My apologies first of all, but I'm strictly limited to your 2:30 deadline because we're having a bit of a problem out here in British Columbia with a privacy breach, strangely enough, one that affects both the public and the private sectors. So, I will have to go at 2:30.
I will also try to keep my comments as brief as possible to allow the maximum time for questions. I will limit myself to the four points raised by the commissioner in his letter of December 2 to the chair, as well as two extra points.
We've also had two detailed submissions that we've put in to the commissioner's process, which I believe are available, and I'd be pleased to provide them to you.
Consent for the collection, use, or disclosure of our personal information is the underpinning of PIPEDA. Attempts to move away from this or to tamper with it should be viewed with considerable suspicion. At the same time, it's important to note that, in many cases, consent is really illusory. The conditions being agreed to are often in the form of over-broad, lengthy terms of service and other contractual services. The choice offered to consumers is often to accept all conditions or to not use the service. The result of this is that, in many cases, an organization feels free to do whatever it wants with the information it collects under the guise that the individual whose information it is has, in fact, consented to this.
For example, in our 2015 study on “The Connected Car”—which was generously supported by the contributions program of the Privacy Commissioner—we found that there were multiple agreements, policies, and contracts that come into play when somebody is attempting to purchase a vehicle. The purchaser is supposed to have read and understood all of these policies. A lot of times these are not available on the Canadian website of the manufacturer. They are available only on the U.S. website, and it's not entirely clear whether or not they apply. These policies and conditions tend to have very open-ended use and conditions that allow for “such other purposes as we see fit” or for research or for marketing. Some of these policies can, in fact, be somewhat contradictory. It's not entirely clear where these are coming from. As a result, we provide this general recommendation in our “The Connected Car” report:
Rather than relying on the fiction of choice and consent, what is needed in this industry are clear, specific and relevant limits on collection, retention, use and disclosure of personal customer data. We need industry-specific data protection regulations for the Connected Car industry.
We also had a number of specific recommendations for the automotive industry regarding consent. I'd like to refer you to four suggestions that Professor Michael Geist of the University of Ottawa put forward as a useful basis for approaching the issue of consent generally: the opt-in consent should be the default model; rules on transparency must be improved; consumers must be able to exercise a choice other than to take it or leave it; and stronger enforcement powers and penalties are required.
In terms of reputation and privacy, with the rise of the online world, considerations that were once primarily the concern of the well-heeled and the well-known—things like damage to reputation—have become much more widespread and are, in fact, concerns of pretty much everybody who is involved online. What might once have been simply neighbourhood gossip can now become part of a global campaign of vilification. Ordinary people who do not have large financial resources or access to legal resources are put in the position of trying to defend themselves and their reputation in this new world. FIPA made a submission to the Privacy Commissioner's consultation on this issue, and I would refer you to that piece of work for a more detailed discussion of some of the issues involved.
We didn't make specific recommendations, but we did outline various considerations that should be taken into account when approaching this issue.
In terms of enforcement, as we've said before, with regard to the Access to Information Act and the Information Commissioner or the Privacy Act and the Privacy Commissioner, we're also of the view in terms of PIPEDA that the Privacy Commissioner should be brought up to the same level as his provincial counterparts who have order-making power. This system has operated for more than a decade in British Columbia, and there hasn't been any systemic problem with the commissioner having order-making power. It would also ensure that, in terms of protection of people's rights, they would be able to get a more immediate remedy under the federal regime, which is not the case currently, rather than somebody, say in British Columbia, having a choice of complaining about conduct either provincially or federally.
In terms of adequacy, the order-making power would have, I think, a positive effect with regard to ensuring that PIPEDA continued to be looked upon as providing adequate privacy protections.
The two additional points that I would raise are these.
One is something that came up, I believe, during our discussions on the Privacy Act, and that is the coverage of federal political parties. It's our view that the federal political parties, which are currently not covered under any legislation protecting people's privacy and personal-information rights, should be dealt with under PIPEDA. Here in British Columbia, our substantially similar provincial act, the Personal Information Protection Act, covers the political parties in this province. Arguably it could cover provincially incorporated branches of federal parties. The commissioner has, in fact, successfully done at least two investigations and reports on the two largest parties here in British Columbia, and we continue to have parliamentary democracy here, so we don't see any impediment to federal political parties being brought under the PIPEDA regime.
Finally, I'd just like to support what Professor Steeves said in terms of algorithmic transparency. This is a very key point, and it's something that we raised previously with regard to the Privacy Act.
I look forward to your questions.
Thank you very much.