Thank you.
To get to the point of this statute, the first point, a very important one, is that it is about giving individuals the right to control the information that relates to them. For 30 to 40 years now we've been hearing about the way personal information is captured by organizations, by technologies, and that process has gone on. It's an incredibly important human right and value, which virtually every advanced industrial society now has enshrined in law. It's a right and a value supported by public opinion. Consistently Canadians have said that they are extremely concerned about the threats to their privacy.
The basic aims, however, of PIPEDA are not substantially different from those found in other western societies. It's based on a set of principles, which are in schedule 1 of the legislation, that you see throughout western Europe in other countries as well. It's very important to recognize that PIPEDA really has to be seen within this larger international context. In fact, international agreements such as those from the OECD, from the Council of Europe, and from the European Union have influenced the way PIPEDA was drafted, and indeed the way it has been implemented.
The forces that brought privacy to the agenda in Canada in the 1970s and 1980s were no different from those elsewhere. But one thing that was somewhat different here is that we were relatively late in legislating a set of safeguards for our private sector. Most other countries were ahead of Canada. That has had some implications, I think. Firstly, it meant that when this law was drafted it had to take into account what was going on elsewhere. There was considerable pressure from the European Union and from other countries as well for Canada to get its act together and to join that family of nations that had privacy protection statutes for their private sector. Although our law has been shaped by some distinctively Canadian concerns and interests, it's important to recognize that inescapable international context.
The second thing that I think is important to understand about PIPEDA is that before the law was promulgated there was a great deal of activity in Canada by its private sector. There were a lot of codes of practice developed, and indeed the standard itself was negotiated through a committee that involved both the private sector and consumer organizations. Therefore, the theory behind this legislation was that it would build upon activity that was already going on in the marketplace. There would be codes of practice, there would be a standard, and then the legislation would come over the top of that. Those are two very distinctive things about the history of this legislation that need to be kept in mind.
On oversight and enforcement, laws differ in the various countries about how you actually enforce these various privacy principles. In Canada we have, at the federal level at any rate, opted for the so-called ombudsman model, and you will be receiving a great deal of advice about whether that ombudsman model actually works. I have some mixed feelings about it. I think you need to look extremely carefully at the prospect of replacing the ombudsman model with an order-making model that is currently in existence in Alberta and B.C.
I have been a complainant under PIPEDA, and I would like to briefly recount that story for you.
Back in November 2001 I received a product survey through the mail that I believed was not in compliance with the legislation. There had been some media stories about this at an earlier point. I objected to three things in this survey. I objected to the fact that it was distributed as a kind of fact-finding survey, with very little indication there would be any direct marketing involved. I was concerned about the position of the opt-out box on the survey. I was also concerned about the fact that there was no way one could complain, no website, and no 1-800 number. There were some quite precise issues of general legal compliance that really had nothing to do with my individual rights. I was not seeking redress here. I was seeking for the company to simply clean up its act and comply with the law.
The Privacy Commissioner agreed with my complaint, agreed that it was a well-founded complaint, and in fact in some respects went even further. But what happened was a long period of negotiation, quite a period of resistance, a lot of to-ing and fro-ing. And the complainant is put in a difficult position in regard to knowing what to do with the information you have, and whether or not to in fact publicize the name of the company concerned. Therefore, they were stalling, and it wasn't until another complaint came in about this company that there was some resolution of the process.
The lesson I draw from this is that the ombudsman model, which is very good at mediating and resolving disputes between individuals and organizations, may not be very good when you're looking at a compliance model or regulatory model like this, where you're simply trying to get the organization concerned to comply with the law. Therefore, I think there's a mismatch between some of the goals of the law and the ombudsman model that is used to enforce it.
Thirdly, I'd like to just say something about the CSA standard. This is a notable innovation. There was an explicit reason why the drafters of PIPEDA decided to legislate by reference to the CSA model code for the protection of personal information. It was believed that if the private sector had already negotiated this standard, the legislation would do nothing more than force companies to live up to their own rules.
Also, I think it's important to note that embodied within this legislation is a method of compliance. There's a standard there. Any organization can take that standard, go out and be registered to that standard, use it as evidence if there's a complaint against them, and use it as evidence that they're pursuing good practices. There are many ways in which that standard can be used more effectively in the implementation of the law. I have a couple more specific recommendations about that, but I see my time is running out.
Is PIPEDA working? You're going to get a lot of advice on both sides of this issue, but businesses in Canada can be divided into three groups.
First of all, there are those large, high-profile companies that have in fact been leaders on this issue. These were the organizations that, early in the process, developed their codes of practice through their trade associations, and that, in the mid-1990s, participated in the development of the Canadian Standards Association's code. My impression is that while these businesses certainly face important challenges and there are clearly privacy issues there, there is a general compliance. They're not necessarily compliant because of the law, but because they largely raised their standards before the act was promulgated.
A second category, on the other end of the spectrum, is the free riders, the companies that deliberately attempt to make money out of the processing of personal information without individuals' knowledge and consent. My impression also is that many of these businesses have either been exposed as a result of PIPEDA or have been put out of business.
By far, the largest category of business is in the middle: companies that process the full range of consumer and employee information, but which have never really been concerned about the issue, nor have they been pressed by the media, by their trade associations, by the Privacy Commissioner, or by privacy advocates, to do anything more than the minimum. They may have made an early effort to get a privacy policy and appoint a responsible person, but have had no further exposure to the issue.
There's a good deal of evidence from surveys that most businesses are not generally aware of PIPEDA and are not generally aware of their obligations. My impression is that they're in that large category of organizations that are in the middle of the spectrum, and to which I think the intention of the law needs to be addressed.
The committee will no doubt receive some testimony that PIPEDA is a heavy-handed piece of legislation. I do not think it is. By comparison, it's quite a light form of regulation. If you compare PIPEDA with equivalent statutes in France, Germany, and other European countries, it really is relatively light. But it does depend on the building of compliance from the bottom up. Indeed, the entire regime was founded on the theory that the CSA standard would build upon existing codes of practice and that the legislative framework would build upon the CSA standard.
I've argued before that this kind of approach has a chance of encouraging a more effective system of privacy protection than would the top-down command and sanction model that is enforced through law alone. I'm still of that view, but I also believe the law needs to be reformed. I also think this committee needs to look very seriously at the powers that the Privacy Commissioner has in order to enforce this extremely important piece of legislation.
Thank you very much.