Evidence of meeting #28 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Mark Yakabuski  Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
Randy Bundus  Vice-President, General Counsel and Corporate Secretary, Insurance Bureau of Canada
Murray Long  President, Murray Long & Associates
Ann MacKenzie  Privacy Officer, Dominion of Canada General Insurance Company
Vivian Bercovici  Counsel, Dominion of Canada General Insurance Company

10:40 a.m.

President, Murray Long & Associates

Murray Long

Thank you very much.

You don't pass privacy laws to require good corporations to act responsibly. You pass laws because you have other companies that don't accept those responsibilities. The very first complaint investigation under the Alberta privacy commissioner's office involved three companies that had disposed of very detailed personal records containing tons of personal information, financial data, by putting those into the dumpster. The only way those companies were found out was when the Edmonton police force found the records, which were being sold to identity thieves, and it was able to go to the Privacy Commissioner and say they knew where those records came from.

You need to have a breach disclosure requirement that requires all companies to act responsibly. There is a great risk, even though insurance companies, I'm sure, will do the right thing. There are lots of other corporations and small businesses in Canada that might see the reputational effect going the other way. They would rather hide the fact that they had breached the law and not disclosed to anybody that their data had been stolen. So you could have your credit compromised, and unless the police did the investigation and found out the source, you might never know where the data breach had actually happened. I think there is a requirement to have some kind of disclosure mechanism built into the act and to have some kind of penalty there to encourage small businesses to actually obey the law.

10:40 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Thank you.

Mr. Dhaliwal.

10:40 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

My question is for Mr. Yakabuski. One interesting topic that he brought up is the garage information.

I certainly agree with you when it comes to insurance companies. I have never had an experience in the last 20 years where my personal information has been given out.

You mention the garage situation. There are big companies like GMC and Chrysler. These days they have equipment that diagnoses cars for any faults or issues. These small garages have come to me many times and they have brought up this issue with me that they don't have access to that technology. What would you call that? Would you call this a work-related issue or would you call this a company product issue to do with that situation?

10:45 a.m.

Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada

Mark Yakabuski

I don't think it's a work product issue. I am familiar with the issue you're talking about. I can tell you that I actually had a meeting with the Automotive Industries Association of Canada last week to discuss how we can facilitate discussions among the vehicle manufacturers and the garage repair people across Canada so there is some degree of access to software codes they need in order to properly repair these cars. That is all part of the to and fro of a good vibrant economy. No one is going to give that information, if you will, with nothing in return. So it is an issue that requires discussion, and we will be there.

10:45 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

My question is back on this reasonable and minimal piece. There might be some instances where you feel there will be some individuals who might not be able to afford...or might not have the resources, as other businesses or individuals might have. How would you address that situation?

10:45 a.m.

Vice-President, General Counsel and Corporate Secretary, Insurance Bureau of Canada

Randy Bundus

That's a difficult question. What you would be asking is for the business to subsidize the cost of making this access request. The problem we face by forcing the insurers or big businesses to respond at a minimal fee is that they can be subject to tactics. They can be oppressed, in a way, in the course of a court action, where the threat of a request for boxes and boxes of file material is made in the knowledge that it would cost huge amounts of money to respond. Even though the case may be one that the insurer or the defendant would like to have the courts resolve, it's more cost effective to pay the claim off than to respond to the PIPEDA request. So to avoid abuses by certain parties that may wish to use PIPEDA as a sword in their litigation process is largely the reason we are concerned about the responsibility to have to respond with minimum rather than the reasonable fees.

10:45 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

Is there someone else who wants to add something?

10:45 a.m.

Privacy Officer, Dominion of Canada General Insurance Company

Ann MacKenzie

I want to comment on the issue of minimum fees for producing, and I agree with Mr. Bundus that there are times when the requests are abusive. There are times when if you ask for a minimal fee.... I want to comment on one thing. Let me rephrase this. The cost isn't just borne by the companies, it's borne by the people who buy the products. The more expensive you make the delivery of the system, the more expensive the product's going to be.

This issue doesn't happen every day, but when it does happen it is abusive. It's people who want to abuse the system by making repeated requests for thousands and thousands of documents just to slow things down.

So I think it is fair in certain cases to ask for minimum fees. We do it in the court system. If we were in court and were required to produce documents, we could do so at fees, and nobody has a problem coming up with something that's reasonable; there are standards for it. So I think it is something that already happens. It's just looked after by the process.

10:45 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

Mr. Long has something to add, Mr. Chair.

10:45 a.m.

President, Murray Long & Associates

Murray Long

I have a concern that if you move to a sliding scale such as reasonable fees you can end up in a situation where they become deterrent fees, and people feel that they can't afford the cost of an access request and therefore they are denied access to the fundamental information to which they're entitled to have a right of access.

I think there are some other ways of resolving some of these kinds of concerns where people are making requests that are clearly made in bad faith or made in a vexatious manner. Under the B.C. act, the company is entitled to go to the B.C. commissioner and say we would like the right not to have to respond to this access request because we think it was made in bad faith, or is frivolous, or is vexatious. I think that's certainly one thing you may want to look at putting into the act.

Certainly, when you start sliding the scale towards “reasonable”, which is a hard term to really interpret here, if you get beyond the minimal or no fee approach--and I think there are schedules you can use to look at what actually is a minimal cost, the cost of photocopying things and so on--I don't think the individual should have to bear the burden of the corporation saying, we have to do some research to know what to give you. I think that should be the company's burden. I think to impose the burden back on the individual is patently unfair. The company has collected and is using their information for their economic benefit, usually, and the individual should not have to pay a new cost on top of that to have access to it.

10:50 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Thank you.

We're coming to the end of our time. The chair has one question of Mr. Long, and that has to do with the notification issue that you spoke of in your presentation. I don't recall anyone...I think you've gone a little further than most—

10:50 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

Thank you, Mr. Chair.

10:50 a.m.

President, Murray Long & Associates

Murray Long

I think I have.

10:50 a.m.

Conservative

The Vice-Chair Conservative David Tilson

If it's been suggested, I don't recall it. Your suggestion is that if the notification isn't complied with, whatever notification it is, there would be a penalty. I find that interesting. Have you put your mind to who would have jurisdiction over that? Is it the courts, the Privacy Commissioner? That's the first question.

The second question is, have you thought of a minimum penalty? We don't have much time, but the third question would be, would this requirement apply to foreign companies--which I'm sure will get the insurance industry all excited--that have subsidiaries here in this country?

10:50 a.m.

President, Murray Long & Associates

Murray Long

If there are subsidiaries here in this country, they're subject to our law to the extent they are collecting and using information inside Canada. I think that's fairly clearly understood.

With regard to the offence, section 28 of the act already outlines what the offences are at the present time. There are certainly offences for obstructing the Privacy Commissioner in performing her duties. Those fines range from $10,000 to $100,000. Generally speaking, it would be through the Attorney General, and there'd be some kind of a hearing or trial, whatever, to establish the fine. It would be an offence under the act, though.

In the case of breach disclosure, any organization that knowingly withheld information about a breach, knowing that it could cause public harm or loss of, say, credit standing, cause the kind of harm that we associate with identity theft, if they did so knowingly and without regard to the public interest, I think that should be considered a serious offence under the act. I think there needs to be some kind of a penalty put in place in the act to make especially smaller companies that may not have the kind of fiduciary responsibilities or sense of obligation that large corporations have understand that this is a serious issue and it will be treated as a serious issue.

10:50 a.m.

Counsel, Dominion of Canada General Insurance Company

Vivian Bercovici

May I interject, Mr. Chairman?

10:50 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Yes, Ms. Bercovici.

10:50 a.m.

Counsel, Dominion of Canada General Insurance Company

Vivian Bercovici

I'd like to take you to tab 4 of our materials, which was the transcript, so there's a little déjà vu here. It's at tab 4, page 4, in both the English and French versions, towards the bottom of the page. We don't disagree--which is a roundabout way of saying we pretty much agree--that there should be a duty to notify. The problem isn't whether there should be a duty to notify, or whether people have the right. The problem is the threshold. When you're dealing with a principle-based statute with the breadth of PIPEDA, it's almost impossible to craft a meaningful threshold. This is something--if you look at the bottom of column two--which the commissioner acknowledges quite explicitly. She says, “we're in favour of the principle. The problem is in knowing how to implement it.” She continues on to talk about the complexity and the difficulty in trying to transpose the American remedies to Canada. “To whom do you give notice? What would be the scope of it? Would it concern all the information, or only where there's significant risk? Who will bear the cost?” If you turn over to page 5, midway down, she says that she recommends there be a breach notification provision. The exact wording, however, is quite honestly a challenge, and then there's a discussion about needing some sort of threshold.

With respect, we would suggest that you consider that perhaps there be some sort of statement of principle in PIPEDA, that there should be notification with some sort of threshold, but then again, we would suggest, particularly with complex industries like ours, that the detail of exactly what the threshold is going to be and how it's going to be implemented be left to our governing statutes and to those who really have expert knowledge of how we function. You can put rules. It's very difficult to put in rules that are going to apply to banks and to a small business. There's another passage in here where we have the commissioner and assistant commissioner talking about the CIBC breaches. You can have rules upon rules, but sometimes things are going to happen. They said CIBC did everything right. They had great systems. They had great agreements, but sometimes these things happen.

I would suggest--and we would I think agree on this--that it be left to those with expert knowledge of our very complex industries.

10:55 a.m.

Conservative

The Vice-Chair Conservative David Tilson

I appreciate that interjection. We've run out of time. You've raised many issues for the committee to consider, and I thank you for bringing your knowledge to us.

Thank you very much.

This meeting is adjourned.