Information & Ethics Committee on Dec. 6th, 2006

Thank you very much, Mr. Chair, and thank you for the opportunity to testify today.

Good afternoon, members of the committee. In the few minutes I have, I'd like to go over some of the key findings of CIPPIC's two recent studies, which were mailed to each of you last week. I'll then highlight what we think are PIPEDA's major flaws and suggest ways of correcting them.

For more specifics, I would refer you to our written submission dated November 28, 2006. I understand you have an executive summary and the recommendations from that submission with you today. That submission includes a brief description of CIPPIC and of my background, as well as a detailed list and explanation of our 20 recommendations.

I have been working in the privacy field for about 15 years, primarily as a consumer advocate. Since the early nineties, I have worked closely and productively with the Canadian Marketing Association, the Retail Council of Canada, Canadian Bankers Association, ITAC, telecom companies, and other business interests on various privacy-related matters, including the code that forms the basis of PIPEDA.

Since starting up CIPPIC in 2003, I have focused on making privacy laws work by researching marketplace practices, exposing questionable practices, and holding organizations accountable. I've been a staunch advocate of PIPEDA since its conception, and I continue to be a strong supporter of the act.

However, with almost six years of experience with this legislation under our belts, it's become clear that there are a number of gaps and flaws in the regime. I'd like first about what we found when we researched the Canadian data brokerage industry. We found many instances of consumer lists for sale or rent where the likelihood that those consumers had truly consented to the subsequent trading of their names and contact information was highly questionable. For example, one list we found has information about individual and household lifestyles, hobbies, and demographics on almost 900,000 Canadian. The information for this list comes from product registration cards filled out by consumers. Another list has age, gender, home address, and telephone numbers of almost 50,000 frequent travellers in Canada. The information for this was obtained from corporate client databases of airline ticketing offices and travel agencies.

Another list has the gender, monthly income, home and business address of almost 13,000 Canadians with gold cards. This information came from payment processing companies. We found numerous lists offering detailed health information about Canadians who had provided this information on websites or in response to surveys. I could go on and on. This is just a very small selection of the information we found. The point is, there's a vibrant industry in the compilation and trading of these lists for direct marketing and potentially other purposes, and it's not at all clear that the individuals on these lists have consented to such use of their information.

The second study we did is called Compliance with Canadian Data Protection Laws. This was conceived and designed for the very purpose of this review. We tested the compliance of 64 online retailers with three of PIPEDA's most basic requirements, those being openness, accountability, and consent. Our sample included large and small companies and covered nine different types of business, from magazine publishers to general retailers. We also tested the compliance of a separate sample of 72 companies with PIPEDA's requirement for individual access.

The results were sobering. In brief, we found widespread non-compliance with the act. Over half of the 64 companies we contacted by phone could not provide contact information for the person in the company responsible for privacy. Two-thirds refused to provide their privacy policy by any means other than their website. Looking a privacy policies, 70% were incomplete in some important respect, 22% were unclear about why they collect the information, 30% were unclear about how they use the information, and 45% were unclear about to whom they disclose the information.

A third of companies we tested don't bother to get consent during the online ordering process. Most companies rely on their privacy policies to get consent. But over half failed to bring the policy to the attention of shoppers, and 60% buried the opt-out consent inconspicuously in their policy.

We found a disturbing number of misleading representations in the policies or on the websites suggesting, for example, that the company would not share your information without consent, but then deep down in the policy it stated that your consent was being assumed. Somewhere between 11% and 39% of our sample required consumers to agree to unnecessary uses and disclosures in order to transact. We couldn't be sure of the number because the policies were unclear.

On individual access--that's the right of someone to access their own personal information held by the company--over a third of the companies to which we sent requests failed to respond at all. Of those that did respond, most failed to answer all three questions we asked. Only 21% fully complied with PIPEDA's requirement to answer these questions.

Our compliance study was conducted in early 2006, five years after PIPEDA came into force. Surely, five years is an ample grace period for companies to get compliant with these pretty basic obligations. So why such a high rate of non-compliance? I think there are two reasons. First and foremost, there's no real incentive for companies to comply with PIPEDA. Second, the act's provisions on notice and consent are unclear.

Something needs to change in the enforcement of this legislation. Companies have to believe that they risk significant reputational or financial damage if they don't comply. That's simply not the case now. Even reckless and wilful violators get away with, at most, a private admonishment from the Privacy Commissioner. We've made a number of recommendations to rectify this situation, most of which do not require any major change to the enforcement regime. Although we think that the commissioner should have order-making powers, there are a number of other amendments that could collectively create the kinds of incentives that industry needs. I refer you specifically to recommendations 3 to 11 in our written submission.

Another possible reason for some of the non-compliance we found is that certain of the act's obligations are unclear. Notice and consent requirements, in particular, are poorly drafted. Now, I take some responsibility for that. I was on the CSA committee, but the CSA code was drafted as a voluntary code, not as legislation. I think I can safely say that no one on the committee ever expected that it would become law as drafted. Alberta and British Columbia have done a much better job of articulating the obligations that PIPEDA meant to convey. We therefore recommend a redrafting of PIPEDA's consent provisions along the lines of the Alberta legislation.

Our study also exposed strange gaps in the act that limit its effectiveness. For example, there's no clear requirement to advise people as to how their information will be used. That's just implicit in the consent requirement. Second, there's no requirement for organizations to disclose the source from which they got your information if you ask them. And there are no special limitations regarding the collection of information from children, whose credulity and ignorance can easily be exploited by commercial interests.

We've provided you with recommendations addressing all these gaps and drafting issues. I don't have time to cover the rest of our recommendations, but let me briefly mention data breach notification.

Over the past year, CIPPIC has been leading a multi-researcher project on identity theft, funded in part by the banks. Identity theft strikes relatively few unlucky individuals, but when it strikes, it can be devastating, and its incidence seems to be growing. There's nothing in PIPEDA that requires organizations to inform affected individuals of security breaches that make them vulnerable to identity theft, and there's little market incentive for organizations to expose their faults voluntarily. We think there should be a legislative requirement for organizations to notify individuals when their data is exposed to potential abuse. We've been researching the existing Canadian law on data breach notification, the various approaches being taken in the United States to this issue, and the arguments for and against. We will be publishing a white paper on the issue with detailed recommendations before Christmas, and I would be happy to share that with you.

Thank you very much for your time. I'd be pleased to answer any questions.

Thank you very much, members of the committee. Thank you for the opportunity to speak today.

The Public Interest Advocacy Centre has been deeply involved with the Personal Information Protection and Electronic Documents Act, PIPEDA, from a consumer perspective from before its passage. We're therefore here today to give you the consumer perspective on PIPEDA so far.

First of all, PIPEDA is not working for consumers. PIPEDA is, to quote Professor Michael Geist, a “placebo privacy protection”. Canadian consumers think their personal information is being protected by a dedicated consumer privacy act, but in practice it is not. We therefore have three requests of this committee. First, the commissioner should be handed order-making power. Second, consumers should be notified when their personal information that is held by a business is lost or stolen. Third, the consent sections of PIPEDA should be clarified to ensure that real informed consent of consumers is obtained when they offer up their personal information.

I'll deal first with order-making power. PIAC completed a study on the consumer experience under PIPEDA in 2004. It found a number of problems for complainants, including the lack of enforcement, above all, by the Privacy Commissioner, in order to vindicate them when they had a successful complaint. Other problems were the frustration of complainants that the commissioner did not, as a matter of course, name the company that had not followed the act, and that the reasons given by the commissioner for their findings were so brief and sanitized that no one else could benefit from their experience in bringing their complaint.

Secondary marketing purposes for personal information gathered from consumers now are so important to business that there is no incentive for them to change practices. Only order-making power of the commissioner will act as a counterbalance to the trade in personal information. Still, the Privacy Commissioner has come before you and said that she does not want order-making power. She said it would decrease the office's overall efficiency and they would be using other powers to get results. We disagree. We think that order-making power would increase the efficiency of the mediation and other processes of the office, as it would act as a stick to the carrot of mediation. As noted in our report, many companies simply ignore the office's findings. The commissioner cannot threaten to take every finding to the Federal Court. Provincial privacy commissioners, however, get results because they have this power to make orders backing up their mediation efforts.

If the OPC--that's the Office of the Privacy Commissioner--intends to perform more audits, for example, order-making power is a natural complement to the audit power. However, at present if there is an audit that discovers practices that are not in compliance with the act, the commissioner has no power to order those practices to be changed. If we add this to the requirement to have reasonable grounds on the audit power, then the commissioner's promise to police PIPEDA with more audit powers looks very suspect. As noted by CIPPIC, there is a widespread non-compliance by business with the most basic and fundamental provisions of PIPEDA, those that are intended to provide the consumer privacy in the marketplace. We therefore do not see order-making power as a luxury, but rather as a necessity.

I'd like to deal now with the issue of naming names in particular. We also think that the Office of the Privacy Commissioner is being far too reluctant to use the powers of her office that she does have. Chief amongst these is the power to make any information gathered in her inquiries under the act public, if it is in the public interest. And this is subsection 20(2). The commissioner has effectively indicated that she will never use it. Maybe, just maybe, she will for repeat offenders. But we've never seen it used this way, and we believe the Canadian Marketing Association has nothing to worry about in this regard.

However, if consumers are to have any effect on the bad actors in the industry on the subject of privacy, they must be able to express their displeasure to the company involved. This cannot be done when the company is protected from any adverse publicity or consumer action. If this committee does not recommend full order-making power for the commission, then at the least we are calling for you to ask that the present section 20 of PIPEDA be reviewed and amended to direct the publication of names of respondents.

I'll turn now to the concept of breach notification. Our second main point is that for a data breach, companies should be required to notify customers under PIPEDA. This would be real protection for real people. Identity theft is either the goal of, or the likely consequences of, many lost and stolen corporate databases of individuals' personal information. Remember that it is real people whose real personal information is lost by companies, and that those individuals will either suffer real financial loss due to the identity theft, or will have to take measures to guard against it, and even if no harm results they will be worried about it.

Covering up the truth, however, will do nothing to help people with this situation. They must be informed in order to make the right decisions for themselves about how to deal with identity theft.

This is the heart of our support for the breach notification requirement. We feel that companies hold personal information in trust and that they must make every effort to protect the beneficiaries of that trust—consumers, customers—by being as open as possible and admitting to losses of personal information.

Canada is not leading in this very practical aspect of privacy protection. Several U.S. states, including notably California, have passed very comprehensive breach notification acts even without underlying privacy legislation. We note also that the Ontario law in the health area requires physicians with a data breach to notify their patients. Other provinces may be considering such breach notification.

We do not think Parliament should take a “wait and see” approach to breach notification, because this places the risk of identity theft on the consumer and not on the company, which, as I noted, should be considered to be in a position of trust.

Consent is our last issue. First, the main point to remember about PIPEDA is that it requires individual consent to all collections, uses, and disclosures of personal information, with only some very limited exceptions. This is the guiding principle and main point of the act, giving people a right of say over their personal information held by others.

Consent was looked at by the courts in a case arising out of a dispute over phone company listings. In that case, Englander v. Telus, the Federal Court of Appeal said clearly that what consent means under PIPEDA is informed consent; that the individual must clearly know about the proposed collection, use, and disclosure of their personal information and agree to it.

This concern applies directly to the argument over what should be standard business practice for obtaining consent to direct marketing or secondary marketing. It suggests that PIPEDA should be amended to define levels of consent, and that the highest possible level of consent—the one tending towards true, informed consent—should usually be required.

In practical terms, this means that opt-in consent should be the default, and opt-out consent only when the company ensures that the consumer is fully informed of what will happen to their personal information.

We're concerned with the CIPPIC reports and believe they demonstrate that the majority of retailers are not likely meeting this standard for consent, and that it is imperfectly expressed in PIPEDA. We therefore urge the committee to adopt the technical amendments to the consent sections of the act that are outlined in CIPPIC's written submission and are designed to clarify this concept so that retailers and other heavy information users can rely on true customer consent.

In summary, PIAC therefore can say that we are asking that this committee give consideration to granting order-making powers to the Privacy Commissioner; that a data breach notification requirement be added to the act; and that clearer rules on consent, in line with those suggested by CIPPIC, be added to the act.

Thank you very much. I welcome any questions in either language at the close.

Thank you, Mr. Chairman.

Good afternoon, ladies and gentlemen. My name is Brendan Wycks, and l'm executive director of MRIA, the Marketing Research and Intelligence Association.

Allow me to briefly introduce the other representatives of our association here today. David Stark is chair of our association's standards committee. David is a vice-president and privacy officer for North America at TNS, a corporate research agency member of our association, based in Toronto. Also with us is Alain Choinière, chair of our government relations committee and president of corporate research agency member, CRA/COGEM, based in Montreal; and Mr. Greg Jodouin, our government relations consultant. Mr. Choinière and Mr. Jodouin are available to assist us in answering questions that may arise following our presentation.

We thank the members of the access to information, privacy, and ethics standing committee for allowing us to present our views to you today on the Personal Information Protection and Electronic Documents Act. Let me begin by stating that we are very supportive of PIPEDA and have been since its inception, having been involved as early as the mid-1990s, during the drafting of the Canadian Standards Association's voluntary privacy code that eventually made its way into the PIPEDA statute.

MRIA is the single authoritative voice of the market and survey research industry in Canada, representing all of its sectors. Our members include over 1,800 individual research professionals and more than 260 corporate members. Those are comprised of research agencies of all sizes and specializations, from sole proprietorships such as focus group moderators, to large global full-service agencies and, in addition, many buyers and users of research services, such as the major Canadian banks and other financial services industry players, national retailers, insurance companies, telecommunications firms, and manufacturers.

It perhaps goes without saying, but one of the major pillars of the market and survey research industry is the good relationship that exists between researchers and the general public. We devote a significant amount of time and effort to protecting that relationship through our long-standing self-regulation of our industry, much of which centres around protecting consumers' right to privacy. As another example, legitimate researchers are forbidden from trying to sell anything. That's one of the key principles that are front and centre in our rigorous standards of practice, and it is now enshrined in our recently released charter of respondent rights.

It's an absolute necessity to the ongoing viability of our industry that we protect that healthy relationship with Canadians and the reservoir of goodwill that exists for survey researchers. In that vein, we also have a long history of working closely with the federal government on policy initiatives that enhance consumer and privacy rights in Canada. An important fact that you may not be aware of is that the federal government is the single largest user of survey research in Canada. As a major research user, the government indirectly benefits from the impact that our self-regulatory initiatives have in strengthening consumer rights and improving accountability.

All told, MRIA and the industry we represent are advocates and champions of an enhanced privacy framework in Canada. We are happy to be here today to make some suggestions on how Parliament can achieve a stronger, more effective national privacy regime. We applaud the government's and the Privacy Commissioner's ongoing efforts to enhance privacy and consumer rights.

Turning now to the act itself, we believe PIPEDA has proven to be effective legislation that has brought about considerable change in the way businesses operate. No doubt, it has resulted in a collective raising of the bar, across the board and for all industries, in how personal information is collected, used, and disclosed. But as with all new initiatives, the wrinkles only appear when they are put to the test, and the past six years have shown us what works well and what could be improved.

We' d now like to make a few recommendations on how to strengthen PIPEDA.

First, we believe the law should be amended to require organizations to disclose to individuals breaches of their unencrypted sensitive personal information. The majority of U.S. states already have such security breach notification laws in force. It's paradoxical that PIPEDA requires organizations to use physical, technological, and organizational safeguards to protect the personal information that they collect, but that currently there is no explicit requirement to notify individuals when their sensitive unencrypted personal data are compromised, such as one's name in combination with any of the following: social insurance number, driver's licence, credit card number or bank account number with accompanying security code, passport number, or other information that could be used by criminals to propagate identity theft.

Market and survey research firms do not collect from consumers the types of personal information that I've just mentioned. Our industry suffers, however, when online identity theft occurs, because that fraudulent criminal activity makes Canadians less trusting of reputable businesses and less willing to disclose their personal information for bona fide, legitimate purposes.

Second, we would like to see PIPEDA amended to give the Privacy Commissioner order-making powers. The commissioner should be empowered to issue binding findings, including the levying of fines and the imposing of penalties or mandatory reporting requirements on organizations that demonstrate a blatant disregard for Canadians' privacy rights. Privacy abusers should not be able to enjoy the benefit of anonymity in case summaries appearing on the Privacy Commissioner's website. If the Privacy Commissioner were able to identify organizations that have been the subject of well-founded complaints, they would surely improve their personal information management practices to avoid becoming the focus of media attention and suffering damage to their corporate reputations.

Third, we also believe PIPEDA should be amended to allow the transfer of personal information from an organization to a prospective purchaser or business partner. As part of this, organizations should address mergers and sales in their privacy policies, to permit the transfer of individuals' personal information. For its part, the receiving party should be required to honour the terms and conditions in the transferring party's privacy policy. If the acquiring party wishes to amend the privacy policy, then it should provide an option for individuals to opt out of any material changes to the collection, use, and disclosure of their personal information.

Finally, we would like to comment on a serious industry issue as it relates to PIPEDA and why we would like to see tougher enforcement of the law. We call this issue “mugging and sugging”, or marketing under the guise of research and selling under the guise of research.

In recent years, a number of pressures have begun to encroach on the reservoir of goodwill that Canadians have historically shown toward survey research. The explosion of direct selling and telemarketing activities over the past decade has also added to the sensitivity Canadians have about participating in survey research. Some unscrupulous direct marketers and fundraisers who use the guise of survey research in their sales pitches have exacerbated this situation.

As disciplined as researchers are in respecting consumers' privacy rights, the actions of other industries can damage the relationship that exists between researchers and the general public. This has been an ongoing concern for MRIA, notably with the increasing prevalence of mugging and sugging practices.

Just to give you a bit of backup information about this, MRIA periodically conducts a survey on Canadians' attitudes towards survey research, as a form of pulse check on our industry and respondent privacy protection. Our most recent fielding of this survey, conducted in late 2004, shows that the generally positive attitudes toward survey research continue to be fuelled by a recognition among Canadians that survey research serves a valuable purpose in society, because it allows them to give voice to their opinions and to have input into and influence decisions about public policies and about products and services in the marketplace.

In our 2004 survey, 87% of respondents agreed that research surveys give people the opportunity to provide valuable input and feedback. That was up three percentage points over the responses to that same question when we conducted the survey in 2001. In terms of those who agreed that the survey industry serves a useful purpose, 78% agreed, up slightly from 2001. Of particular interest to parliamentarians, 73% agreed that research surveys and polls are useful for government to understand how the public feels about issues.

The 2004 study results, however, underscore the persistent serious threat to our industry posed by mugging and sugging. Mugging and sugging, marketing and selling under the guise of research, occur when direct sellers and fundraisers pretend to conduct a research survey to gain the confidence of a potential target. There is no doubt that this illegal activity has an adverse effect on the positive attitude that the general public has toward participating in research surveys. More than half, or 53%, of respondents in our 2004 survey had been contacted in the previous year for an alleged research survey that actually turned out to be an attempt to sell a product or service. More than one in four, or 27%, of respondents in our 2004 survey had been contacted in the previous year for an alleged survey that actually turned out to be an attempt to solicit money for a charity or for some other cause.

As things currently stand, PIPEDA makes it illegal to mug and sug. The identifying purposes for which muggers and suggers seek and obtain Canadians' consent are fraudulent. Consent is obtained under the false pretenses of survey research, and the collected personal information is used for other than the stated purposes—not for a legitimate survey, but for sales. Yet our research shows that these unscrupulous practices still occur. Occurrences of mugging and sugging were at the same level in 2004 as our previous survey had found in 2001. Mugging and sugging had not diminished at all.

And now, with the coming implementation of the national “do not call” registry in 2007, unscrupulous telemarketers will have another incentive to flout the law by practising mugging and sugging. And that would erode the public goodwill that legitimate survey researchers have earned.

We therefore urge the Government of Canada to amend PIPEDA to give the Privacy Commissioner order-making powers so that, together, we can put the muggers and suggers out of business and protect Canadians from their scams.

To wrap up, market and survey research plays a pivotal role in our society by giving voice to the opinions of Canadians and helping to influence and improve public policy decisions. There are two key characteristics that define market and survey research and differentiate our work from that of the telemarketing industry. First, legitimate survey researchers never attempt to sell anything. In fact, solicitation violates our rigorous code of conduct and ethical practices.

Second, survey research gives Canadians an opportunity to voice their opinions and to have influence on important issues related to public policy and products and services, thereby serving a valuable societal purpose. For these reasons, it is critical that the right legislative framework exist in Canada, to protect the essential work that survey researchers do. PIPEDA went a long way to achieving that. Yet, the six years since its adoption have demonstrated that the legislation must go further still. MRIA and the survey research industry believe that important amendments must be made to PIPEDA that will make the legislation more effective in protecting Canadians' privacy rights.

To summarize, our PIPEDA amendment recommendations are as follows. First, organizations should have to disclose to individuals any breach of their unencrypted sensitive personal information. Second, under specified conditions that protect privacy rights, PIPEDA should allow for the transfer of personal information from one organization to a prospective purchaser or business partner. Third, the Privacy Commissioner should have order-making powers, such as the power to making binding findings or to impose fines or other penalties. Finally, and most important to the market and survey research industry, those order-making powers should provide the Privacy Commissioner with the necessary tools, resources, and jurisdiction to enforce PIPEDA and to once and for all put an end to fraudulent mugging and sugging practices.

MRIA appreciates this opportunity to present the views of the market and survey research industry as part of this important legislative review. We'd be pleased to provide further comments as your proceedings evolve and as information on potential amendments to PIPEDA is released.

Thank you.

One of the principles is that organizations must identify the purposes, the reasons why they are seeking to collect personal information. So when muggers claim to be doing a survey, when that's the identified purpose that's disclosed, they're not in fact genuine about what they're doing. They're calling people to try to sell them something, and that's not disclosed until after Canadians have given information, ostensibly for the purpose of a survey. That goes against the identifying purposes, the principle, the fact that the purposes must be disclosed before or at the time of collection. Since the sales pitch is not disclosed until the very end, then the way they use that information also goes against PIPEDA.

But there's another statute, amendments to the Competition Act that were made, I think, about seven years ago. Those amendments require telemarketers to disclose within the first 30 seconds of their call their name, the name of the organization on whose behalf they're calling, and the purpose of their call. So they really can't be using fancy footwork, like mugging and sugging, to hide what their true tactics are, if their purpose is to try to sell something.

So there's a couple of statutes where it's illegal: the amendments to the Competition Act and some of the principles within PIPEDA. Obviously, through order-making powers and better enforcement, I think we could go a long way toward putting an end to mugging.

Generally when researchers call Canadians, if it's a survey by phone, or if it's inviting Canadians to join a panel to--

We obtain consent to conduct the survey, or when we invite people to a focus group, they agree that they will participate or not. It is an opt-in consent. We don't pass on information for secondary purposes, because we don't try to market products or services.

No, that--

No, not at all.

The recommendation is that if a prospective purchaser of a research firm, or any business, wants to buy another, and that business has customer records or personal information in place, then whenever a business transfer occurs, the legislation should be clear in stating what is and is not permitted--

That's right.

No.

No.