Information & Ethics Committee on Dec. 11th, 2006

We've got a law already that allows the commissioner to determine when it would be reasonable to notify and when it would not. So why would we need to legislate something that, by nature, is going to have to be more rigid than reasonableness would require?

Some of the challenges with duty to notify have been addressed by some of the other guests here in terms of notification fatigue. Our detailed submission sets out our views on notification of loss. We say if a duty to notify is to be directly or indirectly included in PIPEDA, it should be a balanced approach.

Bill 200 is a bill I assisted with drafting in Manitoba. It's intended to be substantially similar to PIPEDA, modelled after the Alberta law. It has a duty to notify. It reflects the similar language we've put in our submission in terms of a balanced approach. For example, we say that a duty to notify might be included where the information is about an identifiable individual or the information is not identifiable by virtue of being protected through, for instance, encryption, or the organization has received notice that the protection has been breached, that the encryption technology has been breached, and that the information falls into certain specified categories of sensitive information.

If you say duty to notify every time, you're going to end up with notification fatigue. It's going to be ineffective. The status quo and the reality are that some organizations simply choose not to notify, and that may not be friendly from a privacy perspective.

Not particularly. The media has done a fairly good job of speaking about some of the hardships that occurred in that office with the previous commissioner. I don't need to add anything.

I don't think changing the legislation in any way is going to help small business. What will help small business, number one, is investment in resources with respect to education; number two, practical guidelines that businesses across the board can implement; number three, working groups that establish precedents and model agreements that can be implemented by small businesses; and number four, new technologies and investment in new technologies, which can be used by small businesses and all businesses in helping to safeguard data.

These practical tools will help businesses and in turn help consumers the most.

An accumulation of studies coming out in the last few months shows that the Canadian economy is made up of predominantly small business, and small business in Canada needs help in getting to know more about how to use technology. So to the extent that we can do things that encourage that or encourage them even in the tax system to invest more in technology...we will help the system, but at the moment we have a big gap in the use of technology by Canadian small business.

I agree with absolutely everything that's been said so far, and some of my recommendations about tightening up the consent provisions are made because at the end of the day small businesses are going to have to have a clearer sense of how to do that. That can also be helped, to some extent, through guidelines and through educational systems.

I know the Privacy Commissioner's office is already committed to those kinds of educational campaigns. They've been ramping up a lot of their online modules, some of which I know because my colleagues and I have been involved in facilitating the development of some of those kinds of tools. The Privacy Commissioner's office also started a landmark kind of thing that I've not seen in any other jurisdictions that care about privacy. It's a contributions program meant to have academic involvement from across the country in developing the very kinds of tools you're talking about.

It's still early days in terms of that. And in the same sense that you've heard from some of the witnesses appearing before you that it's early days and small business hasn't yet crystallized how to do this, so don't change the rules, I think the same is true for thinking about the educational mandate. It's rolling out now, and I would encourage more and more of it. But it's only fair to say that this Privacy Commissioner has been deeply committed to that issue and has done a fairly significant job of improving that education. I don't think it's hit the ground level in every jurisdiction of every riding of every member yet, I agree with that.

Sure. I would echo the comments that have already been made in terms of the Privacy Commissioner's office and their staff doing a great job in public education. You're right in recognizing the reality that a lot of small and medium-sized businesses either don't care or don't understand the legislation. We don't think that radically overhauling the legislation is the answer to combat that, nor do we think that leaving it as confusing and subjective as some of the terms are is the answer.

The reality I face in my day-to-day practice is that small and medium-sized businesses are overwhelmed by the legislation. They don't understand it, and it's confusing, so they tune out and don't comply. Then they look at the Privacy Commissioner's office and they don't see order-making power, or they don't see the types of enforcement we've specifically addressed here, and again they tune out. That should be a real concern to everyone, including the organizations that have spent a lot of resources trying to comply with the legislation. The changes we've suggested we think are modest and would assist with small and medium-sized businesses. That's why some of the provisions that have influenced our submissions stem from the Alberta and British Columbia acts, which do a much better job of spoon-feeding to small and medium-sized businesses what they actually need to do to comply.

I've never denied there's any responsibility with respect to agreeing or assenting to terms in a contract. That's never been my position. Interestingly, the courts in Canada took your position on this in another case we haven't talked about yet, a case called Kanitz v. Rogers Cable Inc. It had to do with Rogers wanting to change some of the terms of its agreement after the contract had already been made with its particular customers. The question was whether or not it could do so after the fact and have that still be part of the contract. Part of what the decision ultimately said was it was up to individuals to go and check Rogers' website to be able to know about the updated terms, and if they agreed to them and whatnot.

If you were to assign your legislative assistant or whoever helps you to be the babysitter of every standard form contract you've entered into this month alone, you wouldn't get a lot of help on any other things if you had to adopt that kind of approach across the board, given how automated these things are. Also, as you said previously, you didn't even know you signed that one.

The responsibility flows both ways. While you're right to point out that the consumer has responsibility in these matters, at the end of the day, if these automated contracts work in the direction of the one party who gets the opportunity to write them, that will be just as harmful to the small guy, whether it's a small business or an irresponsible consumer, in your view.

Yes, thank you.

I'm glad Professor Kerr raised that point, because this takes us back to the constitutional question. PIPEDA, the regulation of personal information in society, does not occur in a vacuum. For example, with respect to the case of notification of important changes in the contract, Ontario's brand new Consumer Protection Act deals with exactly that. It deals with requirements to provide explicit notification to consumers, if you ever want to change the terms of their contract on 30 days' notice. So we're moving into a realm where the provinces have a very important say in exactly how terms of contracts between private organizations and individuals are played out. PIPEDA is general because it has to leave some room for constitutional maneuverability in terms of what the provinces can legislate and what the federal government can legislate. Many of our consumer protections acts deal with that exact point.

Any horror stories that would have occurred if the commissioner did have--

That could have been avoided if the commissioner had order-making power? I can't think of any off the top of my head. That's why we didn't recommend that the commissioner get order-making power.