Good afternoon.
My name is Ariane Siegel. I am a partner in the law firm of Gowling Lafleur Henderson, practising in the area of privacy and telecommunications law. I am also the chair of ITAC's privacy task force, and it is in this capacity that I'm addressing you today.
As you've already heard, a well-respected international think tank, Privacy International, ranked Canada at the top of the list of countries for privacy protection in its most recent survey, second only to Germany. The high degree of accessibility under PIPEDA did not go unnoticed by Privacy International, and the report correctly states that “anyone can complain to the Commissioner about an alleged violation of PIPEDA”.
ITAC suggests that contrary to the survey of 64 companies put before you by the Canadian Internet Policy and Public Interest Clinic, there has been a very good level of privacy compliance by Canadian organizations. Most organizations work diligently at compliance and have extended significant resources in this regard. Especially noteworthy is the profound impact that Canadian privacy laws are having on international privacy compliance. For example, many U.S. companies with Canadian subsidiaries are adapting Canadian privacy compliance frameworks for use in operational settings south of the border.
Let's begin with ITAC's general position regarding PIPEDA in the context of the ongoing review process. ITAC, as you've heard, believes it's far too soon to make significant changes to PIPEDA. Most companies have had less than three years to implement and refine their privacy policies and procedures. Furthermore, many customers and employees are only now becoming familiar with how to exercise their rights under the legislation. ITAC supports cooperation with industry to create guidelines for security implementation and operational standards to enhance the transparency and consistency of the exercise of existing powers under the legislation.
I'd like to focus on ITAC's views on several issues that have been raised over the course of this review process. First is with respect to PIPEDA's inherent flexibility. PIPEDA's flexibility allows for the implementation of privacy principles in all organizations, no matter how large or small, and across all industries, however different their business processes may be. Consumers and employees also benefit from PIPEDA's flexibility, which provides an accessible, effective, and low-cost dispute resolution mechanism.
Secondly, with respect to the commissioner's order-making powers, ITAC believes that the existing ombudsperson model provides an effective, informal, accessible, and cost-effective dispute resolution process, while also allowing for a formal and binding review process by the court in certain instances. If decisions of the commissioner were to become binding orders, organizations would have to implement a more formal and costly compliance infrastructure. Adherence to PIPEDA's broad principles would give way to a very strict and literal approach and much less openness and collaboration with the Office of the Privacy Commissioner. Binding orders also raise the stakes for businesses in any dispute, and consumers could expect to find themselves pitted against experienced legal counsel in the process. Such a formal and adversarial process might well be avoided by consumers altogether.
Next, with respect to mandatory data breach notification, ITAC opposes mandatory notification of privacy breaches. ITAC is of the view that organizations take their responsibilities for data security very seriously. In the case of a data breach that poses risk to individual privacy, no organization would want to take on the additional potential liability of not taking adequate steps to mitigate further risks or damages that could be suffered to individuals. Many organizations currently contact the Office of the Privacy Commissioner to get guidance on how to deal with data breaches.
ITAC is of the view that mandatory notification requirements would result in notification fatigue for customers. CIPPIC pointed out in its submissions to this committee that several U.S. jurisdictions currently have notification requirements in place. However, these notification requirements do not mean that privacy protection is better in the United States or that somehow Americans are less prone to identity theft.
Canada is an international leader on the data protection front. Canadians have also been early adopters of leading-edge technologies, and many of the organizations are in the forefront of leading efforts to develop new privacy-enhancing technologies and processes. ITAC would support and would itself be interested in working with the Office of the Privacy Commissioner to develop guidelines on addressing data breaches.
Another issue is the commissioner's discretion to identify complaint respondents.
Currently, case summaries are reported for the most part on an anonymous basis. The commissioner has taken the position that naming respondents in each and every case would not meet the public interest threshold of the legislation.
ITAC supports this approach. The commissioner has the discretion she requires in order to name respondents. ITAC believes that a mandatory practice of naming respondents in each and every instance would not benefit parties to any dispute, and, in fact, could result in negative consequences.
Complaint resolution often results in a change to business policies or procedures such that the benefit naturally accrues to all customers. In this way, positive results are achieved with a high degree of efficiency.
Fifth, ITAC would like to respond to the issue of increased restrictions on transborder flows of personal information. Commercial practices often demand that personal information flow across borders. This has become an irreversible economic reality, driven by globalization and new technological opportunities.
Fortunately, PIPEDA's accountability principle demands that businesses in Canada communicate their privacy practices to the public and requires businesses to enter into contractual agreements to ensure a similar level of protection for personal information transferred outside of Canada.
Placing further restrictions on transborder flows of information under PIPEDA could reduce the global competitiveness of Canadian businesses. Canadian privacy legislation does not need to be modified to ensure that organizations safeguard data in any outsourcing, whether local or transborder.
PIPEDA very clearly recognizes the need for organizations to safeguard data. The Office of the Privacy Commissioner has set out a very practical framework for dealing with transborder data outsourcing in two recent case summaries.
Most importantly, the long-established common law of agency imposes obligations on organizations to protect data in their custody and control and would extend to the need to impose adequate protection when data is processed elsewhere.
In conclusion, ITAC believes that the provisions of PIPEDA are sound and continue to provide the appropriate balance between the interests of the public and industry as technology and expectations evolve over time. PIPEDA balances various legislative approaches, setting the tone for other jurisdictions and enabling Canadian businesses to remain competitive in the global arena.
ITAC members have invested significantly in the operational, legal, technical, and training aspects of privacy protection. ITAC itself has demonstrated leadership in educating its members about privacy, and we have worked with the federal and provincial privacy commissioners in doing so. We plan to continue our efforts in this field.
On behalf of ITAC and its member companies, I would like to thank you for the opportunity to address this committee.