Information & Ethics Committee on March 21st, 2017

No, I'm not familiar enough with the structure of the U.K. office.

Maybe one of the things to address is whether or not it's adequate that only one individual can go to court in connection with any particular complaint. But it's modelled on being compensatory, so a judge, an independent person, with all of the evidence in front of him determined, in that case, that $5,000 was adequate.

The Ontario Court of Appeal has said that the general damages available for harm to feelings in connection with a privacy breach range from a nominal amount to $20,000. Those are the damages that have been assessed by our legal system, which I don't have a whole lot of reason to question.

There may, in fact, be a little bit of confusion. When you talk about privacy by default, where automatically, without the person doing anything else, they're going to follow the most privacy-protected thing, that is going to work on a whole lot of services, but it might not work on all.

In our legislation, as it's currently drafted and if properly implemented, the second principle says that you have to identify the purposes for processing, collection, use, and disclosure of personal information.

The next principle says you have to get consent, and we now have a clear articulation that consent has to be meaningful. There is some flexibility in that the form of the consent has to be based on the sensitivity of the information, and that doesn't necessarily mean you only get opt-in consent for the most sensitive stuff. It's a continuum. There are certain things that are inherent in the use of a service that are just kind of part and parcel—do you need an affirmative check box? If I go to Chapters-Indigo and order a book, do I have to opt in for them to use my address that I've just given them to ship me the book? It's completely obvious in that transaction, and you should be able to imply that consent, but secondary use, for example, using my name and address for marketing purposes for some other purpose, seems to be a sensible opt-in.

One of the great things about the legislation is the fact that it's based on principles and that it's relatively fluid, and it's going to work in the Chapters model, in a bank model, and in a telecom model.

I'm not sure you'd find it a complete analogue, and I would hesitate to bake something into concrete when the technology is going to move and consumer expectations are going to move. But I do think it does make some sense to have some “if these are your default practices”, so “this is your standard terms of use”, or “this is kind of a standard privacy policy”, which is an expectation that you don't need to do anything additional to get additional consent. But if you deviate from that, then perhaps it does make some sense to bring that to the individual's attention. Among the defects that are identified, I don't think a lot of companies are fulfilling their obligations under PIPEDA well enough with regard to identifying purposes. We could all do a better job. There is discussion of short-form privacy notices, like the nutritional labels, just-in-time notification, which is something I advise my clients about—nobody is going to read your privacy policy. You can't rely on that to be the foundation for your identifying purposes and consent. When you have a form and you're asking for information, you have to make it clear to your consumers at that time what you are going to do with that information. Otherwise privacy policies are just a legal fiction.