Evidence of meeting #22 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
4:10 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
Could I ask you, Mr. Lawford and Ms. Lawson, is there any room between you on any of these issues or are you ad idem totally?
4:10 p.m.
Counsel, Public Interest Advocacy Centre
I believe we're almost identical in our viewpoints.
4:10 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
I certainly felt that way.
Let me go to the order-making power. You've shown that there are at least three other powers that could be used more effectively: corporate audits, the initiation of complaints, and naming. If those were being fully used, would you want order-making power in the hands of the Privacy Commissioner?
4:10 p.m.
Counsel, Public Interest Advocacy Centre
Speaking for PIAC, I'd say we would still like to have order-making power, because of companies in the past that have demonstrated they will not follow the findings of the Privacy Commissioner--repeat offenders.
4:10 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
How many people have been named by the Privacy Commissioner for breaches so far?
4:10 p.m.
Counsel, Public Interest Advocacy Centre
We were having this debate earlier. We think it's either one or zero.
There was an Air Canada dispute over the flight points program, and Air Canada's name came out. I don't recall another situation where the Privacy Commissioner has ever named anyone.
4:10 p.m.
Counsel, Public Interest Advocacy Centre
We believe there are at least 350 findings.
4:10 p.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Very few have gone to court. Most of those that have were settled.
4:10 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
The Privacy Commissioner was very adamant that she not be given this order-making power until she has been given a chance to try these alternative remedies.
4:10 p.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
I have a bit of difficulty with that. First of all, she and previous commissioners have had a lot of time to use these other powers.
We also have some concern that some of the messages we've been getting from the Privacy Commissioner's office suggest that there is an interpretation of the law that doesn't allow them to name names. That's why one of our recommendations, and PIAC's too, is to clarify that, so it is clear that not only is she allowed to name names, but in fact she must in certain cases.
Like PIAC, we at CIPPIC feel that the order-making power would complement all these other powers and would help to make the legislation more effective.
4:10 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
Can you compare the practice of the three provinces with what's happened federally? Is it more effective?
4:10 p.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
That's a very good question. I was asking myself that. We didn't study that. It's very hard to do. I was trying to think of how I would construct a study to try to measure the effectiveness of the legislation, for example, business compliance. I suppose what we could try to do in a future study would be to pick some companies that are regulated under the Alberta legislation, and some under B.C. and Quebec, and compare federally. You'd need a pretty big sample to come up with a significant result.
4:15 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
A lot of your recommendations are excellent, particularly in the consent area. We can learn a lot from you there.
On data breach notification, your study points out that in less than a year--since last February--50 million Americans have been compromised in terms of their personal information. Would you like to expand on the types of notice you think we should make available to those who have been compromised?
4:15 p.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
You're asking for specifics on how the notice should be delivered or on what should be in the notice.
4:15 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
Yes. I noticed that you said you're not calling for registered letters or phone calls to everybody. You're just calling for e-mails or general--
4:15 p.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Yes, our recommendation--and I'll let the others speak to this too--is that notification should generally be by mail, but electronic and substitute notice should be permitted, as appropriate. I think there should be some flexibility there for organizations, but we do think this is a business cost that is worth incurring and that it will have the effect of an incentive for businesses.
4:15 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
Do you think it should be by registered mail, so we're certain that it has been delivered?
4:15 p.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
That's a good question. We haven't proposed registered mail specifically, but it's something to think about.
4:15 p.m.
Counsel, Public Interest Advocacy Centre
The difficulty would be with very large losses, of course. The California legislation allows for substitute notice through a newspaper of general circulation for really large ones--
4:15 p.m.
Counsel, Public Interest Advocacy Centre
It might not be very good at all, but it might be the only way to do it if there are half a million.
4:15 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
Would you consider a notice provision that would have to be worked out with the Office of the Privacy Commissioner in every case?
4:15 p.m.
Counsel, Public Interest Advocacy Centre
I'll just speak from PIAC's point of view.
We support having the Privacy Commissioner apprised as soon as possible of a data breach and having the Privacy Commissioner give advice to the company involved, but we do not support the Privacy Commissioner having discretion to make a call on whether notification should be given or not given. They're reluctant so far to do things--