Evidence of meeting #23 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
4:45 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
Professor Kerr, I have just a couple of questions for you.
I want to be clear, because we don't have your presentation in front of us. Your standard form issue really deals with consent. That's an accurate statement?
4:45 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
Absolutely.
4:45 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
When we get it, your presentation will deal with those issues in written form? Is that accurate? Is there anything we don't have in front of us that you wanted to tell us briefly about the consent issue and standard form? I think I understood it, but....
4:45 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
Sure. I'm more than happy to provide my oral remarks. What I had already provided was a written submission, which was much more formal in nature, but I'm happy to provide this as well.
4:45 p.m.
Conservative
4:45 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
There are several recommendations.
4:45 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
Okay. Let's use your Hilton example. I'm not sure they're reading our e-mail or they know I use it at 10 o'clock at night. I'm sending it across the world, and they might need a different service provider as a Hilton organization. But when is it my responsibility? There's a consent form I'm supposed to read and I submit yes or no. Is that not my responsibility, to read that thing?
4:45 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
It's absolutely 100% your responsibility to read it, and Canadian contract law is very clear in this regard, that so long as sufficient notice has been given.... In cases such as Rudder and Microsoft, which is one of the leading cases in Canada...it is incumbent upon the person who ultimately clicks “I agree” to either read those terms or to be deemed to consent if they don't. However, the point is it's not just about reading, knowing, and understanding them; it's about the idea that in an information age, where there's only one choice, which is either yes or you don't get to participate, it raises issues with respect to the relative bargaining power of the individual. I would suspect that many times in your life you have been faced with that situation where you have no—
4:45 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
But it's a choice. Isn't it the glory of living in this country that we have a choice we can make? Either I get on the Internet and talk to my friend David that night or I decide I wait because I'm not satisfied that it's secure enough. When does the government get out of the way of individuals making that choice?
4:45 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
I would suspect--
4:45 p.m.
Liberal
The Chair Liberal Tom Wappel
Thank you.
Professor, that's just a rhetorical question. We don't have to get into a debate on it.
4:45 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
It's a very important question, and I'd like to answer it if you let me.
4:45 p.m.
Liberal
4:45 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
In the context of when those kinds of things are such that courts and governments ought to interfere with those contracts, that's your question, under what circumstances ought they too. In my recommendations I'm very clear that where the privacy legislation itself has an elevated standard of protection such that, for example, in the British Columbia statute it says you're not allowed to prevent somebody from withdrawing from their consent at a later time, and if you attempt to do that the contract will be unenforceable.... The B.C. legislation, for example, says that. What I'm recommending to you here is the same sort of thing. So just like in the law of contracts the courts will set aside contracts as being unenforceable for public policy or illegality when somebody tries to contract something that goes against a statute, I'm suggesting the same with PIPEDA. In other words, when a PIPEDA protection is there, you shouldn't be exposed to having somebody ram down your throat that you're not allowed to avail yourself of those protections or else not use any services. That's my submission.
4:50 p.m.
Lawyer, Information Technology Association of Canada
First of all, the law in this area is actually quite well developed. The law, as Professor Kerr is aware, requires companies not only to provide information in their terms of use, for example, and to get individuals to click “I agree”, but you're also required to highlight any important part of those terms and conditions to your customers. Many of you have probably seen these in terms of use; you'll have a bold statement going across the page that says, look out below, there's something important, and you'll point it out.
Secondly, in the case of a collection of personal information like the example that was provided, which is too broad, PIPEDA provides the perfect mechanism to be able to redress that. PIPEDA clearly says you can only and should only collect personal information to the extent that it's required and use it to the extent that the use is reasonable. There are a whole series of Privacy Commissioner decisions that look at this very issue. And when an organization is collecting excessive amounts of information or using it in an inappropriate way that is too broad, there is a redress mechanism that is provided, and the commissioner is able to find findings and recommendations against the respondent. From my experience, companies are absolutely terrified of the Privacy Commissioner. All you have to do is hold up the example of the Air Canada case so many years ago and they say, “We don't want that to be us; that's the last thing we want.” That's the most important tool the commissioner has.
If you look at the American jurisdictions that do have notification requirements, and I believe at the last count there were 22 U.S. jurisdictions, privacy protections are no better there. It's the opposite. In fact, how many of you have seen those notification letters that come in the mail? You can get a dozen of them in a week sometimes in some jurisdictions, and they become meaningless. All it does is infuriate many consumers, who say, “My gosh, is this serious or not? What am I supposed to do?” Much preferable would be a mechanism whereby industry and the Privacy Commissioner come together to have guidelines with respect to how you deal with notification and data breaches. I'm sure most organizations would happily follow along.
4:50 p.m.
Liberal
The Chair Liberal Tom Wappel
Thank you.
I for one think the Hilton contract dealing with the universe is entirely too broad. I think it should be limited to the planet earth.
Monsieur Plamondon, s'il vous plaît.
December 11th, 2006 / 4:50 p.m.
Bloc
Louis Plamondon Bloc Bas-Richelieu—Nicolet—Bécancour, QC
My question will be brief because I have to leave at 5 p.m.
Mr. Kerr, could you clarify something for me? When you talked about the commissioner's powers, the interpreter used the term “order”. I thought I understood she could issue orders. At least, that's what we got in the French translation.
Did you talk about orders? If yes, could you give some clarification on the recommendation you gave on this?
4:50 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
No, I did not.
4:50 p.m.
President and Chief Executive Officer, Information Technology Association of Canada
I think the intention was to talk about order-making powers, like a court has.
4:50 p.m.
Bloc
Louis Plamondon Bloc Bas-Richelieu—Nicolet—Bécancour, QC
Then the interpreter did not provide the right word.
Could you clarify this anyway?
4:50 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
One of the things I said right in the closing part of my remarks, as a recommendation, was with respect to order-making power, which we've talked a bit about so far today. I did not in any way suggest that the commissioner currently has that power.
4:50 p.m.
Bloc
Louis Plamondon Bloc Bas-Richelieu—Nicolet—Bécancour, QC
When the commissioner testified before the committee, she did not seem very much in favour of the idea of having such power. She wasn't looking for it. I was therefore surprised by the contradiction in terms of a certain obligation we would have given the commissioner.
4:50 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
I would like to comment on that, if you'd let me. I came to hear the commissioner speak, and I also heard Commissioner Loukidelis from British Columbia speak. I've also been sort of following what's been going on online with people who are discussing these proceedings on blogs.
I would love to put forward my take on this, because I think I heard it differently from how some people have been talking about it subsequently. What I heard the commissioner say was that at the moment she is not in favour of order-making powers, and she was very clear that she was open to the idea of potentially wanting them. Further, she said that this is not the right time for her to have order-making powers. She also alluded to some things that some people might have interpreted as having to do with some of the transitions, which have taken place in that office, over the past several years.
I also heard Commissioner Loukidelis describe the order-making power as a power of last resort, which I believe some people around this table misunderstood as him somehow denigrating as an unnecessary power. I think a power of last resort is an extremely important power. When a tightrope walker walks on the tightrope and the safety net is the instrument of last resort, just because it's the last resort doesn't mean it's any less important. In fact, it's potentially the most important instrument.
So I would be careful to draw conclusions from the fact that when she was a commissioner in Quebec, she had order-making power and because she is now the Privacy Commissioner of Canada and has suggested that this is not the time for order-making power, that this means order-making power is inappropriate.
As a manager, she recognizes that the office has been through a tremendous amount of turmoil in the last several years, and she takes the position, like my colleagues over here, that maybe it's too soon for these powers. I want to be very clear that it's not at all the case that she has in any way suggested that she is against the idea of order-making power.