Evidence of meeting #18 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.

A recording is available from Parliament.

Also speaking

Richard Rosenberg, President, B.C. Freedom of Information and Privacy Association (FIPA)
Colin Bennett, Political Science Professor, University of Victoria, As an Individual

3:50 p.m.

Conservative

The Vice-Chair Conservative David Tilson

I call to order the Standing Committee on Access to Information, Privacy and Ethics, pursuant to an order of reference of Tuesday, April 25, and section 29 of the Personal Information Protection and Electronic Documents Act, statutory review of the act.

I apologize for our lateness, but there were some things going on in the House.

Today we have as witnesses Richard Rosenberg, the president of the B.C. Freedom of Information and Privacy Association; and Colin J. Bennett, a political science professor from the University of Victoria.

Welcome to Ottawa.

We normally start off with a few introductory comments from the witnesses, and then there are questions from the different caucuses.

You may begin.

3:50 p.m.

Richard Rosenberg President, B.C. Freedom of Information and Privacy Association (FIPA)

Thank you for the invitation.

I represent two organizations here, actually, the B.C. Freedom of Information and Privacy Association and the B.C. Civil Liberties Association.

On February 9, 1999, I appeared before the Standing Committee on Industry to present my views on behalf of Electronic Frontier Canada on Bill C-54, PIPEDA.

We supported the bill in principle. Now, on behalf of BC FIPA and BCCLA, I wish to renew our support for privacy protection in Canada by means of PIPEDA. However, there are a number of issues that must be addressed in order to ensure that the privacy of Canadians continues to be protected by this important piece of federal legislation.

In this submission, I will address a number of issues related to both the legislation itself and the operation of the Office of the Privacy Commissioner.

It's important to emphasize that privacy rights are increasingly under attack, and a necessary bulwark in defence of these rights is at the very least adequate legislation supported by a vigorous agency to defend privacy rights and to draw attention to current and anticipated problems.

The most important recommendation I will make in these notes is that the current ombudsman model for conflict regulation employed by the OPC be replaced, providing the minister with order-making powers.

I draw your attention to a story that appeared early in November in the newspapers, in which the British Broadcasting Corporation, the BBC, reported that Richard Thomas, the information commissioner of Britain, had referred to Britain as “waking up to a surveillance society that is all around us”.

Some of its characteristics are given as follows: by 2016, shoppers could be scanned as they enter stores; schools could bring in cards allowing parents to monitor what their children eat; and jobs might be refused to applicants who were seen as a health risk.

The report referred to above is a report on the surveillance society, and I take this as a very serious report. Britain, of course, has been described frequently as one of the most surveillant societies in existence.

To set the tone of some of the remarks that follow, let me turn to some comments I made a little more than six years ago, about the time PIPEDA was approved. I gave some examples of privacy invasions. I argued that one of the reasons for having a law in Canada was that it was necessary that both companies and government be responsible in their privacy activities, and that there be a possibility for questioning the privacy activities, and that the legislation could and should provide this.

Let me describe some of the concerns I have, and I think that will be the focus of my remarks. I have nine concerns, the first of which I'm calling publicizing complaints.

For the most part, the Office of the Privacy Commissioner, the OPC, has decided not to reveal the names of complainants, nor the organizations and companies against which complaints have been launched. It appears that under the current regimen there is little cost to companies that do not resolve their privacy issues; not properly implementing a required privacy regimen is just a small cost of doing business. Public attention would be a much more effective means to achieve compliance.

Second, a much more effective education function is required. The OPC could serve a more effective role than it has up to now; namely, to bring the office and its role under PIPEDA to the attention of the Canadian public. In my classes and talks I have rarely found anyone who knows about Canada's privacy law, his or her rights under the law, or the existence of the OPC, the current Privacy Commissioner, or the activities of the office.

A survey commissioned by the Office of the Privacy Commissioner in March of this year showed that something like 8% of Canadians had heard of PIPEDA. Clearly, if you're not aware of laws protecting you, it's going to be hard to take advantage of the protection they provide.

My third concern is the response of companies to breaches of their security. What, if anything, should companies be required to do when their security barriers are breached, with a resulting release of personal information? Such events have become fairly frequent, and most of the attention has been directed towards companies whose primary activity is the collection, compilation, and marketing of personal information.

When PIPEDA came into effect, the term “identity theft” probably was little known. Now ID theft is well known as one of the major crimes associated with Internet technology. In the body of the submission, I include a table showing the numbers of breaches that have occurred in the U.S. in the last couple of years.

The fourth point is on the transborder data flows of personal information of Canadians. The OPC has brought this issue to the attention of the Canadian public, especially with regard to the possible access to the personal information of Canadians held in the U.S. by the FBI under the U.S.A. Patriot Act. In 2004 this issue arose in British Columbia because the government had outsourced medical records to a subsidiary of the Maximus corporation, a U.S. company. It took B.C. Privacy Commissioner David Loukidelis's holding of hearings to find and determine what threats might occur because of this activity. Very briefly stated, the B.C. government introduced and passed legislation in response, which had some of the following requirements: no remote access to data from outside Canada; special restrictions on data access; and requirements for supervision of U.S. employees. I have more listed here. What's important is that the federal government has to deal with these possibilities as well.

Number five, on workplace privacy issues, PIPEDA does not cover information collected by employers about non-federally regulated private sector employees. Workers in three provinces--B.C., Alberta, and Quebec--have protection in the workplace, but basically there is a real lack of it. I should add, for full disclosure, that a researcher and I did a six-month research project for the Office of the Privacy Commissioner on workplace privacy, and we submitted a report to that office expressing our concern about the future of the rights of workers in Canada.

Number six is the development of the electronic medical record, the EMR, and its privacy implications. We recall that when PIPEDA was enacted, the application of the law to the protection of medical records was postponed for one year in order to provide for additional consultation to deal with any special issues associated with such records. I take medical information to be the most sensitive of all personal information and deserving of the highest degree of protection. We're now in the process, across the country, of instituting information systems that will contain, in part, the medical record of every patient who has been involved in the medical system.

Some serious questions arise as to who has access to this medical record and to what degree patients have a chance to say yes or no. One very simplistic model has most of the information about drugs and so on, or about visits, which are not of the most sensitive nature, being available in general without any special permission, but that particular information that's most sensitive might be considered to be in a special lock box, so that only when a patient gives direct permission can that information be released. You ask to whom it would be released. That would be to other doctors, to administrators to make sure that the health process is being conducted efficiently, and to researchers who would like to have access to medical records.

Point seven is on the challenges of emerging privacy-threatening technologies. The law, generally speaking, always seems to be behind new technologies that appear and have good uses, and all of a sudden they start applying to areas that hadn't been thought of. Obviously the law will still apply, but to try to figure out what's going on is the difficulty. I bring your attention to RFID technology, which is being used in U.S. passports. It's part of inventory control, and it also has possibilities for more sinister use. I don't think that's too strong a word.

Let me read you this story, which appeared earlier this year:

A Cincinnati video surveillance company CityWatcher.com now requires employees to use Verichip human implantable microchips to enter a secure data centre. Until now, the employees entered the data centre with a VeriChip housed in a heart-shaped plastic casing that hangs from their keychain. The VeriChip is a glass encapsulated RFID tag that is injected into the triceps area of the arm to uniquely identify individuals. The tag can be read by radio waves from a few inches away.

If it had slightly higher power it could be read from several metres away.

How do you feel about this? How should a privacy commissioner act in response to these kinds of activities? There is now talk about medical records going on chips to be implanted. Then you can't forget things, and you'll have this medical record. This is just one of the kinds of technologies to which we're really going to have to pay attention.

My eighth point is on current views of some aspects of consent. This is a very long area of great concern. Of a document released by the Privacy Commissioner to stimulate discussion, half of it had to do with various questions of access. Who has rights? Is there blanket access? In some of this, there was some concern about access now taking place under various acts of Parliament meant to deal with terrorism, and the requirements to gain information about individuals without informing them it's being taken. The general question is, how much information can you take from people without getting their assent or at least informing them you're taking it? I use the general term “access” to cover many of these things, but there isn't time to go into them in detail.

Let me turn very quickly to the last of my comments, which is where I began. The Office of the Privacy Commissioner of Canada is committed to the ombudsman model of mediation. Complaints are heard, meetings are held, and non-binding recommendations are issued, with the names of all parties almost always concealed. If they are dissatisfied, a complainant can bring the case to the Federal Court at his or her own expense.

Has this model been effective? There's some disagreement in public responses to this question. Certainly the OPC seems to be committed to its current mode of operation. It is significant that in the three other provinces in Canada with their own versions of PIPEDA, British Columbia, Alberta, and Quebec—and of course the Quebec model came in several years earlier—the model used involves order-making powers. That is, complaints are heard, decisions with legal force are made public, and parties are named. So the full force of public scrutiny is serving as a constant light shining on the privacy practices of companies and organizations, for whom negative publicity is not in their self-interest. That clearly is the single most important recommendation I'm making in this submission.

Let me thank you for the opportunity to appear before you on this very important matter.

4 p.m.

Liberal

The Chair Liberal Tom Wappel

Thank you very much.

Before I call on our next witness, please allow me to apologize to both of you for being late.

I thank Mr. Tilson for taking the bull by the horns and getting the meeting started, and I apologize to my colleagues—though our second report has now been filed with the House. So at least we know that.

Mr. Bennett, you're next up. Please begin.

4 p.m.

Prof. Colin Bennett Political Science Professor, University of Victoria, As an Individual

Thank you very much. I'm delighted to be here and to have this opportunity.

My name is Colin Bennett. I am a professor and the chair of the political science department at the University of Victoria. For 20 years I've been writing about this subject in Canada and overseas. I've been looking at the spread of surveillance and the kinds of problems that Professor Rosenberg has talked about. One of the things I saw as my role today was perhaps to give you a broader international and comparative context within which PIPEDA has to operate.

I want to stress four things in my remarks. First of all, I'd like to talk about that international context. It's important for you to understand that this legislation is one of a complete family of statutes that have been passed over 30 years by western countries. Secondly, I want to talk about oversight and enforcement. In this regard, I have been a complainant under PIPEDA, and I want to recount my experience of that to reinforce some of the things Professor Rosenberg has said. Thirdly, I want to talk about the law and the standard. This legislation is based on quite an innovative model of a CSA standard, and I think that is something that needs to be analyzed and understood. Finally, I simply want to ask the question, is PIPEDA working? I think you're going to get testimony on all sides of this question, and I have some views on the subject.

I did write some remarks, but I understand they have not yet been translated, and I would like the opportunity to make some further written recommendations at a later stage in this committee's hearings.

4 p.m.

Liberal

The Chair Liberal Tom Wappel

Professor, you're welcome to do that. You just submit them in the language of your choice, provided it's either English or French, and we'd be happy to distribute them.

4 p.m.

Prof. Colin Bennett Political Science Professor, University of Victoria, As an Individual

Thank you.

To get to the point of this statute, the first point, a very important one, is that it is about giving individuals the right to control the information that relates to them. For 30 to 40 years now we've been hearing about the way personal information is captured by organizations, by technologies, and that process has gone on. It's an incredibly important human right and value, which virtually every advanced industrial society now has enshrined in law. It's a right and a value supported by public opinion. Consistently Canadians have said that they are extremely concerned about the threats to their privacy.

The basic aims, however, of PIPEDA are not substantially different from those found in other western societies. It's based on a set of principles, which are in schedule 1 of the legislation, that you see throughout western Europe in other countries as well. It's very important to recognize that PIPEDA really has to be seen within this larger international context. In fact, international agreements such as those from the OECD, from the Council of Europe, and from the European Union have influenced the way PIPEDA was drafted, and indeed the way it has been implemented.

The forces that brought privacy to the agenda in Canada in the 1970s and 1980s were no different from those elsewhere. But one thing that was somewhat different here is that we were relatively late in legislating a set of safeguards for our private sector. Most other countries were ahead of Canada. That has had some implications, I think. Firstly, it meant that when this law was drafted it had to take into account what was going on elsewhere. There was considerable pressure from the European Union and from other countries as well for Canada to get its act together and to join that family of nations that had privacy protection statutes for their private sector. Although our law has been shaped by some distinctively Canadian concerns and interests, it's important to recognize that inescapable international context.

The second thing that I think is important to understand about PIPEDA is that before the law was promulgated there was a great deal of activity in Canada by its private sector. There were a lot of codes of practice developed, and indeed the standard itself was negotiated through a committee that involved both the private sector and consumer organizations. Therefore, the theory behind this legislation was that it would build upon activity that was already going on in the marketplace. There would be codes of practice, there would be a standard, and then the legislation would come over the top of that. Those are two very distinctive things about the history of this legislation that need to be kept in mind.

On oversight and enforcement, laws differ in the various countries about how you actually enforce these various privacy principles. In Canada we have, at the federal level at any rate, opted for the so-called ombudsman model, and you will be receiving a great deal of advice about whether that ombudsman model actually works. I have some mixed feelings about it. I think you need to look extremely carefully at the prospect of replacing the ombudsman model with an order-making model that is currently in existence in Alberta and B.C.

I have been a complainant under PIPEDA, and I would like to briefly recount that story for you.

Back in November 2001 I received a product survey through the mail that I believed was not in compliance with the legislation. There had been some media stories about this at an earlier point. I objected to three things in this survey. I objected to the fact that it was distributed as a kind of fact-finding survey, with very little indication there would be any direct marketing involved. I was concerned about the position of the opt-out box on the survey. I was also concerned about the fact that there was no way one could complain, no website, and no 1-800 number. There were some quite precise issues of general legal compliance that really had nothing to do with my individual rights. I was not seeking redress here. I was seeking for the company to simply clean up its act and comply with the law.

The Privacy Commissioner agreed with my complaint, agreed that it was a well-founded complaint, and in fact in some respects went even further. But what happened was a long period of negotiation, quite a period of resistance, a lot of to-ing and fro-ing. And the complainant is put in a difficult position in regard to knowing what to do with the information you have, and whether or not to in fact publicize the name of the company concerned. Therefore, they were stalling, and it wasn't until another complaint came in about this company that there was some resolution of the process.

The lesson I draw from this is that the ombudsman model, which is very good at mediating and resolving disputes between individuals and organizations, may not be very good when you're looking at a compliance model or regulatory model like this, where you're simply trying to get the organization concerned to comply with the law. Therefore, I think there's a mismatch between some of the goals of the law and the ombudsman model that is used to enforce it.

Thirdly, I'd like to just say something about the CSA standard. This is a notable innovation. There was an explicit reason why the drafters of PIPEDA decided to legislate by reference to the CSA model code for the protection of personal information. It was believed that if the private sector had already negotiated this standard, the legislation would do nothing more than force companies to live up to their own rules.

Also, I think it's important to note that embodied within this legislation is a method of compliance. There's a standard there. Any organization can take that standard, go out and be registered to that standard, use it as evidence if there's a complaint against them, and use it as evidence that they're pursuing good practices. There are many ways in which that standard can be used more effectively in the implementation of the law. I have a couple more specific recommendations about that, but I see my time is running out.

Is PIPEDA working? You're going to get a lot of advice on both sides of this issue, but businesses in Canada can be divided into three groups.

First of all, there are those large, high-profile companies that have in fact been leaders on this issue. These were the organizations that, early in the process, developed their codes of practice through their trade associations, and that, in the mid-1990s, participated in the development of the Canadian Standards Association's code. My impression is that while these businesses certainly face important challenges and there are clearly privacy issues there, there is a general compliance. They're not necessarily compliant because of the law, but because they largely raised their standards before the act was promulgated.

A second category, on the other end of the spectrum, is the free riders, the companies that deliberately attempt to make money out of the processing of personal information without individuals' knowledge and consent. My impression also is that many of these businesses have either been exposed as a result of PIPEDA or have been put out of business.

By far, the largest category of business is in the middle: companies that process the full range of consumer and employee information, but which have never really been concerned about the issue, nor have they been pressed by the media, by their trade associations, by the Privacy Commissioner, or by privacy advocates, to do anything more than the minimum. They may have made an early effort to get a privacy policy and appoint a responsible person, but have had no further exposure to the issue.

There's a good deal of evidence from surveys that most businesses are not generally aware of PIPEDA and are not generally aware of their obligations. My impression is that they're in that large category of organizations that are in the middle of the spectrum, and to which I think the intention of the law needs to be addressed.

The committee will no doubt receive some testimony that PIPEDA is a heavy-handed piece of legislation. I do not think it is. By comparison, it's quite a light form of regulation. If you compare PIPEDA with equivalent statutes in France, Germany, and other European countries, it really is relatively light. But it does depend on the building of compliance from the bottom up. Indeed, the entire regime was founded on the theory that the CSA standard would build upon existing codes of practice and that the legislative framework would build upon the CSA standard.

I've argued before that this kind of approach has a chance of encouraging a more effective system of privacy protection than would the top-down command and sanction model that is enforced through law alone. I'm still of that view, but I also believe the law needs to be reformed. I also think this committee needs to look very seriously at the powers that the Privacy Commissioner has in order to enforce this extremely important piece of legislation.

Thank you very much.

4:10 p.m.

Liberal

The Chair Liberal Tom Wappel

Professor, before we get to questions, you said you had two recommendations with respect to the CSA code. Could you state them for us without any argument or rationale, just as they are?

4:10 p.m.

Prof. Colin Bennett Political Science Professor, University of Victoria, As an Individual

The CSA code is used as a template at the moment, rather than as an enforcement mechanism. One thing that could be done is more explicit recognition, probably in section 24, that the commissioner may require registration to that standard. It might also be more explicitly stated in subsection 18(2), under which the commissioner is empowered to delegate the powers of audit.

The point is that there's a ready-made enforcement mechanism embodied in the legislation, and I think it could have more explicit recognition in those sections.

4:10 p.m.

Liberal

The Chair Liberal Tom Wappel

Thank you.

I just wanted that on the record, since your paper isn't before us and just in case members have questions on those aspects.

We'll start with Madam Jennings, for seven minutes.

4:10 p.m.

Liberal

Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC

Thank you, Chair.

Thank you very much for your presentations.

I'm really interested in the comments you've made on your participation in the development of PIPEDA, the hearings that were held before the industry committee when the previous government brought it forward, and the experience of the five years and where you see weaknesses.

Mr. Bennett, you talked about the model being quite innovative in the sense that it was built on the basis of the CSA standards and the understanding that the industries would actually conform to it and build from there. Do you think with that model, which you appear to feel was the right way to go, that possibly the weakness of the legislation is precisely on the commissioner's side in the sense that it is in fact an ombudsman model, and you have large numbers of companies that aren't even aware of the legislation? If they're not aware, how can they comply? Also, a large number of Canadians were not aware of the legislation; therefore, how can they ensure as much as they can that their rights are in fact being respected?

If the commissioner had executory powers, the power to issue orders and order compliance, that would then bring a significant amount of publicity, and there would be a certain level of public education on the legislation both within the private sector and among Canadians--what it's about, what their rights are, what their duties are, etc. Do you think that's a missing piece in the legislation?

4:15 p.m.

Prof. Colin Bennett Political Science Professor, University of Victoria, As an Individual

The commissioner has the power already to educate and to publicize.

There are a number of issues inherent in your question, if I could break them out a little bit. The first has to do with public education. The commissioner can do that right now, and obviously that is constrained by certain resources. Then there's the second question, about the naming of names, the naming of companies that are subject to complaints. That's a tricky one under an ombudsman's model, which is premised on the assumption that there will be mediation and all possible effort will be made to work things out in private.

On the separate issue, however, about order-making power, I think the argument is that if you gave the commissioner powers to make orders, it would undoubtedly change the culture of the office. It would undoubtedly create some tensions between the current Privacy Commissioner's office and the Information Commissioner's office, but it would bring the federal Privacy Commissioner's powers more consistently into those of the provinces. It would, I think, give the commissioner some teeth and facilitate mediation, and hopefully--although I think this needs further study--it would speed up the mediation process. It could cut into costs and delays, and I think it would foster a proper jurisprudence.

That, I think, is the most important problem here, that you can look at the findings.... And I do not wish to appear in any way critical of the Office of the Privacy Commissioner; I have enormous respect for what they're doing. But the current model does not foster a proper jurisprudence--for individuals or for organizations. And that's what you get when you have the more, admittedly legalistic, order-making model.

4:15 p.m.

Liberal

Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC

It is more legalistic. However, we do have experience in other domains of a situation where you have conciliatory powers and investigatory powers and order-making powers. In fact, I had some experience in that before coming into politics in civilian oversight of law enforcement. The key factor was that before it gets to the tribunal--the quasi-judicial part of it, which is the order-making--the information is completely confidential. At the level of conciliation or mediation, the parties have complete confidence that it will remain confidential if there is an agreement. If, on the other hand, there is not an agreement and the commissioner has to go to order-making powers, then it becomes a public process.

4:15 p.m.

Prof. Colin Bennett Political Science Professor, University of Victoria, As an Individual

That's correct.

4:15 p.m.

Liberal

Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC

Then if this committee and the government, whether it's the members of the committee or the government or both, bring forth amendments, there would have to be clauses that would ensure, when it's at the mediation stage, that it is in fact not a public process, that it is confidential, and so on.

4:15 p.m.

Political Science Professor, University of Victoria, As an Individual

4:15 p.m.

Liberal

Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC

My other question is to both of you.

When I sat on the industry committee, we had a major concern about the definitions of “personal information” and “work product information”. We were assured at the time that we didn't have to worry about it, that it's covered under personal information and therefore will not imperil, in the health sector, for instance, companies that actually obtain health intelligence from doctors, pharmacists, etc. And then governments actually use it to develop strategy and so on.

Since then, that definition has been challenged. Luckily, the Federal Court has found that “work product” does not come under privacy and personal information. However, there is a demand now that there should be a clear distinction made in the legislation.

Would both of you, Mr. Rosenberg and Mr. Bennett, be in favour of making that distinction so that it's perfectly clear and so people aren't wasting their money having to make challenges before the courts?

4:20 p.m.

Prof. Colin Bennett Political Science Professor, University of Victoria, As an Individual

Well, you're right that it's not clear at the moment. It's not clear because there is that exemption in the B.C. legislation.

The definition of “work product”.... I'm very familiar with the case you're talking about, because I have to declare that I did do some work for the company that was involved in this issue several years ago, so I have an understanding of the issue that's beyond my understanding as an academic.

If you take the issue of doctor information versus patient information, there's a clear qualitative distinction between the information that is produced as a result of one's professional conduct and the information that one may have as a patient. It's a tricky issue, and this committee clearly has to deal with it and ensure that there is some consistency.

The worry I have, however, with a broad, unlimited definition of “work product” is that it can have unintended consequences for the privacy rights of employees, because there are work product issues having to do with, say, the keystroke monitoring of employees in offices, or that may have to do with video surveillance. So there has to be some very careful drafting.

I'm familiar with what the Privacy Commissioner of Canada has said and with the various alternatives there. There has to be some very careful drafting to ensure that the legislation does, in fact, specify exactly what “work product” means and no more.

4:20 p.m.

Liberal

Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC

If the definition—

4:20 p.m.

Liberal

The Chair Liberal Tom Wappel

Ms. Jennings, I'm sorry, I can't let you go on. Thank you. That can go on your second round, perhaps.

4:20 p.m.

Liberal

Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC

Thank you.

4:20 p.m.

Liberal

The Chair Liberal Tom Wappel

Monsieur Laforest.

4:20 p.m.

Bloc

Jean-Yves Laforest Bloc Saint-Maurice—Champlain, QC

Good day. I am pleased to have you here.

4:20 p.m.

Liberal

The Chair Liberal Tom Wappel

One moment, Mr. Laforest.

Are you guys ready for the translation?

4:20 p.m.

Bloc

Jean-Yves Laforest Bloc Saint-Maurice—Champlain, QC

We are not all entitled to the same attention.

4:20 p.m.

Prof. Colin Bennett Political Science Professor, University of Victoria, As an Individual

Excuse me, I'm from British Columbia.