Information & Ethics Committee on May 15th, 2007

I do not know the organization's exact status.

It is an initiative.

In fact, it could disappear tomorrow.

Maybe it only works in English, I do not know, but there is a website where you can find information: www.phonebusters.com, I believe.

There is the Personal Information Protection Act. As the committee has mentioned, the law must be changed to make it mandatory to disclose information leaks.

I do not know whether the social insurance number is included in the act that...

Where does that come from?

It is already against the law to use the social insurance number if there is no need to. The problem does not lie in that part of the act.

The problems include enforcement—the lack of incentive and penalty for organizations that collect social insurance numbers when they shouldn't. They refuse the consumer the right to see the credit report that the privacy law says they have a right to see. TJX and Winners are swiping shoppers' credit cards—Maybe everyone should be using cash, and maybe that's what we should be recommending. But that would certainly be contrary to the government's policy of trying to encourage electronic commerce.

They are swiping credit cards and keeping the detailed information from the magnetic stripe, which they are not supposed to keep and are not allowed to keep under privacy law. They're storing it in a database in the United States for years, thereby providing a gold mine for identity thieves.

The big amendments we really need to make here are on the enforcement regime of PIPEDA. We need to give complainants more effective mechanisms to pursue their complaints in courts and to get recourse. We need to have real financial and reputational penalties for organizations that don't comply with the law.

We should also be looking at provincial laws that regulate credit bureaus and provide consumer protection. The Consumer Measures Committee has already done some work in this area, but we need to see how the laws can be improved. For example, they should provide consumers with the right to freeze their credit on the credit report. That means that no lending institution could get access to their credit report without the consumer's explicit permission. That makes sense for victims of identity theft and people who have good reason to suspect they might be victims.

They're divorced.

It's coincidental to some extent. I worked as a lawyer for 12 years with the Public Interest Advocacy Centre. The last thing I did was the report on identity theft. When I left in August 2003, the report was almost, but not quite, complete. John took it over and finished it.

In September 2003, I left the Public Interest Advocacy Centre and set up CIPPIC, Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. We are completely separate organizations.

It has been recommended by this committee for data breach notification. I think that's the major one at the moment. I have to grab my recommendations at the back of it.

Yes, they funded it.

That is correct. However, for example, the rule I cited before from the FTC...they have a certain jurisdiction to enforce their general consumer protection act. Under their rule-making power, they've made a rule with financial institutions that requires them to take steps like PIPEDA in terms of safeguarding information.

Can I just add to that? The U.S. has a patchwork of sector-specific and issue-specific data protection laws. They do not have this nice, comprehensive law that we have. In fact, the biggest recommendation of consumer and privacy advocates in the United States is that the U.S. adopt a PIPEDA-like law.