Thank you very much.
Good morning, committee members. Thank you for the opportunity to address you on the matter of Bill S-4, which proposes amendments to PIPEDA.
My involvement with this legislation goes back to its genesis with the CSA model privacy code and the subsequent initiatives to legislate voluntary standards. As a lawyer with the Public Interest Advocacy Centre at the time, I was a public interest representative on the committee that drafted the code. I later advocated for legislation that eventually took the form of PIPEDA.
I have been closely involved with PIPEDA ever since, first in my role as a consumer advocate with PIAC and later as director of CIPPIC, both of whom I understand you have already heard from. In particular, I have conducted studies of private sector compliance with PIPEDA. I have lodged a number of PIPEDA complaints with the Privacy Commissioner. I have taken the Privacy Commissioner to court in order to establish that she had jurisdiction to enforce PIPEDA against foreign corporations acting in Canada. I published a study of security breach notification laws in 2007. I've been urging the government to adopt mandatory security breach notification laws since 2003.
Today I am speaking on my own behalf as a lawyer and privacy advocate. The last formal submissions I made on PIPEDA reform were in 2008 in my role as director of CIPPIC. Those submissions focused on three issues: security breach notification, protection of minors, and compliance and enforcement. The analysis and proposals made in those comments remain apt today, and I would be happy to provide copies of that submission to anyone who is interested.
I'm happy to see that the government has seen fit to address all three of these issues in Bill S-4, but I am disappointed that the measures in each case fall far short of what is needed. I will address each of these three topics briefly, but before doing so I would like to address an elephant in the room. That elephant is consent.
There is a pretense that companies are obtaining informed consent from customers to the collection, use, and sharing of their personal data. But anyone who takes the time to study what is actually going on will quickly see that this is, to a large extent, a fiction and that meaningful consent is rarely obtained from consumers.
Negative option consent is commonly used but rarely brought to the attention of customers. Consent is in fact often assumed simply by virtue of use of the service. Changes to privacy policies are simply posted on the company website and customers are expected to inform themselves. No one really expects individuals to read through lengthy, complex terms of service for every transaction. People simply don't have the time. If they do take the time to read the terms, they may find that they are notionally consenting to have their personal data used for purposes such as—and I'm quoting here from privacy policies that I've looked at—research, marketing, product development, and business purposes. In further violation of PIPEDA, many companies are refusing to deal with customers who won't agree to unnecessary uses of their personal data, such as marketing.
A reality check is needed on what is happening in the marketplace with so-called customer consent. In the meantime, proposed section 6.1 is a helpful qualification on what the law already requires. It may have some positive effect on what is, in my respectful submission, a widespread disgrace.
However, the current wording of proposed section 6.1 could actually have a perverse effect on the protection of children or seniors. If you read the clause, you will see that it fails to protect vulnerable populations to whom an organization's activities are not directed. All that a company needs to do to exploit children is to direct its activities to adults and then turn a blind eye to the fact that children are signing up. A simple fix is to revert to the earlier wording of this clause found in Bill C-12. However, if if the aim is to protect children, a much more effective approach is simply to prohibit certain uses of personal data about children.
I have a few words on breach notification. This is long overdue, and it will certainly be an improvement on the current situation. But are the proposed rules going to be effective? Breach notification is about more than notifying individuals. An equally important goal is to create incentives for organizations to put in place strong security safeguards.
In order to create such incentives, there needs to be a real risk of significant financial harm to a corporation from failing to put in place adequate security measures. This is the test you should be applying to your assessment of the proposed breach notification regime: is there a real risk of significant financial harm to corporations from non-compliance?
I am not convinced there is. Fines apply only to failure to report or failure to keep records and require cumbersome proceedings and proof of intent. Civil lawsuits are too costly to make sense in most cases, and the Privacy Commissioner may be dissuaded from using publicity for this purpose as a result of subsection 20(1.1), which prohibits disclosure of breach notification reports. I do not understand that section.
Until there are real financial incentives for corporations to take appropriate measures to prevent breaches from happening in the first place, and to otherwise comply with privacy laws, non-compliance with PIPEDA will continue to be a cost of doing business in Canada.
I'd like to finish with a few comments on private investigations. I am very concerned that, if the proposed changes to the current investigative body regime exception go through, this bill will actually set back privacy protection in Canada.
I will not repeat the able submissions of my colleague Dr. Geist on this subject, but let me just point out that in the new world of cheap data storage and powerful data analytics, the only limits on how far companies will go in their efforts to detect fraud, criticism, or contractual breaches will be what you put in this law. With today’s technology, it’s less costly to gather more data and to apply analytical tools to a large database than it is to restrict the intake of data to that needed in the first place.
In this context, insurance companies and other companies will, no doubt, argue that it's reasonable for them to conduct what amounts to broad and deep surveillance of their customers in order to detect fraud.
Paragraph 7(3)(d.2) would allow just that. It requires no formal investigation. The disclosure just needs to be reasonable, not even necessary as in the previous formulation in Bill C-12. This provision would open the door to routine sharing of personal data among organizations based on nothing more than the always present risk of fraud. Moreover, there would be no transparency or accountability requirements. It would be a major setback for consumer privacy.
I understand that this amendment was based on the Alberta model, but I looked at the Alberta model, and subsection 20(n) of the Alberta statute is not as permissive as this. It actually limits sharing to certain kinds of organizations.
I urge you to remove these clauses from the bill and stick with the current investigative body regime. I also urge you to adopt the transparency measures that my colleague Dr. Geist recommended.
Thank you very much.