach notification laws; they would act as an early warning system. I look forward to discussing the possibility of notification requirements within the foundation of the Act
- Solicitor-client privilege – recent case from Federal Court (Bloodtribe) left a "gaping hole" in powers of investigation. We're seeking leave to appeal, but we request an amendment to the Act as soon as possible.
Overall, there is a high level of compliance with the Act; the business community is committed to protection. It can be improved, however, as there are gaps in the Act and between the provinces which could be clearer. I will come back at the end of the hearings to comment further.
Mr. Jim Peterson (Liberal)
Q: How can we get around Bloodtribe?
A: There is a provision in the Privacy Act; we need to clarify PIPEDA.
Q: Would there be objections to such an amendment?
Q: Have you heard objections to it before?
A: We haven't floated the idea yet.
Q: Can you give examples of how it would hamper privacy specifically?
A: There is a real possibility that organizations could take an expansive view of solicitor/client privilege relationship and shelter documents from us
Q: How many complaints have you had?
A: Overall, 1400 over 5 years. We’ve had 56,000 inquiries.
Q: What is the number 1 type of complaint?
A: The three main types are (1) use and disclosure, 38% (2) collection, 23% and (3) access to own information, 18%
Q: How many court cases have you had?
A: 50 cases since 1st stages; 12 active cases right now.
Q: How long until final determination?
A: Not really measured. On average, cases are disposed of in less than a year, 11 months. It depends on the case.
Q: You don't want the order making power? You’re happy using the courts?
A: This is not the time to make major changes in the framework of PIPEDA. It was used in less than ideal circumstances at the beginning. There has been no serious study of the different models. We have many powers now, and the use of the Federal Court is an important power.
Q: Even though it's slow, cumbersome and costly?
A: There is no evidence that it's worse than tribunals. That depends on many factors. There are no excessive delays in the Federal Court, and most cases are settled out of court. When we've "turned up the heat" by threatening Federal Court, all but one case has complied.
Ms. Carole Lavallee (Bloc)
Q: You say there are increasing transborder flows of information. Is there nothing in the Act to address it and correct it?
A: Because of global flows of information that's worse than it was in 1998, there is no clear directive in Act to deal with counterparts in a clear manner. A change I'd like to see is the Act to clearly tell me how to deal with my EU counterparts with respect to personal info.
Q: You want to negotiate with them?
A: Yes, on general areas of interest. I don't want to provide personal information to other countries; we want clarification.
Q: Are you saying you should be able to deal with your counterparts to work jointly?
A: Yes. I want to transfer files. I want more specifics.
Q: I thought you wanted ways to better protect the info?
A: Sure. It's another one of our concerns. It is possible to have general guidelines in the Act (as with Treasury Board for the private sector). There is a principle of accountability in the Act. We must get companies who are sending info abroad to abide by Canadian standards.
Q: Are you talking about additional guidelines? Bill C2?
A: No. Principle number 4 in the CSA code that the Act was based on.
Q: Thank you. Also, can you talk about the disclosure of private info – the breach notification requirements?
A: It's not spelled out clearly how to deal with breaches; how to apply the principles is the problem. We’ve turned to a US model. We need government lawyers to study it more.
Chair: Can you send the exact section of the Privacy Act that you were referring to?
Mr. Pat Martin (NDP)
Q: Do you want mandatory notification of disclosure of personal information?
A: Yes. It's an important problem. We suggest PIPEDA address it. Exact wording is a challenge though. We’ve looked at US models
Q: Should it be graded on seriousness of breach? Referred to credit company breaches.
A: You’d want "significant" element so you're not having to notify millions of people when the breach is insignificant and quickly rectified. It's not clear exactly what is the link between breach notification and ID theft. I could talk to this when I come back.
A: (Assistant Commissioner) This is an interesting question. It's in the interest of credit card companies to track it and they do.
Q: I know Manitoba contracted out their health data to a private firm and now my personal information is in Dallas. On the issue of cross border flow, are there enough measures to give confidence that our info isn't being sold?
A: There are many things that can be done. Provinces can issue guidelines with scale of sensitivity for the public sector. Recall the responsibility principle I mentioned earlier. We need to encourage organizations to bind the companies they export to with strict contract clauses, and check/audit and hold them responsible for damages.
A: (Assistant Commissioner) We investigated the CIBC VISA complaint; they had done what they could do.
Mr. David Tilson (Conservative)
Q: On the personal information definition, should it exclude work product info? You say it's a case by case basis. Should there be a change in the definition?
A: No. Leave PIPEDA as is. We currently have a flexible definition. In some decisions we've dealt with it and sometimes it's not covered by the Act. If we go do a definition it will hamper our attempts to limit workplace surveillance.
Q: I ask because it was before the Federal Court – does it give the Commission too much discretion? Should the public require more certainty?
A: To my recollection, that case was discontinued. That's for the committee.
Q: When you come back you can tell us more. On solicitor client privilege, and I'm not familiar with the case mentioned, are you saying the Commissioner should go beyond?
A: Yes. We do in the Privacy Act.
Q: Are you saying you should have the right to docs anyway?
Q: There are very few situations that go beyond solicitor-client privilege.
A: The first level of court agreed with us, and we want to go to the third.
Q: You mentioned you had 12 issues. Will you deliver those to the committee?
A: You already have it.
Q: Is PIPEDA doing enough to facilitate small businesses?
A: Most complaints are against big business. The provincial laws often apply to small businesses. We consulted with them. We're currently working on an interactive tool for small businesses without the money to invest in compliance.
Q: Can the legislation be changed to assist?
A: The burdens of compliance fall hardest on small businesses. We may not be doing enough.
Q: (Chair) Regarding solicitor-client privilege, I'd like a clarification please. Do you want access to docs to determine if there is privilege, or do you want access to docs even if there is privilege? Which is your position?
A: Both. We need to determine if there is solicitor-client privilege.
A: (Assistant Commissioner) In Bloodtribe, the woman wanted access to docs held by her employer that were being withheld from her on the basis of solicitor-client privilege. We must be able to look at those docs to confirm that it exists.
Ms. Marlene Jennings (Liberal)
Q: There are three issues for me. First, notification of breach. You have no way to penalize. Are you seeking authority to compel notification? To penalize companies who do not? Doesn't this accord better with order making power? Second, work product. There is a compelling need to ensure processes are well founded before a complaint is made. Do you think distinction between personal information and work product is a good idea? And third, on the ombudsman model. You currently have no executory powers. Can you explain/reflect on using other models?
A: Regarding the model, we forget that the office of the Privacy Commissioner has lots of powers. The Federal Court can order damages, which none of the provinces can. I'll provide the other answers in written form.
Mr. Mike Wallace (Conservative)
Q: Organizations like the BC definition of work product. Can you comment?
A: The BC definition is well received in BC. From point of view of protection of privacy, any definition may have the effect of narrowing protections for personal info. Other provincial jurisdictions have a consultation step. This is an interesting idea.
Q: What is the average cost for small businesses? Do you care?
A: Yes. I care that the law be as easy to apply as possible because privacy is a fundamental value and because Parliament enacted this law for Canadians to follow. In 2000, Parliament chose the right system.
A: (Assistant Commissioner) The law is based on the CSA code, it's a management standard. It's quite easy to apply and it works for everybody. We could do better with education.
Q: Is budget addition for education?
A: Yes. It will be available to the public this winter.
Mr. Jean-Yves LaForest (Bloc)
Q: You said it's possible to improve the Act. Several witnesses have said that you have no power to make orders and that complicated the process for them post-investigation. You don’t want additional powers – why?
A: It's timely. The Act was not implemented as it should be until April 1 of this year when we got a budget consistent with our mandate. We have excellent staff. I have investigation powers. The news is reporting that companies are contesting this power. It becomes binding in a court ruling. The point of the Act is to get compliance. If you look closely at our record you will see a high level of compliance. What we do is no less efficient than the legal process of an administrative tribunal. I ran that in Quebec, "I know what I’m talking about."
Q: You don't want any new powers now. You're saying we choose on time.
A: Give me more time.
Mr. Dave Van Kesteren (Conservative)
Q: I was in a small business prior to this, and it struck terror in our hearts when this law came down. Do you not use a heavy hand unless there is cause?
A: The law is flexible. We investigate complaints. We don't do nothing – we are ready to go to court to uphold our ruling.
Q: Someone must initiate a complaint, right? As you move forward, thinking of small business owners, if we could tell them what not to do, is that possible for you to do?
A: Yes. You’re completely right. On January 1/04 there were some amazing misinterpretations of PIPEDA. We have identified small businesses as an important target for education.
Q: Do you have field inspectors to ensure compliance?
A: No. We have auditors, who can only act on reasonable grounds.
Q: Biggest concern – corporate takeover, cross border transfer of information?
A: It has to do with being able to share information
Q: Any info?
A: It is an area of concern. We require those companies to hold those to whom they are sending it to Canadian rules. We have jurisdiction over Cdn companies with a "real and substantial link". The companies here are responsible for how they send info.
Mr. Pat Martin (NDP)
Q: We have a letter from the ADM of Industry, saying that the UK ranked us as tied with Germany for the number one privacy protection system in the world. I'm horrified by new threats, like RFIDs and the idea that I could be tracked by the underwear I’m wearing. Can you speak to that? Is there any funded research from OPC?
A: (Assistant Commissioner) No details here. We funded a university study (Dalhousie and computer engineering dept). It's completed, we’ll send you a copy. There is a fair amount of fear about RFIDs, but there is a limited use of them. We see people willing to sacrifice privacy for convenience and security. We’re working on RFID guidelines to be posted this winter. There's some info in the Ontario privacy commissioner's website.
Q: Can you explain RFID?
A: There are both active and passive types. In books at Chapters there’s often a small square piece – that contains an RFID. They're used at the airport in Hong Kong to track luggage. They’re used at the wholesale level to track shipments.
Mr. Sukh Dhaliwal (Liberal)
Q: On work product, can you explain the difference between a work product and personal information in medical records?
A: Personal info in medical records is the contents of my file, my test results, etc. Prescribing patterns of doctors would be work product.
Q: Is there a difficulty in incorporating that into PIPEDA?
A: It's easier to define it in a specific context, as there are a "mere handful" of cases that deal with this issue. One area of active concern is in workplace surveillance, which is increasing. We could put a definition in the Act, but it may indirectly provide less protection for workers with new technologies.
Q: (Chair) I have difficulty linking how surveillance is connected to work product.
Q: Most info is used for R & D purposes, would you still call it personal info?
A: At time info is generated is when it's qualified. May be anonymized after. We’ll come up with an example and send it to you.
Q: (Chair) Are you bound by old rulings? Do they bind the Federal Court?
A: Ombud conclusions are not binding on Federal Court. It's a good idea to provide predictability.
Q: Could you overrule it?
A: Yes, technically.
Mr. David Tilson (Conservative)
Q: Transfer file to another jurisdiction – could you transfer it to EU or US?
A: Not as Commissioner, not under the current regime. Not clear in law that it can't transfer a file. I should be able to if the circumstance warrants it.
Q: Do you have a definition for these circumstances?
A: I don't do it now. There may be circumstances where it would be useful to be able to transfer a file to another jurisdiction for "complete and satisfactory resolution." To really get some redress it would be helpful to share. Where I can't act in other jurisdictions, it would be good if someone else could pursue it. Mentions Safe Web Act in the US.
Chair: Are you asking for a specific power to make it clear we have authority to share personal info with international counterparts?
A: Yes, where it's in the interests of Canadians.
Ms. Marlene Jennings (Liberal)
Q: On the issue of aggregated prescribing info – can we create a carve out for a medical exemption? Do you think it's possible to clearly carve this out without weakening the protection of personal info?
A: If specific type of work product info, it could be carved out "possibly"
Q: Could you propose an actual carve out?
Q: On using the CSA standard as a model – there are issues of consent. There have been studies showing companies imply consent and this is not clear to consumers. Some want to tighten it to get rid of implied consent. Do you agree?
A: Consent is at the heart of the Act. Problem is with definitional basis for contexts where you give consent. We have provided guidance and suggested level of consent required. It's not an issue for the law to be tightened, but for compliance work. We've said clearly when consumers say no you can't batter them.
A: (Assistant Commissioner) Code says you can object to use/disclosure of info not required to provide the service. When it goes beyond that, it's problematic. It’s already covered in the law; it’s a question of education now.
Ms. Lynne Yelich (Conservative)
Q: How much authority do you have – you said it depends on the case. On the issue of 56,000 inquiries, what do you do? Are car dealers overreacting with requirements of databasing?
A: Maybe they're overreacting. We don’t have a breakdown. Most of our complaints are against financial institutions. Most people have 4-5 accounts per person. Other issues are against insurance companies, transportation (airlines), telecommunications (cable, phone)
Q: Is there a reverse onus burden of proof? Can I take company to court if I signed something?
A: Yes. (Assistant Commissioner) You have a right to withdraw consent. Organizations don't listen often, but you can. If they don’t listen, you complain.
Chair: On the role of education, Mr. Rosenberg last week made a startling statement (reads quote from Rosenberg that says barely anyone knows about PIPEDA). Can you respond to that?
A: We have received an increase in budget to make us able to meet public education challenge. Rosenberg is right, but we're taking steps to correct it.
Q: On your consultation process, how much of it is from the private sector?
A: We got 63 submissions; 42 of them are from a group that includes law firms, universities, industries, professional associations, etc. A good 50% or more were from the private sector.
Chair: Since you were the former privacy commissioner of Quebec, where you had order making power, why don't you want it now?
A: I'm not saying order making power is never good. At this time, Parliament would be wise to go on as is rather than completely redraw the legislation. My experience is that tribunals have their own challenges (they are expensive, long drawn out processes if you get judicial review). Before order making power is seen as the panacea, we need to look at tribunals and elements of efficiency. The ability for us to go to Federal Court is an advantage.
Mr. Jim Peterson (Liberal)
Q: Are they hampered by order making power?
A: No. If the law is set up that way, it works well there. Another thing to take into consideration is that the law hasn't been fully applied yet. The ombud model was chosen for a reason – it's the model for the Info Commissioner, for the Languages Commissioner – it's a unique federal model that was available.
Q: Have you ever had a case where you couldn't get results that you wanted in a timely manner?
A: Not for the last 1.5 years, since we've been threatening Federal Court. The issue is how fast we can push through our investigations. Most cases are settled though.
Mr. David Tilson (Conservative)
Q: Are there other areas from experience as QC Commissioner that could be used here?
A: I'd have to go back. Laws are similar. Quebec has the disadvantage of being the first. Things are clearer in PIPEDA.
Chair: You are in a unique position. If something comes to you, bring it next time.