Thank you very much, members of the committee. Thank you for the opportunity to speak today.
The Public Interest Advocacy Centre has been deeply involved with the Personal Information Protection and Electronic Documents Act, PIPEDA, from a consumer perspective from before its passage. We're therefore here today to give you the consumer perspective on PIPEDA so far.
First of all, PIPEDA is not working for consumers. PIPEDA is, to quote Professor Michael Geist, a “placebo privacy protection”. Canadian consumers think their personal information is being protected by a dedicated consumer privacy act, but in practice it is not. We therefore have three requests of this committee. First, the commissioner should be handed order-making power. Second, consumers should be notified when their personal information that is held by a business is lost or stolen. Third, the consent sections of PIPEDA should be clarified to ensure that real informed consent of consumers is obtained when they offer up their personal information.
I'll deal first with order-making power. PIAC completed a study on the consumer experience under PIPEDA in 2004. It found a number of problems for complainants, including the lack of enforcement, above all, by the Privacy Commissioner, in order to vindicate them when they had a successful complaint. Other problems were the frustration of complainants that the commissioner did not, as a matter of course, name the company that had not followed the act, and that the reasons given by the commissioner for their findings were so brief and sanitized that no one else could benefit from their experience in bringing their complaint.
Secondary marketing purposes for personal information gathered from consumers now are so important to business that there is no incentive for them to change practices. Only order-making power of the commissioner will act as a counterbalance to the trade in personal information. Still, the Privacy Commissioner has come before you and said that she does not want order-making power. She said it would decrease the office's overall efficiency and they would be using other powers to get results. We disagree. We think that order-making power would increase the efficiency of the mediation and other processes of the office, as it would act as a stick to the carrot of mediation. As noted in our report, many companies simply ignore the office's findings. The commissioner cannot threaten to take every finding to the Federal Court. Provincial privacy commissioners, however, get results because they have this power to make orders backing up their mediation efforts.
If the OPC--that's the Office of the Privacy Commissioner--intends to perform more audits, for example, order-making power is a natural complement to the audit power. However, at present if there is an audit that discovers practices that are not in compliance with the act, the commissioner has no power to order those practices to be changed. If we add this to the requirement to have reasonable grounds on the audit power, then the commissioner's promise to police PIPEDA with more audit powers looks very suspect. As noted by CIPPIC, there is a widespread non-compliance by business with the most basic and fundamental provisions of PIPEDA, those that are intended to provide the consumer privacy in the marketplace. We therefore do not see order-making power as a luxury, but rather as a necessity.
I'd like to deal now with the issue of naming names in particular. We also think that the Office of the Privacy Commissioner is being far too reluctant to use the powers of her office that she does have. Chief amongst these is the power to make any information gathered in her inquiries under the act public, if it is in the public interest. And this is subsection 20(2). The commissioner has effectively indicated that she will never use it. Maybe, just maybe, she will for repeat offenders. But we've never seen it used this way, and we believe the Canadian Marketing Association has nothing to worry about in this regard.
However, if consumers are to have any effect on the bad actors in the industry on the subject of privacy, they must be able to express their displeasure to the company involved. This cannot be done when the company is protected from any adverse publicity or consumer action. If this committee does not recommend full order-making power for the commission, then at the least we are calling for you to ask that the present section 20 of PIPEDA be reviewed and amended to direct the publication of names of respondents.
I'll turn now to the concept of breach notification. Our second main point is that for a data breach, companies should be required to notify customers under PIPEDA. This would be real protection for real people. Identity theft is either the goal of, or the likely consequence of, many lost and stolen corporate databases of individuals' personal information. Remember that it is real people whose real personal information is lost by companies, and that those individuals will either suffer real financial loss due to the identity theft, or will have to take measures to guard against it, and even if no harm results they will be worried about it.
Covering up the truth, however, will do nothing to help people with this situation. They must be informed in order to make the right decisions for themselves about how to deal with identity theft.
This is the heart of our support for the breach notification requirement. We feel that companies hold personal information in trust and that they must make every effort to protect the beneficiaries of that trust—consumers, customers—by being as open as possible and admitting to losses of personal information.
Canada is not leading in this very practical aspect of privacy protection. Several U.S. states, including notably California, have passed very comprehensive breach notification acts even without underlying privacy legislation. We note also that the Ontario law in the health area requires physicians with a data breach to notify their patients. Other provinces may be considering such breach notification.
We do not think Parliament should take a “wait and see” approach to breach notification, because this places the risk of identity theft on the consumer and not on the company, which, as I noted, should be considered to be in a position of trust.
Consent is our last issue. First, the main point to remember about PIPEDA is that it requires individual consent to all collections, uses, and disclosures of personal information, with only some very limited exceptions. This is the guiding principle and main point of the act, giving people a right of say over their personal information held by others.
Consent was looked at by the courts in a case arising out of a dispute over phone company listings. In that case, Englander v. Telus, the Federal Court of Appeal said clearly that what consent means under PIPEDA is informed consent; that the individual must clearly know about the proposed collection, use, and disclosure of their personal information and agree to it.
This concern applies directly to the argument over what should be standard business practice for obtaining consent to direct marketing or secondary marketing. It suggests that PIPEDA should be amended to define levels of consent, and that the highest possible level of consent—the one tending towards true, informed consent—should usually be required.
In practical terms, this means that opt-in consent should be the default, and opt-out consent only when the company ensures that the consumer is fully informed of what will happen to their personal information.
We're concerned with the CIPPIC reports and believe they demonstrate that the majority of retailers are not likely meeting this standard for consent, and that it is imperfectly expressed in PIPEDA. We therefore urge the committee to adopt the technical amendments to the consent sections of the act that are outlined in CIPPIC's written submission and are designed to clarify this concept so that retailers and other heavy information users can rely on true customer consent.
In summary, PIAC therefore can say that we are asking that this committee give consideration to granting order-making powers to the Privacy Commissioner; that a data breach notification requirement be added to the act; and that clearer rules on consent, in line with those suggested by CIPPIC, be added to the act.
Thank you very much. I welcome any questions in either language at the close.