Industry Committee on March 10th, 2015

Perhaps I could jump in.

I have three points in answer to your question. I agree with everything Dr. Geist just said.

The first point is to put in place hard limits where we can. For example, when it comes to protecting children and seniors, just say in the act under subsection 5(3), which is already a hard limit but is vague, that it include no marketing of children or seniors; no collection, use, or disclosure of personal data of children and seniors for marketing purposes. That's already in the marketing industry's code of conduct. Put it in the legislation.

The second point is on real consent. As Dr. Geist said, forget this fiction of negative-option consent. Require express opt-in consent for all non-essential uses of customer data, including marketing. What I found in my research is that companies across the board are now including marketing as one of their primary purposes of collecting our data in order to provide the service we've asked them to provide. They are now treating marketing as a primary purpose. They're certainly not getting express consent. In many cases they're not even getting negative-option consent; they're not even letting us opt out of that.

The third point is on order-making powers. As Dr. Geist said, penalties should be easy to impose. Penalties should not require intent, proof of intent, and quasi-criminal proceedings, but should be administrative monetary penalties such as what the anti-spam law is using.

Just to elaborate a little bit and maybe take it to a slightly different place and come back to some of the things we were talking about before, one of the advantages of having penalties is that penalties generally are reported: company X was fined by the Privacy Commissioner. It's not just the monetary hit, but the reputational hit. Companies that have bad practices and bad procedures will have to pay a price for it. They will pay the price in terms of the fine, but they will also have to pay a price in the marketplace. As for deals with the private sector, companies don't want to be obviously and consistently deficient in protecting the personal information of their customers.

You are the politicians. You've presumably all used your various party data bases. You know that there's a lot of information collected on a lot of people. One of the problems is that parties are not subject to any restrictions on this. All the various penalties and protections we've been talking about here in terms of the private sector don't apply to political parties, at least not at the federal level.

Again, I would offer you the example of the situation in British Columbia, where the parties are subject to the act and where we have seen the process in action, with the commissioner conducting investigations and issuing reports as a result of complaints about how personal information was being dealt with or about party procedures. The parties have changed the way they deal with things and life goes on. I think everybody involved has a better feeling of how the system works. At least we know that there is some level of protection. If something goes wrong or we feel uncomfortable, we do have an avenue of redress, which doesn't exist right now at the federal level.

No, I was not.

No, we did not.

Well, we were not asked.

No, I did not. I was not invited and I did not appear or participate at the Senate stage.

However, I believe both CIPPIC and PIAC did, and they made a number of the same points that I'm making now. When I look back at the debates, many of these points were made at that stage, and I just don't understand why those amendments were not made by the Senate.

Sure. I'll do that. I'd also like to just note a couple of things. The commissioner did not appear before the Senate committee on Bill S-4. Because of the long delays in getting a commissioner appointed at that time, there was no commissioner, but people from that office were in a position to appear because it had been studied. So the commissioner actually didn't appear on Bill S-4.

In terms of lengthy study, with respect, let's be clear. The committee began a review of this bill in November 2006, and by May of 2007 it released its report.

We got first reading of Bill C-29 in May 2010. A second reading took until October. There were never any hearings held on Bill C-29.

The next bill that was introduced was Bill C-12, which was the second attempt at this bill. It sat at second reading for two years without moving forward. There were no committee hearings held on it.

We finally now have Bill S-4, on which there were two sets of hearings. Four days were allocated to this piece of legislation within the Senate: one day for the minister to appear; another day for clause-by-clause; two days for hearings. So if we're going to talk to witnesses about not having appeared, frankly, there were very, very few witnesses who had the opportunity to appear at all. This is, with all respect, not a well-studied bill. It is a bill that has now come through three times, and in most instances there has been no study whatsoever. When the Senate had the chance to hear on this bill, there was not even a privacy commissioner in place to deal with it, due to the long delay in finding a new commissioner to replace Commissioner Stoddart and later acting commissioner Chantal Bernier.

With respect to the commissioner's support, yes, I too can cherry-pick particular comments from the Privacy Commissioner about where the commissioner supports the legislation, but I can also note that the commissioner's office has been consistent in saying that it finds it problematic with respect to voluntary disclosure, and yet that hasn't changed, and in identifying a number of other improvements.

So the question is this. Is this a well-studied bill that we ought to get on with? With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

I have another quick point, which is that, as I mentioned at the beginning of my prepared remarks, the government has decided to refer the bill to this committee before second reading. Presumably, that is because it is open to amendments beyond the statement of principles of the bill. I find your remarks a little puzzling in terms of the difficulty that could ensue if amendments were to be made. Presumably, the government and the government House leader would have been aware of those difficulties when they in fact took the unusual step of breaking the normal process of things, and referring Bill S-4 to this committee before second reading.