In 2008, I appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics to discuss the Privacy Act.
Appearance Before the Standing Committee on Access to Information, Privacy and Ethics, May 15, 2008
My name is Michael Geist. As you heard, I’m a law professor at the University of Ottawa, where I hold the Canada Research Chair on Internet and E-Commerce Law. I’m also a syndicated columnist on law and technology issues for a number of papers, including the Toronto Star, Ottawa Citizen, and The Vancouver Sun. I served on the national task force on spam that was struck by the Minister of Industry in 2004. And like the prior witness, I currently sit on the Privacy Commissioner of Canada’s expert advisory board. I am the editor of theCanadian Privacy Law Review , and last month I launched a website called iOptOut.ca, which has already been used by tens of thousands of Canadians to opt out of unwanted telemarketing.
I speak today in my own capacity or on my own behalf. I should note that my primary expertise is in technology and Internet law. For the most part, my focus on privacy has been on the private sector side, on PIPEDA and its effectiveness in light of a globalized Internet and emerging technologies. But I must say that since my appointment to the Privacy Commissioner’s advisory board, both the importance and inadequacy of the Privacy Act have become glaringly clear. Those limitations have been a constant source of discussion, certainly among the commissioners and many of the task force’s members.
As you may know, I’m very active in researching and speaking out on copyright-related matters. Last night I appeared before the parliamentary IP caucus, where we debated in part whether or not the Copyright Act was as outdated as some critics would claim. While a copyright bill appears imminent, it’s noteworthy that since the release of the very first set of recommendations on reforming the Privacy Act in 1987, Canadian governments have passed two major bills reforming the Copyright Act, and multiple smaller bills. So if the Copyright Act is out of date, I think the Privacy Act is positively ancient by comparison.
In deference to the notion of drilling down, I want to focus on five primary areas of concern, and I’ll pick up on the recommendations made by the Privacy Commissioner that I found to be most compelling.
First is the issue of education and the ability of the commissioner to respond. I think that part of the failure to engage in meaningful Privacy Act reform may be attributable to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important and, I have to say, increasingly innovative role in trying to raise awareness and educate the public about PIPEDA and broader privacy concerns. I think the Privacy Act deserves no less, in terms of the kind of educational role that we could have. Moreover, the notion of limiting reporting to an annual report I think clearly reflects a bygone era. We’re in a 24-hour news cycle, and any restrictions on the ability to disseminate information, particularly information that might touch on the privacy of millions of Canadians, such that it remains out of the public eye until an annual report can be tabled, need to be reformed so there’s power to disclose the information in a timely manner.
I’ll also focus on the issue of strengthening protections. As this committee has already heard, I think there are few, if any, privacy experts out there who would argue that the current Privacy Act meets the standards of a modern privacy act. At a time when I think the government is expected to be a model role player in this, it is instead finding itself doing far less than the private sector.
You’ve heard of several areas for reform. I’ll focus on just a couple. One is the issue of the limiting collection principle—this “necessity” provision that has been talked about. I think it’s a hallmark of private sector privacy law. Government should similarly be subject to collecting only that information that’s strictly necessary for its programs and activities. I think that could play a role in a range of issues–identity theft, for example, which has taken on a growing importance and a growing amount of concern within our communities. It’s an issue where, if we limited the amount of information collected and disseminated, we could have a positive impact.
I’d also argue that Federal Court reform, which has been raised, is something that ought to be considered, broadening it to include complaints beyond refusal to provide information, and the power to award damages, which all weigh into the issue of order-making power here as well.
I believe that the commissioner ought to have order-making power. It may be that she currently feels that’s not necessary. My position on PIPEDA reform is that the commissioner needs order-making power. It’s my position in some ways to be consistent, and I think that order-making power is appropriate here as well—even if, at the moment, the Privacy Commissioner doesn’t feel that power is necessary. I think it would be helpful.
The third issue is that around third-party disclosures. In this current globalized “flat world,” the Friedman term, data, as we all know, moves easily between jurisdictions. Governments at both the federal and provincial level will be, and are, increasingly outsourcing data for efficiency purposes and other means.
Our privacy law needs to keep pace. An accountability principle is essential that makes clear that with the collection of that data by government, the government then remains accountable, regardless of where that data may flow.
Moreover, I would agree with those who have recommended a formalized approach to transborder information sharing agreements. That is needed. While some of those agreements may already be in place on an informal basis, I think an approach similar to what we see in the European Union, with an adequacy standard, and making that more formalized, would be valuable.
The fourth issue, and one that has been raised, I believe, by this committee in the past, is the issue of security breach disclosure requirements. It’s something that has become readily apparent as being necessary in the private sector world. As you well know, there is currently work under way to try to deal with that within the PIPEDA framework. I think a similar provision would be valuable within the Privacy Act as well. Indeed, one could make the argument that given the absence of strong security standards in the act, it’s even more essential.
Finally, there is the issue of privacy impact assessments. Privacy, of course, touches us in many ways, and it’s implicated in many pieces of legislation–sometimes where you least expect it. The Privacy Commissioner has regularly appeared before committees, but I think that leaving it to the point where it’s already before a committee and having the privacy commissioner deal with it runs the risk of having privacy be little more than an afterthought within pieces of legislation. From my perspective, it’s more important to ensure that there is some sort of impact assessment–frankly, before the legislation is even tabled.
To return to my concerns associated with copyright, this privacy commissioner, as well as several other provincial privacy commissioners, has already spoken out about the privacy impact of potential copyright reform. As legislation is imminent, we know there’s no sense that those issues have been factored into the legislation. I think those kinds of things could be better addressed by raising them up front, as opposed to a later date.
I’ll stop there, I think. I welcome any of your questions.