Wednesday's PIPEDA hearing featured B.C. Privacy Commissioner David Loukidelis and University of Ottawa professor Val Steeves. Commissioner Loukidelis went even further than the federal privacy commissioner in downplaying significant change. Loukidelis downplayed his order-making power (a last resort), security breach notification (more evidence on impact needed), and even the concerns associated with cross-border transfers to the U.S. (can always pick a different private sector company). Professor Steeves highlighted the privacy challenges posed by new technologies and offered some specific reform recommendations. Natalie Senst was in attendance on Wednesday afternoon, and she filed the following report:
- Amend 4.3.2 – companies must tell people what they are doing before they obtain consent (look to Alta/BC)
- Clean up loopholes: there needs to be a specific definition of express/implied opt out
- Require specific definitions of purposes for collection of information: who is the 'reasonable person'? The corporation or the individual consumer?
- Amend 5(3): Collect information for purposes a 'reasonable consumer' would consider appropriate in the circumstances
- Revisit 4.3.3: this is a refusal to deal provision – but it must be clarified that a company can only refuse to deal if information necessary for the transaction is not provided
- What about when business imperatives conflict with privacy? Section 3 must be amended: the primary goal of PIPEDA is to protect Canadians.
There is substantially similar (personal information protection) legislation across the provinces and federally: they are similar to OECD guidelines and APEC 2004 guidelines. In BC: challenges of having different laws are either misplaced or exaggerated – there is generic legislation that applies broadly, to for profit and not for profit, and is subject to fair information practices internationally. Key issues include:
- BC PIPA's definition of "work product information" (WPI) excludes WPI from protection. This is a carve out of personal information which is not so personal to an individual (some similarity in federal PIPEDA). The purpose of this carve out is so that ex-employees cannot go back & request all information they created. WPI is information produced in relation to one’s employment. Issue: precision of expression in legislation? There is ample room to interpret in a way to ensure appropriate work place monitoring.
- In regards to employee personal information (EPI): this is consent-based, but in BC consent is not needed for the collection/use of this information. The definition of EPI is limited to information collected solely for the management of employer purposes (related to actual work relationship). Issue: The consent-route is problematic (ie. employee suspected of defrauding will not consent to be tracked)
- Business transactions in BC & Alberta: in regards to the prospective sale of businesses – companies share information back & forth to decide whether to proceed with a transaction. In BC: after-the-fact notification to customer of a change of control of ownership is legitimate so long as due diligence is shown in the leadup & aftermath. There is no need for consent each time a business changes hands.
Mr. Sukh Dhaliwal (Liberal)
Q: In a knowledge based economy where information flows so fast, there are different perspectives in what is "privacy infringement" – so how far do we go in legislating?
A: (VS) Language is quite vague – if all transactions are within broad corporate surveillance, we need to give consumers the choice whether to disclose information. Consumers need to know the consequences of disclosing their information and then be allowed to choose to disclose that information. Tightening consent provisions will go a long way. Industry Canada's report on identity theft found that identity fraud occurs where employees steal information and give it to the fraudster. The set up of the Act (PIPEDA) has provisions that are too loose. There is need for the commissioner to play a strong role ensuring that enough information is available to individuals to make choices to disclose their information.
A: (DL) In BC, technological neutrality is supported so that legislation can grow as technologies change.
Q: Given the collection of credit card and driver's license information as a norm currently, will this evolve into something else requested in the future? What about privacy legislation in general?
A: (VS) Privacy/access laws are democratic impulses to hold one's state accountable. Now, the current concern is that information captured initially for commercial purposes becomes available for other uses by the state, making it more important to protect commercial privacy because it doesn't just stay in the commercial realm (consider the use of commercial profiles by police in driving infractions in the US). The flow of information into the public sector makes the individual transparent to the state.
Ms. Carole Lavallee (Bloc)
Q: This all sounds like science fiction – especially a camera that watches your eye movements (is it possible?) – is this economically of interest? Are there cost barriers to implementing such new technologies? How far should we go in passing laws regarding this? Regarding RFID technologies and internet cookies – should these be forbidden or prohibited? In regards to websites for children with marketing – in Quebec surveying kids is forbidden – what about other provinces? What do polling companies do with the information they collect? Why not prohibit surveys altogether? I missed one of the recommendations VS made. One recommendation of note is: the protection of private information as a fundamental right.
A: (VS) I will provide my recommendations in writing. Quebec has legislation prohibiting marketing to kids – other provinces only have voluntary codes in place. Note that the most popular site with Quebec girls is doyoulookgood.com (which requires a profile: includes girls from age 13) – there is a need for a critical look at how advertising is defined.
Regarding cookies – this isn't technology sensitive/specific. The issue is that to collect consumer information (a) let me know what I am consenting to, and (b) let me decide to consent (this goes back to how consent is obtained – we must put the consumer in the driver seat). There is no need to prohibit cookies to do this. The issue is: who gets to decide/define what the purpose for information collection is?
Concerning the Internet: text messages on cell phones that are junk messages for which the consumer pays to receive – it is not known who sends this message (ie – who has my information)
A: (DL) Cookies – in the BC context – need to be dealt with by applying general principles (one's internet browser & 3rd party software allow sufficient consumer control of dissemination of one's info in a specific technological sense). In regards to children, the US Congress has children's privacy protection, but there is no such legislation in Canada. There is hope that BC can ensure general principles are adhered to in regards to children as well.
Mr. David Tilson (Conservative)
Q: DL’s work product information (WPI) is appreciated. The Privacy Commissioner has stated that the National Commission determines this on a case by case basis and didn't say we should have a definition.
A: (DL) BC's PIPA has a definition of WPI that is directed by a case by case application of the definition (even without the WPI definition, one could fall back on "personal information" and interpret that).
Q: As a business transaction issue – how much should a state interfere? (most business sales have non-competition/non-disclosure clauses as a routine) – can people not choose not to have those?
A: (DL) In BC business transactions are aided by relief of obligation to go back to individual consumers to get consent (this facilitates change of control of assets). BC's PIPA says the consent of the individual is needed to disclose their personal information.
Q: In regards to surveys, we have to take control of our own actions (train kids not to give info out) – we know there are prices for spreading our information, so can the state go too far in interfering in people's lives?
A: (VS) Legislation is set up to use consent as mechanism to make choices (people don’t realize they are giving out their information). This emphasizes the importance of education and public discussion – but these practices are imbedded in social environments (our law says: if you want to disclose personal information, you must ask)
Q: What should be the penalty for violations of information disclosure rules?
A: (VS) PIPEDA says the Commissioner can order one to stop doing the practice.
Mr. Robert Thibault (Liberal)
Q: A technologically neutral approach is understandable (impossible to control) – but eventually we will have to consider technological specificity (consent mechanisms may not be there): what about health care? Giving one's SIN at the pharmacy, disclosing all medical history – for the improvement of our health service? How should we draft legislation that allows for public interest, but avoids commercial exploitation?
A: (DL) Health (e-)records/health privacy: there must be a balance between public interest in research and private interest in health information (BC's issues include: how do we have technological tools to ensure most sensitive information is directed only to those who need to know)
A: (VS) PIPEDA recognizes that health information has incredible value in the marketplace (profiling of doctors to sell product – ie their patients' info) – but, when health information gets outside Dr-patient confidentiality, people stop going to the doctor. As Lavallee said, privacy is how we negotiate the relation between ourselves & others (consider unintended consequences) – the capture of health info in PIPEDA underlies that this is a commodity.
Mr. Ronald Stanton (Conservative)
Q: Regarding remedy/response provided by PIPEDA – BC allows the making of orders/forcing of compliance – what is the degree to which an ombudsman model compares?
A: (DL) – FIPPA (BC) has order-making power (& PIPA too since 2004), but this is a last resort tool. This is not the tool of first choice of the office (access to information appeals are referred to mediation first and up to 90% of cases are resolved this way). Other tools include referral to HR processes, chambers of commerce, and education/supportive resources.
Q: The use of the Federal Court is the minority. Should we be looking more closely at a departure from the ombudsman model?
A: (DL) The situation worked in BC given the nature of the organizations in the public sector (small and medium sized companies). Other tools are also available (with recourse to Federal)
Mr. Jean-Yves Laforest (Bloc)
Q: In BC you have the power to order complaints, doesn’t this decrease the number of complaints?
A: (DL) It is difficult to control for having power or not (ability to order might encourage complainants to come forward) – organizations, once aware of obligations, will follow them. Generally good compliance of federally regulated organizations.
Ms. Carole Lavallee (Bloc)
Q: Fundamental rights take precedence?
A: (VS) Privacy is a fundamental human right. Canada is a signatory to international documents (also, see the Canadian charter). This still needs balancing against other competing interests – if privacy balances against PIPEDA, we avoid balancing against commercial rights. Data-protection legislation will only get us where we want if there is an overarching umbrella realization of privacy as fundamental.
Mr. Mike Wallace (Conservative)
Q: If there is a breach (ie credit card error), does the credit card company have to notify customers?
A: (DL) – No, this requirement to notify of breach of security is only required in Ontario’s Health Protection Act. In BC, there is no support for a specific requirement. You need evidence that mandatory notification is an effective (cost) way of reducing identity theft. A better option is to work with organizations & issue guidance regarding risk assessment as to whether notification is prudent.
Q: Provincial (and Federal in absence of Provincial) jurisdiction regarding a national business: is there really no cost to a business if it has to follow different regulations?
A: (DL) Similarities among laws across Canada far outweigh the differences regarding personal information protections. There are some nuances, but they are not so onerous.
Q: Please discuss basic employment information – is salary information included?
A: (DL) An organization can in principle disclose salary only to maintain an employment relationship (where reasonable). Regarding aggregated payroll – this is not personal information. In regards to BC's PIPA special rules for enrolling someone as a beneficiary, there is also no requirement of consent.
Mr. Tom Wappel (Chair) (Liberal)
Q: What about the BC review initially intended to occur by next month? What major issues under your act are relevant to this review?
A: The committee review that s. 59 contemplated has not been struck (but DL can provide information regarding submissions).
Mr. Sukh Dhaliwal (Liberal)
Q: Regarding information to pharmaceutical companies – industry needs to know consumer needs – what about work product?
A: (DL) The prescribing patterns of physicians information is on its face WPI in BC.
Mr. Tom Wappel (Chair) (Liberal)
Q: What is the impact of "work product information"?
A: (VS) General Practitioners (doctors) have serious concerns to consider regarding the capture of information (can be de-identified, but not truly anonymized). The impact on the relation between the primary healthcare giver & a patient is changed.
Mr. David Van Kesteren (Conservative)
Q: Are we in a new era – do we need thou shalt not rules? Small businesses are scared by laws?
A: (VS) PIPEDA is a result of negotiation between consumer groups & private sector – PIPEDA has rules that can work – now we just need to tighten them for effects we want. Compliance for small businesses seems to be a barrier b/c the education module has not been rolled out yet (give the education mandate an opportunity to get out there).
Q: So is this just an evolutionary process (regarding technology)?
A: (VS) Legislators will find that everything will tickle a privacy question (sensitivity to privacy as a social value) – privacy issues exist in more than just this piece of legislation. Regarding Lavallee's comment – recognizing privacy as democratic value will help to get the legislation mix right (which applies to e-commerce)
Mr. Tom Wappel (Chair) (Liberal)
Q: DL, can you outline BC's reasons to amend Privacy Act regarding authorization of personal information to the US (Patriot Act)?
A: (DL) In regards to the outsourcing of public services (ie – the Provincial health insurance plan): legislation amended FIPPA to say foreign entities couldn't reach so far into Canada, but there have been no such amendments to PIPA. In regards to the private sector – people can take business elsewhere if they are unhappy.