Evidence of meeting #23 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
4:55 p.m.
Bloc
Louis Plamondon Bloc Bas-Richelieu—Nicolet—Bécancour, QC
If there is any time left, I would like to give it to my colleague.
4:55 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Thank you, Mr. Plamondon.
I would like to come back to the debate that was well underway on the matter of consumer consent. I do not know whether this was described as abusive, but that is the adjective that comes to mind. We were talking about the consent that Hilton Hotels asks for and all the consent we are asked for. We sign consent forms with the idea that the consent seekers cannot do much with it anyway. But often, the information ends up on the Web.
Furthermore, consumers are not very familiar with the Privacy Act. They are not very aware of their rights either. This is perhaps one reason why there are not very many complaints.
The fact that publishing the identity of the respondents is left to the discretion of the commissioner does not help us either in better understanding the law. Often, we learn about our rights by reading the newspapers and hearing about individual cases that do not comply with the law. I am also re-reading the US Patriot Act, which suggests that consumers be advised when their personal information goes abroad. I do not see how consumer protection fits in this system. How can a consumer refuse to give his consent?
I am not sure whether you each want a turn to comment, if that is alright with Mr. Chair, of course.
4:55 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
Obviously, from my previous remarks, it's clear that I share some of your concerns with respect to the consumer protection aspect of this. Quite frankly, I'm surprised that the recommendation I was putting forward is somehow thought to be extraordinary in any way. With this recommendation, I'm not asking for a major overhaul of anything to do with PIPEDA. I'm simply suggesting that where a contract comes into conflict with other higher order privacy protections under the act, we should clarify the act to say those contracts are unenforceable.
I agree with my colleague that with respect to the reasonableness clause, it may operate in that way to do this. In theory, it should operate to do that. You're going to find situations where, when consumers are confronted with that, the party on the other side will simply say, “Well, look at our contract. How can you say that anything around our information-collecting practices are unreasonable under PIPEDA if you've already agreed to them by way of contract?”
You make my point for me in a way.
4:55 p.m.
Chair, National Privacy and Access Law Section, Canadian Bar Association
Our position is that the current consent model doesn't need revision. The illustration that was pointed out in terms of being able to read the contract and make a decision is a reasonable approach.
That being said, the reality is that the Hiltons of the world are getting away with some of these consent provisions that might be too broad. That's why we focused our energies on the enforcement mechanisms, in terms of order-making power being contingent upon a tribunal set-up.
5 p.m.
President and Chief Executive Officer, Information Technology Association of Canada
The current law does not allow abusive behaviour. It is therefore not necessary to amend it to allow—
5 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
In your opinion, is the Hilton Hotel's behaviour abusive?
5 p.m.
President and Chief Executive Officer, Information Technology Association of Canada
In my opinion, if someone complained to the commissioner, you would see a rather quick change in the company's behaviour. I do not see the need for order-making power to make a company like that comply. I think this would happen quickly enough.
5 p.m.
Liberal
The Chair Liberal Tom Wappel
Thank you.
I would remind committee members what the commissioner said, and I quote:
We will not be asking for enhanced enforcement powers. We are not convinced that the time is right to make such a fundamental change to the enforcement mechanisms for several reasons, both practical and administrative.
She expanded on that during questions.
Mr. Van Kesteren.
5 p.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Thank you, Mr. Chair.
Thank you all for coming out.
I have a question for Ms. Siegel or Mr. Courtois. What's the thinking behind what Professor Kerr has brought forward, the contracts we don't sign but we click onto...? Why do hotels and organizations like--
5 p.m.
Lawyer, Information Technology Association of Canada
Hotels--and I think it's unfair to pick on the Hilton hotels--in general have to balance their interest in protecting consumer information. The Hilton, or any other hotel, probably has no real interest in owning the personal information or exercising that sort of power. They have to balance, though, the language they use in their contracts against the practical realities of protecting their own interest.
What happens, for example, if you have a guest who is using the hotel's resources, the computer, to access illicit or illegal websites and is perhaps engaging in illegal transactions? They have to have the recourse to go to that individual and say they looked at this and it's not right. Whether it's legal or not, they have to balance a whole variety of interests, not only the interests in Canada but also the interests internationally. There may be requirements in the United States with which they are complying or requirements in Europe they have to consider.
My experience is that many organizations are trying their best to put together terms of use and privacy policies. They have to balance a whole variety of obligations and compliance issues, and privacy is only one of them. Maybe someone hasn't looked that carefully at the privacy language. But I bet if you asked Hilton, or other organizations that have similar policies, whether they really intend to use personal information for those purposes, I'm sure the answer would be no. Really, their only interest is in protecting themselves and making sure they are able to comply with the variety of obligations they have in front of them.
5 p.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Professor Kerr, rather than reinvent the wheel, when it comes to e-mail and such, couldn't you enact a law that extends privacy to those things? Then the things that Ms. Siegel is speaking of really wouldn't be an issue. We can all understand what she is talking about; it's the e-mail. That's the stuff that scares everybody. Could that be done?
5 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
I suppose it could be done. It would go against what most people who appeared before this committee have said, including the Privacy Commissioner of British Columbia. He made some significant remarks about this principle called “technological neutrality”, which to some extent is a principle I subscribe to as well.
I don't necessarily think there is something magical about e-mail that means we need a special law. I think the recommendation I put forward is in the spirit of what you're suggesting. It simply says that in situations where somebody is seeking consent through a standard form agreement for the purposes of things that are excessive and unreasonable, PIPEDA would clearly state that those contracts are unenforceable.
5:05 p.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
I have another question, and this one is to you, too, Professor.
You were talking about the iPod and its capability, and being able to track people and find out exactly what they're listening to. Who cares? Who really cares if I'm listening to Alabama? Oh, shocking!
December 11th, 2006 / 5:05 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
I would suggest that question provokes what I think is the fundamental misunderstanding by the general public about data protection...and falls short of understanding its importance, the whole reason we're doing this.
The former commissioner--I'm talking about Bruce Phillips--described PIPEDA as a necessary step in addressing some of the erosion of privacy that comes with computers and networking, and ultimately to reverse that.
If you understood the extent to which information collected for one purpose can be amalgamated with other information for secondary purposes, and if you understood the kinds of colleagues I work with and the kind of information they can glean by data mining and putting information together, you would see that eventually what we're talking about here is the idea that it could be possible, with these systems, that every kind of intellectual product you consume could be databased and therefore a narrative could be put together by connecting the dots.
It's really not about your listening to Alabama one night. It's a profile of your life. It's the sort of thing that scared the bejabbers out of Justice Bork in the United States in terms of video movie rentals. There was a subpoena, when he was being nominated for the Supreme Court, to find out what videos he was collecting. Now imagine that with every single thing you read, look at, listen to, watch, or think about. All of the intellectual products, by virtue of being in the digital realm, are to some extent capable of that level of observation.
5:05 p.m.
Conservative
5:05 p.m.
Liberal
The Chair Liberal Tom Wappel
No, you're at six minutes already, I'm afraid. We can come back to you on another round, though.
Mr. Peterson.
5:05 p.m.
Liberal
Jim Peterson Liberal Willowdale, ON
On notification of breach, do you think there should be an obligation to consult with the commissioner if you're not going to notify?