Thank you, Mr. Chairman. It's a pleasure to be here today.
I might just add to the introduction you made a moment ago that Barbara Robins is also chair of our ethics and privacy committee. Her responsibilities as vice-president, legal and regulatory affairs, extend not just to Canada but to Latin America and the Asia-Pacific region as well. So she has some international perspective that might be of interest to the committee.
I also want to take a quick moment to thank the committee for its indulgence. We were asked to appear next week, but that appearance conflicted with our board of directors meeting to consider our annual plan and budget. Given the fact that we have 37 people on our board, that would have been a little difficult to move.
In 1995, this association was the first national business association to call on the federal government to pass privacy legislation to govern the private sector. CMA believed that a well-balanced privacy law would result in benefits for consumers and for information-based marketers, an increasingly important sector of the Canadian economy.
Marketers know that respect for personal information is good for business. They advocated a law that would provide clear direction on how personal information could be collected, used, and disclosed, and a law that would be sufficiently flexible to enable businesses to grow the economy and take advantage of our new and emerging technologies. And to a great extent, PIPEDA has fulfilled these high expectations, although we remain in the early stages of implementing this new privacy framework. It should be kept in mind that for the vast majority of the private sector, this law only came into effect on January 1, 2004.
CMA is the largest marketing association in the country, with more than 800 corporate members representing a wide variety of marketing sectors, and we do have a code of ethics and standards of practice that is mandatory for our members. It is the self-regulatory code that provides our members and other marketers with a comprehensive set of best practices. We've provided committee members with a copy of that code for your future reference in your deliberations.
Privacy provisions of the code are structured to reflect PIPEDA's 10 privacy principles but are supplemented with additional rules for marketers. For example, for marketing to children, our code requires the express consent of a parent or guardian before a child's personal information can be collected, used, or disclosed for marketing purposes. CMA members are required to offer an opt-out opportunity with every e-mail marketing communication that's made. CMA members are banned from using unsolicited email, or spam, to acquire new customers. And CMA members must use our do-not-contact program, the only service of its kind in Canada, and it is offered free to consumers. All these provisions and the rest of the code are supported by detailed compliance guidelines.
With respect to PIPEDA, CMA takes the position that it's still too early to consider substantial changes, especially given the fact that the act has only been in effect, for most of the private sector, since January 1, 2004. The law does appear to be working well, as demonstrated by the noticeable downward trend in the number of complaints directed to the Privacy Commissioner and the increasing proportion of these complaints that are resolved or settled. At the same time, CMA's research, conducted for the Privacy Commissioner, shows the need for improvement, particularly among small and medium-sized enterprises in terms of both awareness and compliance. We have provided the committee clerk with a copy of that research.
In her own presentation to this committee, the Privacy Commissioner observed that this is not the time to make major changes in the framework of PIPEDA. CMA supports the Privacy Commissioner's view in that respect, and were Parliament to consider changes in the near future, we would strongly advise that these early adjustments be limited to technical amendments for purposes of clarifying meaning and intent.
The commissioner raised some issues that we'd like to comment on. First, I'll go to the question of the commissioner's powers and whether the existing ombudsman model has been effective. The evidence of the past few years clearly indicates that the ombudsman model has worked very well in promoting and protecting the privacy rights of Canadians. In response to complaints, organizations have invariably demonstrated a willingness to follow the direction of the Privacy Commissioner. We also feel that the commissioner's role as a privacy advocate is one that inherently contains positional bias and is therefore more compatible with an ombudsman's role.
Most importantly, however, the reality is that the commissioner's powers of influence are well supported by the discretionary power to publicize privacy breaches and by the ability to seek binding orders through the Federal Court. The last thing any marketer wants to see is their name on the front page of the Ottawa Citizen, being identified as being in breach of the privacy provisions, in the opinion of the Privacy Commissioner.
Another subject that has been the topic of much discussion over the past year or so is notification to consumers where there has been a breach of security or accidental disclosure of personal information. The question is, under what circumstances should organizations report a loss or theft of personal information to consumers? CMA believes that organizations do have a responsibility to notify consumers where the loss or theft of personal information poses a reasonable risk of harm to the individual. The challenge is to establish the correct threshold for triggering that notification. For example, how would we best define a risk of harm to the affected individuals?
We do not want to unduly alarm individuals with interminable notices of inadvertent disclosures of information that are totally innocuous. Our proposed approach to this issue is to request that the Privacy Commissioner of Canada consult with all stakeholders to develop and publicize national privacy breach response and notification guidelines. Those national guidelines can then be easily adjusted as we come to better understand the impacts of breaches and the impacts of notification, and they could subsequently form the basis of some legislative action by Parliament.
The Privacy Commissioner, on another issue, has also indicated that she is satisfied that her office can also deal with the matter of cross-border information flows by providing guidance to organizations. In our experience, that has worked very well and we agree with her assessment.
I have a couple of concluding remarks, Mr. Chairman.
Today's information-based economy continues to present new and innovative ways for business to interact with existing customers and potential customers and grow their customer base. Indeed, consumers expect more, demanding more tailored offers, convenience, and better service, requiring business to become more sophisticated in its ability to anticipate and meet these needs. Central to that marketing relationship is the collection, use, and disclosure of personal information.
Canadian marketers have long recognized that consumer confidence, privacy protection, and transparent information practices are critical for continued success. Good marketers know that respect for personal information is good business. PIPEDA is a privacy framework designed to achieve that delicate balance. In the words of a former Attorney General of this country, it is “a remarkable national consensus based on a series of delicate compromises”, one that all stakeholders believe would provide effective privacy protection while allowing businesses and not-for-profit organizations to responsibly use personal information to grow our information-based economy.
And there is much at stake. In 2001, through information-based channels, marketers generated over $107 billion in annual sales. That supported over 850,000 jobs in the Canadian economy.
PIPEDA has been working well, although there's work to be done in improving its performance and making small and mid-sized enterprises aware of its provisions. That being the case, CMA fully supports the existing act, and we urge the committee to resist making any fundamental changes to PIPEDA until we've had a few more years' experience with the legislation in its current form.
Mr. Chairman, thank you very much. We look forward to your questions and your committee's questions.