Thank you, Mike.
The Canadian Chamber and its members believe that Canadian privacy legislation should continue to strike the correct balance between the privacy rights of individuals and the legitimate needs of business to collect and disclose customer information. The flexibility built into PIPEDA has been very beneficial to consumers and business alike during the five years since its implementation.
With regard to the Privacy Commissioner's order-making powers, the current ombudsman model provides an effective manner, in our view, in which to best protect an individual's need for privacy and at the same time address the interests of businesses. This mechanism for resolving privacy issues is critical for consumers, and it is cost-effective. Implementation of an order-making process would require a complete review and overhaul of the role of the Office of the Privacy Commissioner and the Federal Court. Since any such orders would be subject to appeals, this could potentially result in a less timely resolution of issues.
In 2004, under the existing ombudsman model, the OPC increased its emphasis on settling complaints, settling 45% of them without a formal investigation. Changes to the current ombudsman model could significantly adversely impact the ability of the OPC to effect such early settlement. The current model provides the commissioner with a wide range of powers, including complaint investigation and audit powers.
Turning now to the issue of duty to notify, in the Canadian Chamber's view, the current model, again, is operating successfully. I would note that there already exist significant reputational, financial, and legal incentives for businesses to notify customers when there have been serious breaches. Moreover, we believe that the OPC already has the tools to require notification where circumstances warrant it.
Instituting a duty to notify could create a more adversarial relationship between business and the OPC. In addition, imposing a duty to notify on every potential breach could well do a disservice to the very consumers it is meant to protect. This kind of requirement could result in a flood of notices being sent to consumers, desensitizing them to the gravity of a truly serious privacy breach. I believe we've seen this occurring in the U.S.
Given this, the Canadian Chamber does not believe that mandatory breach notification is necessary in the legislation. We would encourage businesses to continue to work closely with the Privacy Commissioner's office in order to identify breaches and to notify those who could be affected by a possible breach in privacy. This flexibility enables notice where appropriate in the circumstances, with no adverse impact on consumers.
I'd also like to note that it would be beneficial for the Canadian Chamber and other business associations to develop a best practices set of guidelines that could be used when breaches in privacy occur. To that end, business groups, including the Canadian Chamber, ITAC, the CMA, and others, are currently developing breach notification guidelines in conjunction with the Office of the Privacy Commissioner. Details on these best practices guidelines should be available later this spring.
With regard to the power to name names, the Canadian Chamber believes that reputation is key for business, and therefore the naming power that currently exists with PIPEDA should not be used lightly. Any proposed changes to the Privacy Commissioner's powers in this regard would represent a fundamental shift in the structure of PIPEDA and would be opposed by the Canadian Chamber.
Take the retail sector, for instance. It is extremely competitive, which is good for consumers, but the naming of names could do serious damage to a company's brand, damage that would possibly be wholly disproportionate to the severity of the breach. Therefore, this power should be reserved for those parties who demonstrate a clear pattern of non-compliance.
If there were to be a routine naming of names, it would not help the relationship between business and the OPC. The Privacy Commissioner herself has stated that she does not require naming powers nor desire them. Most cases can be adequately mediated between business and the OPC.
Given this, it is essential that businesses in all sectors are educated about PIPEDA and their responsibilities as businesses in handling personal information. There needs to be a good balance between enforcement of the law and ensuring businesses, especially small and medium-sized businesses, have a good understanding of PIPEDA so that inadvertent infractions are minimized.
On the issue of transborder data flow, international data flow is an economic reality, and any restrictions on this flow could hinder Canada's competitiveness in the global economy. Companies understand that their business reputations are on the line, and they do not take that responsibility lightly. They remain accountable when information is transferred to a third party for processing.
Policy consistency is essential for efficient transborder data flow, as was illustrated in the APEC privacy framework and the security and prosperity partnership initiatives. The accountability principle that is built into PIPEDA is an effective means of ensuring that Canadian businesses communicate their privacy practices to the public in an open and transparent manner. The accountability principle also requires businesses to enter into contractual agreements with any third-party providers, regardless of where the third party is located. This provides an added level of protection to consumers.
Mike.