Thank you very much and good afternoon. I very much appreciate the opportunity to share with the committee some of my personal thoughts about important issues of privacy that affect Canadians. As mentioned, I'm a partner with the law firm Fasken Martineau. I've been working in the privacy law field for 17 years—in fact, pretty much since PIPEDA came in. In this case, however, I'm appearing before the committee purely as an individual today.
I have read many of the transcripts of the evidence that has been given to date before the committee, and certainly you have heard from a very wide range of perspectives and experts in the field. I share many of the views that have been expressed to date, in particular the submission by the Canadian Bar Association, of which I am a member.
In very broad strokes, my perspective on the issues before the committee is that the existing consent and ombudsperson model under PIPEDA has been proven to be remarkably resilient, adaptable, and effective in achieving the purpose of PIPEDA, which is, of course, to recognize the right of individuals to privacy and the needs of organizations to collect, use, and disclose personal information. On balance, in my view, the model should continue, absent a compelling need for some legislative change.
As for what I do want to focus my brief remarks on, one of the unique aspects of my practice and experience is privacy-related litigation. I want to suggest to you that the developments in the courts in respect of privacy-related interests and claims, which have been very significant over the last five years in particular, form a very important part of the context in which PIPEDA operates, and as I'll suggest, the context in which any deliberations about changes to PIPEDA should take place.
In addition, in my review of the evidence to date, it does not appear that the committee has heard very much about the developments in the courts. I saw that there have been some references to some developments in passing, but in the interests of trying to contribute something a bit new that you may not have heard or focused on previously, I'll focus my opening remarks on that issue, although I am happy to answer questions on other topics.
As the committee is aware, under PIPEDA there is the possibility of going to Federal Court in respect of matters addressed in a commissioner investigation and report. The court has the power to award damages and other relief, and that power gives some additional teeth to the legislation.
I want to describe what I see by referring to a bit of a story that we have seen outside of PIPEDA, which emerged starting in or about 2010.
First, in or about 2010, we started to see a handful of cases going to Federal Court under PIPEDA, in which individuals were typically awarded $5,000 or less for privacy breaches. Most of those were what I would characterize as relatively minor privacy incidents. We have seen a continuation of those types of cases going to Federal Court under PIPEDA since that time.
However, in terms of where the significant developments have taken place, in or about 2012 and into 2013, what we have witnessed in Canada is really an unprecedented increase in privacy-related litigation activity outside of PIPEDA. These cases are not going through the commissioner's process and on to Federal Court. These cases are being brought directly to court through tort claims, contract claims, negligence claims, and other causes of action. They've been very significant in the range of issues that are covered.
We have many cases that have dealt with cybersecurity-related issues, from computer hacking to snooping in the workplace, lost USB drives and lost devices, alleged misuse of personal information for commercial purposes, and inadvertent disclosures of information. These have crossed both private and public sector boundaries. This real proliferation of litigation started in or about that time and was something that had never really been seen before in Canada.
I highlight further that this development was unprecedented both in terms of the volume of activity—so a lot more cases were being brought—and also, in particular, in the fact that they were being brought not just by individual complainants but also through class action litigation. There are currently many cases that have been brought and a number of class actions that have been certified. A few of them have now been settled, and this litigation activity continues.
Significantly, the developments, in that respect, have meant that many cases that might otherwise have gone to the commissioner or through the PIPEDA process are, instead, just going directly to the courts. In my submission, that's something that can't be ignored in assessing some of the issues that I know are on your mind in terms of potential areas for change in PIPEDA, which I'll come to in just a moment.
The expectation, I would add, is that the litigation trend is going to continue because of the mandatory breach notification provisions, which may yet come into force in PIPEDA. The idea is that as more notifications are required to be given by organizations with respect to privacy breaches, we will see individuals seeking legal advice, and potentially more litigation claims being brought in the wake of notifications being received. That is the expectation.
In terms of how this relates back to some of the questions that I know are on the table with regard to changes in PIPEDA, among the reasons that I suggest this significant development that we've seen over the last five years is relevant is that, for example, it responds to a suggestion that in the absence of enhanced powers for the commissioner, under PIPEDA, organizations will not or might not take privacy compliance sufficiently seriously. It's often touted as one of the reasons in support of doing that.
Certainly in my experience, organizations are taking privacy seriously, but I point to the litigation-related development as part of the broader context in which these issues are being addressed. Those potential claims present very real legal risk—to real dollars having to be spent to deal with those issues and, ultimately, of course, potential liability for a wide range of privacy breaches. The courts have taken on a very significant role in shaping privacy protection in Canada at a practical level in that respect.
I'd further suggest, in terms of other areas of relevance of this development—and I know it's been highlighted by the bar association—that this broader context is also important in terms of assessing the question of adequacy in relation to the GDPR that's emerging from the EU.
I'll stop my remarks at this point. Of course, I'd be happy to take questions on that topic and the others on your mind, but I wanted to contribute that piece in particular, as I haven't seen it reflected much in the testimony to date.