Information & Ethics committee  It does sound reasonable, and it also sounds sort of like what they're trying to do in Europe by giving users a little bit more control of information that is detrimental to them, by giving them more of a right to delete it or control it. Just saying that you have the right to have accurate data...well, who goes out and checks their data, as you point out?

Information & Ethics committee  No, and again, as far as social networks go, the only parallel is when you identify your data and it goes out to a third party, or the privacy policy says they can share with third parties and you didn't read it or didn't understand it and it goes out. It's sort of the same thing.

Information & Ethics committee  Yes, that is the intent. In these meetings, you see the game the two parties play; those sites have a goal, and this legislation has another. For now, we are saying that the consent allows us to determine where to draw the line. The problem is that the conditions under which people give their consent are not clear enough.

Information & Ethics committee  I think they are. It's interesting, because Canada has this definition in PIPEDA of what is personal information, which everyone wants to avoid because it's so clear. It says personal information is information about an identifiable individual, anything about an identifiable individual.

Information & Ethics committee  We've put a little bit of thought into that. That's why I mentioned at the end that the committee might want to look at the do-not-call or anti-spam model, where there are fees in the case of do not track, to buy the lists that you have to scrub against, and in the case of anti-spam, the fines go back to the CRTC to continue to do anti-spam enforcement.

Information & Ethics committee  It's the same as any other enforcement area, such as security. You'll take complaints and tips when you get them, but you have to have an arm out there doing enforcement on its own. I think the Privacy Commissioner has done as much as she can with her budget. They haven't been very aggressive with auditing companies, which is one power they have.

Information & Ethics committee  It's interesting, because consumer reporting or credit reporting, which you're talking about, is something that pre-dated the privacy legislation. As you know, there are a few protections built into the provincial legislation. For example, you can correct information or you can at least put a note on your credit file saying that it is wrong.

Information & Ethics committee  To date, Nexopia has not done anything, and the Privacy Commissioner of Canada has not said anything. I do not really know why the two deadlines of June 30 and September 30 have passed without anything being said. I would imagine that something is going on at Nexopia or that the company is taking some action, but we do not know why they are still not following the commissioner's recommendations.

Information & Ethics committee  It is difficult to answer that question. It does not have to do with the willingness or desire of companies to abide by the law; instead, it has to do with the fact that in situations, where the law is soft, it will be bent all the way. That's normal. It is done to do business effectively.

Information & Ethics committee  The committee heard from health care experts, and those questions have been examined with a fine-tooth comb, if I may say so. In addition, should the Privacy Commissioner be invited again by this committee, you could ask her if any guidelines will be developed.

Information & Ethics committee  We did touch on it a little bit on the Nexopia complaint, because Nexopia requires, or it did require—I think it still does—that if you create a profile and you want to put a picture up, it has to be your face or torso. I don't know quite why torso is included, but face is. If you require people to put up a picture of their face, obviously we have the problem of facial recognition, which can be run over a network.

Information & Ethics committee  In Alberta, the commissioner can recommend a fine for data breaches. I have studied about 30 decisions like that, and they are effective enough to make companies change their practices when there are problems, even when the fine is $5,000 or $10,000. If the commissioner has the power and the responsibility to impose fines, those decisions are tough enough for other companies to examine them.

Information & Ethics committee  I think I can. The way the act is structured right now is that the complainant or the Privacy Commissioner can go to Federal Court to enforce a fine. The company can't complain if it loses. That works fine if the first resolution is just an ombudsman-type resolution where we recommend that you change.

Information & Ethics committee  I would agree, definitely, that that would have to be a change that would go along with giving order-making powers. For example, in Alberta it's very possible to go to Queen's Bench and say that a privacy commission decision was crazy and have it overturned. If you want to separate the two functions, like you do with the Competition Bureau, with the commissioner saying “This is a bad practice”, and then the competition tribunal deciding if it really is offside, that is a lot of superstructure to add for privacy.

Information & Ethics committee  I would like to say I could just fill you in, but I know that because of the “right to forget” stuff going on in Europe, the Article 29 working party is working on this. I don't know what their technical committees are doing. It would be a very good idea to set up a committee, led by the Privacy Commissioner, with industry and other stakeholders, like consumer groups, to start doing the same thing here.