I think the legislation lays out a good framework to work with. A lot of the problems are, as I said, because the language that's used is quite vague. The problem is, if all transactions fall within this broad corporate surveillance, the individual has no way of making any decision about what happens to the flow of his or her information. So the thinking behind PIPEDA is that we need to give people enough information about what's going on so they can decide whether or not to disclose information.
Within the context of the electronic marketplace, the mechanisms we're relying on obfuscate rather than clarify what's going on. So you want to give people the opportunity to first find out how their lives will be affected if they enter into that particular transaction and to then make a choice.
I think we can go a long way just by tightening up the consent provisions and by dealing with the tied-consent provision, in particular. Once everybody starts doing it, then basically, I'm out of luck, because I no longer have the right to say no.
Let me give you an example. I walked into Home Depot earlier this month, and I was trying to return some plumbing stuff. I had bought two sizes, because I wasn't sure what was going to fit. I've had transactions with them for the past ten years. I've always been able to return things. I went in, I had my receipt, and they said, “That's fine, but first we're going to have to swipe your driver's licence.” I was thinking, “Whoa!” Somebody else might be comfortable with the fact that the information is given over to them. They might even think that's great; they can match that with other information, the fact that I like that red sweater, and I will be able to get more services that I'm actually interested in. At the same time, other people might not want to, and we might have very good reasons.
Industry Canada published a report on identity theft, a discussion paper, in 2005, that stated that 70% of all identity fraud occurs because an inside employee takes that information, steals it, and gives it to the fraudster. So I don't necessarily want Home Depot to have my driver's licence in its database, because now I have no way of controlling it. It's really pretty simple: you can just say no. Right now, it's hard, the way the act is set up, because the provisions are very loosey-goosey. In fact, when I complained about this to the Privacy Commissioner's office I was told I should contact Home Depot myself and tell them I don't like their policy.
I'm not sure we're going to get the right results that way. I think we need to have a strong commissioner who is actively out there dealing with these kinds of issues and making sure that there is enough information available to individuals so they can make some kind of choice about what happens to their personal information.