Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was problem.
A recording is available from Parliament.
10:05 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
The Competition Bureau is also involved with PhoneBusters.
10:05 a.m.
Counsel, Canadian Consumer Initiative
I do not know the organization's exact status.
10:05 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
It is an initiative.
10:05 a.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I suppose there is a telephone number that people can use. I guess that it does not exist in Quebec, because I have never heard of it.
10:05 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Maybe it only works in English, I do not know, but there is a website where you can find information: www.phonebusters.com, I believe.
10:05 a.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I really do not know much about it, but would they have data on identity theft? Is that included in the questions for the witnesses who are going to be appearing? Okay, I see.
10:05 a.m.
Liberal
The Chair Liberal Tom Wappel
They'll be able to explain to us exactly who they are, what they are, what their legal status is, etc.
10:05 a.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Fine. Thank you very much, Mr. Chair.
At the beginning of your presentation, you said that laws needed to be changed. I would like to know which laws you were referring to and how exactly we must change them.
I would ask you to answer one after the other, but not both at the same time.
10:05 a.m.
Counsel, Canadian Consumer Initiative
There is the Personal Information Protection Act. As the committee has mentioned, the law must be changed to make it mandatory to disclose information leaks.
I do not know whether the social insurance number is included in the act that...
Where does that come from?
10:05 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
It is already against the law to use the social insurance number if there is no need to. The problem does not lie in that part of the act.
The problems include enforcement—the lack of incentive and penalty for organizations that collect social insurance numbers when they shouldn't. They refuse the consumer the right to see the credit report that the privacy law says they have a right to see. TJX and Winners are swiping shoppers' credit cards—Maybe everyone should be using cash, and maybe that's what we should be recommending. But that would certainly be contrary to the government's policy of trying to encourage electronic commerce.
They are swiping credit cards and keeping the detailed information from the magnetic stripe, which they are not supposed to keep and are not allowed to keep under privacy law. They're storing it in a database in the United States for years, thereby providing a gold mine for identity thieves.
The big amendments we really need to make here are on the enforcement regime of PIPEDA. We need to give complainants more effective mechanisms to pursue their complaints in courts and to get recourse. We need to have real financial and reputational penalties for organizations that don't comply with the law.
We should also be looking at provincial laws that regulate credit bureaus and provide consumer protection. The Consumer Measures Committee has already done some work in this area, but we need to see how the laws can be improved. For example, they should provide consumers with the right to freeze their credit on the credit report. That means that no lending institution could get access to their credit report without the consumer's explicit permission. That makes sense for victims of identity theft and people who have good reason to suspect they might be victims.
10:05 a.m.
Liberal
10:05 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
Thank you, Mr. Chair, and thank you to the witnesses for coming.
I have a couple of clarification questions to understand where you're from. I have a report that you did together in 2003. That was with the Public Interest Advocacy Centre. Now I see that you're two different organizations. Are you all under one umbrella?
10:05 a.m.
A voice
They're divorced.
10:05 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
They're divorced. I see they kept the “law” part of their name.
10:10 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
It's coincidental to some extent. I worked as a lawyer for 12 years with the Public Interest Advocacy Centre. The last thing I did was the report on identity theft. When I left in August 2003, the report was almost, but not quite, complete. John took it over and finished it.
In September 2003, I left the Public Interest Advocacy Centre and set up CIPPIC, Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. We are completely separate organizations.
10:10 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
We have the report Identity Theft: The Need for Better Consumer Protection, which was completed in 2003. Have any of the recommendations and conclusions in here been implemented? Do you have any idea?
10:10 a.m.
Counsel, Canadian Consumer Initiative
It has been recommended by this committee for data breach notification. I think that's the major one at the moment. I have to grab my recommendations at the back of it.
10:10 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
Did Industry Canada pay for this study or part of this study?
10:10 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
They funded the whole thing. Okay. My researcher got this for me, and I didn't know whether we had done anything on this or not.
I have another clarification question. The consumer group that was here last indicated in their report that there was no data protection law in the United States. Is that accurate, or has that changed?
10:10 a.m.
Counsel, Canadian Consumer Initiative
That is correct. However, for example, the rule I cited before from the FTC...they have a certain jurisdiction to enforce their general consumer protection act. Under their rule-making power, they've made a rule with financial institutions that requires them to take steps like PIPEDA in terms of safeguarding information.
10:10 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Can I just add to that? The U.S. has a patchwork of sector-specific and issue-specific data protection laws. They do not have this nice, comprehensive law that we have. In fact, the biggest recommendation of consumer and privacy advocates in the United States is that the U.S. adopt a PIPEDA-like law.
10:10 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
Ms. Lawson, you're working on a project right now. Is that correct? Who's funding that?