Thank you, committee members.
My name is Vincent Gautrais. I'm a law professor and lawyer, and the director of the Centre de recherche en droit public at the University of Montreal. I have the L. R. Wilson Chair in Information Technologies and E-Commerce Law.
I'm very pleased to be speaking for the second time before this committee regarding issues related to the Personal Information Protection and Electronic Documents Act, and to be participating as a Canadian in this democratic exercise.
Last time, in June 2012, the committee invited us to provide a general response to the legislation. This time, Mr. Therrien's letter dated December 2, 2016, is guiding us through certain points to consider. Therefore, I'll refer to the four topics presented in his document. For my first ten minutes, I'll focus on the first point regarding consent. I've worked a great deal on the electronic contract issue. It was the subject of my doctoral thesis, in another century, about 25 years ago.
I think, and with regard to certain proposals presented before, the current situation is relatively ridiculous. Many people have made this unfortunate observation. There's hardly any debate. We know that nobody reads privacy contracts or has a reasonable possibility of reading them. There are no space limits for contractual content on a screen. The contracts are therefore extremely long. While the Supreme Court is proactive and creative in many cases, it didn't seize the opportunity to fight against this clearly detrimental practice in 2007, during the Dell Computer case. It's too bad.
It's too bad since, over time, consent has lost its initial purpose or initial goal. At first, it was designed to protect individuals by giving them some control over their own data. Instead, consent has become a way to protect the companies that use the data. Companies can now completely free themselves of any contract by burying their obligations and methods in page after page. Information is like oxygen. Yes, it's necessary, but when there's too much, you can't breathe anymore.
In light of this failure, what should we do? On that note, I want to introduce three elements. The first is the format. It's possible that things would be better and that individuals and citizens would be better protected if they had to formally express their intention and if the user had to accept a de facto situation first. That's the debate between opt out and opt in, which has already been presented to you, the committee. I think the debate underscores the classic opposition regarding the matter, since the second term, opt in, provides more protection than the first term.
Unfortunately, although I've liked the idea for years, I think the opt in solution has a few limits. Even a clear contract remains inaccessible to the average person. The contract is inaccessible as a result of its length, the fact that we don't read the same way on a screen, the very complicated legal terms, the hyperlinks that constitute invitations to “get out” of the contract, and so on. The process moves fast, and internet users are expecting that speed. In addition, the functional illiteracy rate often makes it unrealistic for people to read contract clauses. The promotion of the opt in solution first and foremost emphasizes the expression of consent and, to a lesser extent, beforehand, the contract's readability.
Recently, an American researcher showed that clickwrap, which involves clicking an “I accept” button, rather than the frequent browsewrap, which involves having the privacy policy somewhere on the company's website, had practically no impact on whether a document was read. The researcher showed that only 0.36% of people read the contract further, which again, is negligible.
In that sense, the appearance of strips—you've all seen them—at the bottom of websites, which indicate that users accept those infamous cookies, is seen more as an irritation to the reader than as a tool to protect the individual.
Second, this wariness regarding consent can also be verified on its merits. I don't think we can consent to everything. In contract law in general, even though there are rules for abusive clauses, for example, this situation is rarely verified when it comes to the protection of personal information. The consent clauses currently available on the Internet are filled with stipulations that clearly go against the interests of individuals. Judges rarely verify these clauses.
What happens when a company asks an internship candidate—this has already happened in a lawyer's office—to consent to providing his Facebook password so that the company can find out what the candidate has written on his profile? An actual study showed that 48% of users would be ready to exchange their password for a chocolate bar. However, we can't consent to everything, and I think we need to have some control over certain parts of the contract.
Third, regarding consent, in some situations, consent can't be provided in practice. This is true for artificial intelligence. I want to challenge a company to properly explain to its users how their personal information is used in the context of big data. That's why, in terms of the deconstruction of this contractual reflex, the cases where consent isn't necessary or required must be increased. For example, sections 67 and 68 of Quebec's Act respecting Access to documents held by public bodies and the Protection of personal information mention cases where so-called “information-sharing agreements” allow for the use of personal information without the consent of the people concerned. Therefore, the two bodies agree on the use of data.
Rather than asking for almost fictional consent, it would be better to present the case to Office of the Commissioner representatives, specialists, and privacy experts. They are best suited to assess the guarantees the company wants to provide to compensate for the use of the data. Your committee proposed this information-sharing agreement solution for the public sector legislation, the Privacy Act, in a recent report dated December 2016, in paragraph 2.2, recommendations 4, 5 and 6.
Through these three areas of examination, namely, the format, the substance, and the release from consent cases, we've tried to make consent less sacred. As noted by a British writer, we need to leave behind “contractual fetishism”.
This brings me to my second point, which will be much shorter, given the lack of time. You'll have understood that I tend to think users have limited control. Individuals can't do much. They can do a bit when it comes to the contract, but not much. Also, where should this control be exercised?
As mentioned by a number of previous speakers, obviously we must have—it's a no-brainer, as Mr. Kerr said—an Office of the Privacy Commissioner whose powers are much more significant than the Commissioner's current ones. The Office of the Commissioner is able to negotiate changes in attitude with regard to international players, and it did so very well with Google and Facebook. However, the current legislation is known for its incredible inability to allow the Office of the Commissioner to take action, in comparison with the legislation of other organizations.
I think the Office of the Commissioner's powers should be increased. The increase must result in the ability to impose financial penalties, as mentioned by a number of people. These penalties could have a more specific impact on reputation. Surprisingly, unlike the vast majority of legal decisions in Canada, the Office of the Commissioner's decisions are anonymous and the names of the companies never appear and are redacted and hidden.
I won't address the third point regarding online reputation. First, this issue has been widely discussed. Also, when I spoke in 2012, I was able to raise concerns regarding the notion of the right to be forgotten. We should be very wary of how this notion can be applied and of its impact on other fundamental rights and freedoms.
Lastly, I want to say a few words about the adequacy of articles 25 and 26 of the 1995 European directive and now article 44 and the subsequent articles of the 2016 European regulation.
It's certainly important to consider working more closely with our European partners. The perception of privacy in that region is interesting. However, I think we shouldn't be too dazzled by how privacy is viewed in Europe. Privacy is a cultural issue, and this view differs from our own. We can look at what's going on in Europe, but we must maintain our Canadian identity.
In short, we need to further integrate the new technology, make consent less sacred, maintain our Canadian identity and ensure the legislation is somewhat less “decorative” in terms of penalties.