Evidence of meeting #22 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippa Lawson  Executive Director, Canadian Internet Policy and Public Interest Clinic
John Lawford  Counsel, Public Interest Advocacy Centre
Brendan Wycks  Executive Director, Marketing Research and Intelligence Association
David Stark  MRIA Standards Chair, Marketing Research and Intelligence Association

4:55 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

Tens of thousands.

4:55 p.m.

Liberal

Jim Peterson Liberal Willowdale, ON

If later I complained and disagreed with the Privacy Commissioner's ruling, if she had order-making power, my remedy would be to go to the Federal Court.

4:55 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

But you'd have the order.

4:55 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Right now the only way to get a binding order is to go to Federal Court.

4:55 p.m.

Liberal

Jim Peterson Liberal Willowdale, ON

Thank you.

4:55 p.m.

Liberal

The Chair Liberal Tom Wappel

Thank you, sir.

Mr. Keddy.

4:55 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

Thank you, Mr. Chair.

Welcome to our witnesses.

I'm not a usual suspect on this committee, so most of this information is news to me today. I do appreciate the information that you're bringing forth.

I can't quite figure out why we're not acting in a more proactive way to deal with a number of these issues. I suspect there's nobody at the table here who doesn't know someone whose identity has been stolen, and at this time there's no recourse for the individual when this happens.

Certainly the way we do business has changed, the way we store information has changed, and the way we deal with that needs to change to catch up.

I find it a little incredible that when information is compromised, there is no responsibility on behalf of the company, if I understand this correctly, to let the individual know there's a possibility that their personal information could be in the hands of someone who wants to use it for criminal or other purposes. Is that correct? All right.

To fix that single issue is not rocket science. I'm not saying this entire act can be corrected overnight, but hopefully some of these issues can be singled out as being more important and timely than others, and corrected. Have you tried to do that?

5 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Absolutely.

Actually PIAC and CIPPIC have been calling for data breach notification for a couple of years now. About two years ago, we put out a news release on this and sent it to all MPs, hoping that some action would be taken.

The Ontario government put a data breach notification requirement into its health privacy law. This is the only one that exists in Canada right now. It's an obvious measure that needs to be in place in the context of identity theft. I absolutely agree with you that it's something that can be done quite easily.

We will be coming out with this working paper. As the honourable member suggested, there are a number of details that you need to work out. What is the threshold, the trigger for the notifications? How should the notifications be made? When? Should the Privacy Commissioner be notified? Should the police force be notified, and so on?

I would recommend having further consultation on this. I think there is pretty widespread recognition that this is needed.

5 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

I always marvel that politicians—certainly the previous government, and hopefully we'll be able to correct that—bring in legislation without sunset clauses, without a three-, four-, or five-year period, when we go back and look at that legislation to see if it's done what we wanted it to do—whether it's been effective and whether it's working or not. But that would go along with it.

The other thing I want some clarification on is personal information transfers when a company is sold. If I own a company and have a fair amount of personal information belonging to an individual—and I'll take the example from Mr. Van Kesteren of selling cars—I would need a certain amount of that personal information about previous customers, because there might be a recall. There may be reasons why I should have that.

However, whether or not one has the ability to sell the customer list should be something that would come back to the customer. I don't know how exactly that's handled under the legislation now.

5 p.m.

MRIA Standards Chair, Marketing Research and Intelligence Association

David Stark

In the legislation, PIPEDA doesn't really address the issue of business transfers. I believe that by contrast legislation in B.C. and Alberta addresses them, and so there's a gap there. I think we need some clarity around what organizations should or should not be permitted to do.

At our company, we filled the gap by putting an explanation into our privacy policy that, should our company be acquired, this is what we would require of the acquiring company.

5 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

Where I'm trying to head here is, do we need clarification on? I'm not questioning the fact that companies need to transfer information. Most companies work and produce a profit on information. But if that information is going to be used for a different purpose than what the customer already understands that it's being used for, then it should be automatic that the customer or client has to be contacted and told, there could possibly be a difference in how we use your information. I'm shocked that it's not there.

5 p.m.

MRIA Standards Chair, Marketing Research and Intelligence Association

David Stark

Absolutely.

5 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

I'm shocked it's not there. That would sound....

5 p.m.

A witness

It is there.

5 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

It might actually be covered by the provision that says, if you change the purpose, you have to give new notice. But we haven't seen a case yet.

5 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

Do you have specific examples? You mentioned the provincial laws that British Columbia and Alberta brought in after the federal laws were passed, where they were able to look at the federal act and make specific changes to correct deficiencies, if you will, within the federal act. Do you have specific examples of things they've done differently from what the federal act has done?

5 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

The business transaction is one. We have pointed to their provisions on consent, whereby they have very nicely distinguished among three different kinds of consent: the opt-in, the preferable upfront, positive opt-in consent, which is the standard; then the concept of implied consent, where you can reasonably assume the person has consented, given the facts and the circumstances, and where the person would have consented had you asked them, and that kind of thing; and then the concept of opt-out consent or negative option consent, where you're providing notice to the individual and then assuming their consent unless they opt out, and giving them some method for opting out, and by so doing, they have been able to structure the criteria for each of those kinds of consent. It's much clearer in those acts than it is in PIPEDA, although I think the same thing was intended.

5 p.m.

Liberal

The Chair Liberal Tom Wappel

Mr. Keddy, you're out of time.

We're into round three. I want to remind colleagues it's 5:05. Your steering committee met yesterday, and there is a report of a work plan they prepared, and it's unanimous. It would be nice if we had enough time after this meeting, before 5:30, to discuss that steering committee report. I bring that to everybody's attention.

Unless the clerk sees someone else, at this point the only person on round three is Mr. Tilson.

Away you go, Mr. Tilson.

5:05 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

How do you know if there's been a breach?

5:05 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Of the act, or are you talking about--

5:05 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

A breach of the legislation. We've talked about the requirement that businesses or corporations or individuals have an obligation to report breaches. What if they choose not to? What if they decide not to tell on them?

5:05 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Then you don't know.

5:05 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

At the moment, the act is set up to wait for people to complain. There have been quite a number of complaints. The Privacy Commissioner probably has figures in the annual report. It's not perfect in the sense that if no one complains you don't find out it's true.

5:05 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

So it's sort of catch-as-catch-can.

5:05 p.m.

Counsel, Public Interest Advocacy Centre