Information & Ethics Committee on Dec. 6th, 2006

Thank you very much, Mr. Chair, and thank you for the opportunity to testify today.

Good afternoon, members of the committee. In the few minutes I have, I'd like to go over some of the key findings of CIPPIC's two recent studies, which were mailed to each of you last week. I'll then highlight what we think are PIPEDA's major flaws and suggest ways of correcting them.

For more specifics, I would refer you to our written submission dated November 28, 2006. I understand you have an executive summary and the recommendations from that submission with you today. That submission includes a brief description of CIPPIC and of my background, as well as a detailed list and explanation of our 20 recommendations.

I have been working in the privacy field for about 15 years, primarily as a consumer advocate. Since the early nineties, I have worked closely and productively with the Canadian Marketing Association, the Retail Council of Canada, Canadian Bankers Association, ITAC, telecom companies, and other business interests on various privacy-related matters, including the code that forms the basis of PIPEDA.

Since starting up CIPPIC in 2003, I have focused on making privacy laws work by researching marketplace practices, exposing questionable practices, and holding organizations accountable. I've been a staunch advocate of PIPEDA since its conception, and I continue to be a strong supporter of the act.

However, with almost six years of experience with this legislation under our belts, it's become clear that there are a number of gaps and flaws in the regime. I'd like first about what we found when we researched the Canadian data brokerage industry. We found many instances of consumer lists for sale or rent where the likelihood that those consumers had truly consented to the subsequent trading of their names and contact information was highly questionable. For example, one list we found has information about individual and household lifestyles, hobbies, and demographics on almost 900,000 Canadian. The information for this list comes from product registration cards filled out by consumers. Another list has age, gender, home address, and telephone numbers of almost 50,000 frequent travellers in Canada. The information for this was obtained from corporate client databases of airline ticketing offices and travel agencies.

Another list has the gender, monthly income, home and business address of almost 13,000 Canadians with gold cards. This information came from payment processing companies. We found numerous lists offering detailed health information about Canadians who had provided this information on websites or in response to surveys. I could go on and on. This is just a very small selection of the information we found. The point is, there's a vibrant industry in the compilation and trading of these lists for direct marketing and potentially other purposes, and it's not at all clear that the individuals on these lists have consented to such use of their information.

The second study we did is called Compliance with Canadian Data Protection Laws. This was conceived and designed for the very purpose of this review. We tested the compliance of 64 online retailers with three of PIPEDA's most basic requirements, those being openness, accountability, and consent. Our sample included large and small companies and covered nine different types of business, from magazine publishers to general retailers. We also tested the compliance of a separate sample of 72 companies with PIPEDA's requirement for individual access.

The results were sobering. In brief, we found widespread non-compliance with the act. Over half of the 64 companies we contacted by phone could not provide contact information for the person in the company responsible for privacy. Two-thirds refused to provide their privacy policy by any means other than their website. Looking a privacy policies, 70% were incomplete in some important respect, 22% were unclear about why they collect the information, 30% were unclear about how they use the information, and 45% were unclear about to whom they disclose the information.

A third of companies we tested don't bother to get consent during the online ordering process. Most companies rely on their privacy policies to get consent. But over half failed to bring the policy to the attention of shoppers, and 60% buried the opt-out consent inconspicuously in their policy.

We found a disturbing number of misleading representations in the policies or on the websites suggesting, for example, that the company would not share your information without consent, but then deep down in the policy it stated that your consent was being assumed. Somewhere between 11% and 39% of our sample required consumers to agree to unnecessary uses and disclosures in order to transact. We couldn't be sure of the number because the policies were unclear.

On individual access--that's the right of someone to access their own personal information held by the company--over a third of the companies to which we sent requests failed to respond at all. Of those that did respond, most failed to answer all three questions we asked. Only 21% fully complied with PIPEDA's requirement to answer these questions.

Our compliance study was conducted in early 2006, five years after PIPEDA came into force. Surely, five years is an ample grace period for companies to get compliant with these pretty basic obligations. So why such a high rate of non-compliance? I think there are two reasons. First and foremost, there's no real incentive for companies to comply with PIPEDA. Second, the act's provisions on notice and consent are unclear.

Something needs to change in the enforcement of this legislation. Companies have to believe that they risk significant reputational or financial damage if they don't comply. That's simply not the case now. Even reckless and wilful violators get away with, at most, a private admonishment from the Privacy Commissioner. We've made a number of recommendations to rectify this situation, most of which do not require any major change to the enforcement regime. Although we think that the commissioner should have order-making powers, there are a number of other amendments that could collectively create the kinds of incentives that industry needs. I refer you specifically to recommendations 3 to 11 in our written submission.

Another possible reason for some of the non-compliance we found is that certain of the act's obligations are unclear. Notice and consent requirements, in particular, are poorly drafted. Now, I take some responsibility for that. I was on the CSA committee, but the CSA code was drafted as a voluntary code, not as legislation. I think I can safely say that no one on the committee ever expected that it would become law as drafted. Alberta and British Columbia have done a much better job of articulating the obligations that PIPEDA meant to convey. We therefore recommend a redrafting of PIPEDA's consent provisions along the lines of the Alberta legislation.

Our study also exposed strange gaps in the act that limit its effectiveness. For example, there's no clear requirement to advise people as to how their information will be used. That's just implicit in the consent requirement. Second, there's no requirement for organizations to disclose the source from which they got your information if you ask them. And there are no special limitations regarding the collection of information from children, whose credulity and ignorance can easily be exploited by commercial interests.

We've provided you with recommendations addressing all these gaps and drafting issues. I don't have time to cover the rest of our recommendations, but let me briefly mention data breach notification.

Over the past year, CIPPIC has been leading a multi-researcher project on identity theft, funded in part by the banks. Identity theft strikes relatively few unlucky individuals, but when it strikes, it can be devastating, and its incidence seems to be growing. There's nothing in PIPEDA that requires organizations to inform affected individuals of security breaches that make them vulnerable to identity theft, and there's little market incentive for organizations to expose their faults voluntarily. We think there should be a legislative requirement for organizations to notify individuals when their data is exposed to potential abuse. We've been researching the existing Canadian law on data breach notification, the various approaches being taken in the United States to this issue, and the arguments for and against. We will be publishing a white paper on the issue with detailed recommendations before Christmas, and I would be happy to share that with you.

Thank you very much for your time. I'd be pleased to answer any questions.

Thank you very much, members of the committee. Thank you for the opportunity to speak today.

The Public Interest Advocacy Centre has been deeply involved with the Personal Information Protection and Electronic Documents Act, PIPEDA, from a consumer perspective from before its passage. We're therefore here today to give you the consumer perspective on PIPEDA so far.

First of all, PIPEDA is not working for consumers. PIPEDA is, to quote Professor Michael Geist, a “placebo privacy protection”. Canadian consumers think their personal information is being protected by a dedicated consumer privacy act, but in practice it is not. We therefore have three requests of this committee. First, the commissioner should be handed order-making power. Second, consumers should be notified when their personal information that is held by a business is lost or stolen. Third, the consent sections of PIPEDA should be clarified to ensure that real informed consent of consumers is obtained when they offer up their personal information.

I'll deal first with order-making power. PIAC completed a study on the consumer experience under PIPEDA in 2004. It found a number of problems for complainants, including the lack of enforcement, above all, by the Privacy Commissioner, in order to vindicate them when they had a successful complaint. Other problems were the frustration of complainants that the commissioner did not, as a matter of course, name the company that had not followed the act, and that the reasons given by the commissioner for their findings were so brief and sanitized that no one else could benefit from their experience in bringing their complaint.

Secondary marketing purposes for personal information gathered from consumers now are so important to business that there is no incentive for them to change practices. Only order-making power of the commissioner will act as a counterbalance to the trade in personal information. Still, the Privacy Commissioner has come before you and said that she does not want order-making power. She said it would decrease the office's overall efficiency and they would be using other powers to get results. We disagree. We think that order-making power would increase the efficiency of the mediation and other processes of the office, as it would act as a stick to the carrot of mediation. As noted in our report, many companies simply ignore the office's findings. The commissioner cannot threaten to take every finding to the Federal Court. Provincial privacy commissioners, however, get results because they have this power to make orders backing up their mediation efforts.

If the OPC--that's the Office of the Privacy Commissioner--intends to perform more audits, for example, order-making power is a natural complement to the audit power. However, at present if there is an audit that discovers practices that are not in compliance with the act, the commissioner has no power to order those practices to be changed. If we add this to the requirement to have reasonable grounds on the audit power, then the commissioner's promise to police PIPEDA with more audit powers looks very suspect. As noted by CIPPIC, there is a widespread non-compliance by business with the most basic and fundamental provisions of PIPEDA, those that are intended to provide the consumer privacy in the marketplace. We therefore do not see order-making power as a luxury, but rather as a necessity.

I'd like to deal now with the issue of naming names in particular. We also think that the Office of the Privacy Commissioner is being far too reluctant to use the powers of her office that she does have. Chief amongst these is the power to make any information gathered in her inquiries under the act public, if it is in the public interest. And this is subsection 20(2). The commissioner has effectively indicated that she will never use it. Maybe, just maybe, she will for repeat offenders. But we've never seen it used this way, and we believe the Canadian Marketing Association has nothing to worry about in this regard.

However, if consumers are to have any effect on the bad actors in the industry on the subject of privacy, they must be able to express their displeasure to the company involved. This cannot be done when the company is protected from any adverse publicity or consumer action. If this committee does not recommend full order-making power for the commission, then at the least we are calling for you to ask that the present section 20 of PIPEDA be reviewed and amended to direct the publication of names of respondents.

I'll turn now to the concept of breach notification. Our second main point is that for a data breach, companies should be required to notify customers under PIPEDA. This would be real protection for real people. Identity theft is either the goal of, or the likely consequences of, many lost and stolen corporate databases of individuals' personal information. Remember that it is real people whose real personal information is lost by companies, and that those individuals will either suffer real financial loss due to the identity theft, or will have to take measures to guard against it, and even if no harm results they will be worried about it.

Covering up the truth, however, will do nothing to help people with this situation. They must be informed in order to make the right decisions for themselves about how to deal with identity theft.

This is the heart of our support for the breach notification requirement. We feel that companies hold personal information in trust and that they must make every effort to protect the beneficiaries of that trust—consumers, customers—by being as open as possible and admitting to losses of personal information.

Canada is not leading in this very practical aspect of privacy protection. Several U.S. states, including notably California, have passed very comprehensive breach notification acts even without underlying privacy legislation. We note also that the Ontario law in the health area requires physicians with a data breach to notify their patients. Other provinces may be considering such breach notification.

We do not think Parliament should take a “wait and see” approach to breach notification, because this places the risk of identity theft on the consumer and not on the company, which, as I noted, should be considered to be in a position of trust.

Consent is our last issue. First, the main point to remember about PIPEDA is that it requires individual consent to all collections, uses, and disclosures of personal information, with only some very limited exceptions. This is the guiding principle and main point of the act, giving people a right of say over their personal information held by others.

Consent was looked at by the courts in a case arising out of a dispute over phone company listings. In that case, Englander v. Telus, the Federal Court of Appeal said clearly that what consent means under PIPEDA is informed consent; that the individual must clearly know about the proposed collection, use, and disclosure of their personal information and agree to it.

This concern applies directly to the argument over what should be standard business practice for obtaining consent to direct marketing or secondary marketing. It suggests that PIPEDA should be amended to define levels of consent, and that the highest possible level of consent—the one tending towards true, informed consent—should usually be required.

In practical terms, this means that opt-in consent should be the default, and opt-out consent only when the company ensures that the consumer is fully informed of what will happen to their personal information.

We're concerned with the CIPPIC reports and believe they demonstrate that the majority of retailers are not likely meeting this standard for consent, and that it is imperfectly expressed in PIPEDA. We therefore urge the committee to adopt the technical amendments to the consent sections of the act that are outlined in CIPPIC's written submission and are designed to clarify this concept so that retailers and other heavy information users can rely on true customer consent.

In summary, PIAC therefore can say that we are asking that this committee give consideration to granting order-making powers to the Privacy Commissioner; that a data breach notification requirement be added to the act; and that clearer rules on consent, in line with those suggested by CIPPIC, be added to the act.

Thank you very much. I welcome any questions in either language at the close.

Thank you, Mr. Chairman.

Good afternoon, ladies and gentlemen. My name is Brendan Wycks, and l'm executive director of MRIA, the Marketing Research and Intelligence Association.

Allow me to briefly introduce the other representatives of our association here today. David Stark is chair of our association's standards committee. David is a vice-president and privacy officer for North America at TNS, a corporate research agency member of our association, based in Toronto. Also with us is Alain Choinière, chair of our government relations committee and president of corporate research agency member, CRA/COGEM, based in Montreal; and Mr. Greg Jodouin, our government relations consultant. Mr. Choinière and Mr. Jodouin are available to assist us in answering questions that may arise following our presentation.

We thank the members of the access to information, privacy, and ethics standing committee for allowing us to present our views to you today on the Personal Information Protection and Electronic Documents Act. Let me begin by stating that we are very supportive of PIPEDA and have been since its inception, having been involved as early as the mid-1990s, during the drafting of the Canadian Standards Association's voluntary privacy code that eventually made its way into the PIPEDA statute.

MRIA is the single authoritative voice of the market and survey research industry in Canada, representing all of its sectors. Our members include over 1,800 individual research professionals and more than 260 corporate members. Those are comprised of research agencies of all sizes and specializations, from sole proprietorships such as focus group moderators, to large global full-service agencies and, in addition, many buyers and users of research services, such as the major Canadian banks and other financial services industry players, national retailers, insurance companies, telecommunications firms, and manufacturers.

It perhaps goes without saying, but one of the major pillars of the market and survey research industry is the good relationship that exists between researchers and the general public. We devote a significant amount of time and effort to protecting that relationship through our long-standing self-regulation of our industry, much of which centres around protecting consumers' right to privacy. As another example, legitimate researchers are forbidden from trying to sell anything. That's one of the key principles that are front and centre in our rigorous standards of practice, and it is now enshrined in our recently released charter of respondent rights.

It's an absolute necessity to the ongoing viability of our industry that we protect that healthy relationship with Canadians and the reservoir of goodwill that exists for survey researchers. In that vein, we also have a long history of working closely with the federal government on policy initiatives that enhance consumer and privacy rights in Canada. An important fact that you may not be aware of is that the federal government is the single largest user of survey research in Canada. As a major research user, the government indirectly benefits from the impact that our self-regulatory initiatives have in strengthening consumer rights and improving accountability.

All told, MRIA and the industry we represent are advocates and champions of an enhanced privacy framework in Canada. We are happy to be here today to make some suggestions on how Parliament can achieve a stronger, more effective national privacy regime. We applaud the government's and the Privacy Commissioner's ongoing efforts to enhance privacy and consumer rights.

Turning now to the act itself, we believe PIPEDA has proven to be effective legislation that has brought about considerable change in the way businesses operate. No doubt, it has resulted in a collective raising of the bar, across the board and for all industries, in how personal information is collected, used, and disclosed. But as with all new initiatives, the wrinkles only appear when they are put to the test, and the past six years have shown us what works well and what could be improved.

We' d now like to make a few recommendations on how to strengthen PIPEDA.

First, we believe the law should be amended to require organizations to disclose to individuals breaches of their unencrypted sensitive personal information. The majority of U.S. states already have such security breach notification laws in force. It's paradoxical that PIPEDA requires organizations to use physical, technological, and organizational safeguards to protect the personal information that they collect, but that currently there is no explicit requirement to notify individuals when their sensitive unencrypted personal data are compromised, such as one's name in combination with any of the following: social insurance number, driver's licence, credit card number or bank account number with accompanying security code, passport number, or other information that could be used by criminals to propagate identity theft.

Market and survey research firms do not collect from consumers the types of personal information that I've just mentioned. Our industry suffers, however, when online identity theft occurs, because that fraudulent criminal activity makes Canadians less trusting of reputable businesses and less willing to disclose their personal information for bona fide, legitimate purposes.

Second, we would like to see PIPEDA amended to give the Privacy Commissioner order-making powers. The commissioner should be empowered to issue binding findings, including the levying of fines and the imposing of penalties or mandatory reporting requirements on organizations that demonstrate a blatant disregard for Canadians' privacy rights. Privacy abusers should not be able to enjoy the benefit of anonymity in case summaries appearing on the Privacy Commissioner's website. If the Privacy Commissioner were able to identify organizations that have been the subject of well-founded complaints, they would surely improve their personal information management practices to avoid becoming the focus of media attention and suffering damage to their corporate reputations.

Third, we also believe PIPEDA should be amended to allow the transfer of personal information from an organization to a prospective purchaser or business partner. As part of this, organizations should address mergers and sales in their privacy policies, to permit the transfer of individuals' personal information. For its part, the receiving party should be required to honour the terms and conditions in the transferring party's privacy policy. If the acquiring party wishes to amend the privacy policy, then it should provide an option for individuals to opt out of any material changes to the collection, use, and disclosure of their personal information.

Finally, we would like to comment on a serious industry issue as it relates to PIPEDA and why we would like to see tougher enforcement of the law. We call this issue “mugging and sugging”, or marketing under the guise of research and selling under the guise of research.

In recent years, a number of pressures have begun to encroach on the reservoir of goodwill that Canadians have historically shown toward survey research. The explosion of direct selling and telemarketing activities over the past decade has also added to the sensitivity Canadians have about participating in survey research. Some unscrupulous direct marketers and fundraisers who use the guise of survey research in their sales pitches have exacerbated this situation.

As disciplined as researchers are in respecting consumers' privacy rights, the actions of other industries can damage the relationship that exists between researchers and the general public. This has been an ongoing concern for MRIA, notably with the increasing prevalence of mugging and sugging practices.

Just to give you a bit of backup information about this, MRIA periodically conducts a survey on Canadians' attitudes towards survey research, as a form of pulse check on our industry and respondent privacy protection. Our most recent fielding of this survey, conducted in late 2004, shows that the generally positive attitudes toward survey research continue to be fuelled by a recognition among Canadians that survey research serves a valuable purpose in society, because it allows them to give voice to their opinions and to have input into and influence decisions about public policies and about products and services in the marketplace.

In our 2004 survey, 87% of respondents agreed that research surveys give people the opportunity to provide valuable input and feedback. That was up three percentage points over the responses to that same question when we conducted the survey in 2001. In terms of those who agreed that the survey industry serves a useful purpose, 78% agreed, up slightly from 2001. Of particular interest to parliamentarians, 73% agreed that research surveys and polls are useful for government to understand how the public feels about issues.

The 2004 study results, however, underscore the persistent serious threat to our industry posed by mugging and sugging. Mugging and sugging, marketing and selling under the guise of research, occur when direct sellers and fundraisers pretend to conduct a research survey to gain the confidence of a potential target. There is no doubt that this illegal activity has an adverse effect on the positive attitude that the general public has toward participating in research surveys. More than half, or 53%, of respondents in our 2004 survey had been contacted in the previous year for an alleged research survey that actually turned out to be an attempt to sell a product or service. More than one in four, or 27%, of respondents in our 2004 survey had been contacted in the previous year for an alleged survey that actually turned out to be an attempt to solicit money for a charity or for some other cause.

As things currently stand, PIPEDA makes it illegal to mug and sug. The identifying purposes for which muggers and suggers seek and obtain Canadians' consent are fraudulent. Consent is obtained under the false pretenses of survey research, and the collected personal information is used for other than the stated purposes—not for a legitimate survey, but for sales. Yet our research shows that these unscrupulous practices still occur. Occurrences of mugging and sugging were at the same level in 2004 as our previous survey had found in 2001. Mugging and sugging had not diminished at all.

And now, with the coming implementation of the national “do not call” registry in 2007, unscrupulous telemarketers will have another incentive to flout the law by practising mugging and sugging. And that would erode the public goodwill that legitimate survey researchers have earned.

We therefore urge the Government of Canada to amend PIPEDA to give the Privacy Commissioner order-making powers so that, together, we can put the muggers and suggers out of business and protect Canadians from their scams.

To wrap up, market and survey research plays a pivotal role in our society by giving voice to the opinions of Canadians and helping to influence and improve public policy decisions. There are two key characteristics that define market and survey research and differentiate our work from that of the telemarketing industry. First, legitimate survey researchers never attempt to sell anything. In fact, solicitation violates our rigorous code of conduct and ethical practices.

Second, survey research gives Canadians an opportunity to voice their opinions and to have influence on important issues related to public policy and products and services, thereby serving a valuable societal purpose. For these reasons, it is critical that the right legislative framework exist in Canada, to protect the essential work that survey researchers do. PIPEDA went a long way to achieving that. Yet, the six years since its adoption have demonstrated that the legislation must go further still. MRIA and the survey research industry believe that important amendments must be made to PIPEDA that will make the legislation more effective in protecting Canadians' privacy rights.

To summarize, our PIPEDA amendment recommendations are as follows. First, organizations should have to disclose to individuals any breach of their unencrypted sensitive personal information. Second, under specified conditions that protect privacy rights, PIPEDA should allow for the transfer of personal information from one organization to a prospective purchaser or business partner. Third, the Privacy Commissioner should have order-making powers, such as the power to making binding findings or to impose fines or other penalties. Finally, and most important to the market and survey research industry, those order-making powers should provide the Privacy Commissioner with the necessary tools, resources, and jurisdiction to enforce PIPEDA and to once and for all put an end to fraudulent mugging and sugging practices.

MRIA appreciates this opportunity to present the views of the market and survey research industry as part of this important legislative review. We'd be pleased to provide further comments as your proceedings evolve and as information on potential amendments to PIPEDA is released.

Thank you.

One of the principles is that organizations must identify the purposes, the reasons why they are seeking to collect personal information. So when muggers claim to be doing a survey, when that's the identified purpose that's disclosed, they're not in fact genuine about what they're doing. They're calling people to try to sell them something, and that's not disclosed until after Canadians have given information, ostensibly for the purpose of a survey. That goes against the identifying purposes, the principle, the fact that the purposes must be disclosed before or at the time of collection. Since the sales pitch is not disclosed until the very end, then the way they use that information also goes against PIPEDA.

But there's another statute, amendments to the Competition Act that were made, I think, about seven years ago. Those amendments require telemarketers to disclose within the first 30 seconds of their call their name, the name of the organization on whose behalf they're calling, and the purpose of their call. So they really can't be using fancy footwork, like mugging and sugging, to hide what their true tactics are, if their purpose is to try to sell something.

So there's a couple of statutes where it's illegal: the amendments to the Competition Act and some of the principles within PIPEDA. Obviously, through order-making powers and better enforcement, I think we could go a long way toward putting an end to mugging.

Generally when researchers call Canadians, if it's a survey by phone, or if it's inviting Canadians to join a panel to--

We obtain consent to conduct the survey, or when we invite people to a focus group, they agree that they will participate or not. It is an opt-in consent. We don't pass on information for secondary purposes, because we don't try to market products or services.

No, that--

No, not at all.

The recommendation is that if a prospective purchaser of a research firm, or any business, wants to buy another, and that business has customer records or personal information in place, then whenever a business transfer occurs, the legislation should be clear in stating what is and is not permitted--

That's right.

No.

No.

I believe we're almost identical in our viewpoints.

Speaking for PIAC, I'd say we would still like to have order-making power, because of companies in the past that have demonstrated they will not follow the findings of the Privacy Commissioner--repeat offenders.

We were having this debate earlier. We think it's either one or zero.

There was an Air Canada dispute over the flight points program, and Air Canada's name came out. I don't recall another situation where the Privacy Commissioner has ever named anyone.

We believe there are at least 350 findings.

Very few have gone to court. Most of those that have were settled.

I have a bit of difficulty with that. First of all, she and previous commissioners have had a lot of time to use these other powers.

We also have some concern that some of the messages we've been getting from the Privacy Commissioner's office suggest that there is an interpretation of the law that doesn't allow them to name names. That's why one of our recommendations, and PIAC's too, is to clarify that, so it is clear that not only is she allowed to name names, but in fact she must in certain cases.

Like PIAC, we at CIPPIC feel that the order-making power would complement all these other powers and would help to make the legislation more effective.

That's a very good question. I was asking myself that. We didn't study that. It's very hard to do. I was trying to think of how I would construct a study to try to measure the effectiveness of the legislation, for example, business compliance. I suppose what we could try to do in a future study would be to pick some companies that are regulated under the Alberta legislation, and some under B.C. and Quebec, and compare federally. You'd need a pretty big sample to come up with a significant result.

You're asking for specifics on how the notice should be delivered or on what should be in the notice.

Yes, our recommendation--and I'll let the others speak to this too--is that notification should generally be by mail, but electronic and substitute notice should be permitted, as appropriate. I think there should be some flexibility there for organizations, but we do think this is a business cost that is worth incurring and that it will have the effect of an incentive for businesses.

That's a good question. We haven't proposed registered mail specifically, but it's something to think about.

The difficulty would be with very large losses, of course. The California legislation allows for substitute notice through a newspaper of general circulation for really large ones--

It might not be very good at all, but it might be the only way to do it if there are half a million.

I'll just speak from PIAC's point of view.

We support having the Privacy Commissioner apprised as soon as possible of a data breach and having the Privacy Commissioner give advice to the company involved, but we do not support the Privacy Commissioner having discretion to make a call on whether notification should be given or not given. They're reluctant so far to do things--

To begin with, in our experience, there have been organizations that didn't really follow the commissioner's recommendations. In those cases, particularly if the name of the organization is unknown, consumers will want to solve the problem themselves, by no longer dealing with the company or whomever.

I should also point out that in the provinces, for example, in British Columbia, an order is not made every time. The power is there to persuade companies that are a bit reticent to change their practices. I think it works well.

Yes.

Yes.

I would add that we have trouble understanding why there is so much reluctance to adopt an order-making power at the federal level when it seems to be working very well in all three provinces, Quebec included, not just British Columbia and Alberta.

The reason we've pointed to the British Columbia and Alberta models is that they were modeled on PIPEDA three years afterwards. They got the advantage of seeing how the federal legislation was working and improving on it in a way that Quebec didn't, because Quebec was the first one out of the gate.

I have trouble understanding the opposition to order-making powers, because I think it's clearly proven to be a complementary tool in the hands of the provincial privacy commissioners.

I have a question of clarification. Are you asking about the businesses' understanding of their obligations under the act or about the consumers' understanding of the businesses' practices?

You're talking about consumers.

I would agree with what John stated, that the intention of this legislation is to ensure informed consent, which means the knowledge, the full knowledge of individuals about what the business is doing with their personal information. That is not stated clearly enough either in the legislation, speaking to the organizations, or in the organizations' privacy policies to consumers, in many cases. Businesses need to do a much better job conveying that to individuals, and the act needs to communicate better to the organizations.

Yes.

We did scientific readability tests on the 61, I think it was, privacy policies we had overall. They all measured way above average. The average was way above average. I don't have it before me now, but on the scales we measured it, we did eight or ten different readability tests, and they were all above grade 13 comprehension levels, well above the standard English level.

Often these corporations are not communicating in plain language to individuals. The act requires them to do that. The act says it has to be generally understandable, it has to be reasonably easy for individuals to understand what's happening with their personal information. We had law students testing this, and they found—I gave you the percentages—in a large minority of cases what was going on was not clear to a law student.

Thank you.

It's a good question. I think certainly more could be done in terms of educating small businesses and getting the word out about what they have to do under PIPEDA. I think there may be a perception out there that it's much more onerous than it actually is. PIPEDA does not require every organization to have a separate privacy officer. If it's a sole proprietorship, a small business, the guy in charge of privacy is the guy running the business.

And it probably won't ever affect them. This is largely directed toward businesses that are in the business of dealing with personal information.

This is the question. Why are they asking for that information? Do they really need to? If once they're getting into that business--

May I answer?

To the extent that it does affect the smaller businesses, we simply think it's good business, because if a customer finds out after the fact that there has been a loss of their personal data and it led to identity theft, that business would feel terrible and they would lose business in the long run. We think that it's good to get the issue in front of them--as Philippa said, an incentive--to have them take even a very general look at their data-handling practices, if you will, and put things under lock and key. They may think about maybe running a really simple encryption program. Even knowing what kind of information they have, it's not that onerous.

I share your frustration. Let's face it, the small convenience store operator won't necessarily have a written privacy policy that's posted, and all of these things that are required under the statute. Where I hope some organizations might attempt to assist the small business owner would be the various trade associations.

I don't know what the Canadian Federation of Independent Business has done for their members, but our industry association produced a privacy protection handbook. And recall that our association represents not only large corporate members but sole proprietors, focus group moderators, small business people. They have a comprehensive set of tools through their industry association that will help make it much easier for them to comply without incurring significant legal costs. I'd like to think that many other Canadian trade associations are helping their small business members to some degree.

I believe the Privacy Commissioner has the mandate, under the act, to do some public education, and we do acknowledge that they have some guidelines on their website. I'm not sure of their plan for reaching out in the future. I believe it was referred to in the last report that they were going to put something more in place. I believe we can count on them for some of that, but I do like the suggestion that there may be alternate routes to getting the message out there. Certainly from consumer organizations' point of view, we're happy to work with the business organizations to do that.

I'm just going to take a stab in the dark here, but I know the Privacy Commissioner does meet with the business organizations on a fairly regular basis, and this is something that certainly could come up in discussions with them at that time. We would be happy to participate, as well, to the extent that would exist.

It's six years.

The act came into force on January 1, 2001, and everyone knew about it then. The provincially regulated businesses were given three years' grace period, basically, before it became effective for them. So they had that first three years to think about it and get educated and get ready for it, and then it's been an additional two years since then that they've been under the legislation, subject to the legislation. So there's a distinction for some businesses between just the legislation being there but their not being subject to it, and their being subject to it.

That's not true. For many of the members of the Canadian Marketing Association, it's been effective since 2001. For some of their members it's only been effective since January 1, 2004, but it's been around since 2001, and they all knew about it.

Yes.

No, we don't think so.

Because privacy is personal to the individual, and that further publication of their name will, in their view, also victimize them from a privacy point of view. It's special that way, and we do acknowledge that is a special situation, because we're dealing with personal privacy.

Even if their requests were frivolous and vexatious, because we don't think there are a lot of those complaints, and that in situations like that—

—there are still routes for the company in the court system, if they feel they are being attacked in an unfair way, to try to address that.

That's a fine question. If there's an organization that is being investigated further than just mediation, if it's a resistant organization, let's say, I'm sure the Privacy Commissioner will come across situations where they get no response from the company, where they have had an egregious situation, and in those cases the Privacy Commissioner will want to get an order out there. For repeat offences, I think at that point the Privacy Commissioner will see the value in laying down the law, if I can put it that way, to someone who has ignored the last two findings. Those will be the situations where it will start to happen.

We have determined, through very careful reading of the rather cryptic findings--a number of examples are in our report--that in at least three cases there are repeat offences for the same bank, because the commissioner at the time said it was the same bank as in finding number x. I can give you the exact numbering if you give me one moment.

There may be more. We found three.

I have two cases with banks.

There was one case where we made a complaint against the company, and it was the third time. It had been complained about twice before, and you could determine that.

Well, I think it's fine. I think it's a good idea to have reasonable grounds. I think there is a place, however, for spot audits, like randomized spot checks, if the commissioner has the resources to do that, where it doesn't have to be a company against which there have been several complaints. That's one reason.

Another reason is that it seems to be...I mean, the commissioner's being taken to court right now by Equifax for not having reasonable grounds for a particular audit when apparently there were four complaints and a preliminary investigation. It just seems like a tremendous waste of resources to allow that kind of litigation when the Privacy Commissioner is extremely unlikely to engage in that kind of audit without reasonable grounds in any case.

I'm not sure. The money they're getting right now, $16 million, is a pretty decent amount of money. I don't have the ability to judge what you can do with that.

There are a number of complaints that are disputes between one individual and one company, and those absolutely are appropriately dealt with through mediation, resolved and settled, and no one's name needs to be published in those cases necessarily.

But there are many more, certainly the complaints that CIPPIC has lodged with the Privacy Commissioner, that have to do with company policies and practices that are widespread and are affecting thousands and thousands of consumers at once. It's not a question of a dispute that you can mediate. This is a matter where in many cases companies are just blatantly, in our view, violating the law and they think they're right. The issue needs to resolved, and it's an issue that should be resolved publicly, in our view.

No, I think the release of the corporate name should be after the findings have been made.

I have to agree with you that I don't think enough outreach and enough education has been done from a consumer point of view.

The two aren't incompatible, because you have cases that we found over the last four or five years where some companies are just never going to give in. They will continue the practice. But it's true that a huge amount of education still needs to be done, especially at the consumer end, to say that you have these rights, and at the business end, to say these are your responsibilities and this is how to handle it. I don't see the two as being incompatible.

At the Public Interest Advocacy Centre, PIAC, we suggested a form that is already in the Quebec legislation. The court decisions are really along the same lines, but it's not explicit.

So we support that kind of amendment.

I think we said exactly the opposite. What we said was that at the very least, the names of delinquent companies should absolutely be published, as well as the names of the people responsible. As for the commissioner's other decisions, the names of companies should also be disclosed, where appropriate.

I know that for many years PIAC and also CIPPIC have been calling for the naming of organizations that have been found delinquent under the act.

The Competition Act is similar.

I think businesses that are flagrant abusers and violators of privacy rights should have their names published. Publishing the names would shame them into compliance, one would hope. They would become media stories, and then that would sort of tie into the question raised previously: how do you increase awareness and consumer education?

If people can be cloaked in anonymity, then yes, of course consumers aren't going to understand their privacy rights and the law. So this is one way of bringing their rights to their attention. Name names. Let's not treat offending organizations with kid gloves.

I'd like to add that we don't interpret the act in the same way as the commissioner does. We feel it is in the public interest to publish those names. It's just a difference of opinion.

If, for example, the smaller businesses are holding personal information and they lose it, I'm assuming they would still be concerned for their customers. That's one of the reasons we brought the one big request here, which is that if they lose it could they please tell people.

Most small businesses are not using the personal information in a lot of secondary ways. They might be doing some mail-outs to their own customers, but they're not in the huge data brokerage industries. We don't see a lot that we're requesting here that's going to impact them any more than the act already does at the moment.

Absolutely, and if businesses do, then there is not going to be any problem. What PIPEDA does is it takes an industry code of practice, developed by industry, and just turns it into legislation so that perhaps the minority of bad actors out there are also caught. The good guys are following their own codes of practice and doing the right thing--common sense, respecting their customers' privacy, not getting into trouble. The legislation is necessary to go after the other guys, the big data brokers who are just ignoring people's privacy. That's more what it's there for.

I can see how it seems really daunting when you don't know the legislation; it's new, and you suddenly feel, oh my God, I have to have a privacy policy, I have to be careful, I have to have all my records in locked cabinets, and that kind of thing. But I think when you go through it, most of it is actually just common sense. In this day and age, when we're suddenly now in an environment where information is so easily available and traded and lost and shared and abused, we just need to, all of us--and this act only applies to commercial activities, but I think there are other activities that we also need to be very careful about--make sure that our computers have passwords, encryption, or whatever, on them to protect the information.

You do need to make sure that if you decide to make secondary use of that information, let's say, in a car dealership.... I know you have my file there, and I know you might contact me in the future about something. I'm your customer, that's fine. But if you then want to sell it to someone else for some other purpose, then I want to have the option of saying no, and I think I should have it.

That's what PIPEDA does; it gives me that option.

Yes. Opt-out consent is absolutely the standard in the marketing industry. It is allowed under PIPEDA.

That's a very good question. It was asked earlier, I think, too. I think it's used in situations where it's inappropriate. I think you can do opt-out consent well if you give people proper notice, if you tell them up front, and if you bring it to their attention, effectively--

I think opt-in is a much better approach, and I think organizations should be using opt-in. I think they're getting away with uninformed consent and consent that's not meaningful consent, because in many cases they're using opt-out and they're not doing it properly.

It doesn't seem to be working. I think the threat of order-making powers might help, but I think organizations are seeing right now a policy of not naming names, so they're feeling quite comfortable that they won't be named.

That's what we found in our study, yes.

We have one experience that's fairly detailed, the Englander v. Telus case. In that case, Mr. Englander lost at the trial division of the Federal Court and was ordered to pay, I believe, $15,000 in costs to Telus, and that didn't include his own time. He had to go to the Federal Court of Appeal, and he eventually got his costs back. But I'm assuming that he had more time on top of that. I don't know how many hours he spent on it, but if he was billing himself out at $200 an hour, that would be an awful lot. I know there's another case, which is detailed in our report, of a lady who had to abandon it because the costs were getting too high.

It's like any other court case; it's in the thousands.

Tens of thousand.

Tens of thousands.

But you'd have the order.

Right now the only way to get a binding order is to go to Federal Court.

Absolutely.

Actually PIAC and CIPPIC have been calling for data breach notification for a couple of years now. About two years ago, we put out a news release on this and sent it to all MPs, hoping that some action would be taken.

The Ontario government put a data breach notification requirement into its health privacy law. This is the only one that exists in Canada right now. It's an obvious measure that needs to be in place in the context of identity theft. I absolutely agree with you that it's something that can be done quite easily.

We will be coming out with this working paper. As the honourable member suggested, there are a number of details that you need to work out. What is the threshold, the trigger for the notifications? How should the notifications be made? When? Should the Privacy Commissioner be notified? Should the police force be notified, and so on?

I would recommend having further consultation on this. I think there is pretty widespread recognition that this is needed.

In the legislation, PIPEDA doesn't really address the issue of business transfers. I believe that by contrast legislation in B.C. and Alberta addresses them, and so there's a gap there. I think we need some clarity around what organizations should or should not be permitted to do.

At our company, we filled the gap by putting an explanation into our privacy policy that, should our company be acquired, this is what we would require of the acquiring company.

Absolutely.

It is there.

It might actually be covered by the provision that says, if you change the purpose, you have to give new notice. But we haven't seen a case yet.

The business transaction is one. We have pointed to their provisions on consent, whereby they have very nicely distinguished among three different kinds of consent: the opt-in, the preferable upfront, positive opt-in consent, which is the standard; then the concept of implied consent, where you can reasonably assume the person has consented, given the facts and the circumstances, and where the person would have consented had you asked them, and that kind of thing; and then the concept of opt-out consent or negative option consent, where you're providing notice to the individual and then assuming their consent unless they opt out, and giving them some method for opting out, and by so doing, they have been able to structure the criteria for each of those kinds of consent. It's much clearer in those acts than it is in PIPEDA, although I think the same thing was intended.

Of the act, or are you talking about--

Then you don't know.

At the moment, the act is set up to wait for people to complain. There have been quite a number of complaints. The Privacy Commissioner probably has figures in the annual report. It's not perfect in the sense that if no one complains you don't find out it's true.

It is.

Sir, I think that is the very reason it's important to allow groups like CIPPIC and PIAC to do the kind of research we do and find important non-compliance and complain about it, because privacy breaches are so hidden by their very nature.

We're suggesting the provincial model in B.C., Alberta, and Quebec be followed, whereby the commissioner himself or herself has that power rather than a separate tribunal, which we think would be awfully cumbersome.

For a tribunal?

And we're not quite sure of the reasons.

I don't see the difference between writing a finding and writing an order. It may be a bit longer, it may be slightly more costly, but they were doing the work anyway, so let's make it effective.

That would be an improvement on the present situation, whereby the investigation has occasionally been a little bit one-sided for either the complainant or the company. We would welcome a slightly more formalized procedure, and as to whether that would add a lot to the cost or not, I don't think so. I think the B.C. and Alberta models have shown you can give people a chance to do written submissions, at least, and I'm not sure if they do oral as well. We don't want to judicialize it overly, but--

Can I answer that?

That's absolutely right. There's great merit to the ombudsman approach, and we're not saying to get rid of it. We're saying to continue the ombudsman approach and resolve as many of these disputes as you can through mediation and that sort of thing. But you should also have the order-making power for those kinds of issues for which it is appropriate and for those that need the order-making power.

I haven't thought about that.

We haven't thought about it in detail, but take, for example, the very garden variety company that didn't respond to my request for what information they held on me or didn't respond within thirty or sixty days or whatever it is under the act. Those are the sorts of things that would be more difficult to appeal, so they might be appropriate. But I would like to look at it more before we make a proper answer.

Can I respond to the broader issue? The Alberta and B.C. models make the commissioners' findings final. They're not actually appealable to court.

Judicial review.

There's always the possibility for judicial review. That always exists. It may be that what you're talking about is applications for judicial review. But those are the models that we've been proposing.

We've also proposed a simplified procedure. The Federal Court does have, in its rules, rules for simplified procedures. I haven't studied them to see how effective they are, but absolutely, a lot of these cases are susceptible to written evidence and simplified procedures. We should structure this in a way that is most efficient, with the lowest cost for everyone.

I don't think we know at the moment.

You'd have to ask them. I'm just trying to think of any court cases that I'm aware of in those two provinces. There may be some, but I'm not—

We'd love to know too.

Both of those are being reviewed. The Alberta legislation is currently being reviewed, and the B.C. one is about to be reviewed by the legislature.

It seems out of the blue to me, and we think it would be an incentive for people to do better security, because they then have this requirement.

I think I know where it comes from. The B.C. Information and Privacy Commissioner had an experience with a particular data breach example involving a local mental health organization that had files on the psychiatric conditions of many people. There was some breach. Something happened and they didn't know who got the information, so they felt they needed to notify all these people. In that situation the B.C. Information and Privacy Commissioner was involved, and there were all sorts of difficult questions that needed to be answered. Would the patients themselves be further traumatized by receiving the notification? How would they be notified? The details of going about the whole thing were difficult.

I think it was that particular experience with a mental health organization that led him to question whether we want to jump into this. Of course, I would recommend asking the question directly to him.

It's not that clear, but there is a principle that says you have to take physical, organizational, and technological measures that are appropriate to the sensitivity of the information.

Yes. And if you're a large bank, you have to do encryption and have security personnel, and I think the Privacy Commissioner recognizes that.

There's a level.

The CSA code has become PIPEDA. PIPEDA is the CSA code, basically.

That's exactly it. PIPEDA is really just legislating good business practice that has been recognized by businesses.

I can certainly say, for myself, that when we were coming up with these recommendations, I was taking the kinds of concerns you're raising now very much into consideration. The last thing we want to do is create more bureaucracy and more expense from it, but what we want to do is make it more effective, in an efficient way. We've tried to design the recommendations here in a way that doesn't require more expense or effort on anyone's part. They will for sure on the part of the Privacy Commissioner, and they will require expense on the part of private businesses that are not currently up to shape in terms of their privacy protection practices, but they should be.

It's a big part of the solution, but it is only part. We can see, just from the cases we've had in the last three years, that one part of the solution is convincing businesses to change certain business practices that have been found to be privacy-invasive and that they're not changing.

But a big part of it definitely would be getting the consumer up to speed on what the act requires.

A lot of what's required here is just pure transparency. It's saying to businesses, tell the consumers what you're doing. Don't do it behind the scenes; tell them if you've had a data breach and that they might be the subject of identity theft.

These are all pretty common-sense kinds of things that I think most businesses who have thought about it are already doing, or would do in those circumstances.

We've actually recommended that this be treated as an offence and that there be a penalty for that.

I don't think we've explicitly specified the penalty. It's something that needs to be further discussed, but we've said that should be subject to sanctions.

Our recommendation nine suggests that the offences section be expanded. On data breach notification, our recommendation is that there be tough penalties for that and not simply injunctive relief, which is appropriate for other kinds of problems.

We have two different things here. We have the commissioner's orders and we have offences. Offences are prosecuted by the attorneys general.

They would be treated as different categories. Those are not orders that the commissioner makes.

Recommendations three to eleven in our submission are all about that.

I can quickly run through them.

We're saying that there are lots of things you can do here to improve the situation.

You can make it easier for individuals to take cases to Federal Court, to get binding orders and damages where they have suffered damages. They should be protected from adverse cost awards in Federal Court unless they've behaved irresponsibly. They should be eligible for solicitor-client costs if they win. There should be the possibility for punitive damages, not just compensatory damages, in appropriate cases. Privacy breaches often don't carry much in the way of compensatory damages, and yet we would all agree that there's a behaviour here that should be punished.

We've talked about the publication of names. Permitting class actions is another important one. Right now only individual complainants can take their matters to Federal Court. They have to get a finding from the commissioner, and once they have that they can go to Federal Court. But often what we're talking about are breaches or violations of the act that affect thousands of individuals. The act should allow class actions in those situations. The Federal Court has rules for class actions that can be structured to permit those kinds of proceedings in appropriate cases.

The commissioner is doing a pretty good job of reporting statistics in her annual reports right now, but there's probably room for improvement. That should be mandatory in any case. It shouldn't be a discretionary thing. We need to know, particularly if she doesn't have order-making powers, more facts about what's going on.

We talked about audits, and we talked about expanding the offences section.

All of those things you can do without creating order-making powers.

They don't know.

There's a little bit of pushiness in principle 4.3.3 of the act that says it has to be for a legitimate and explicitly mentioned purposes, but we think that gives too much wiggle room, and we would prefer to have it amended so that it has to be information only requested for providing that service. That's why we said, here is a technical amendment, but we're shocked as well.

I would say it's fine, it's perfectly legal, and it's okay if—if—they are getting proper consent. There are ways of doing proper opt-out consent, but our study shows they are not.

The law is well behind the industry and the technology in this area, and it needs to catch up.