Thank you very much for providing me with the opportunity to speak to you today.
My name is Éloïse Gratton. I am a partner at Borden Ladner Gervais. I also teach a privacy law course at the University of Montreal law faculty.
I've been practising in the field of privacy law for over 15 years and I represent a range of clients, mostly private sector businesses from various industries. I appear today in a personal capacity, representing only my own views and not the views of my firm or its clients.
My time is limited, so I'm going to first mention two provisions in Bill S-4 that have my support, and then two that raise concerns.
I offer my support to two important provisions in the bill: mandatory breach notification and the business transaction exception.
I have concerns with two provisions in Bill S-4, the first one being the clarification on valid consent. I know that many have appeared before me to discuss Bill S-4 and they have expressed their approval of the proposed amendment to clarify the requirements for valid consent.
Yes, in theory, not many people would logically object to having more stringent provisions governing valid consent; still, I have a few concerns with this proposal.
PIPEDA currently requires that consent be reasonably understandable by the individual. The questions that should be asked are: do we have a concern with this consent requirement, and if so, will the proposed amendment address such concerns?
If the proposed amendment is accepted, the message sent to organizations is that the way they used to get consent may no longer be valid and that perhaps they should be taking additional steps.
PIPEDA is based on a “notice and choice” model that may prove to be a real challenge in 2015. In my recent book Understanding Personal Information, I have a chapter dealing with the challenges with this notice and choice approach. I was raising that in our day and age, it is debatable whether this model still makes sense and is a realistic one. Very busy individuals with limited time are expected to review, understand, and agree to various different—sometimes online—terms of use agreements, and keep up with new technologies and business models constantly evolving.
We have also already begun witnessing how consent forms are now requiring a few additional clicks to ensure that express consent is obtained in compliance with the new Canadian anti-spam law, since under this law certain information has to be brought to the attention of the user separate and apart from the standard terms of use agreement. I am mostly concerned that this type of amendment will be translated by organizations into additional verbiage in their already very long privacy statements and into requiring more clicks from users already overloaded with information.
I also have some reservations about the two new proposed paragraphs 7(3)(d.1) and (d.2), which would allow an organization to disclose personal information to another organization without consent in certain circumstances, although I understand in some situations the necessity for this proposal.
A few files have landed on my desk over the last few years in which this type of provision would have come in handy. One example worth noting was the case of Stevens v. SNF Maritime Metal. It's a case that ended up in the Federal Court in 2010. This was the case of SNF, a company purchasing scrap metal from another company. That company's employee, Mr. Stevens, opened a personal account with SNF and started selling a high volume of scrap metal to them. SNF disclosed the fact to his employer, who was already suspecting that someone was stealing scrap metal from them. The company realized that its employee was indeed stealing from them. They fired him and the employee then sued SNF for breach of his privacy.
Although SNF was probably right to disclose this information to its client, it was nonetheless a technical breach of PIPEDA, since they had disclosed personal information about Stevens, the fraudulent employee, to his employer and their business partner without his prior consent.
The bottom line is that I agree that we need to have a provision authorizing the disclosure of personal information without consent to address these types of situations. Still, given the way the proposed provision is drafted, I am concerned that the amendments could lead to excessive disclosures, used for broad purposes justified under the investigation of a breach of an agreement provision, or the purposes of detecting fraud provision. These disclosures would further be invisible to both the individuals concerned and to the Office of the Privacy Commissioner.
If we could find a way to minimize the risk of over-disclosing, while including a provision under which companies disclosing in such a situation would have to be transparent about these disclosures, I would offer my support to this type of amendment.
Thank you. I welcome your questions.