Thank you for the question. It's pretty sweeping.
I guess the first thing I would urge the committee to do is to exactly understand how PIPEDA currently works, because some of what you're describing could be illegal in the existing act. I know you're going to hear from various carriers about specific high-profile incidents, such as ones you described.
I don't know of a more challenging issue for the committee than addressing the expectation of privacy in an online environment. I don't want to patronize anyone, but when I was growing up in Lancaster, Ontario, we had a general store. When you went into the general store, the vendor knew you and knew your buying habits. If you dramatically changed your buying habits, they would notice that, or perhaps they would say, “Oh, you're here, and I know you like this kind of stuff, so I got a new one. Do you want to have a look at it?”
We didn't consider that an unwarranted intrusion into our privacy. But when a company now contacts me and says, “I know you're interested in canoeing”, I would say, “Oh, how did you know that?” They know it because they have access to a lot of vendor sites in canoeing.
I think you've identified correctly the challenges. One is of consumer confidence. Consumer confidence goes both ways. We want to trust that we have enough privacy to do business online. We also want to trust that the company is using the information we have to prevent exactly the opposite side of your equation, which is the data breach.
I got a call last year asking, did I buy $12,000 worth of drywall on my credit card yesterday. No, I did not. I was very glad that they had my personal information and were able to contact me abruptly and stop that. So fraud protection is a very significant part of the online world as well. I don't know that you're going to find an exactly easy balance between those two pressures.
