Actually, that's exactly where I am. I have seven recommendations that I'd like to leave you with. They're very doable and they're very practical.
The first one is that if you want to make sure people know how their information is being used so they can make reasonable and informed decisions about whether or not they want to use the computer or disclose this information, I'd suggest you should amend principle 4.3.2 to make it clear that companies have to tell people what they're doing before obtaining their consent. Again, you can look to the B.C. and Alberta legislation, because they've had the opportunity to look at a number of the weaknesses in PIPEDA and come up with tighter language.
Secondly, I'd suggest you clear up the loopholes that let companies assume people have consented, and provide specific definitions of expressed, implied, and opt-out consent.
Thirdly, one of the main practical mechanisms to ensure that people know what's going on in the information marketplace is the privacy policy itself. According to all the research that's come out, privacy policies have typically been written in incomprehensible language that does little to actually tell the individual how or even when her information is being collected or used.
Just to quickly make this point, I'm doing some work right now on how to improve the comprehension of privacy policies, and my colleague, Jacquelyn Burkell at Western, said her research assistant couldn't understand something. She said, “Here's a policy from one of the sites Canadian kids hang out on the most. Can you just tell me, what do they collect, how do they use it, and how can somebody opt out of this?” It took me nine hours to answer those questions, and for what it's worth, I have a law degree, a PhD in communication, and 15 years' experience in privacy law.
So I would suggest that you should consider amending the act to require that privacy statements are written in plain language so that individuals know exactly what information is being collected and how that information is being used.
Similarly, I would suggest that you look at the way the act allows corporations to define purposes. Facebook, when it's negotiating consent with people, says they collect all this information “to provide you with more useful information and a more personalized experience”. I would suggest we should amend the act to require specific definitions of purposes.
FIfth, you know that the purposes for which a corporation is allowed to collect information are required to be ones that a reasonable person would consider to be appropriate in the circumstances. The big question is, reasonable for whom? For the corporation or for the individual? I would suggest it makes perfect sense for Neopets to want to figure out if my kids are interested in alcohol, but from a consumer point of view, that is not a reasonable request.
So I would suggest you consider amending subsection 5(3) to read something along the lines of organizations being allowed to collect information for purposes that a reasonable consumer would consider appropriate in the context of the immediate transaction. And ultimately, often what happens in the marketplace is that consumers are left with a take it or leave it response from a corporation: This is what we do with your information. If you don't like it, go away.
I would suggest that to strengthen the act in this regard, you revisit principle 4.3.3, which talks about tied consent or the refusal-to-deal provision, and make it clear that a company can refuse to deal with someone only if they do not give them information that's necessary to provide the goods or services that are involved in the transaction. And again, you can look to the Alberta or B.C. legislation for precedents.
Lastly, and perhaps most importantly, I would ask you to carefully consider which side of the line you'll come down on when business imperatives conflict with privacy, because they will conflict with privacy.
I would ask you to consider amending section 3 to make it clear that privacy is a human right, a social value, and a democratic value, and that the purpose of PIPEDA, its primary goal, is to protect the privacy of Canadians in the electronic marketplace that I've described to you.
Thank you very much for your attention.