Information & Ethics Committee on May 15th, 2008

Yes. I didn't distribute anything, but I do have some remarks.

Thanks.

I'll speed through this quickly. I apologize for not having submitted my remarks in advance, but I'm happy to distribute them now. Let me just go through this quickly.

My name is Michael Geist. As you heard, I'm a law professor at the University of Ottawa, where I hold the Canada Research Chair on Internet and E-Commerce Law. I'm also a syndicated columnist on law and technology issues for a number of papers, including the Toronto Star, Ottawa Citizen, and The Vancouver Sun. I served on the national task force on spam that was struck by the Minister of Industry in 2004. And like the prior witness, I currently sit on the Privacy Commissioner of Canada's expert advisory board. I am the editor of the Canadian Privacy Law Review , and last month I launched a website called iOptOut.ca, which has already been used by tens of thousands of Canadians to opt out of unwanted telemarketing.

I speak today in my own capacity or on my own behalf. I should note that my primary expertise is in technology and Internet law. For the most part, my focus on privacy has been on the private sector side, on PIPEDA and its effectiveness in light of a globalized Internet and emerging technologies. But I must say that since my appointment to the Privacy Commissioner's advisory board, both the importance and inadequacy of the Privacy Act have become glaringly clear. Those limitations have been a constant source of discussion, certainly among the commissioners and many of the task force's members.

As you may know, I'm very active in researching and speaking out on copyright-related matters. Last night I appeared before the parliamentary IP caucus, where we debated in part whether or not the Copyright Act was as outdated as some critics would claim. While a copyright bill appears imminent, it's noteworthy that since the release of the very first set of recommendations on reforming the Privacy Act in 1987, Canadian governments have passed two major bills reforming the Copyright Act, and multiple smaller bills. So if the Copyright Act is out of date, I think the Privacy Act is positively ancient by comparison.

In deference to the notion of drilling down, I want to focus on five primary areas of concern, and I'll pick up on the recommendations made by the Privacy Commissioner that I found to be most compelling.

First is the issue of education and the ability of the commissioner to respond. I think that part of the failure to engage in meaningful Privacy Act reform may be attributable to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important and, I have to say, increasingly innovative role in trying to raise awareness and educate the public about PIPEDA and broader privacy concerns. I think the Privacy Act deserves no less, in terms of the kind of educational role that we could have. Moreover, the notion of limiting reporting to an annual report I think clearly reflects a bygone era. We're in a 24-hour news cycle, and any restrictions on the ability to disseminate information, particularly information that might touch on the privacy of millions of Canadians, such that it remains out of the public eye until an annual report can be tabled, need to be reformed so there's power to disclose the information in a timely manner.

I'll also focus on the issue of strengthening protections. As this committee has already heard, I think there are few, if any, privacy experts out there who would argue that the current Privacy Act meets the standards of a modern privacy act. At a time when I think the government is expected to be a model role player in this, it is instead finding itself doing far less than the private sector.

You've heard of several areas for reform. I'll focus on just a couple. One is the issue of the limiting collection principle—this “necessity” provision that has been talked about. I think it's a hallmark of private sector privacy law. Government should similarly be subject to collecting only that information that's strictly necessary for its programs and activities. I think that could play a role in a range of issues--identity theft, for example, which has taken on a growing importance and a growing amount of concern within our communities. It's an issue where, if we limited the amount of information collected and disseminated, we could have a positive impact.

I'd also argue that Federal Court reform, which has been raised, is something that ought to be considered, broadening it to include complaints beyond refusal to provide information, and the power to award damages, which all weigh into the issue of order-making power here as well.

I believe that the commissioner ought to have order-making power. It may be that she currently feels that's not necessary. My position on PIPEDA reform is that the commissioner needs order-making power. It's my position in some ways to be consistent, and I think that order-making power is appropriate here as well—even if, at the moment, the Privacy Commissioner doesn't feel that power is necessary. I think it would be helpful.

The third issue is that around third-party disclosures. In this current globalized “flat world,” the Friedman term, data, as we all know, moves easily between jurisdictions. Governments at both the federal and provincial level will be, and are, increasingly outsourcing data for efficiency purposes and other means.

Our privacy law needs to keep pace. An accountability principle is essential that makes clear that with the collection of that data by government, the government then remains accountable, regardless of where that data may flow.

Moreover, I would agree with those who have recommended a formalized approach to transborder information sharing agreements. That is needed. While some of those agreements may already be in place on an informal basis, I think an approach similar to what we see in the European Union, with an adequacy standard, and making that more formalized, would be valuable.

The fourth issue, and one that has been raised, I believe, by this committee in the past, is the issue of security breach disclosure requirements. It's something that has become readily apparent as being necessary in the private sector world. As you well know, there is currently work under way to try to deal with that within the PIPEDA framework. I think a similar provision would be valuable within the Privacy Act as well. Indeed, one could make the argument that given the absence of strong security standards in the act, it's even more essential.

Finally, there is the issue of privacy impact assessments. Privacy, of course, touches us in many ways, and it's implicated in many pieces of legislation--sometimes where you least expect it. The Privacy Commissioner has regularly appeared before committees, but I think that leaving it to the point where it's already before a committee and having the privacy commissioner deal with it runs the risk of having privacy be little more than an afterthought within pieces of legislation. From my perspective, it's more important to ensure that there is some sort of impact assessment--frankly, before the legislation is even tabled.

To return to my concerns associated with copyright, this privacy commissioner, as well as several other provincial privacy commissioners, has already spoken out about the privacy impact of potential copyright reform. As legislation is imminent, we know there's no sense that those issues have been factored into the legislation. I think those kinds of things could be better addressed by raising them up front, as opposed to a later date.

I'll stop there, I think. I welcome any of your questions.

The short answer--and I think for some the rather depressing answer--is that there are no absolute assurances. I think the current environment, where our personal data does traverse national borders with ease, to the point that your information is in different parts of the world, often without your direct knowledge, is a reality of this current globalized world.

I don't think, though, that means we take the proverbial Scott McNealy approach. He's the former CEO of Sun Microsystems, who said you have no privacy, get over it. There are people who can choose to say they don't want that information shared, but in a sense they forfeit, or they are forced to surrender, some of the benefits the globalized world provides.

I think most Canadians are comfortable with a certain amount of risk. Sometimes they're aware of it; many times they're not. But they recognize that there are benefits to even some of the outsourcing you've just described. They're comfortable knowing that does create a certain risk. But I think that then creates an obligation, from a regulatory law perspective, to create as many safeguards as we can within the realm of ensuring that we maintain some of these efficiencies.

Law doesn't become irrelevant in the scenario you've just described; it becomes more relevant than ever. It becomes more important than ever to ensure that our privacy legislation, while not providing anyone with an absolute certainty about protection of their privacy, at least provides some measure of assurance that those who are good actors know they have certain obligations in order to ensure they're complying with the law. And we have to ensure that the law sets the right kinds of obligations.

It must have been Charlie.

Certainly you find in countries around the world that many of the standards of privacy legislation are derived from the same basic principles, many of them from the early 1980s with the OECD. The notion of the destruction of documents, that you're going to flush certain personal information at some point in time, is part of those standards.

The broader question you've asked is how you develop the kind of privacy culture within the federal government that provides at least a greater level of assurance that people's privacy is adequately protected. I note that I think our private sector companies face precisely some of the same kinds of challenges, with larger companies having data housed in subsidiaries and in different parts of the company. There is the front person, who is speaking to you on the phone. Are they going to respect the privacy appropriately, and are other people who have access to different pieces of information?

It starts in a number of ways. One is to prioritize, and make clear that privacy culture is something that matters, and that there is an expectation that no matter where you come from within that broader bureaucracy, whether you're the person providing call centre assistance or someone who is making larger decisions, those privacy obligations will be respected.

But how do you begin to even imbue that? It starts with the legislation. If the legislation itself is seen as somehow substandard, and it doesn't even come up to the same level that, as I mentioned, our private sector companies are facing, I would argue that sends a message in itself. It sends a message that somehow we're comfortable with decades-old out-of-date legislation, and perhaps those privacy interests simply aren't that important.

My critics would tell you I'm not well informed about any of the above.

I would say that I've come to the privacy issue from a technological perspective. What I have found in the five years I have been the chair and in the about ten years I've been at the University of Ottawa focusing on these issues is that if you're going to focus on the digital environment and on emerging technologies, things like copyright and telecommunications and fundamental things like privacy are inseparable. They form a core part of this emerging environment, so you have to focus on it.

Between the Privacy Act and PIPEDA, as I alluded to in my remarks, I'm more familiar with PIPEDA than I am with the Privacy Act. I've been on the Privacy Commissioner's advisory board for a couple of years, and in the course of its meetings and in being the closing speaker at the International Conference of Data Protection and Privacy Commissioners in Montreal last fall, I have become so aware of the importance of the Privacy Act, as I mentioned, that I felt it was appropriate to come and speak to it, because so much of what the Privacy Commissioner is concerned with becomes so essential.

I think that's right. That's why I focused on things like cross-border data transfers, security breaches, and the like.

Anybody who tells you they know for sure what's in store is probably lying, or just just guessing at best. What has become clear--and we certainly see this from jurisdictions and privacy commissioners from around the world--is that we are collecting ever more data. The ability to access that data, regardless of location, is something that technology has changed quite dramatically, and something we now have to factor into the kind of frame in which we live. The kind of data we have access to, DNA data and other sorts of biometric information, is the sort of data we didn't previously have access to. The impetus to collect new forms of data through this technological world comes up as well.

I think, for example, of CCTV, the closed-caption television cameras. I did one of my degrees in England at Cambridge University, and one became almost laissez-faire about having a camera around every corner. I know there are plans to install some of those cameras as part of the Vancouver Olympics in 2010.

So technology is increasing our capacity to collect this information, and disseminate and distribute it on a global basis. On whether we need reforms that address specific technologies or instead rely more heavily on the core principles, and ensure we have a principle-based statute that reflects the broadly accepted principles, in many ways the latter is better, because predicting with any kind of accuracy what this technological environment is going to look like a few years from now is really just a guess for everybody.