Good afternoon. Thank you to the committee and to the chair for this opportunity to speak with you today about this very important subject.
If I could just briefly introduce myself, I am a privacy lawyer and partner with McInnes Cooper in Halifax. I’ve been practising law in this area for about 15 years, and I’ve had a strong interest in the intersection or collision between technology and civil rights for quite some time. I'm also a part-time member of the faculty of law at Dalhousie University, where I've taught courses such as Internet and media law, law and technology, and privacy law. I'm a past president of the Canadian IT Law Association and former chair of the national privacy and access law section of the CBA.
I think the perspective that I can offer is as somebody who regularly advises businesses with a view to compliance with Canadian privacy laws, and I have represented a number of companies and clients in connection with investigations with the Office of the Privacy Commissioner of Canada.
I've had the benefit of advising clients on a full range of privacy, access to information, and technology issues in that time. In connection with this, I'm also often exposed to the privacy laws of other jurisdictions. One thing that's been abundantly clear to me over the last 15 years is that the more I learn about other countries’ privacy laws, the better the Canadian law looks. It is actually a marvel of technological neutrality and resilience. It was drafted in the 1990s but continues to hold up very well, particularly with the amendments put in through the Digital Privacy Act.
I should emphasize that my comments should not be attributed to my firm, my clients, or any organizations that I'm associated with. These are my own views and my own opinions.
On the specifics, I’d like to address three issues, but I'd be happy to discuss any of the topics that I'm sure will come up in the rounds of questions.
First, I’d like to address the right to be forgotten. Then, I’d like to speak about the powers of the Privacy Commissioner. Finally, I’d like to address the question of consent.
In my previous appearances before this committee, particularly on the Privacy Act inquiry, I was asked about the right to be forgotten and whether it should exist under Canadian privacy law. My view then, as now, is generally no.
In the meantime, we’ve actually had a decision from the Federal Court of Canada in a case called Globe24h.com, which, as I understand it, related to a Romanian individual who operated a website entirely based in Romania. He would scour court and tribunal decisions from Canadian websites and post them on his own site. The main difference was that these tribunal websites, operated by government entities and organizations like CanLII, put in place measures so that individual names can't be indexed on search engines. If your name appears in a court case and you search your name, it's not going to show up in these databases.
This individual took down or didn't implement that protection. A person could find their name—it was associated with a court case—and it might have been embarrassing since for most people any day in court is not their best day. He then implemented a mechanism by which people could ask to have it removed. If they mailed in a request, it might be processed in six months, or they could pay some cash online and it would be taken down right away. Essentially it's been characterized as an extortion scam.
An individual whose information appeared on Globe24h.com complained to the Privacy Commissioner. The Privacy Commissioner found that the webmaster had violated Canadian privacy law—even though it was entirely based in Romania, I think it was not an unsensible decision on jurisdiction—and then took the next step, which is to go to the Federal Court as is already provided for in PIPEDA. The Federal Court issued an order finding that the purposes, which were ultimately extortive, were not reasonable and were in violation of the legislation. It required that the individual take down all of these decisions—and, as I understand it, the site is now inoperative—and required payment of compensation. Finally, the court ordered the individual, again in Romania, not to do it again, not to take any Canadian court or tribunal decisions and put them online in violation of the legislation.
One thing that I would note is that this decision—or at least the court case—was entirely uncontested, so there wasn't any nuanced understanding or discussion of countervailing interests, like the charter section 2(b) rights related to freedom of expression. The decision actually applied a provision in PIPEDA related to journalism that was found, in a parallel case in Alberta, to be unconstitutional, so I'm not sure we can necessarily take this as clear guidance that all of a sudden a right to be forgotten has been found in our legislation.
I generally urge caution with respect to this case, because the case itself was uncontested, or seeing it as attributing or injecting into our existing privacy law a right to be forgotten. I would also urge caution if the committee and others are looking to inject into our privacy law a right to be forgotten. For example, in many of the cases that we've seen coming out of Europe, the existence of the information on the Internet is entirely lawful, and the indexing of it is seen to be particularly problematic.
In the examples that Ms. Vonn mentioned, if the content underlying it is libellous, then, in fact, you can get an injunction to get that sort of content removed. Is it really the place to go after the indexer in connection with that particular problem?
Also, what needs to be noted and taken into account is that we have the right of freedom of expression in our constitution and guaranteed in our charter, but we don't have a right of privacy vis-à-vis businesses. So, if you attempt to do anything in this area, you're going to want to draft it for the purposes of surviving charter scrutiny, which is going to be difficult to do in the context of the right to be forgotten.
The next thing I'd like to talk about is the powers of the Privacy Commissioner. Based on my experience advising businesses in dealing with the Privacy Commissioner on a regular basis, I personally do not think it's a good idea to expand the power of the commissioner. The commissioner, in fact, has significant powers that are seldom used. If the commissioner were granted order-making powers or the ability to levy fines against organizations, his many roles would need to be closely examined in light of basic principles of procedural fairness and fundamental justice. The commissioner, not surprisingly, is an advocate for privacy rights. One should not lightly give one person or institution the powers of an advocate, an educational authority, an investigator, a prosecutor, and a judge. These functions are generally separated and are separated for a reason. It's an inherent conflict of interest to have the same person identify the bad guys, investigate the bad guys, prosecute the bad guys, determine that they are bad guys, and then punish them for being bad guys. We separate those in just about every instance. What we would end up with is, ultimately, something that looks like the Canadian Human Rights Commission, where you have a commission and a tribunal. I’m not sure you'd get many people advocating for an institutional structure like that for dispensing swift justice.
One thing that the Globe24h.com case actually does stand for is the ability of the commissioner, along with the complainant, to go to court. PIPEDA provides for an expedited application process. You appear in front of a Federal Court judge, and you put your case forward. The respondent has an application to respond—although in the Globe24h.com case, the individual declined to do so. The matter is determined by an impartial judge who has the ability to order an organization to change its practices. It has the ability to order compensation and damages. Those damages could, in fact, be punitive, but you'll note that most of it is based on wanting those powers to be remedial. I think that is, ultimately, a good thing.
One thing that I'm also concerned about is that if you were to reformulate the Office of the Privacy Commissioner, the spirit of collaboration and cooperation that I've generally seen would disappear. If the Privacy Commissioner is both the cop and the prosecutor, you would see businesses asserting their right to remain silent and, in fact, not cooperating in the same way that they do. In my experience—there may be other companies out there that aren't as co-operative as my clients—my clients are generally looking for a resolution; they are looking to negotiate something with the commissioner. That involves a fair amount of back and forth, and a fair amount of co-operation. If that role changes dramatically, then you're in a different environment entirely.
Finally, and just briefly, on consent, I would caution that although technology has gotten much more complicated and individuals' relationships with technology and the way that personal information is collected, used, and disclosed has gotten more complicated, any notion of abandoning the consent principle is, I think, problematic.
One aspect of it, for example, is the suggestion that everything should be opt-in, as Professor Geist suggested. I think we need to take a moment and think about how that actually plays out in many circumstances. For example, when Twitter launched, it had two options: your tweets could be public, or your tweets could be private. Many advocates say that the defaults of any new service, when it rolls out, have to be the most privacy protective. This would have meant that on day one when you signed up on Twitter, all of your tweets would have been protected. Those first users would have been yelling in an empty room. In fact, it was designed to be a public platform for people who want that. That was intended to be the default of Twitter, but if you wanted to, you could scale it back.
If there were a law that made it mandatory that your tweets be protected or that you had to implement the most privacy protective option, Twitter would have launched without protected tweets because they would have had to implement that. You ultimately end up with an option that is less privacy protective. We need to be cautious about where some of these decisions are going to take us, particularly in light of the enormous diversity of products and services that are out there.
I also really hesitate to implement any system that takes away an individual's choices. One of the great things, and one of the real core values, related to privacy is related to individual autonomy. There are those who probably don't mind the defaults—to kind of take them away in a particular direction. However, for those who actually take the time to understand or who are given the means to understand exactly what's going on with their information, they should always have the right to do that.
Thank you so much for inviting me to participate in this important discussion. I really look forward to the questions and answers.