The PIPEDA hearings continued on Monday with a robust debate on order making power, naming names, and the effect of contractual provisions on privacy protection. The Information Technology Association of Canada uniformly argued that PIPEDA works fine, changes are unnecessary and costly, and dismissed proposed provisions such as naming names or order making power. My colleague Ian Kerr focused on contractual issues, while the Canadian Bar Association supported order making power with the development of a new tribunal.
While I was not in attendance, the notes from the hearing suggest that this hearing would be better named "ITAC Attacks". In its zeal to dissuade the committee from recommending any changes, ITAC made several unsubstantiated claims including claims that most organizations approach the commissioner where security breaches occur, that there is a good level of privacy compliance in Canada, and that the U.S. is not less prone to privacy invasions than Canada (all offered without reference to any supporting study). It would be worth noting which companies comprise ITAC's membership and inquire directly whether they support the strongest assault yet on reforms that might improve Canada's privacy law framework.
The full notes of the day's event, from Kathleen Simmons, are posted below:
Information Technology Association of Canada
Bernard A. Courtois, President and Chief Executive Officer
ITAC is the national industry of information technology companies. They have a primary interest in privacy matters; the industry was one of the first proponents of privacy legislation since it was obvious we couldn’t take telecommunications regulations and transpose them to the internet economy. We were happy to see the OECD principles applied in a multiparty approach to form the CSA standards on which PIPEDA was based. We had a stake. The mixed model is both innovative and effective and is the most effective way of tackling issues. Most clients of our firms are small businesses who don’t have the means to continuously adapt to changes. We advocate the general approach, "if it ain’t really broke, don’t fix it".
Ariane Siegel, Lawyer
Canada has been ranked near the top of international privacy surveys. Contrary to the CIPPIC survey, there is a good level of compliance in Canada. PIPEDA has had a profound impact on international compliance with privacy laws, as we have US companies complying with Canadian regulations. ITAC’s general position is that it's too soon to make significant changes. We support cooperation with industry.
There are 5 main issues to discuss:
- Inherent flexibility. PIPEDA applies to all; both consumers and employees benefit from the flexible structure.
- Order making power. The existing ombud model is effective. Organizations would need more infrastructure to comply with changes – this is expensive. Changes will raise the stakes for businesses, and pit consumers against lawyers.
- Mandatory notification. ITAC opposes mandatory notification. In the case of a breach, no organization would want to take the risks associated with not telling people about it. It could result in notification fatigue for consumers. Refers to CIPPIC report and notes the US is not less prone to privacy invasions because they have order making power. ITAC would work on guidelines to address this issue, rather than see a change to the legislation.
- Naming names. ITAC supports the Commissioner's discretion. Having a mandatory response would not benefit consumers, and may even have negative consequences. Dispute resolution can create positive results.
- Transborder flows. Further restrictions could reduce Canada's global competitiveness. PIPEDA recognizes the need for safeguards. The common law of agency imposes sufficient obligations.
In conclusion, ITAC says the current provisions are sound and provide appropriate balance. It sets the tone for other jurisdictions, and it enables Canadian businesses to remain competitive. ITAC has engaged in education with its members and will continue to do so.
Ian Kerr, Canada Research Chair in Ethics, Law and Technology, University of Ottawa
There are significant problems that require reform. Increasingly, technologies that are used to collect information threaten our ability to control personal information. An even bigger threat than the new technologies, though, is the standard form contract, which legally enables implied consent, deemed consent, and opt-out forms of consent to justify behaviours. Standard form contracts prevent and preclude negotiation. They are regularly invoked to circumvent PIPEDA, as EULAs and click-wraps are used to justify overarching consent.
In my written submission, I make recommendations to fix problems for obtaining genuine consent. I will review several concrete examples in my oral submissions, but feel free to ask any questions pertaining to my recommendations during questions.
Second, relates to intellectual privacy. Lays out fact scenario from Sony rootkit case – private media use being tracked through technical device. Says law is unclear about how disputes over the contract could be resolved, because they probably garnered your consent legally.
The point is that legal manoeuvring is hugely problematic, and standard form contracts can undermine the nature and value of genuine consent. PIPEDA's attempt to balance is undermined if standard form contracts can gather too much info. We need tighter consent provisions.
I also lend my support to the addition of order making power; to remove doubt the Commissioner must name names; we must include mandatory security breach notification; and we must address outsourcing of information and the transborder flows, especially to the US.
Canadian Bar Association
Tamra L. Thomson, Director Legislation and Law Reform
We represent 370,000 jurists who advocate for the improvement of law and justice. Developments in this area led to the development of the Privacy and Access Law Section. The PALS brings together lawyers, academics and government to provide a balanced representation of interests on these issues. This submission is not our first foray into review of PIPEDA. We have provided recommendations in our paper, which is an executive summary of previous submissions to the Committee.
Brian Bowman, Chair National Privacy and Access Law Section
There are four key themes we'd like to address. 6 years of experience has demonstrated some deficiencies in the law and it is necessary and prudent to consider amendments at this time. Provincial legislation can be looked at to demonstrate differences/areas for improvement.
- Exemptions in PIPEDA are too narrow. This is evident in the disclosure provisions. There is inadequate coverage of procedures between parties. There should be a broad exemption. The Act should be amended in application to enforcement. Clarification is needed. There should be a single standard for collection, use and disclosure. Provisions of investigative bodies should be streamlined. Amendment is necessary to create exclusion of information necessary for investigation.
- The lack of order making power significantly affects clients. It takes a year to receive a finding, then you must hire counsel. There is no mechanism to compensate an individual's loss with respect to a complaint. This is a potential violation of the principles of fundamental justice. Combining the roles of investigator, reviewer and decider may put the Commissioner in a conflict of interest. We recommend an impartial tribunal with OMP and the ability to award damages. An effective enforcement mechanism is needed.
- Any requirements for notification of breach should be balanced. US and EU have measures to address this, but Canada doesn't except for the Ontario personal health information Act. We recommend a duty to notify where (a) there is no use of encryption or it has been damaged, or (b) the info is personal and sensitive.
- Transborder flows. We need appropriate precautionary requirements. The Commissioner's own submission to the BC Privacy Commissioner regarding the health info issue said that Canadian companies should notify consumers of any breaches. Section 17 of the Quebec Act addresses this – "take all reasonable care." Currently PIPEDA has no specific protections for information transferred outside Canada, and it should contain provisions for this. We've considered other measures – written agreements, similar measures to Quebec. Each involves notification and consent – we recommend amending PIPEDA to have notification or consent. Where personal information is to be stored, the Act should require compliance with Canadian law.
Our goal is to improve the legislation and we recommend a balanced approach.
Sukh Dhaliwal (Liberal)
Q: Prof. Kerr's message is scary.
A: (Kerr) Not all companies are scary. The point is that the threshold for consent is low. Not all goods and services circumvent, but they can. The Act must be amended to prevent this.
Q: Siegel, are you aware of any privacy breaches in the last four years?
A: (Siegel) I come across breaches quite often. The issue is, are they serious? And if yes, what can companies do about them? Most companies approach the Commissioner for advice. Most issues involve release of email addresses. With respect to consent, the Act has great detail with respect to "reasonable form of consent". Companies have different standards of consent for different levels of info. For example, secondary marketing doesn't require consent. The Commissioner has recognized this.
Q: Regarding Mr. Bowman's recommendations for amendments, is there anything you see there?
A: (Siegel) ITAC said that no amendments are necessary. The common law of agency covers these issues.
A: (Courtois) On the lack of OMP, adding a Tribunal is high cost to taxpayers. With respect to transborder data flows, BC tried to legislate it and it was a mess – the Commissioner ultimately issued guidelines. With respect to consent, it's about how the provisions are interpreted.
Carole Lavallée (Bloc)
Q: Is there something other than PIPEDA that protects offenders, companies who breach the law?
A: (Courtois) The law doesn't prevent disclosure; the Commissioner does it with discretion.
A: (Bowman) I'm not aware of anything that prohibits disclosure.
Q: The name of offenders is not made public under PIPEDA, is there any other legislation where names are not publicized?
A: (Bowman) I'm not aware of any.
Q: Spokespeople from Industry said the Act was under a constitutional challenge in Quebec. Can you speak to that?
A: (Bowman) I'm not in a position to speak about it. Our Section hasn't addressed it.
A: (Kerr) I also disclaim any expertise, but I can tell you that the issue is how the federal Act tries to achieve ends in both federal and provincial jurisdictions.
A: (Courtois) This hasn't been addressed by our organization.
Q: Regarding the comments from the CBA, the Commissioner spoke of difference in access to documents in investigations; documents that are subject to professional privacy investigations. Can you speak to that?
A: (Bowman) Specifically, I have no comment on the solicitor-client issue. I will put it to the committee.
A: (Kerr) I would be surprised if solicitor-client privilege operated differently in Privacy cases. It's not clear to me why the Privacy Commissioner should have this power.
A: (Courtois) We have not addressed this issue, but what Prof. Kerr has said is reasonable to us.
David Tilson (Conservative)
Q: On the solicitor-client issue, I would have thought this would excite you lawyers. What do you think?
A: (Siegel) I can't imagine why it would be different for the Privacy Commissioner.
Q: Regarding OMP, the issue must be debated. The difficulty is that the Commissioner said it's a case by case issue, but there is no way to compensate people for their losses, and what do we do about violations that we don't even know about? The commissioner has rarely imposed the rule of notifying the public. This is very important. If we're going to have teeth in this legislation, can we do it without OMP?
A: (Siegel) I can only speak from experience, but we need to separate OMP from the duty to notify. OMP is not what will enhance privacy protection. OMP is not something you'd want to see for privacy reasons. In mediations with the Commissioner, companies put complex business processes on the table. Should a Tribunal be in place to order new processes? Where very few would have that kind of knowledge?
Q: On the issue of compensating people for their losses, should clients rely only on tort law?
A: (Siegel) That's the case for everything else. When it's appropriate, they can go and talk to the Federal Court and seek damages. The Commissioner hasn't had any trouble convincing organizations to change their practices. The power to name names is an important one.
A: (Bowman) We have a balanced approach. Our recommendation is conditional on a Tribunal. OMP alone isn't enough.
Q: What about the non-appealable OMP?
A: (Bowman) We're trying to create a model where the Commissioner keeps her strengths, but a Tribunal with OMP exists. Naming names is a stick, indeed, but it's a small stick.
A: (Kerr) It's useful to note that only 9 of 1400 cases have been commented on by the Federal Court, none of them got damages; there were 2 cases where people had to bear the costs themselves. PIPEDA is a recognition that private law is inefficient. The real issue is what kind of teeth do you want the legislation to have.
Tom Wappel (Chair)
Reads from Commissioner's testimony on solicitor-client privilege. Would you have a problem with independent way of verifying if solicitor-client privilege exists? Panellists shake heads.
Jim Peterson (Liberal)
Q: Going to Federal Court is costly, time-consuming and intimidating. What about a Tribunal?
A: (Courtois) I am uneasy about Prof. Kerr's statistics, which seem to show there is no problem. I think PIPEDA doesn't require any changes.
A: (Kerr) I would like to go on record to say that statistics can be interpreted in many different ways.
A: (Bowman) The Commissioner is responsible for investigation, negotiation and judgment – this is a conflict of interest.
Q: What have you learned is the best law, looking at the 4 jurisdictions with privacy laws. Where is the lack of harmonization Mr. Bowman talked about?
A: (Bowman) I give preference to Alberta and BC, particularly the business transactions provisions. These laws set out express protection provisions. It is unclear how to view personal info on sale of business under PIPEDA.
Mike Wallace (Conservative)
Q: To ITAC, have your members had issues with OMP in BC?
A: (Courtois) We have no indication that OMP makes better privacy. The ombud model is working.
Q: Who are your members?
A: (Courtois) 70% large businesses, 30% small. 70% Canadian, 30% international. They include computers, technology, mobile, telecommunications, software, IT consulting, etc.
Q: Do they have high costs from the Act?
A: Yes, initially. But they don't begrudge it because their livelihood depends on it. Once you go through process of education, you are leery of changes that would require re-learning.
Q: To Prof Kerr, the issue with standard form contracts is consent, right? Do you want to say more on this?
A: (Kerr) I have thorough recommendations in my written submission.
Q: When is it my responsibility?
A: It is 100% your responsibility to read the contract. So long as sufficient notice is given, it is the role of the person. It's not just about knowing, reading and understanding though. When you only have one choice, it's an issue of relative bargaining power.
Q: Isn't that what's good about living here? That you can choose not to participate? When does the government get out of the way?
Some chaos following the question. Chair tells Kerr he doesn't have to respond if he doesn't want to.
A: (Kerr) I'll answer if you'll let me. When courts and governments ought to interfere – where the legislation has elevated standards of protection. Where courts will set aside contracts that violate public policy, where standard form contracts trap you in violation of PIPEDA, there should be protection.
Tom Wappel (Chair)
I think the Hilton Hotel's use of the term "universe" is clearly too broad. It should definitely be kept to the planet earth.
Q: I would like clarification from Prof. Kerr. You said the Commissioner had "powers" and you used the word "order". Were you speaking of her order powers?
A: (Kerr) No. My recommendation is for OMP. I didn't suggest that she has it now.
Q: The Commissioner is not in favour.
A: (Kerr) I heard the Commissioner say "at the moment" she doesn't want OMP, that it's not the right time. She's not opposed to it. I heard Loukidelis say OMP was "power of last resort" that doesn't mean it's not important – in fact, it's the most important. We should be careful to draw conclusions that timing makes it inappropriate. She takes the position that it's too soon as a manager.
Carole Lavallée (Bloc)
Q: Some of these consumer consent issues seem abusive. There are all kinds of forms we OK and agree to online. Consumers are not aware of the Act or of their rights, perhaps that's why there's no complaints. The lack of complaints doesn't help us understand – we learn by news reports of what's going on with the Commissioner. I relate this to the US Patriot Act, where consumers are notified of info abroad. How can they refuse?
A: (Kerr) I share your consumer protection concerns. I am surprised my recommendation is so extraordinary. I am merely suggesting that we should clarify the Act to ensure overbroad contracts are unenforceable.
A: (Bowman) The current consent model is ok. Being able to read standard form contracts is sufficient. But the reality is that Hilton Hotels and others like them exist – this is why we need stronger enforcement measures.
A: (Courtois) The current legislation doesn't provide for abuse of consent. There is no need for OMP, persuasion is sufficient.
Tom Wappel (Chair)
Clarifies the Commissioner's comments regarding OMP.
Dave Van Kesteren (Conservative)
Q: To Siegel or Courtois, what is the thinking behind these contracts?
Q: Prof Kerr, couldn't we enact a law that extends just to email?
A: It could be done, but it would go against the submissions of most witnesses before you, including the BC Commissioner. There is nothing special about email. My recommendations are simple.
Q: Prof Kerr, who cares if somebody knows what I'm listening to?
A: That question represents a fundamental misunderstanding of the privacy legislation. Bruce Phillips called it a necessary step to reverse abuses of personal info. If you understood how personal info is, and can be, used to database and put together the dots to create a profile of your life, you would know why we care. We're talking about intellectual products.
Jim Peterson (Liberal)
Q: Should there be an obligation to tell the Commissioner if you're not going to notify someone of a breach?
A: (Siegel) Many organizations do consult often with the Commissioner.
A: (Courtois) We have laws of reasonableness that work.
A: (Bowman) There are definite challenges of the duty to notify, like fatigue. If a duty is to be included, it should be a balanced approach. Bill 200 in Manitoba has a duty to notify – it uses language of a balanced approach that may be helpful to you. The reality is that some organizations choose not to comply.
Q: Prof Kerr, you mentioned turmoil in the Commissioner's office in previous years, do you wish to elaborate?
A: (Kerr) No. The media has sufficiently covered it.
David Tilson (Conservative)
Q: This is a question I ask all submissions – people are worried about ID theft, but most don't know anything about it. I have people in my riding, mostly SMEs, tell me they don't know anything about this. Do you have any recommendations regarding what to do to assist SMEs?
A: (Siegel) Changing the legislation won't help. We need investment in education, practical guidelines, working groups to establish precedents, and new technical investment to safeguard data.
A: (Courtois) SMEs need help to use technology. We must encourage investment in technology.
A: (Kerr) I agree. At the end of the day SMEs need help. Guidelines would work. The Office of the Privacy Commissioner is ramping up online tools, and has set up a contributions program. It's still early days. It's only fair to say that this Commissioner is committed to education and is doing a good job.
A: (Bowman) The Office of the Privacy Commissioner is doing a good job. Reality is that SMEs don't care or know. Overhauling it radically or leaving it as is are not solutions. People tune out and don't see any powers to make them comply. CBA changes are modest and will help SMEs. Alberta and BC are doing a good job.
Dave Van Kesteren (Conservative)
Q: I appreciate, Prof Kerr, what you've brought. I'm still concerned about our own obligations though.
A: (Kerr) I've never denied personal responsibility. In Rogers, the court took your position – that it's up to individuals to check for updated terms. If you assigned someone to cover all these contracts that you agree to in a month, you wouldn't get much help on anything else.
A: (Siegel) PIPEDA is not operating in a vacuum. The Ontario Act deals with issues from the Rogers case. Provinces have important say in how contracts are played out. This is why PIPEDA is flexible, we must leave room for constitutional manoeuvrability.
Jim Peterson (Liberal)
Q: Are there any horrors you know of that could've been avoided with OMP?
A: (Bowman) None.
A: (Kerr) I am speculating, but I would ask how an office with OMP would have dealt with a situation where Macleans magazine had Commissioner's phone records.
Tom Wappel (Chair)
Are people really blogging this? Laughter.