Evidence of meeting #52 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was consent.
A recording is available from Parliament.
5:10 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
To push back a bit, though, is that what the position of the U.K. Information Commissioner looks like? Maybe it does; I'm less familiar with that. But if that commissioner has have a capacity to level a $250,000 fine, that strikes me as more effective than the current powers our current commissioner has.
If you take a differing view, what is the problem with the U.K. commissioner's powers in terms of their model? But maybe you're not familiar with it.
5:10 p.m.
Partner, McInnes Cooper, As an Individual
No, I'm not familiar enough with the structure of the U.K. office.
5:10 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Okay.
You mentioned court damages in sections 14 and 16 of PIPEDA in relation to one another. Do you think court damages are sufficient deterrents? Here I would just note that the last case I really remember as a law student was Ward and the $5,000 in damages awarded for an illegal strip search. That struck me as a pittance for a severe privacy breach, so are court damages sufficient do you think?
5:10 p.m.
Partner, McInnes Cooper, As an Individual
Maybe one of the things to address is whether or not it's adequate that only one individual can go to court in connection with any particular complaint. But it's modelled on being compensatory, so a judge, an independent person, with all of the evidence in front of him determined, in that case, that $5,000 was adequate.
The Ontario Court of Appeal has said that the general damages available for harm to feelings in connection with a privacy breach range from a nominal amount to $20,000. Those are the damages that have been assessed by our legal system, which I don't have a whole lot of reason to question.
5:10 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
One rationale for remedies is compensation and another is deterrence, so when we look at our recommendations with respect to empowering the Privacy Commissioner, it strikes me that greater deterrence is perhaps warranted.
You had some concerns with respect to the opt-in model that Mr. Geist had raised. When we had the Privacy Commissioner before us, he spoke of meaningful consent. If we do not go for an opt-in model, how do we improve the existing model to ensure meaningful consent?
5:10 p.m.
Partner, McInnes Cooper, As an Individual
There may, in fact, be a little bit of confusion. When you talk about privacy by default, where automatically, without the person doing anything else, they're going to follow the most privacy-protected thing, that is going to work on a whole lot of services, but it might not work on all.
In our legislation, as it's currently drafted and if properly implemented, the second principle says that you have to identify the purposes for processing, collection, use, and disclosure of personal information.
The next principle says you have to get consent, and we now have a clear articulation that consent has to be meaningful. There is some flexibility in that the form of the consent has to be based on the sensitivity of the information, and that doesn't necessarily mean you only get opt-in consent for the most sensitive stuff. It's a continuum. There are certain things that are inherent in the use of a service that are just kind of part and parcel—do you need an affirmative check box? If I go to Chapters-Indigo and order a book, do I have to opt in for them to use my address that I've just given them to ship me the book? It's completely obvious in that transaction, and you should be able to imply that consent, but secondary use, for example, using my name and address for marketing purposes for some other purpose, seems to be a sensible opt-in.
One of the great things about the legislation is the fact that it's based on principles and that it's relatively fluid, and it's going to work in the Chapters model, in a bank model, and in a telecom model.
5:15 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
This will be my last question. You mentioned the importance of choice and not deviating from the consent model for that reason. It strikes me, as terms of use get more complicated and we're opting into so many different services, that there is an existing model already in Ontario that has lasted for decades. In the Sale of Goods Act we talk about implied warranties, and there are standard terms the consumers cannot opt out of; businesses cannot allow consumers to opt out of them, for consumer protection. Do you think the same principles could apply with respect to privacy?
5:15 p.m.
Partner, McInnes Cooper, As an Individual
I'm not sure you'd find it a complete analogue, and I would hesitate to bake something into concrete when the technology is going to move and consumer expectations are going to move. But I do think it does make some sense to have some “if these are your default practices”, so “this is your standard terms of use”, or “this is kind of a standard privacy policy”, which is an expectation that you don't need to do anything additional to get additional consent. But if you deviate from that, then perhaps it does make some sense to bring that to the individual's attention. Among the defects that are identified, I don't think a lot of companies are fulfilling their obligations under PIPEDA well enough with regard to identifying purposes. We could all do a better job. There is discussion of short-form privacy notices, like the nutritional labels, just-in-time notification, which is something I advise my clients about—nobody is going to read your privacy policy. You can't rely on that to be the foundation for your identifying purposes and consent. When you have a form and you're asking for information, you have to make it clear to your consumers at that time what you are going to do with that information. Otherwise privacy policies are just a legal fiction.
5:15 p.m.
Conservative
The Chair Conservative Blaine Calkins
All right, colleagues, the bells haven't started yet, but I'm looking at the screen and the Speaker is reading the terms of the motion right now, so the bells will start momentarily. We will operate on that assumption.
First of all, I would like to apologize to our witnesses. These things happen from time to time, but thank you very much for your consideration and patience as we deliberated today.
If there is anything else you think we should know, or some answers you wish in hindsight that you had given us, please submit that information to the committee, and please follow our progress on the study of PIPEDA. If anything else comes across your mind that you think would be to the benefit of all Canadians, please let us know.
Thank you very much.
The meeting is adjourned.