First of all, the law in this area is actually quite well developed. The law, as Professor Kerr is aware, requires companies not only to provide information in their terms of use, for example, and to get individuals to click “I agree”, but also to highlight any important part of those terms and conditions to their customers. Many of you have probably seen these in terms of use; you'll have a bold statement going across the page that says, look out below, there's something important, and you'll point it out.
Secondly, in the case of a collection of personal information like the example that was provided, which is too broad, PIPEDA provides the perfect mechanism to be able to redress that. PIPEDA clearly says you can only and should only collect personal information to the extent that it's required and use it to the extent that the use is reasonable. There are a whole series of Privacy Commissioner decisions that look at this very issue. And when an organization is collecting excessive amounts of information or using it in an inappropriate way that is too broad, there is a redress mechanism that is provided, and the commissioner is able to make findings and recommendations against the respondent. From my experience, companies are absolutely terrified of the Privacy Commissioner. All you have to do is hold up the example of the Air Canada case so many years ago and they say, “We don't want that to be us; that's the last thing we want.” That's the most important tool the commissioner has.
If you look at the American jurisdictions that do have notification requirements, and I believe at the last count there were 22 U.S. jurisdictions, privacy protections are no better there. It's the opposite. In fact, how many of you have seen those notification letters that come in the mail? You can get a dozen of them in a week sometimes in some jurisdictions, and they become meaningless. All it does is infuriate many consumers, who say, “My gosh, is this serious or not? What am I supposed to do?” Much preferable would be a mechanism whereby industry and the Privacy Commissioner come together to have guidelines with respect to how you deal with notification and data breaches. I'm sure most organizations would happily follow along.