Information & Ethics Committee on Dec. 11th, 2012

I think that companies should let their members, or their clientele, know that the conditions have changed, since the consent the consumer gave when subscribing did not apply to the new conditions. The company should at least indicate that the rules of the game have changed, so that the consumer can have the option to keep or cancel their subscription.

Thank you, honourable member.

I'm a bit amazed at that statement. It sounds like if we got more power, we would be slinging mud balls at each other. I don't know what hell would break loose if we had enforcement powers.

I had the honour to be the president of a tribunal, one of the ones I mentioned in my speech, that enforced privacy legislation in Quebec, both in the private sector and the public sector. I didn't notice that we had particularly acrimonious relationships with companies in the private sector. I don't notice that my colleagues in British Columbia and Alberta have particularly acrimonious relationships, because they also have an educative role. They also prefer to settle through negotiation, if possible. Nobody really wants to go to court if they can avoid it. They promote the voluntary adhesion to the law.

Therefore I don't see, in those places across Canada where there is some kind of enforcement power, that anybody said the relationships are difficult. If people don't agree and there's one case where you go to the tribunal, well, perhaps people agree to disagree, but I haven't noticed that's prevented my colleagues—or me, when I was in that position myself—from doing educational work, from working with chief privacy officers, from having collegial meetings with the private sector.

I'm a bit perplexed as to that statement.

That's another comment that just dumbfounded me. The reality of what we call multifunctional administrative organizations is a concept that is very well known in Canadian law—and, I believe, in British law and arguably in Australian law, to take laws that resemble our public law the most. Both my Australian and U.K. colleagues have different functions: they do education, they do arbitration, they do mediation, they do public outreach, and they also can either impose fines themselves—that's my U.K. colleague—or can go to the court and ask for fines of over $1 million Australian—that's my Australian colleague, so this is a model that's well known internationally.

It's also well known here. Again, my B.C. and Alberta colleagues do education work with us. We've issued several guidance documents together with them. They have a public outreach office and so on, and they are tribunals. They make binding conclusions. Therefore, I don't know why all of a sudden it would be impossible for us, when it has been possible in Alberta, B.C., and Quebec for the last 15 years and it's the rule abroad.

I'm not sure—

There is an appeal process, yes. In the case of Quebec, there's a direct appeal. I believe in the case of Alberta and B.C. there's judicial review, which to me is usually a higher standard.

Yes.

I would think there are any number of players across Canada, both federally and provincially, in digital literacy issues, depending on whether you're addressing it to school children, parents, young adults, or seniors, who kind of skipped that altogether.

We're involved to the extent of our resources, and we just launched, with the Media Awareness Network, a tool about mobile app guidance for educators in school boards across the country.

There are any number of players. That activity could be developed, but we wanted to bring this tool to your attention.

Certainly American companies, which are the major players on the Internet, have the FTC's opinion in their sights.

Could I ask assistant commissioner Chantal Bernier, who directs our day-to-day investigations, to give you a recent example of the truth, I think, of the statement you put forward about the FTC and other privacy commissioners?

Thank you, Commissioner.

Yes. I think this story is quite eloquent.

You may recall, if you have followed the press clippings around our work, that in 2011 we issued a report of findings on Google WiFi. We found that as Google was rolling out Street View, they captured—accidentally, they say, and we have no evidence otherwise—personal information of Canadians. We gave them one year, a full year, to present to us a third party audit assuring us that they had applied all the recommendations we had made.

That timeline was May 20. At the beginning of May we had a meeting with Google, and our request for a third party audit, which was clearly stated in our letter, did not even seem to be on their radar screen. They were rather apologetic, and said “Oh, my God, can we have an extension?” In July, they sent us the third party audit that in fact had been written for the FTC.

I believe that truly goes to your point.

Well, from observation over the years, I think it is the only thing that makes them sit up and take notice.

Their names are already public. We're dealing with a far different breed of companies from what existed when PIPEDA was adopted. Lawyers have said to me many times over the years, “I wish there were more sanctions”, or, when I started talking about sanctions, they say they are so happy we are doing that because their client—this could be an outside client at a law firm or the CEO of a company where they are an in-house lawyer—asks them to draw up all the regulatory risks and then asks, “What happens if I don't?”

When they get to privacy, they ask what happens if they fall off the Canadian privacy wagon. Well, I have to say, “Don't worry. There will be an investigation, and in the course of the investigation, you can promise to fix it”, and that's it. That's what the law says. If they promise to fix it and there's an agreement, I don't take them to Federal Court, so they say, “Okay, fine; put it at the bottom of the list.”

As a result, the lawyers who were advising their clients can't get their clients to pay attention to Canadian privacy law because the CEO asks, “What are my biggest risks?” If there's virtually no risk of infringing when you infringe a Canadian privacy law, you move on to other things. That includes data breach, as we were talking about earlier.

I think it's been done already by the Federal Court. I think there's a legal test, a real and substantial connection to Canada. I think many of the companies meet it. It's fairly clear, and that test would have to be met.

We would be levying a sanction for their behaviour involving the personal information of Canadians. I don't think there is a problem of enforcing it. Other countries enforce things against companies headquartered elsewhere. It depends on how your laws are written, but one of the many good things about PIPEDA—the only thing I’m raising here is the lack of enforcement powers—is that PIPEDA is written in a such a neutral way that as long as you have a connection with Canada, it doesn't matter where you are headquartered. It doesn't matter where your servers are, etc. I think that can be dealt with in a rewrite of the law.

Yes. I would think it would be interesting if you looked at the range of fines the European Union is currently contemplating. There's a range of fines; first tier, second tier, third tier. It goes up to a maximum of 2% of worldwide revenue. There's debate about that and so on, but if you look at the fines the FTC is imposing, a range of $20 million to 25 million....