Information & Ethics committee  Yes, I think there is. For example, PIPEDA provided for the situation where, when a subscription to a magazine is expiring, organizations would be following up and remarketing that magazine to individuals. I think it is possible. I wasn't thinking particularly of secondary marketing.

Information & Ethics committee  No, not sharing the information with third parties, except in situations where third parties are providing a service to the organization. I think when you're sharing information, you need express consent.

Information & Ethics committee  I'm not an expert in that field, but PIPEDA does impose very clear responsibilities on organizations with regard to the securing of information, safeguarding information, and proper destruction of information when it is no longer needed. That varies in terms of how long you have to retain information, the level of sensitivity, and so on.

Information & Ethics committee  Within the staff of the organization, within our advocacy team, we have people who focus on the issue of privacy. As well, we have our own privacy officer within our organization to make sure that we ourselves are doing things. Of course, we also have outside counsel, through David here, advising us on privacy issues, especially those related to the digital developments.

Information & Ethics committee  In much the same way you would in terms of following the literature out there and what's happening.... We also have marketing councils that deal with a variety. There's a digital marketing council, a branding council, and so on. Those councils are following very closely the changing technologies and trends within the various disciplines of marketing, so it's through mechanisms like that within the association.

Information & Ethics committee  They have, to some extent, a more stringent consent model. We would suggest it's not as innovation friendly, for example. On the GDPR, the comment I would want to make is that adequacy is not the same as being identical. It would be premature for Canada to move to make changes to our privacy law before having consulted with Europeans going through the process.

Information & Ethics committee  Certainly negative publicity, the impact with customers, and all of these things are incentives to compliance. I'd also point out that the commissioner does have other powers, as I mentioned in the submission. The commissioner, to make an important point, can go to the Federal Court.

Information & Ethics committee  You observed that people come forward and make the case, but they seldom point to glaring examples of where it isn't working. In my submission I tried to talk about all of the successes of the current structure, the collaborative structure that has existed in the ombudsman model to develop guidelines with the commissioner's office, the breach guidelines that were in place for seven or eight years, developed in collaboration with civil society, stakeholders, businesses, and others.

Information & Ethics committee  Typically high-risk and sensitive information certainly includes financial information or types of health information. Various categories of information are sensitive. Children's information by definition, because of the group in that instance, can be sensitive. I think it depends on context.

Information & Ethics committee  I think it would. It may be possible to do that in the context of the existing regulations, I believe. PIPEDA does have regulation-making powers for the government. The Privacy Commissioner can seek to have regulatory changes that would help in that regard. Go ahead, David.

Information & Ethics committee  For sure, smaller organizations are challenged. Everything you say is true. Proportionally, it can challenge smaller organizations, but I think they will move forward. A lot of education needs to flow regarding things like the breach notification requirements of PIPEDA. Again, this is one of the reasons we have our current framework, with the ombudsman model and the Privacy Commissioner, as an advocate and educator, getting out there to these communities and ensuring that they're up to speed.

Information & Ethics committee  I think they could always do more, but I think they do a pretty good job. They have tools for small businesses on their website, so I think they do try and they do a pretty good job. Could they do more? There's always more needed, as well as working with organizations like ours, the chambers, the Retail Council, and so on.

Information & Ethics committee  It wasn't really to differentiate. It was to point out, for example, how the new breach requirements revolve around the concept of organizations reporting a breach where there is a real risk of significant harm, organizations having to make a judgment, and imposing that accountability on organizations.

Information & Ethics committee  It's very much supportive of innovation. The way PIPEDA is now framed, it's designed for the kind of collaboration that is needed on a wide range of the innovative activity happening out there. To try to create a prescriptive law that deals with all the different areas that are evolving out there will just not be possible.

Information & Ethics committee  I don't know that we were touching on the GDPR in our brief, but we were suggesting that it is challenging. Obtaining consent in the world in which we're operating today is indeed a challenge. We have touchpoints every day where individuals and organizations are asking us if we've read the privacy policy.