Evidence of meeting #54 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
Conservative
The Acting Chair Conservative Pat Kelly
We're down to 10 seconds, so I'm going to move over to Mr. Blaikie.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Thank you very much.
I want to start by returning to something that Mr. Young had said about tying the fines and penalties for breaking the law on the privacy of information to a proof of intention. I just wonder if that's exactly what you meant, or if that—
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Having to prove the intention of breaking the law in order to to be able to assign penalties, and I'm wondering if that's—
Principal, David Young Law, As an Individual
How do you ascertain intention? Is that the issue?
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
I'm wondering if it becomes too high a threshold, really, or what you have in mind.
Principal, David Young Law, As an Individual
No, not really. In fact, I've had colleagues who have suggested it may be too weak a threshold.
To give you an example of that theory, organizations intentionally take steps to comply with privacy law. They develop privacy policies, procedures, a whole infrastructure. If ultimately the commissioner concludes that it's not compliant, is that intentional breach, they've intended to do that?
It's very easy to say...and quite frankly I think there has to be an intentional element if you're talking about a fine. You don't fine somebody for negligence unless it's gross negligence.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
What I'm trying to understand is when you talk about having, for instance, law enforcement be in charge of the investigation and then law enforcement is trying to prove intent. I appreciate that for a company that in good faith honestly tries to observe people's privacy and they develop a system and in the end it's found not to be adequate, slapping them with the maximum fine may not be fair treatment.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
But wouldn't it be important at that point to try to divorce the charge of having an inadequate system from the penalty? Wouldn't it make more sense to—
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
—consider intention with respect to how to assess the fine and not whether or not there has been a breach or whether or not they have an appropriate regimen?
Principal, David Young Law, As an Individual
I pulled out the Alberta act, and that's what the Alberta act says now. It says, intentionally breach the provisions of this act. I'm not sure about the Quebec act, but other than that it's the only law we have in Canada that actually imposes fines for breach of the legislation.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Right. For instance, I know that in other areas, like rail safety for instance, there is legislation on the books. Part of the issue and why the legislation is rarely used, or why there are not many successful cases prosecuted under that act—whatever safety violations are potentially out there—is because trying to prove that the company had the intent of causing harm is just simply too high a threshold to meet.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Would we not be at risk of repeating something similar if that were the way that we—
Principal, David Young Law, As an Individual
If you don't use intent, what are you going to use?
We have already, imminently, that it is going to be an offence for failure to report a breach, and that's just failure to report the breach.
In part, the response to what you've described is the very substantial scope for due diligence. In criminal law and in any regulatory law, it's actually part of the law. It doesn't have to be written in, but it is written into.... Look at the anti-spam legislation, for example.
To answer the example you gave, I think that would be the best way you'd respond to that.
I hope the committee has understood that I think the system works well...and notwithstanding Ian's example of the Facebook, because Facebook responded. He didn't like how they responded, so how would an order-making power deal with that? They just kept doing what they were doing but they put a privacy notice up, and blah, blah, blah.
The system has worked well, in my view. However, I understand there is pressure to consider more higher enforcement powers. I'm saying the commissioner could very easily, under its existing model, convert its recommendation power or add an order-making power to that. He basically does that now. He really does that and much more so than in 2007.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
I wonder now, just because I only have so much time, if we could hear from Professor Kerr on that point and then we'll come to Mr. Parker as well.
Ian Kerr
Sure, and I'll try to keep my remarks on this brief.
In terms of your question about intention as being too high a standard, I tend to agree with that. If we hold the standard of proof so high—and those kinds of things are difficult to make out—if we take it almost to a level of a criminal standard, and we know criminal standards to be higher.... Mr. Young, I think rhetorically, asked the question, if it's not an intentional standard, what would it be? I would suggest that in the same way that the general approach to the reasonable expectation of privacy is an objective standard based on notions of reasonableness, and we have a whole area of private law that regulates harms to people on the basis of reasonable foreseeability and other aspects of an objective standard, we could certainly come to find some level of fault-finding that isn't at the level of intent in the way that you're suggesting.
Advisory Consultant, Risk Masters International Inc., As an Individual
With regard to intent versus event, we can look at some of the FTC rulings, particularly on CVS Pharmacy. One store didn't train their employees properly, didn't give patients access to their own medical information in that drugstore, and there was a $4.5-million fine for 53 events that occurred.
So the event, not the intent, was the threshold they appeared to apply in that case.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Okay.
For my last question, I want to follow up on that question of digital exhaust, which, if I've understood correctly, is that if I give my information to one company under a certain umbrella, and then they own that information, what can they do with that information? Can they sell it to another organization?
Advisory Consultant, Risk Masters International Inc., As an Individual
Digital exhaust is what's left over. You executed the transaction and bought the goods, but you left a time-stamp on there as to when you did it. You left your credit card information on there or on PayPal or however you paid for it. You have all of these other pieces of information, which they can sell.