Information & Ethics Committee on Dec. 11th, 2006

Thank you, Mr. Chair.

Ms. Seigel will deliver our presentation, but I would like to say a few words first to put it into context.

Our association represents Canadian information and communications technologies, or the ICT industry, including everything to do with computers, software and telecommunications from equipment to service.

This industry is highly interested in every aspect of privacy protection, and has been for quite some time.

In 1996, when I was chief privacy officer at Bell Canada, we were already operating under an extensive set of regulations that dated back to 1955 in matters of privacy protection. But the industry as a whole, the broader industry, also saw at that time, as the Internet was about to explode in terms of usage, that privacy protection and confidence in the Internet and the e-economy was absolutely critical to our future. Therefore, our industry was really the first proponent of tackling the issue with legislation. We also had to consider that we couldn't take a regime that applied to a heavily regulated industry, like telecom was at the time, and transpose that holus-bolus to the whole economy in matters of privacy protection.

We were very happy to evolve a regime that was quite innovative and quite effective that involved a first layer of taking ten principles developed by the OECD in a multi-party manner, where they had consumers, businesses, and governments evolve these principles. They were taken, again, in a multi-party approach by the Canadian Standards Association, which developed a code on them. And the legislation reflects this, that we had a base of self-regulation on which we then imposed a government body, the Office of the Privacy Commissioner, in an ombudsperson role, and then the courts to do enforcement, if, as, and when required.

This mixed model, which, as I said, is quite innovative and quite effective, has been recognized worldwide as truly an effective way of tackling this, this made-in-Canada solution.

So I would say, when you hear suggestions, I would be very loathe to take on anything that changes the fundamental structure. There's really no reason to undo that very successful approach.

I have a final comment in terms of context.

The vast majority of the members of our association are small businesses and the vast majority of the businesses that are clients of our technology companies, who have to deal with these information protection measures, are small businesses. These businesses do not have the means to continually adapt to changes in their operating approaches.

They don't have in-house law departments; they don't have the resources to have a lot of legal advice to change the way they do things.

So I would say, again, as a general approach, our industry feels you should be very cognizant of the maxim that if it ain't really broke, don't fix it; don't change the legislation unless absolutely necessary.

I'll pass it on to Ariane.

Good afternoon.

My name is Ariane Siegel. I am a partner in the law firm of Gowling Lafleur Henderson, practising in the area of privacy and telecommunications law. I am also the chair of ITAC's privacy task force, and it is in this capacity that I'm addressing you today.

As you've already heard, a well-respected international think tank, Privacy International, ranked Canada at the top of the list of countries for privacy protection in its most recent survey--second only to Germany. The high degree of accessibility under PIPEDA did not go unnoticed by Privacy International, and the report correctly states that “anyone can complain to the Commissioner about an alleged violation of PIPEDA”.

ITAC suggests that contrary to the survey of 64 companies put before you by the Canadian Internet Policy and Public Interest Clinic, there has been a very good level of privacy compliance by Canadian organizations. Most organizations work diligently at compliance and have extended significant resources in this regard. Especially noteworthy is the profound impact that Canadian privacy laws are having on international privacy compliance. For example, many U.S. companies with Canadian subsidiaries are adapting Canadian privacy compliance frameworks for use in operational settings south of the border.

Let's begin with ITAC's general position regarding PIPEDA in the context of the ongoing review process. ITAC, as you've heard, believes it's far too soon to make significant changes to PIPEDA. Most companies have had less than three years to implement and refine their privacy policies and procedures. Furthermore, many customers and employees are only now becoming familiar with how to exercise their rights under the legislation. ITAC supports cooperation with industry to create guidelines for security implementation and operational standards to enhance the transparency and consistency of the exercise of existing powers under the legislation.

I'd like to focus on ITAC's views on several issues that have been raised over the course of this review process. First is with respect to PIPEDA's inherent flexibility. PIPEDA's flexibility allows for the implementation of privacy principles in all organizations, no matter how large or small, and across all industries, however different their business processes may be. Consumers and employees also benefit from PIPEDA's flexibility, which provides an accessible, effective, and low-cost dispute resolution mechanism.

Secondly, with respect to the commissioner's order-making powers, ITAC believes that the existing ombudsperson model provides an effective, informal, accessible, and cost-effective dispute resolution process, while also allowing for a formal and binding review process by the court in certain instances. If decisions of the commissioner were to become binding orders, organizations would have to implement a more formal and costly compliance infrastructure. Adherence to PIPEDA's broad principles would give way to a very strict and literal approach and much less openness and collaboration with the Office of the Privacy Commissioner. Binding orders also raise the stakes for businesses in any dispute, and consumers could expect to find themselves pitted against experienced legal counsel in the process. Such a formal and adversarial process might well be avoided by consumers altogether.

Next, with respect to mandatory data breach notification, ITAC opposes mandatory notification of privacy breaches. ITAC is of the view that organizations take their responsibilities for data security very seriously. In the case of a data breach that poses risk to individual privacy, no organization would want to take on the additional potential liability of not taking adequate steps to mitigate further risks or damages that could be suffered to individuals. Many organizations currently contact the Office of the Privacy Commissioner to get guidance on how to deal with data breaches.

ITAC is of the view that mandatory notification requirements would result in notification fatigue for customers. CIPPIC pointed out in its submissions to this committee that several U.S. jurisdictions currently have notification requirements in place. However, these notification requirements do not mean that privacy protection is better in the United States or that somehow Americans are less prone to identity theft.

Canada is an international leader on the data protection front. Canadians have also been early adapters of leading-edge technologies, and many of the organizations are in the forefront of leading efforts to develop new privacy-enhancing technologies and processes. ITAC would support and would itself be interested in working with the Office of the Privacy Commissioner to develop guidelines on addressing data breaches.

Another issue is the commissioner's discretion to identify complaint respondents.

Currently, case summaries are reported for the most part on an anonymous basis. The commissioner has taken the position that naming respondents in each and every case would not meet the public interest threshold of the legislation.

ITAC supports this approach. The commissioner has the discretion she requires in order to name respondents. ITAC believes that a mandatory practice of naming respondents in each and every instance would not benefit parties to any dispute, and, in fact, could result in negative consequences.

Complaint resolution often results in a change to business policies or procedures such that the benefit naturally accrues to all customers. In this way, positive results are achieved with a high degree of efficiency.

Fifth, ITAC would like to respond to the issue of increased restrictions on transborder flows of personal information. Commercial practices often demand that personal information flow across borders. This has become an irreversible economic reality, driven by globalization and new technological opportunities.

Fortunately, PIPEDA's accountability principle demands that businesses in Canada communicate their privacy practices to the public and requires businesses to enter into contractual agreements to ensure a similar level of protection for personal information transferred outside of Canada.

Placing further restrictions on transborder flows of information under PIPEDA could reduce the global competitiveness of Canadian businesses. Canadian privacy legislation does not need to be modified to ensure that organizations safeguard data in any outsourcing, whether local or transborder.

PIPEDA very clearly recognizes the need for organizations to safeguard data. The Office of the Privacy Commissioner has set out a very practical framework for dealing with transborder data outsourcing in two recent case summaries.

Most importantly, the long-established common law of agency imposes obligations on organizations to protect data in their custody and control and would extend to the need to impose adequate protection when data is processed elsewhere.

In conclusion, ITAC believes that the provisions of PIPEDA are sound and continue to provide the appropriate balance between the interests of the public and industry as technology and expectations evolve over time. PIPEDA balances various legislative approaches, setting the tone for other jurisdictions and enabling Canadian businesses to remain competitive in the global arena.

ITAC members have invested significantly in the operational, legal, technical, and training aspects of privacy protection. ITAC itself has demonstrated leadership in educating its members about privacy, and we have worked with the federal and provincial privacy commissioners in doing so. We plan to continue our efforts in this field.

On behalf of ITAC and its member companies, I would like to thank you for the opportunity to address this committee.

Good afternoon, Mr. Chair and honourable members.

Let me commence by expressing my extreme gratitude for the invitation and the opportunity to appear before you today on a set of issues that I care very deeply about.

Like many of the others who have appeared before you, and perhaps unlike my friends to my left, I'm concerned that there are a number of significant problems with the current legislation that do require reform. I've provided written submissions to that effect and hope to illustrate a key problem in my brief time before you here today.

I submitted them about a week ago. They perhaps didn't come through translation.

It perhaps goes without saying that computers, databases, networks, surveillance cameras, cookies, spyware, radio frequency identification, and other automated means of collecting, using, and disclosing personal information directly threaten our ability to control personal information.

You've heard about this from many of your previous witnesses. I have significant expertise on these issues, and I'm happy to provide more information about any of them for you, if you wish, during the question period.

My testimony today, however, will be to suggest that there is a much bigger threat to privacy that comes from a much more primitive and much more basic technology. It is a technology that all of you are familiar with, even those of you, like our honourable chair, who avoid computers, PDAs, and the Internet like the plague.

The threat I'm referring to is in fact a legal threat.

In French it is called the “contrat d'adhésion”.

In English, we call it the standard form contract.

While computers, surveillance cameras, and RFID chips technologically enable aggressive, voluminous, and sometimes surreptitious collection of information, it is the standard form contract that legally enables the so-called “implied consent”, “deemed consent”, and “opt-out” consent-gathering processes that are said to justify the use of surveillance technologies under our current privacy law. These means of using the law to deem consent, when there is in fact none, can be highly problematic.

Standard form contracts are mass-produced documents that prevent and preclude negotiation and agreement. They are drafted exclusively by parties in an economic position to offer them on a take it or leave it basis. In an information age, where the business handshake has been replaced by mouse clicks, where the bilateral negotiation process is supplanted by global, one to many transactions, the standard form contract is regularly invoked by organizations to circumvent various privacy protections prescribed by PIPEDA and other data protection regimes.

Whether in the sale of goods or the licensing of services, many organizations use standard form contracts, clickwraps, and end-user licence agreements as ways to justify what is sometimes an unreasonable and overarching so-called consent to excessive collection, use, and disclosure of personal information. Through these sometimes one-sided contracts, organizations are able to extend their personal information practices well beyond the bounds of what might otherwise be permitted by Canadian privacy law. They do this by compelling consumers, customers, and citizens to sometimes contract out protections that would otherwise be afforded through PIPEDA.

In my written submissions, which I guess you don't have in front of you, I offer a series of detailed recommendations on how to amend PIPEDA in light of these, to fix the enormous problems of obtaining genuine consent that are generated by the contractual model.

I am happy to answer any questions you might have on those, but let me first provide you with two crunchy examples that should hit close to home.

Example number one. As a member of Parliament, your job, like mine, requires you to stay in one of Canada's nearly 400,000 hotel rooms from time to time. Maybe you need to send some documents or check your e-mail while you are there. To use a hotel's Internet services, you'll be required to agree to its terms of use. On a recent work-related trip, I stayed at a Hilton Hotel. While there, I needed to use the Internet. Here is what I'm said to have consented to when I plugged my computer into the Hilton's Internet connection:

We automatically track, collect and compile User Information and Transaction Data (as defined below) when you utilize the Site.

...

You agree that HHC shall own all Information.

By accessing the Site, you voluntarily, expressly and knowingly acknowledge and agree with all of the foregoing and further agree to each and all of the following: (i) such Information belongs to HHC and is not personal or private proprietary information; (ii) such Information, wherever collected, may be processed, used, reproduced, modified, adapted, translated, used to create derivative works, shared, published and distributed by HHC in its sole and absolute discretion in any media and manner irrevocably in perpetuity in any location throughout the universe without royalty or payment of any kind, without, however, any obligation by HHC to do so;

....

So instead of me, let's imagine that the honourable member, Mr. Tilson, stayed at the Hilton Hotel and sent an e-mail to his colleague, Mr. Wallace, an e-mail containing some communications perhaps about these committee deliberations, perhaps about some more personal things.

Under the terms of service referred to above, Hilton will claim that the personal information and private communications generated by these two honourable members is in fact not personal or private information, by way of their consent, and it is therefore not subject to PIPEDA, and that in fact Hilton owns the information in perpetuity, anywhere in the universe. As David Bowie might have once sung, “Planet Earth is blue, and there's nothing you can do”.

According to Canadian contract law—and I've been teaching it for more than ten years—I suspect that Hilton would likely prevail. Regardless, most individuals would be forced into submission during a lengthy and protracted litigation process in the courts about what is certainly, at this point, an unclear point in the law. I recommend we clarify the law with this.

Example number two. Like me, everyone around this table is a consumer of many intellectual products every day. You read the newspaper, specialty magazines or books, or maybe you watch TV, movies, or listen to music or talk radio. If you are like me, sometimes you don't care who knows what you are reading about or listening to, and sometimes you probably do, but l'II bet that you would care a lot if you learned that someone was always able to know about every single intellectual product that you consumed: how often, where, when, etc. Everyone around this table, I suspect, cares about intellectual privacy, the ability to consume intellectual products free from public scrutiny and corporate or governmental surveillance.

Imagine that you go out and buy a CD or DVD, or maybe you borrow it from the library. You put it into a device that you own and you play it. You watch or you listen. All the while, unknown to you, a small software routine written into the code of that CD or DVD causes an automated communication via your wireless Internet connection. The CD or DVD reports back to Sony--or whoever--who you are, where you are, what machine you use, which software you run, what you are watching or listening to, when you watched or listened, how often, etc.

By now in the course of these proceedings, and having heard many witnesses, you are, I suppose, no longer surprised by the realities of the digital age, but here is something that might surprise you.

You decide to investigate whether the company's practice infringes on your privacy rights under Canadian law. You come to learn that it probably does not, or at best that the law is unclear with respect to any of this. In fact, you come to learn that you have probably legally consented to letting the CD phone home and rat you out to the mother ship. ln the standard form contract of more than 3,000 words--which, by the way, is about 700 words more than it took Edgar Allen Poe to tell the tale of the thousand injuries of Fortunato--52 words provide your so-called consent to the automatic installation of a rootkit; Sony calls it “a small proprietary software program”.

Because of this provision, the organization collecting your personal information will claim that you have contracted out of the protections otherwise afforded to you under PIPEDA. According to their agreement, you also supposedly consented to allow them and their information-sharing partners to give that information to any member of the government who makes a request, without a court order and without any form of due process--and there is nothing you can do about it.

The main point I want to impress upon this committee today is that this form of legal manoeuvring--something that each and every one of us around this table is subject to multiple times each and every day--is hugely problematic and is not sufficiently addressed in PIPEDA. Standard form contracts, as well as a number of other so-called consent-gathering processes, can sometimes--not always, but sometimes--undermine the nature and value of genuine consent, and in those instances will fly in the face of what our privacy laws are actually trying to achieve.

I would submit that PIPEDA's attempt to balance individual privacy rights with the needs of organizations to collect personal information is undermined if--irrespective of PIPEDA's many protective provisions--intrusive, unfair, or unwanted collection, use, or disclosure can be imposed on individuals with impunity through standard form contracts or other similar so-called consent-gathering processes such as those used in the past by Sony, by Hilton and other hotels, by instant messaging services, by mobile phone providers, by other online service providers, by health care providers, etc. I can assure you this same strategy is used often and with great success in other sectors as well, all of which tells us we do need much tighter sets of consent provisions than those currently provided in PIPEDA.

ln my written submission, I offer concrete recommendations to fix this. If I have another thirty seconds, I'll go on the record to lend my support for other recommendations that have been made by other witnesses. In particular, the law should be amended to provide the federal Privacy Commissioner with order-making power; the law should remove any lingering doubt about the power of the federal Privacy Commissioner to regularly name names in well-founded findings; the law should include a mandatory security breach disclosure requirement; and finally, Ottawa must seriously begin to address the growing concern in Canada over the outsourcing of personal information to non-Canadian organizations, particularly data flows to the United States.

I know there is no time to address these points now, but I am happy to respond to any questions you might have.

Thank you very much for your time.

Oh, oh!

Mr. Chair, I will start and then Mr. Bowman will continue.

The Canadian Bar Association is very pleased to appear before this committee as it conducts its statutory review of PIPEDA. The Canadian Bar Association is a national association representing over 37,000 jurists across Canada, and amongst our primary objectives are improvement of the law and improvement of the administration of justice, and it's with those optics that we have reviewed PIPEDA, and indeed that we were actively involved when PIPEDA was developed.

The development of this area of law also led the Canadian Bar Association to establish the privacy and access law section, the group that has prepared the paper before you. I'll just say something about the section. It brings together lawyers who act for businesses and not-for-profit organizations and privacy groups, as well as academics, and government officials who act in this area of law. So it brings that balance of interests to the table in assessing the operations of the law.

Finally, a word about the paper in front of you. This is not the privacy and access law section's first foray into a review of PIPEDA; we've provided preliminary assessments to Industry Canada and the Privacy Commissioner on issues that we thought should be addressed in this review. So the paper before you poses some key points from those more comprehensive submissions and gives an executive summary of them. We have provided the full paper to the clerk for use in greater detail.

I will now ask Mr. Bowman, who is chair of the privacy and access law section, to address the key elements that we think are subjects to review.

Mr. Chairman, honourable members, thanks very much for the opportunity to speak with you today.

In my brief remarks to you this afternoon, the CBA section wishes to highlight four key areas or themes among several we've addressed in detail in our submission to Industry Canada, which we've just referenced.

These themes reflect particular areas of PIPEDA that six years of experience have demonstrated to be deficiencies in the law or that represent emerging policy issues that were not adequately recognized when the law was first enacted. After nearly six years of interpretation by the courts and by the Office of the Privacy Commissioner, we believe it's prudent and necessary to consider amending PIPEDA.

Privacy legislation has been enacted in British Columbia, Alberta, and Ontario since PIPEDA came into force. These provincial developments respond to our experience with PIPEDA and in some instances have addressed deficiencies in both drafting and interpretation.

The CBA section’s recommendations for amendments to PIPEDA are shaped by the following principles. First, while respecting the balancing of interests in the collection, use, and disclosure of personal information, vigilance is necessary in monitoring and opposing unnecessary erosions of privacy by both government and non-governmental organizations. Second, the basis for protecting privacy in Canada should be fair information practices as they continue to evolve. Third, privacy legislation and practices across Canada should be harmonized to the extent possible.

I'll touch on the first theme, and that is that PIPEDA should be neutral in regard to the litigation process. In other words, it should not affect pre-existing and commonly held litigation processes that have evolved for decades and hundreds of years. PIPEDA contains a number of specific exemptions to the consent requirement that require amendment. The current exceptions relating to litigation are too narrow and should, at a minimum, be broadened to ensure that well-established litigation procedures are not impeded.

This narrowness is evident in the investigation exceptions, the one-way disclosure, the collection and use of debt disclosure information, and the limitation on disclosure throughout the litigation process. The result is inadequate coverage of all aspects of the process: pleadings, oral discovery, mediation, private arbitration, settlements, solicitor communications, and other non-court ordered exchanges of information.

There should be a broad exclusion for information legally available to a party to a proceeding that would override specific exceptions currently found in PIPEDA. Related to this concern, PIPEDA should be amended in its application to law enforcement. Specifically, the provisions for the collection, use, and disclosure of personal information without consent for legitimate law enforcement purposes should be clarified. The current provisions relating to investigations and the enforcement of laws are confusing and internally inconsistent. A single standard should be applied for collection, use, and disclosure relating to law enforcement.

Finally, the provisions respecting investigative bodies should be streamlined. For example, organizations should be permitted to carry out their own investigative activities without unnecessarily being required to use other investigative bodies to collect information from third parties. The CBA recommends an amendment to create a broad exclusion for information available by law to a party in a proceeding to permit collection, use, and disclosure without consent where reasonably required for an investigation.

The second theme I'll touch on is as follows: PIPEDA enforcement should be more effective while continuing to reflect principles of fundamental justice. The lack of order-making powers in PIPEDA significantly affects the likelihood of complainants bringing forward issues of non-compliance. Complainants must apply to the Federal Court to obtain a remedy or compensation, but they may only do so after the commissioner has issued a finding. At present, it takes up to a year to receive a finding. Also, taking a matter to the Federal Court effectively requires hiring legal counsel and places the complainant at risk of an adverse cost award.

Further, there is no mechanism for the commissioner to compensate an individual who has incurred significant expense or suffered loss in connection with a complaint. However, under the current structure, conferring order-making powers on the commissioner could result in a violation of principles of fundamental justice. Currently, the commissioner acts as an ombudsman who advocates protecting personal information. The commissioner's office also investigates alleged violations of PIPEDA. Combining advocacy, investigative, and decision-making roles may place the commissioner in a conflict of interest and undermine the credibility of the office.

More effective enforcement could be achieved by assigning a separate office or body, functioning in a reasonably informal manner with decision-making authority. We've previously suggested an impartial tribunal with order-making powers and the ability to award damages, while the commissioner would retain the investigative powers and an advocacy role. The commissioner could be required to issue a finding within six months, which would then be referred to the tribunal. Therefore, the CBA section recommends an effective enforcement mechanism for PIPEDA be considered, such as an establishment of an impartial tribunal that would operate relatively informally, with power to make orders and award damages.

The next theme is that any requirement for notification of breaches of privacy should be balanced in approach. To date, federal and provincial privacy legislation has required public and private organizations to apply security safeguards when handling personal information. Several U.S. states have recently enacted additional legislation to require organizations to notify individuals in the event of a security breach involving improper disclosure of their personal information.

The EU has recently announced that it may consider information security incident notification. In contrast, Canadian privacy legislation does not explicitly contain such a requirement, with the exception of Ontario's Personal Health Information Protection Act. Therefore, the CBA section recommends that a balanced privacy breach notification requirement be considered, such as a duty to notify only where an organization is not covered by security mechanisms such as encryption, or has received notice that such protection mechanisms have been breached, and the information that has been compromised is sensitive personal information.

The final theme I'll touch on is that transborder information intended under Canadian privacy laws to flow unimpeded should be subject to appropriate precautionary requirements.

The commissioner has stated that the review of PIPEDA would be an opportunity for developing further privacy protection measures related to transborder information sharing by the private sector. One such measure is found in the commissioner's submission to the British Columbia Privacy Commissioner concerning the impact of the U.S. Patriot Act on personal health information of B.C. residents. The federal Privacy Commissioner recommended that Canadian companies that outsource information processing to organizations based abroad should notify their customers that the information may be available to the foreign government or its agencies under a lawful order made in that country.

Section 17 of Quebec's Act Respecting the Protection of Personal Information in the Private Sector specifically addresses the issue of transborder transfer of information. It obliges people communicating information about Quebec residents to persons outside the province to take all reasonable care to ensure that such information is not disclosed to third parties without consent, except as provided in the legislation.

PIPEDA currently contains general rules requiring parties holding information or outsourcing information to ensure its protection, but doesn't necessarily contain any rule specifically directed at protection of information transferred outside of Canada. Under PIPEDA, each organization, as you know, remains responsible for personal information in its custody or control, including information transferred across a border.

PIPEDA should contain appropriate precautionary requirements to protect information when it is transferred across borders. We have previously considered a number of alternatives to achieve this objective, such as a requirement that organizations transferring information to foreign entities enter into written agreements that would ensure security and protection of information against unauthorized access or disclosure in accordance with Canadian privacy law. Another alternative is a more generalized approach of protecting information transferred outside of the jurisdiction found in Quebec's privacy law.

In its earlier submission, the CBA section also analyzed options for notification or consent requirement for information transferred across a border. Each of these options would involve some form of notice to be provided to or consent obtained from the individuals whose information would be transferred outside of Canada. Amending PIPEDA to implement either a notice or a consent requirement to cross-border transfer of information requires a very careful consideration of the potential advantages and disadvantages of the approach.

The CBA section recommends that where personal information is to be stored or processed in a jurisdiction outside of Canada, PIPEDA require additional provisions to enhance security of personal information and ensure conformity to Canadian law, such as contracts between organizations and entities storing or processing personal information.

The CBA section appreciates the opportunity to share its views with the committee today. We believe our suggestions will provide some assistance in amending PIPEDA to address deficiencies that have become apparent since its enactment. Our goal is to improve the legislation for the benefit of Canadians, consistent with PIPEDA's purpose of establishing rules that recognize both individual privacy rights and the organizations' needs to collect and use information in an appropriate and reasonable manner.

Thank you very much.

Actually, I would clarify. I picked some particularly dramatic examples that I thought would grab hold of this audience. I would never suggest that every standard form contract is written in these kinds of ways. In fact, many good counsel, both at the table and around the room, have worked hard to try to have balanced provisions in these kinds of things.

The main point I wanted to make, however, is that the threshold for consent in contract law is very low. Contractual consent is a transactional notion. It occurs in a moment. It occurs when I click “I agree”—and you know as well as I do that most people around the room, when they're forced, with those standard form agreements, go scroll, scroll, scroll, click, click, click. Even in cases where you try to read them, sometimes they're very difficult.

So in answer to your question, it's not the case that every good or service online would be such as to circumvent PIPEDA, but the point is that they can and the point is that the consent provisions within PIPEDA have to be clarified in such a way that this low threshold of clicking for consent and other kinds of deemings of consent don't have the effect of undermining the privacy protections that are meant to be there notwithstanding people's contracts.

Am I aware of any privacy breaches?

Certainly I come across issues with respect to privacy breaches often. The question is, are these breaches serious, and what do companies do about them? In fact, every organization that I've ever dealt with has always approached the Privacy Commissioner for guidance on what to do with their privacy breach.

In many cases, the privacy breaches are so insignificant—for example, an e-mail address. I'd say 99.9% of any of the privacy breaches I've encountered are accidental releases of someone's e-mail address. It's as simple as—and I'm sure everyone at this table has experienced it—sending that in the header of an e-mail and exposing the other people you're sending the e-mail to. That might be considered by some to be a privacy breach, and that's the reality of many of the privacy breaches.

With respect to consent issues and are consent issues and privacy breaches somehow tied together, PIPEDA goes into great, great detail with respect to what is a reasonable form of consent. The schedule to PIPEDA provides all sorts of examples with respect to what's a reasonable form of consent. Certainly it has become commonplace, in my experience. Every single company that I've ever dealt with puts together different standards of consent, based on the sensitivity of the information.

Organizations that are collecting sensitive personal information, such as financial data, almost always exclusively use express forms of consent; whereas if consent is just for purposes of secondary marketing, sending you literature in the mail about the organization or about maybe a sale going on down the street that you might be interested in...most individuals are very happy with implied forms of consent, and that's working quite well under PIPEDA. The Privacy Commissioner herself has recognized this in a whole string of decisions going back a few years now.

Really, the issue of consent is almost a settled piece of guidance within PIPEDA. Virtually no organization or no individual really gets too riled up about consent these days.

I think it depends on the perspective you're coming from.

With respect to transborder data flow, ITAC members don't believe that amendments are necessary under PIPEDA. The Privacy Commissioner, in two recent decisions--and you're probably familiar with them already--has carefully articulated guidelines with respect to what you need to do in the case of a transborder data flow. All companies now routinely use non-disclosure agreements and contracts.

If you look back in history at why organizations use contracts when they enter into any outsourcing arrangement, whether it's local or transborder, it's because the common law of agency and principle requires you to do that. You don't really need legislation to put that into practice; the law has already done that for you.

If I may add something, when I talked earlier about being careful not to amend the law if it's not really necessary, as I heard from the Canadian Bar Association, there's one category of information for investigations pertaining to litigation. We have no views on that. That might well be required. I know if you change the law there, you're not going to change people's day-to-day lives such that they're now going to have to interpret things differently. It's going to be law firms doing interpretations.

On the lack of order-making power, I think creating a separate tribunal would really be adding another heavy layer. It would create another government institution with our taxpayer dollars and another place complainants would have to go to. I'd be very leery about that.

On the question of cross-border data flow, British Columbia tried to legislate that. It caused an awful mess. They were going to grind the health care system to a halt. They tried to make significant amendments to address it. The Privacy Commissioner has issued decisions that give very clear guidelines as to how you have to treat that. And it's the same with consent. The appendix talks about “knowledge and consent” in 4.3.2, meaningful consent, and in 4.3.5, “reasonable expectations of the individual”.

I think we're not talking about having to change the law; we're talking about how you interpret the law reasonably in a given circumstance.

Just so I'm clear on the question, are you asking if there is another law that protects non-complying organizations or individuals?

I can try to give you an answer, Mrs. Lavalée.

The law we are talking about does not prevent the disclosure of identity. The commissioner decides on a case-by-case basis whether this is reasonable or not.

In your question, do you mean that do not permit the various commissioners in the provinces to disclose the identity of infringing organizations? I'm not aware of any provincial statutes that prohibit the respective Privacy Commissioner from disclosing the identity of an infringing organization.

Off the top of my head, I'm not actually aware of any.

No, I'm afraid I'm not in a position to speak about those issues. Like other lawyers, I'm waiting to see how the challenge unfolds. In terms of the issues that are at play, I certainly wouldn't be in a position. Nor has our section put its mind to analyzing that for the purposes of the PIPEDA review.

I would also disclaim any particular expertise on the issue. The issue, of course, is a constitutional issue, so it has to do in part with the fact that PIPEDA, as you've heard from other witnesses who've appeared before you, tries to achieve ends that can be understood as falling within both federal jurisdiction as well as provincial jurisdiction.

I actually don't have any particular comments that I think would enlighten this committee. Therefore, I'd rather not obfuscate by making my opinions known.

It's not an issue that we have addressed as an association, so we have no expertise to bring.

We certainly heard her remarks to this committee, but specifically addressing that issue, again, we haven't put our minds to it. What I can do is perhaps redirect this to the recommendations that we've put forward in terms of the overall functioning of the office right now. But directly on that point, I apologize again that we haven't put our minds directly to it.

I'd be happy to comment on that.

I was here on the day when Madame Commissioner was making her submissions to this committee. I would, quite frankly, be quite surprised if somehow solicitor–client privilege operated differently for the commissioner in terms of her investigations than it would for other investigatory bodies. From what was going on that day, I was quite unclear exactly on what it was that was being sought. If there is solicitor–client privilege, and if that privilege is such as to preclude other investigatory bodies from getting that evidence, it's not clear to me why the Privacy Commissioner should have that over and above other investigatory bodies.

We haven't addressed this issue either. Mr. Kerr's comments seem reasonable, but that is no reason to add special powers in the legislation. I have nothing more to add.

I can't imagine why the treatment of documents in an investigation would be different for the Privacy Commissioner than in the context of any other examination or ombudsperson model, especially given the context of her role. It's my understanding the commissioner approves and enjoys the role of ombudsperson and is not seeking order-making powers.

I know of no situation where documents that are covered by solicitor-client privilege should in fact somehow become part of the commissioner's investigation process.

I can only turn to experience, to the experiences of my members and my own experiences advising businesses on compliance.

First of all, I think we need to separate order-making powers from a duty to notify. First, with respect to order-making powers, order-making powers are not what will enhance privacy protection in our society. I don't think the Privacy Commissioner is looking for order-making powers. And setting up a type of tribunal for the Privacy Commissioner would have to seriously alter how we view the role of the Office of the Privacy Commissioner right now. It would change from that of an ombudsperson and an advocate-educator to that really of a tribunal, which is significantly different.

Order-making powers, I don't believe, are something you would want to see for privacy issues. For any of you who are familiar with the privacy dispute process, I've had the opportunity to be involved in a number of mediations with the Privacy Commissioner, and when you're involved in this sort of mediation and a dispute or a complaint against you, companies put on the table all of their most complex business processes.

The issue is, should somehow a tribunal be struck to deal with and order new processes for business? My suggestion is that's not something you would want to see happen. There are very few bodies, or individuals even, who have that sort of detailed business process expertise that goes to the root of some of the issues we're discussing today.

But that's the case for all other claimants in society who feel they've somehow been wronged or suffered a loss.

When we're dealing with privacy breaches, in some instances they may result in some form of loss, but in the vast majority of instances they may not. And when it's appropriate and they have suffered damages, then it's open to them, as it is open to any other claimant in a society, to go to Federal Court and seek damages. I don't think we necessarily need to have in place a completely different system to treat losses in the privacy context.

The commissioner herself, I believe, sees that she's had ample ability in fact to help mould and change the direction of how companies comply with privacy. So, for example, if you've gone to the Privacy--

When you go to the Privacy Commissioner's website, for example, you'll see the whole host of findings that she has listed, and in very few instances has she had any trouble whatsoever in convincing an organization that it should somehow change its process. I'd say one of the most important instruments in her back pocket is the threat and the possibility that if an organization does not change its practices, she can use her power to name names.

Thank you.

One thing we should say for the record is that the CBA, we think, has a balanced approach on a lot of these issues. On this issue, I think it actually is quite evident. In my statements, I wanted to reinforce the fact that our recommendation for order-making power is conditional upon an impartial tribunal model. We don't necessarily think the status quo is perfect, nor do we think that just slapping down order-making power for the Privacy Commissioner is the answer.

We looked at both the Alberta and British Columbia models in coming up with our recommendations, but despite that and input of members from those jurisdictions, the recommendation was really to try to create a model in which the strengths of the Privacy Commissioner's Office advocacy investigations are left as they are, and to set up this tribunal with order-making powers. The reality right now is that companies that handle personal information simply don't fear the consequences of being found acting contrary to PIPEDA. I would agree that the naming of names is a stick. I wouldn't say it's a big stick, and I think that's reflected in our submission. This is coming from organizations and firms such as my own who advise private companies.

The professor doesn't put his hand up that often.

Oh, oh!

I think in the context of the conversation we were just having, it's useful to note that of the more than 1,400 complaints that the Privacy Commissioner has received, only nine cases, as far as I can count them, have been commented on by the Federal Court, and not a single one has attracted a damage award, as far as I can tell. Three of the complainants were able to recoup their costs; four of the cases saw the court awarding no costs to either party; in two cases the complainant had to bear the costs for themselves as well as for their opponents. I would suggest that part of the impetus behind PIPEDA was a recognition that the private law was insufficient as a means of remedying some of the potential problems in an information age.

So I would suggest that the question isn't whether without order-making powers this legislation has any teeth. The question is, what kind of teeth make for the best system? If you would like me to continue, I would say why I think order-making power is important, but I'll leave it to the chair.

Agreed.

I would feel uneasy about that. I think the brunt of what people see going on and the statistics quoted by Professor Kerr show there really isn't a problem. I would hesitate to say we're going to legislate another regulatory body just because we think we might be able to improve things.

This isn't broken, and it does not require more regulation and another regulatory tribunal.

I would like to go on the record as saying there's more than one way to interpret what those statistics say with respect to whether there is a problem or not. That should be obvious to the members, but I want to go on the record as saying that.

Part of our submission, and the reason for suggesting the tribunal, was based on what we see as a potential conflict between the competing responsibilities of the commissioner's office. When you think about it, the commissioner's office is responsible for educating, for investigating, for helping mediate, but also for acting essentially as the judge. So that conflict and our recognition of that is reflected in our suggestion for this tribunal.

I don't think so. I'm not looking for new work.

Our suggestion is an informal tribunal, so it is just that; you wouldn't have to go to court. Currently, you have to go to court and you have to wait up to a year to get a recommendation from the commissioner's office. So I don't think the current framework is helping those--

That's not our recommendation. Ultimately, the Federal Court could weigh in.

Sure. The short answer is that there was a preference for some of the provincial acts, notably Alberta and British Columbia.

I'm flipping to my business transaction section, and that is a good example of where the provincial laws have learned from the PIPEDA experience. The drafters learned from the deficiencies and the lack of clarity in PIPEDA, specifically dealing with due diligence investigations in the sale of a business and a recognition that lack of clarity in PIPEDA is not assisting business. It's not assisting with the protection of privacy or the facilitation of--

Yes, and with the business transactions, without referencing them, the B.C. and the Alberta legislation in particular set out expressly what organizations are to do to protect privacy.

For instance, if you're going to sell your business and you want a prospective purchaser to take a look at your personal information holding, right now it is unclear when and how they can view that, if at all, under PIPEDA. The Alberta privacy legislation spells it out. And for organizations that don't have deep pockets, that makes it a lot more business-friendly, so they don't have to retain people like me.

I would say we have no indication that where there's an order-making power, there's better implementation of privacy protection. In other words, the ombudsman process is simpler and more straightforward for both complainants and the companies involved, and it seems to be producing good results. I've not had anything that says the B.C. situation produces better privacy protection--maybe a little more work for lawyers, I suppose. The way we get feedback, not just from the statistics but from our members, is that once you get an investigation by the Privacy Commissioner, all the pressures are there for you to change your behaviour.

About 70% of our members are small companies and 30% are larger companies, 70% Canadian-based. It's a very international industry, maybe about 30% multinationals—not the same overlap, because there are some Canadian-based multinationals. They're involved in computers, all kinds of computer technology, mobile technology, telecommunications technology, software, information technology services, and consulting. There are a lot of very small software companies, a lot of small companies. Canada, for example, is a world leader in security software and that kind of—

Yes, at first, in the sense of trying to adapt to a new law, to create processes in the firm to respond to it. But they do not begrudge that, because as I said, this is an industry whose very livelihood is dependent on good privacy protection. Except that once you go through a whole process of education—and as I said, there are two layers. There's self-regulation, where the businesses themselves have to learn about this, get educated, and comply. That's where I get a little leery about changes to the law that would require them to study everything again.

After a few years, we're still in the process of getting all this to filter through and getting people comfortable with what they have to do. And technology changes so much that they have to keep up to speed on that as well. So they've got plenty on their plate with that already.

Absolutely.

Sure. I'm more than happy to provide my oral remarks. What I had already provided was a written submission, which was much more formal in nature, but I'm happy to provide this as well.

There are several recommendations.

It's absolutely 100% your responsibility to read it, and Canadian contract law is very clear in this regard, that so long as sufficient notice has been given.... In cases such as Rudder and Microsoft, which is one of the leading cases in Canada...it is incumbent upon the person who ultimately clicks “I agree” to either read those terms or to be deemed to consent if they don't. However, the point is it's not just about reading, knowing, and understanding them; it's about the idea that in an information age, where there's only one choice, which is either yes or you don't get to participate, it raises issues with respect to the relative bargaining power of the individual. I would suspect that many times in your life you have been faced with that situation where you have no—

I would suspect--

It's a very important question, and I'd like to answer it if you let me.

In the context of when those kinds of things are such that courts and governments ought to interfere with those contracts, that's your question, under what circumstances ought they too. In my recommendations I'm very clear that where the privacy legislation itself has an elevated standard of protection such that, for example, in the British Columbia statute it says you're not allowed to prevent somebody from withdrawing from their consent at a later time, and if you attempt to do that the contract will be unenforceable.... The B.C. legislation, for example, says that. What I'm recommending to you here is the same sort of thing. So just like in the law of contracts the courts will set aside contracts as being unenforceable for public policy or illegality when somebody tries to contract something that goes against a statute, I'm suggesting the same with PIPEDA. In other words, when a PIPEDA protection is there, you shouldn't be exposed to having somebody ram down your throat that you're not allowed to avail yourself of those protections or else not use any services. That's my submission.

First of all, the law in this area is actually quite well developed. The law, as Professor Kerr is aware, requires companies not only to provide information in their terms of use, for example, and to get individuals to click “I agree”, but you're also required to highlight any important part of those terms and conditions to your customers. Many of you have probably seen these in terms of use; you'll have a bold statement going across the page that says, look out below, there's something important, and you'll point it out.

Secondly, in the case of a collection of personal information like the example that was provided, which is too broad, PIPEDA provides the perfect mechanism to be able to redress that. PIPEDA clearly says you can only and should only collect personal information to the extent that it's required and use it to the extent that the use is reasonable. There are a whole series of Privacy Commissioner decisions that look at this very issue. And when an organization is collecting excessive amounts of information or using it in an inappropriate way that is too broad, there is a redress mechanism that is provided, and the commissioner is able to find findings and recommendations against the respondent. From my experience, companies are absolutely terrified of the Privacy Commissioner. All you have to do is hold up the example of the Air Canada case so many years ago and they say, “We don't want that to be us; that's the last thing we want.” That's the most important tool the commissioner has.

If you look at the American jurisdictions that do have notification requirements, and I believe at the last count there were 22 U.S. jurisdictions, privacy protections are no better there. It's the opposite. In fact, how many of you have seen those notification letters that come in the mail? You can get a dozen of them in a week sometimes in some jurisdictions, and they become meaningless. All it does is infuriate many consumers, who say, “My gosh, is this serious or not? What am I supposed to do?” Much preferable would be a mechanism whereby industry and the Privacy Commissioner come together to have guidelines with respect to how you deal with notification and data breaches. I'm sure most organizations would happily follow along.

No, I did not.

I think the intention was to talk about order-making powers, like a court has.

One of the things I said right in the closing part of my remarks, as a recommendation, was with respect to order-making power, which we've talked a bit about so far today. I did not in any way suggest that the commissioner currently has that power.

I would like to comment on that, if you'd let me. I came to hear the commissioner speak, and I also heard Commissioner Loukidelis from British Columbia speak. I've also been sort of following what's been going on online with people who are discussing these proceedings on blogs.

I would love to put forward my take on this, because I think I heard it differently from how some people have been talking about it subsequently. What I heard the commissioner say was that at the moment she is not in favour of order-making powers, and she was very clear that she was open to the idea of potentially wanting them. Further, she said that this is not the right time for her to have order-making powers. She also alluded to some things that some people might have interpreted as having to do with some of the transitions, which have taken place in that office, over the past several years.

I also heard Commissioner Loukidelis describe the order-making power as a power of last resort, which I believe some people around this table misunderstood as him somehow denigrating as an unnecessary power. I think a power of last resort is an extremely important power. When a tightrope walker walks on the tightrope and the safety net is the instrument of last resort, just because it's the last resort doesn't mean it's any less important. In fact, it's potentially the most important instrument.

So I would be careful to draw conclusions from the fact that when she was a commissioner in Quebec, she had order-making power and because she is now the Privacy Commissioner of Canada and has suggested that this is not the time for order-making power, that this means order-making power is inappropriate.

As a manager, she recognizes that the office has been through a tremendous amount of turmoil in the last several years, and she takes the position, like my colleagues over here, that maybe it's too soon for these powers. I want to be very clear that it's not at all the case that she has in any way suggested that she is against the idea of order-making power.

Obviously, from my previous remarks, it's clear that I share some of your concerns with respect to the consumer protection aspect of this. Quite frankly, I'm surprised that the recommendation I was putting forward is somehow thought to be extraordinary in any way. With this recommendation, I'm not asking for a major overhaul of anything to do with PIPEDA. I'm simply suggesting that where a contract comes into conflict with other higher order privacy protections under the act, we should clarify the act to say those contracts are unenforceable.

I agree with my colleague that with respect to the reasonableness clause, it may operate in that way to do this. In theory, it should operate to do that. You're going to find situations where, when consumers are confronted with that, the party on the other side will simply say, “Well, look at our contract. How can you say that anything around our information-collecting practices are unreasonable under PIPEDA if you've already agreed to them by way of contract?”

You make my point for me in a way.

Our position is that the current consent model doesn't need revision. The illustration that was pointed out in terms of being able to read the contract and make a decision is a reasonable approach.

That being said, the reality is that the Hiltons of the world are getting away with some of these consent provisions that might be too broad. That's why we focused our energies on the enforcement mechanisms, in terms of order-making power being contingent upon a tribunal set-up.

The current law does not allow abusive behaviour. It is therefore not necessary to amend it to allow—

In my opinion, if someone complained to the commissioner, you would see a rather quick change in the company's behaviour. I do not see the need for order-making power to make a company like that comply. I think this would happen quickly enough.

Hotels--and I think it's unfair to pick on the Hilton hotels--in general have to balance their interest in protecting consumer information. The Hilton, or any other hotel, probably has no real interest in owning the personal information or exercising that sort of power. They have to balance, though, the language they use in their contracts against the practical realities of protecting their own interest.

What happens, for example, if you have a guest who is using the hotel's resources, the computer, to access illicit or illegal websites and is perhaps engaging in illegal transactions? They have to have the recourse to go to that individual and say they looked at this and it's not right. Whether it's legal or not, they have to balance a whole variety of interests, not only the interests in Canada but also the interests internationally. There may be requirements in the United States with which they are complying or requirements in Europe they have to consider.

My experience is that many organizations are trying their best to put together terms of use and privacy policies. They have to balance a whole variety of obligations and compliance issues, and privacy is only one of them. Maybe someone hasn't looked that carefully at the privacy language. But I bet if you asked Hilton, or other organizations that have similar policies, whether they really intend to use personal information for those purposes, I'm sure the answer would be no. Really, their only interest is in protecting themselves and making sure they are able to comply with the variety of obligations they have in front of them.

I suppose it could be done. It would go against what most people who appeared before this committee have said, including the Privacy Commissioner of British Columbia. He made some significant remarks about this principle called “technological neutrality”, which to some extent is a principle I subscribe to as well.

I don't necessarily think there is something magical about e-mail that means we need a special law. I think the recommendation I put forward is in the spirit of what you're suggesting. It simply says that in situations where somebody is seeking consent through a standard form agreement for the purposes of things that are excessive and unreasonable, PIPEDA would clearly state that those contracts are unenforceable.

I would suggest that question provokes what I think is the fundamental misunderstanding by the general public about data protection...and falls short of understanding its importance, the whole reason we're doing this.

The former commissioner--I'm talking about Bruce Phillips--described PIPEDA as a necessary step in addressing some of the erosion of privacy that comes with computers and networking, and ultimately to reverse that.

If you understood the extent to which information collected for one purpose can be amalgamated with other information for secondary purposes, and if you understood the kinds of colleagues I work with and the kind of information they can glean by data mining and putting information together, you would see that eventually what we're talking about here is the idea that it could be possible, with these systems, that every kind of intellectual product you consume could be databased and therefore a narrative could be put together by connecting the dots.

It's really not about your listening to Alabama one night. It's a profile of your life. It's the sort of thing that scared the bejabbers out of Justice Bork in the United States in terms of video movie rentals. There was a subpoena, when he was being nominated for the Supreme Court, to find out what videos he was collecting. Now imagine that with every single thing you read, look at, listen to, watch, or think about. All of the intellectual products, by virtue of being in the digital realm, are to some extent capable of that level of observation.

That's an issue that would have to be taken up with our members. But certainly many organizations with which I'm familiar now do consult often with the Privacy Commissioner's office, and I don't think they would see a different duty.

We've got a law already that allows the commissioner to determine when it would be reasonable to notify and when it would not. So why would we need to legislate something that, by nature, is going to have to be more rigid than reasonableness would require?

Some of the challenges with duty to notify have been addressed by some of the other guests here in terms of notification fatigue. Our detailed submission sets out our views on notification of loss. We say if a duty to notify is to be directly or indirectly included in PIPEDA, it should be a balanced approach.

Bill 200 is a bill I assisted with drafting in Manitoba. It's intended to be substantially similar to PIPEDA, modelled after the Alberta law. It has a duty to notify. It reflects the similar language we've put in our submission in terms of a balanced approach. For example, we say that a duty to notify might be included where the information is about an identifiable individual or the information is not identifiable by virtue of being protected through, for instance, encryption, or the organization has received notice that the protection has been breached, that the encryption technology has been breached, and that the information falls into certain specified categories of sensitive information.

If you say duty to notify every time, you're going to end up with notification fatigue. It's going to be ineffective. The status quo and the reality are that some organizations simply choose not to notify, and that may not be friendly from a privacy perspective.

I don't have anything to add.

Not particularly. The media has done a fairly good job of speaking about some of the hardships that occurred in that office with the previous commissioner. I don't need to add anything.

I don't think changing the legislation in any way is going to help small business. What will help small business, number one, is investment in resources with respect to education; number two, practical guidelines that businesses across the board can implement; number three, working groups that establish precedents and model agreements that can be implemented by small businesses; and number four, new technologies and investment in new technologies, which can be used by small businesses and all businesses in helping to safeguard data.

These practical tools will help businesses and in turn help consumers the most.

An accumulation of studies coming out in the last few months shows that the Canadian economy is made up of predominantly small business, and small business in Canada needs help in getting to know more about how to use technology. So to the extent that we can do things that encourage that or encourage them even in the tax system to invest more in technology...we will help the system, but at the moment we have a big gap in the use of technology by Canadian small business.

I agree with absolutely everything that's been said so far, and some of my recommendations about tightening up the consent provisions are made because at the end of the day small businesses are going to have to have a clearer sense of how to do that. That can also be helped, to some extent, through guidelines and through educational systems.

I know the Privacy Commissioner's office is already committed to those kinds of educational campaigns. They've been ramping up a lot of their online modules, some of which I know because my colleagues and I have been involved in facilitating the development of some of those kinds of tools. The Privacy Commissioner's office also started a landmark kind of thing that I've not seen in any other jurisdictions that care about privacy. It's a contributions program meant to have academic involvement from across the country in developing the very kinds of tools you're talking about.

It's still early days in terms of that. And in the same sense that you've heard from some of the witnesses appearing before you that it's early days and small business hasn't yet crystallized how to do this, so don't change the rules, I think the same is true for thinking about the educational mandate. It's rolling out now, and I would encourage more and more of it. But it's only fair to say that this Privacy Commissioner has been deeply committed to that issue and has done a fairly significant job of improving that education. I don't think it's hit the ground level in every jurisdiction of every riding of every member yet, I agree with that.

Sure. I would echo the comments that have already been made in terms of the Privacy Commissioner's office and their staff doing a great job in public education. You're right in recognizing the reality that a lot of small and medium-sized businesses either don't care or don't understand the legislation. We don't think that radically overhauling the legislation is the answer to combat that, nor do we think that leaving it as confusing and subjective as some of the terms are is the answer.

The reality I face in my day-to-day practice is that small and medium-sized businesses are overwhelmed by the legislation. They don't understand it, and it's confusing, so they tune out and don't comply. Then they look at the Privacy Commissioner's office and they don't see order-making power, or they don't see the types of enforcement we've specifically addressed here, and again they tune out. That should be a real concern to everyone, including the organizations that have spent a lot of resources trying to comply with the legislation. The changes we've suggested we think are modest and would assist with small and medium-sized businesses. That's why some of the provisions that have influenced our submissions stem from the Alberta and British Columbia acts, which do a much better job of spoon-feeding to small and medium-sized businesses what they actually need to do to comply.

I've never denied there's any responsibility with respect to agreeing or assenting to terms in a contract. That's never been my position. Interestingly, the courts in Canada took your position on this in another case we haven't talked about yet, a case called Kanitz v. Rogers Cable Inc. It had to do with Rogers wanting to change some of the terms of its agreement after the contract had already been made with its particular customers. The question was whether or not it could do so after the fact and have that still be part of the contract. Part of what the decision ultimately said was it was up to individuals to go and check Rogers' website to be able to know about the updated terms, and if they agreed to them and whatnot.

If you were to assign your legislative assistant or whoever helps you to be the babysitter of every standard form contract you've entered into this month alone, you wouldn't get a lot of help on any other things if you had to adopt that kind of approach across the board, given how automated these things are. Also, as you said previously, you didn't even know you signed that one.

The responsibility flows both ways. While you're right to point out that the consumer has responsibility in these matters, at the end of the day, if these automated contracts work in the direction of the one party who gets the opportunity to write them, that will be just as harmful to the small guy, whether it's a small business or an irresponsible consumer, in your view.

Yes, thank you.

I'm glad Professor Kerr raised that point, because this takes us back to the constitutional question. PIPEDA, the regulation of personal information in society, does not occur in a vacuum. For example, with respect to the case of notification of important changes in the contract, Ontario's brand new Consumer Protection Act deals with exactly that. It deals with requirements to provide explicit notification to consumers, if you ever want to change the terms of their contract on 30 days' notice. So we're moving into a realm where the provinces have a very important say in exactly how terms of contracts between private organizations and individuals are played out. PIPEDA is general because it has to leave some room for constitutional maneuverability in terms of what the provinces can legislate and what the federal government can legislate. Many of our consumer protections acts deal with that exact point.

Any horror stories that would have occurred if the commissioner did have--

That could have been avoided if the commissioner had order-making power? I can't think of any off the top of my head. That's why we didn't recommend that the commissioner get order-making power.

Yes. I would only be speculating, but it would be an interesting speculation to ask the question, how might an office, not necessarily that commissioner but an office, with order-making power have dealt with the situation where Maclean's magazine came and dumped all of the commissioner's cellphone records onto her desk, which she bought from a U.S. data broker? I think it would be an interesting question to ask.

Yes, all the time.

That Robert Marleau will appear tomorrow.

It's good idea.