Evidence of meeting #20 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Valerie Steeves  Department of Criminology, University of Ottawa, As an Individual
David Loukidelis  Commissioner, Office of the Information and Privacy Commissioner of British Columbia

3:30 p.m.

The Chair Liberal Tom Wappel

Good afternoon, ladies and gentlemen. I'd like to call the meeting to order.

Pursuant to the order of reference of Tuesday, April 25, 2006, and section 29 of PIPEDA, we're involved in a statutory review of part 1 of the act.

Today we have, from the Office of the Information and Privacy Commissioner of British Columbia, Mr. Loukidelis, the commissioner himself; and as an individual, Valerie Steeves, from the Department of Criminology, University of Ottawa.

Welcome to you both. I'm guessing that you'll each have an opening statement. I think what we'd like to do is have you both give your opening statements, and then we'll go to questions.

Ladies first? Valerie Steeves, please.

3:30 p.m.

Valerie Steeves Department of Criminology, University of Ottawa, As an Individual

Thank you very much for the opportunity to come to speak with you this afternoon.

As I was preparing my comments for today, I was surprised to go over the transcripts yet again and read that both Mr. Binder and Commissioner Stoddart indicated that PIPEDA is working quite well and that the community is generally satisfied with its provisions.

One of the hats I wear is as the chair of the National Privacy Coalition. It's a loose coalition of over 100 privacy experts across the country. We facilitate and support communication on a number of issues. We also provide platforms for organizing around those issues. I think it's quite apparent that the privacy community, in any event, has some serious concerns about the ways in which PIPEDA has been protecting, or perhaps failing to protect, the privacy of Canadians over the past five years.

As early as November 2004, the Public Interest Advocacy Centre issued a report that concluded that the legislation was in fact “a sheep in wolf's clothing”. I know you're aware of the report that was issued this year by the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa that documented widespread lack of compliance on the part of the private sector. I know from my own work with the small-business community, particularly in the context of public education, that there's a widespread confusion in a large part of that community about their responsibilities under the act.

From a consumer's point of view, I fear that for all of PIPEDA's good intentions, perhaps the best way to describe it is “death by a thousand cuts.” The language in the act is vague. Many of the rights and responsibilities set out in the legislation are either poorly defined or not defined at all.

That vagueness isn't an accident. The CSA code that the act is built on is a consensus-driven document. When consumer rights and business practicalities conflicted around the table when the CSA negotiation was going on, the drafters intentionally used language that could be interpreted broadly by both sides. That makes perfect sense when you're talking about a voluntary code, but it's disastrous for legislation.

Is PIPEDA fixable? Well, yes, with some caveats. First and foremost, I think we need to recognize right up front that the act is trying to do two very different things. On the one hand, it purports to protect individual privacy rights; on the other hand, it's designed to promote electronic commerce and make private information available in the marketplace for commercial purposes.

Those two purposes aren't always reconcilable, and I think you see a number of problems arise when you look at the kinds of platforms that have been developed to support electronic commerce.

First of all, a number of the technologies that are rolling out in the e-commerce world are built to allow the invisible collection of a whole range of personal information about you, about me, about all of us.

You know, for example, that cookies can track the websites you visit. Microsoft is one of many companies that use web beacons. Web beacons are these single-pixel graphics. They're so small that they're invisible, and you can pop them on a web page or stick them in an email. They're used there because the companies want to be able to track what you do when they email you. This little beacon will let them see if you, if I—

If I'm on MSN and am doing instant messaging—I'm registered there, and they know who I am—they pop one of these little web beacons into the emails they send me. They can then check and see what Val's up to. Did she read our email? Did she click on any of the links? They also have an arrangement whereby they have web beacons embedded in the websites of their advertisers to see whether Val goes over to one of the sites and buys one of the products they were advertising.

It's not only me they're watching—I'm rather boring. It's particularly important to realize that over half of Canadian kids between the ages of nine and seventeen instant-message on a daily basis; that's over 50%. An additional 20% instant-message at least every other day.

They can put a camera in a store, for example, to track eye movement. If I go into a store wanting to buy a pair of jeans for one of my kids and happen to notice a red sweater over in the corner and keep checking it out, the camera is set up to collect all that information about me. This can alert the store manager, so that the store manager can send over a clerk to close the deal on the red sweater that I did not come in to buy.

I understand you've been talking a bit about RFID tags. RFID tags are increasingly being implemented or deployed throughout the electronic marketplace. These are the promiscuous little devices that are attached to the products we buy. They're designed to do one thing: to tell whoever asks them who they are and where they are. If any RFID reader asks, they're promiscuous, and they'll say “Here I am, I'm right over here.”

I've tried, and it's very hard to tell if these things are actually attached to the products I buy, but it's virtually impossible to tell if they're turned off when I leave the store. Now, as an individual consumer, I'm not just worried about the information I'm dropping as I go through the electronic marketplace; I have to worry about the fact that my things are leaking information about me as well.

When you think about the information flows in this environment, people who shop this way, people who participate in electronic commerce are automatically—not by choice, but automatically—disclosing personal information just by using a free instant messaging service, buying some razor blades, or walking in front of a store's cameras. Since that collection of information is invisible, is seamless, it's really difficult for me to even realize it's there, much less to contest it.

Secondly, the environment is set up so that a lot of the information collected about individuals and used for commercial purposes is actually disclosed for non-commercial purposes. We're just going through our daily lives. We could be playing, we could be chatting with friends, we could be surfing the net, or we could be walking through stores and looking at red sweaters for fun. I'm not necessarily asking a company to enter into a transaction with me when this information is collected. In fact, the company is watching me as I go about my private life and is collecting information about me for its own purposes. I'd like to give you a couple of examples, so that you can see how this plays out in the information marketplace.

Neopets is one of the most popular e-commerce sites with Canadian kids aged nine to thirteen. Like almost all the top fifty sites that Canadian kids hang out on, they're encouraged to register. That means they are asked to provide their real name, their e-mail, their age, their gender, and some form of location information, whether it's a real-world address or a postal code. When kids go on this site, it looks like a playground, but it's actually a market research firm. The kids get there and they want to play, and they have an opportunity to create this virtual pet, a Neopet. In order to keep their Neopet alive, they have to buy food for it. There were a number of complaints, so they now have a Neopet food bank so they don't starve, as they used to in earlier years.

3:35 p.m.

Some hon. members

Oh, oh!

3:35 p.m.

Mike Wallace Burlington, CPC

It must have been the Liberals.

3:35 p.m.

Some hon. members

Oh, oh!

3:35 p.m.

Department of Criminology, University of Ottawa, As an Individual

Valerie Steeves

The nanny state rules again, right?

When kids go to Neopets and have to buy these things, they have to first earn Neopoints. The way they do that is by filling out marketing surveys. These surveys contain questions that I think you'd expect. A couple of years ago I filled out one about whether or not I liked breakfast cereals. It asked me, “Do you eat breakfast? How often do you eat breakfast? What time do you eat breakfast? Do you recognize this particular brand?”

But these surveys also ask questions that I think will surprise you. The one I filled out asked me what my parents did for a living. “Does Mom work outside of the home? What kind of car do your parents drive? How much money do you think your parents earn a year? Here are some brackets.”

Then they said, “We really want to know more about you. This is empowering. You can tell us so much about yourself and we'll be able to make this site even better to suit you better. Why don't you look at this list of fifty things and click on the things that really turn you on?” The list again included things that you would expect, like Barbies, video games, and reading. It also included things I don't think you're going to expect. On the list was beer, alcohol, cigarettes, and cigars.

These kids are nine and they are playing. They are not disclosing information for commercial purposes. Yet the kind of legislation that we have in place lets companies set up these kinds of environments and, through a very weak consent mechanism, capture that information and reconfigure it as a commercial commodity.

Social networking sites like Facebook, for example, work in much the same way. It's particularly popular right now with Canadians in their twenties and early thirties. These kinds of sites encourage people to post all sorts of information about their personal lives. You put your pictures up, you have your list of friends, and you fill out personal profiles. The profiles ask you to disclose things like your sexual orientation, your political views, and your religious views.

The company takes all this information and then also records all of the messages, all of the chat you have with your friends, all the searches you make, and all of the parties you set up. Then it takes the additional step of matching all that information about you with information also about you from other sources, like newspapers, blogs, instant messaging. The idea is to take it, slice it and dice it, and then sell you back to advertisers.

When people are on the site, they think they're sharing photos with their friends. My 20-year-old grad students, for example, spend a lot of time hanging out on Facebook and they throw up all of their pictures from their different parties, complain about how bad their classes are, gossip about their professors, but that information is encaptured as a commodity.

In fact, Facebook is one of a growing number of companies that now in their agreement say you've given us, just by using our service, a non-exclusive license. We now own that stuff and we can do what we want with it. We can give it away. We can post it in other places. In effect, what they're doing is they're taking the intimate details of these Canadians' private lives and turning them into the company's intellectual property.

3:40 p.m.

The Chair Liberal Tom Wappel

Excuse me.

Normally we allow the witness to give us a ten-minute opening statement, and you're at that stage. I'm wondering if you could wind up with a recommendation or suggestion that the committee should consider. And then these examples that you give, which are all very interesting and reconfirm for me why I don't use the computer, could come out in questions.

3:40 p.m.

Department of Criminology, University of Ottawa, As an Individual

Valerie Steeves

Actually, that's exactly where I am. I have seven recommendations that I'd like to leave you with. They're very doable and they're very practical.

The first one is that if you want to make sure people know how their information is being used so they can make reasonable and informed decisions about whether or not they want to use the computer or disclose this information, I'd suggest you should amend principle 4.3.2 to make it clear that companies have to tell people what they're doing before obtaining their consent. Again, you can look to the B.C. and Alberta legislation, because they've had the opportunity to look at a number of the weaknesses in PIPEDA and come up with tighter language.

Secondly, I'd suggest you clear up the loopholes that let companies assume people have consented, and provide specific definitions of expressed, implied, and opt-out consent.

Thirdly, one of the main practical mechanisms to ensure that people know what's going on in the information marketplace is the privacy policy itself. According to all the research that's come out, privacy policies have typically been written in incomprehensible language that does little to actually tell the individual how or even when her information is being collected or used.

Just to quickly make this point, I'm doing some work right now on how to improve the comprehension of privacy policies, and my colleague, Jacquelyn Burkell at Western, said her research assistant couldn't understand something. She said, “Here's a policy from one of the sites Canadian kids hang out on the most. Can you just tell me, what do they collect, how do they use it, and how can somebody opt out of this?” It took me nine hours to answer those questions, and for what it's worth, I have a law degree, a PhD in communication, and 15 years' experience in privacy law.

So I would suggest that you should consider amending the act to require that privacy statements are written in plain language so that individuals know exactly what information is being collected and how that information is being used.

Similarly, I would suggest that you look at the way the act allows corporations to define purposes. Facebook, when it's negotiating consent with people, says they collect all this information “to provide you with more useful information and a more personalized experience”. I would suggest we should amend the act to require specific definitions of purposes.

Fifth, you know that the purposes for which a corporation is allowed to collect information are required to be ones that a reasonable person would consider to be appropriate in the circumstances. The big question is, reasonable for whom? For the corporation or for the individual? I would suggest it makes perfect sense for Neopets to want to figure out if my kids are interested in alcohol, but from a consumer point of view, that is not a reasonable request.

So I would suggest you consider amending subsection 5(3) to read something along the lines of organizations being allowed to collect information for purposes that a reasonable consumer would consider appropriate in the context of the immediate transaction. And ultimately, often what happens in the marketplace is that consumers are left with a take it or leave it response from a corporation: This is what we do with your information. If you don't like it, go away.

I would suggest that to strengthen the act in this regard, you revisit principle 4.3.3, which talks about tied consent or the refusal-to-deal provision, and make it clear that a company can refuse to deal with someone only if they do not give them information that's necessary to provide the goods or services that are involved in the transaction. And again, you can look to the Alberta or B.C. legislation for precedents.

Lastly, and perhaps most importantly, I would ask you to carefully consider which side of the line you'll come down on when business imperatives conflict with privacy, because they will conflict with privacy.

I would ask you to consider amending section 3 to make it clear that privacy is a human right, a social value, and a democratic value, and that the purpose of PIPEDA, its primary goal, is to protect the privacy of Canadians in the electronic marketplace that I've described to you.

Thank you very much for your attention.

3:45 p.m.

The Chair Liberal Tom Wappel

Thank you, Professor.

Before we go to the commissioner, did you buy the red sweater?

3:45 p.m.

Department of Criminology, University of Ottawa, As an Individual

Valerie Steeves

No. I don't even like red.

3:45 p.m.

The Chair Liberal Tom Wappel

Commissioner, we're looking forward to hearing what you have to say. Welcome. Please go ahead.

3:45 p.m.

David Loukidelis Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Thank you very much.

Thank you, Mr. Chair, members of the committee. I appreciate the opportunity to travel to a warmer climate to be with you today, and share some views on the British Columbia approach to and experience with private sector privacy legislation in the last three years.

Of course my remarks today are directed to the situation in British Columbia, to the legislation we have there. I don't propose to take it upon myself to recommend to others what is appropriate or not appropriate in any particular jurisdiction's legislation. I trust it goes without saying that I'm here on my own behalf, if you will, on behalf of my office, as opposed to on behalf of the British Columbia government.

By way of introduction, I'd like to make a couple of general comments about the fabric of private sector privacy laws across this country. I think it's important to emphasize that beginning in 1994, with the initiative in Quebec, which responded in part to developments in the European Union, Canadian legislators have enacted in fact a fabric of private sector privacy laws, as opposed to a patchwork.

It has sometimes been suggested that in Canada we have the challenge for private sector businesses and other organizations of dealing with a multiplicity of private sector privacy laws that make it difficult to do business in this country. I would, to the contrary, argue that in fact the laws in Canada are not only consistent but indeed substantially similar. They are that way because they all incorporate what are known as internationally accepted fair information practices, which are reflected in international instruments such as the OECD guidelines on transborder data flows and in the more recent APEC privacy framework of 2004.

The situation, then, in Canada is that although we have a provincial law in, for example, British Columbia, that governs the entire broad private sector, all organizations in the private sector that are provincially regulated in British Columbia are covered by our Personal Information Protection Act. Although we have legislation in Alberta, Quebec, and federally, those laws really are of a piece, I would argue, and any concerns around the challenge to businesses and other organizations presented by having different laws are, in my view, if not misplaced, perhaps at the very least somewhat exaggerated.

In any case, as I've said, the legislation in British Columbia is a generic private sector privacy law; it covers all sectors of the economy that are provincially regulated. The for-profit and not-for-profit sector, some 350,000 organizations in British Columbia, have, since January 1, 2004, been subject to the rules that are generally described as fair information practices internationally. So our office has some three years of experience with that legislation, and my purpose today is to share with you some general observations about some selected issues that I know have been of interest to the committee in previous proceedings in its statutory review of the Personal Information Protection and Electronic Documents Act.

The first specific issue I would like to address that is tackled in British Columbia's Personal Information Protection Act--which I'll refer to as PIPA--is work product information. I wanted to deal with that first because it is something that I know has been of interest to the committee. There was a considerable amount of attention given to it in your session on Monday, so I thought perhaps I might, anticipating that the committee may have heard enough about that, and subject to of course the committee's wishes on this, tackle that issue first.

Under British Columbia's PIPA, a definition has been included of work product information. The intent of this is to carve out of the concept of personal information that is protected under the rules in PIPA a certain body of information that is not, in any generally accepted sense, personal information about an individual.

A similar approach has been taken through interpretation under PIPEDA federally and in certain provincial public sector access to information and privacy protection laws, but the policy-makers in British Columbia decided to tackle the issue head-on and to include a definition of work product information that they could then exclude from the protections otherwise afforded to personal information under the legislation.

The intent of this I think at its core is to, for example, ensure that an ex-employee of an enterprise cannot come to the business, after having had his or her employment terminated, and say: “In exercising my rights under PIPA to have access to my own personal information, I hereby request every e-mail, business plan, memo, fax, or letter that I ever created during my 23 years of employment with you, because of course I created them. They're in some sense about me, and therefore you have to respond to this request.” Because of the exclusion for work product information, which is information that is produced as a result of activities and responsibilities related to the individual's employment or business, the organization is in a good position simply to say no, that is not your personal information.

I understand that there may be concerns about how the definition is cast, a need for precision in how the definition is actually expressed in the legislation, especially when it comes to workplace monitoring. It is my view, speaking generally, that under PIPA in British Columbia, there is ample room in light of the definition that I've just paraphrased for you to actually interpret it and to ensure that workplace monitoring is subject to the appropriate regulations under PIPA and is not somehow excluded because of the definition of “work product information”.

The next issue I'd like to touch on in fact flows from that last point, and that is employment privacy and the whole issue of employee personal information. I know you've already heard how PIPEDA addresses this issue. It is a heavily consent-based statute, of course. Consent is, generally speaking, needed for the collection, use, or disclosure of personal information, including in the employment setting.

I might, as an aside, point out that PIPEDA tackles the question of employment privacy in relation to federally regulated works, undertakings, or businesses, but for constitutional reasons it has long been settled that PIPEDA cannot address privacy issues of employees in the provincially regulated workplace. That is something that PIPA does in British Columbia and that other similar provincial laws do as well.

In British Columbia, as opposed to taking the consent approach to dealing with employment privacy issues, the policy-makers decided to create a special category of information, known as “employee personal information”, in respect of which consent would not be needed. It is not necessary for an organization in British Columbia to get employee consent to collect, use, or disclose what is called employee personal information.

This is not to say that employers have free rein, however, when it comes to collecting or using their employees' personal information, because the definition of “employee personal information” stipulates very clearly that it is only the information that an employer collects solely for purposes reasonably required to establish, manage, or terminate an employment relationship with that particular individual. The legislation also imposes a requirement that any collection, or use, or disclosure of that kind of information must be for purposes reasonably related to the actual work relationship.

Instead of focusing on consent, recognizing that consent in the employment context is often coerced or that employees are under pressure to agree to employer practices, recognizing that it's not appropriate, for example, to ask an employer to get the consent of an employee who's suspected of defrauding the company to being put under surveillance—you're hardly going to get the suspect who's allegedly stealing from you to consent to that—instead of having to go through the consent route, it has been decided that you should be able to collect, use, or disclose personal information so long as it fits within the definition. So there is in fact a set of rules that does apply to personal information of the kind I've just described, and employers are therefore subject to reasonable checks and balances that appropriately, certainly in my view, balance the needs of employers and the interests of employees as regards privacy in the employment setting.

The last issue that I'd like to touch on, because I know it has come up before, is the question of business transactions. Another difference in approach under PIPA, and this is found also in the Alberta version of the same legislation, that differs from other approaches—for example, under PIPEDA—is to permit parties involved in the prospective sale of a business to share personal information of customers, employees, or shareholders, back and forth, in the first instance for the purpose of deciding whether to proceed with the transaction, and second, if the transaction proceeds, to allow that information to be disclosed to the purchaser of the business so that it can be used for the purposes for which it was originally collected, and consent is not needed in that instance.

Notice that in British Columbia you have to actually, after the fact, notify your customers, for example, that the change of control has occurred, that the business has been sold, that the assets have been spun off, as opposed to Alberta where that requirement does not apply. It may be a minor point, but it's certainly one that has widespread support in British Columbia because it acknowledges that in the context of business transactions, the due diligence leading up to them and the aftermath of the completion of the transaction, it is not necessarily either appropriate or practicable to expect parties to the transaction to obtain customer consent each time a business changes hands.

Those are essentially the issues I wanted to touch on. I suspect that members of the committee may have questions that address other issues that have come up before, and I'd be happy to answer them as best I can now or to provide you with further information if I can't assist today.

Thank you.

3:55 p.m.

The Chair Liberal Tom Wappel

Thank you very much, Commissioner. Yes, you are kind of lucky with the weather, or unlucky where you are—let's put it that way. I don't know how long it's going to be like this, but we might as well enjoy it.

We're going to go with our usual rounds of seven minutes, starting with Mr. Dhaliwal.

3:55 p.m.

Sukh Dhaliwal Liberal Newton—North Delta, BC

Thank you, Mr. Chair.

Welcome, Commissioner, to beautiful Ontario right now, because we leave beautiful British Columbia behind; and welcome, Professor Steeves.

My first question is to Professor Steeves. We're going through a knowledge-based economy right now and the technical age where the information flows so quickly. The way I was listening to you, certainly I like the red sweater, even if the store clerk comes in and closes a deal on that. To me, it might not be an issue, but to you, there's a different perspective. So how far can we go on this so that the balance is kept, to keep the businesses going and at the same time protect the privacy of the individual citizens?

3:55 p.m.

Department of Criminology, University of Ottawa, As an Individual

Valerie Steeves

I think the legislation lays out a good framework to work with. A lot of the problems are, as I said, because the language that's used is quite vague. The problem is, if all transactions fall within this broad corporate surveillance, the individual has no way of making any decision about what happens to the flow of his or her information. So the thinking behind PIPEDA is that we need to give people enough information about what's going on so they can decide whether or not to disclose information.

Within the context of the electronic marketplace, the mechanisms we're relying on obfuscate rather than clarify what's going on. So you want to give people the opportunity to first find out how their lives will be affected if they enter into that particular transaction and to then make a choice.

I think we can go a long way just by tightening up the consent provisions and by dealing with the tied-consent provision, in particular. Once everybody starts doing it, then basically, I'm out of luck, because I no longer have the right to say no.

Let me give you an example. I walked into Home Depot earlier this month, and I was trying to return some plumbing stuff. I had bought two sizes, because I wasn't sure what was going to fit. I've had transactions with them for the past ten years. I've always been able to return things. I went in, I had my receipt, and they said, “That's fine, but first we're going to have to swipe your driver's licence.” I was thinking, “Whoa!” Somebody else might be comfortable with the fact that the information is given over to them. They might even think that's great; they can match that with other information, the fact that I like that red sweater, and I will be able to get more services that I'm actually interested in. At the same time, other people might not want to, and we might have very good reasons.

Industry Canada published a report on identity theft, a discussion paper, in 2005, that stated that 70% of all identity fraud occurs because an inside employee takes that information, steals it, and gives it to the fraudster. So I don't necessarily want Home Depot to have my driver's licence in its database, because now I have no way of controlling it. It's really pretty simple: you can just say no. Right now, it's hard, the way the act is set up, because the provisions are very loosey-goosey. In fact, when I complained about this to the Privacy Commissioner's office I was told I should contact Home Depot myself and tell them I don't like their policy.

I'm not sure we're going to get the right results that way. I think we need to have a strong commissioner who is actively out there dealing with these kinds of issues and making sure that there is enough information available to individuals so they can make some kind of choice about what happens to their personal information.

4 p.m.

Liberal

The Chair Liberal Tom Wappel

Mr. Loukidelis.

4 p.m.

Commissioner, Office of the Information and Privacy Commissioner of British Columbia

David Loukidelis

I don't understand Professor Steeves to be suggesting that because of risks peculiar to particular technologies, for example the Internet, we need technologically prescriptive legislative solutions. Nonetheless, I use this as an opportunity to say that, certainly for the British Columbia situation, I would strongly support the continued technological neutrality of our private sector privacy legislation, that we not try to proscribe particular technologies or prescribe particular solutions. I think it should remain technologically neutral so the legislation can grow as technologies change.

4 p.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

In fact, again, Professor Steeves, when you're discussing the driver's licence information or social insurance numbers or whatnot, isn't the onus already on a particular client to give that information to the corporations and they can hold it? You can say no, at this point in time, as well. Aren't those provisions there?

The thing is, the way I look at it, we're moving back to the aid of cases if we keep on doing this. So today it's driver's licence information, tomorrow it will be something different, right? Because with the emerging technology, all we're talking about is—

I have heard of people producing driver's licences at home now and credit cards and whatnot. Those issues are going to be there, irrespective of how we deal with PIPEDA. Generally, would you say that it's working okay when it comes to the public sector?

4 p.m.

Department of Criminology, University of Ottawa, As an Individual

Valerie Steeves

You mean privacy legislation as a whole? Well, let me relate it to PIPEDA. When you're looking at privacy in the public sector, you're looking at laws that to a large extent define the relationship between the individual and the state.

Privacy laws and access laws are actually democratic impulses. In the 1970s, people enacted them so the citizens could see what the state was doing, so they could hold the state accountable through the democratic process. Individuals would have enough autonomy that they could go about their private lives without any undue interference.

You have a funny kind of blending now. Because of the information marketplace that you're talking about, information that's captured for commercial purposes becomes available for other uses by the state. It becomes even more important in those circumstances to protect commercial privacy, because that information doesn't just stay there.

For example, I know that police officers in the northern United States have Internet-ready cellphones. When they stop you in your car because you were speeding or whatever, they can take your driver's licence and your name and pull up your commercial profile from data brokers to see what kinds of things you buy and those kinds of things.

I would make the argument that from a public policy point of view it's important to have strict controls over the uses of commercial information, precisely because as it flows into the public sector you're re-skewing the relationship between the individual and the state. One of the concerns I have is that we're now making the individual transparent to the state but using this legislation to protect governments from that accountability that was at the core of the impulse to enact access-to-information and privacy legislation.

4:05 p.m.

Liberal

The Chair Liberal Tom Wappel

Thank you.

Our next questioner will be Madame Lavallée from the Bloc Québécois.

4:05 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Professor Steeves, I was very surprised by your presentation, which was bordering on science fiction. I could hardly believe the examples you gave us, particularly with respect to the camera that tracks your eye movement when you go shopping or to that red sweater. Even if it were possible to do it, I think it would be economically unrealistic because of the high cost of technology. It would also be technically quite difficult to have a sales clerk behind a counter looking at the sweater your eyes are attracted to.

I wonder how far we should go to amend our legislation for things that are so far out. What's your opinion on that?

You also mentioned cookies. Should they be forbidden when we know that would be extremely difficult and far from perfect? The first steps would be very difficult because they require the cooperation of more than one or two countries. Is it even possible to forbid cookies?

You talked about children registering on game sites who are being asked to answer questions. I don’t know if it’s the same in the rest of Canada, but we have legislation in Quebec that prohibits advertising to children. I don’t know everything that’s in the law but isn’t there Canadian legislation prohibiting surveys directed at children? How far can we go to include these things in PIPEDA?

I always wondered about what survey firms do with their surveys. We know these firms collect information in order to sell it to others. But we can’t go as far as forbidding surveys when we review these definitions. After all, people can decide by themselves whether or not they want to answer questions.

Last week, someone called me and asked how many computers I have at home. I just had my computers stolen at the office, so I refused to answer this question. I may look masochistic but I'm not.

You said you had seven recommendations. I tried to follow you as best as I could but I could only count six. I would like you to send us your documents so we can review all of your recommendations. One of them was particularly interesting and intriguing. You talked about making the right to privacy a basic human right.

Can you tell us more about this?

4:05 p.m.

Liberal

The Chair Liberal Tom Wappel

As far as I can tell, there were four questions: How far should we go? Number two, should we prohibit cookies, and is it possible? Three, sites for kids in Quebec. And surveying kids is illegal--is it not illegal elsewhere?

She only noted six recommendations. Are there six or seven, and could you provide them in writing?

4:05 p.m.

Department of Criminology, University of Ottawa, As an Individual

Valerie Steeves

I'd be happy to provide the recommendations in writing.

If I can answer them out of order, it is true that Quebec has legislation that prohibits advertising to children. Other Canadian provinces do not have similar legislation. There are voluntary codes in place, but having said that, it is interesting to me that the single most popular site with Quebec girls between grades eight and eleven is a site called “do you look good.com”. It is a social networking site and you post pictures of yourself in this site, so other people can rate you on a scale of zero to ten. It's all about give us your profiles. Tell us what kind of relationship you're interested in. Are you straight? Are you gay? Are you interested in just a fling or are you looking for a long-term type of thing?

When you register on that site, you have to tell them how old you are, and the youngest age starts at thirteen. Like any of these other social networking sites, there's advertising built into it, but all that information is captured as commercial information, so we have to look more critically at how we define advertising.

Advertising has changed significantly in the electronic environment, and it is now driven by this pervasive collection of watching everything you do in all these different environments.

4:10 p.m.

Liberal

The Chair Liberal Tom Wappel

Shouldn't you prohibit cookies?

4:10 p.m.

Department of Criminology, University of Ottawa, As an Individual

Valerie Steeves

The truth of the matter is, I completely agree with David's comments. This stuff isn't technologically sensitive. It shouldn't be. We should have rules that work for us as Canadians in the marketplace. We do have rules that say if you want to collect information about me, (a) let me know, and (b) let me decide if it's okay with me.

What we need to do is see what it is about PIPEDA that's making that process muddy. Why is it so darned hard to figure out what's happening with my information in the information marketplace? I go back to the comments I made about privacy policies, about disclosures, about the way consent is obtained. If we get back to basics and look at fair information practices and take them at face value, you could give them a shot. They have the potential to put the consumer back in the driver's seat in the electronic marketplace.

I don't think you need to prohibit cookies to do that. People need to know how the marketplace grabs their information, commodifies it, and then sells it back to them. Part of that might work to my benefit. I might want to know what Apple Tunes has out now. I might want to know if there's a new product I can buy.

Most privacy advocates will agree that the problem isn't necessarily that the information could be used for a commercial purpose. It's who gets to decide what that purpose is.

Right now, you have a situation where the act says the company decides what the purpose is, then it can decide whether or not you consent. I don't even know that information is being collected about me in a number of situations, and it's not just on the Internet.

I have two comments about the Internet, which go back to a comment you made, Mr. Wappel.