Information & Ethics Committee on Nov. 20th, 2006

Thank you, Mr. Chairman. I'm delighted to be here today to discuss this legislation with you.

You've already asked me probably the afternoon's toughest question. The answer is that we call the bill “PIPEDA”, but I too have heard all kinds of variations. Whether or not you want to adopt our pronunciation is up to you.

You may wonder why Industry Canada is responsible for this particular piece of legislation. Let me tell you that we started worrying about the digital economy long ago. We anticipated the creation of databases and electronic commerce, the whole digital economy that goes with the Internet. We thought there should be pretty reasonable and clear rules of engagement in the marketplace in the so-called digital economy, particularly online. That's why we introduced this bill way back, after many years of trying to get consensus on what the provisions of this particular legislation might be.

As you know, a lot of people on the outside are very eager to appear in front of you to share with you their advice on how this legislation has been performing, and perhaps to give you their suggestions for improvement; you can always improve things.

With your permission, then, I would like to have Richard Simpson take you through a slide deck. I believe you all have copies of this particular deck. It tries to lay out what this act is about and the provisions in it. After that, maybe we can open up the discussion.

A lot of it is to take away and read. We will go very quickly through it.

Richard.

Thank you and good afternoon.

You have received copies of the document that we will refer to as we provide an overview of the legislation.

I'll go through the individual slides, as you've suggested, Mr. Chairman, quite briskly. Please stop me if you want to ask a question at a particular point.

If you look at the first slide, which shows in graphic format the size of the online marketplace in Canada, the key point is that the protection of personal information is a core element in the legal framework for a global networked economy.

The next slide gives you a brief chronology of work that has been under way for a number of years on privacy protection, both here in Canada and internationally. Some of the key dates are 1984, when the Organisation for Economic Co-operation and Development, the OECD, issued guidelines for the protection of privacy and transborder data flows. This is quite important, because it has formed the base for privacy protection laws in several jurisdictions, including Canada and many European countries in the European Union.

The second date, 1996, the CSA Model Code for the Protection of Personal Information was released. You'll see in a moment that this is a core component of Canada's national legislation on privacy and the privacy regime in Canada generally.

The other dates really take you through the phased implementation of PIPEDA. It initially came into force in January 2001. It was extended to the health sector in 2002, but only came into full force in January 2004.

PIPEDA has two main parts, as slide 4 points out and as you've already pointed out, Mr. Chairman. The first provides the privacy protection obligations under the act. Parts 2 to 5 comprise the section dealing with electronic documents, and this part has a number of provisions that enable more effective use of electronic technologies within the federal government administration. It amends the Canada Evidence Act, the Statutory Instruments Act, and other legislation, and has a number of provisions that allow government departments to make use of e-business and electronic commerce techniques in their day-to-day administration.

Part 1, for privacy, actually sets the rules for the private sector in protecting personal information. If you look at the summary statement of the purpose of part 1 on slide 5, you can see that part 1 establishes these ground rules governing “the collection, use and disclosure of personal information”. You'll hear those words used quite often. The different rules regarding collection, use, and disclosure of personal information are set out quite clearly in the act.

The act balances two central considerations that are also contained in that statement of purpose: the need to protect the privacy of individuals and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. This really reflects the business reality that personal information is routinely used by consumers, businesses, and other organizations to conduct trade and commerce, and even more so in an online world.

On slide 6 we have tried to outline for you the key features of PIPEDA. First, it applies only to personal information and only to personal information that's used for commercial purposes. This is quite important in terms of defining the area and scope of the legislation.

Second, a very important feature is that this is built on a private sector code. It's a self-regulatory initiative, as it were, taken from the Canadian Standards Association. It's built on the CSA Model Code for the Protection of Personal Information, which, as I mentioned, was adopted before the legislation came into force. It's technology-neutral, although it certainly relates a lot to the way in which electronic technologies are now using and manipulating personal information and data generally. It applies to personal information in all formats, electronic and non-electronic. It applies across the economy as a whole; therefore, it has a broad marketplace scope and does not apply just to individual sectors. It's not based on criminal law and enforcement, but is enforced through the Privacy Commissioner of Canada and the Federal Court.

There are other key features. Just as important is what PIPEDA does not apply to. It does not apply to non-commercial activities or to non-personal information. There's a lot of data out there in electronic and non-electronic form that is not personal information and is not captured by the legislation. It doesn't cover any government institution that is subject to the federal Privacy Act. That's a different act; it is within the scope of this committee's interest, I know, but it is separate from the rules in PIPEDA. It does not cover employee records in the provincially regulated private sector. And there are a number of other areas that are not captured by the legislation.

The essential requirements and obligations under the act, as slide 8 points out, are cited in sections 3 to 5 in the law, but the real obligations are laid out in schedule 1, which, as I mentioned, is the CSA Model Code for the Protection of Personal Information. Subsection 5(3) has a further qualification about the need for a reasonable purpose test. You'll hear about that from many people.

The model code, schedule 1 of the act, has 10 basic principles. I won't go through all the details of those for you, but I think probably first among equals on that list is the need for consent. All privacy legislation, not just in Canada but in many other countries, is founded on the principle of consent.

There's also a number of principles--purpose, limiting collection, limiting use--which really points to the need to define purpose and limit the use of personal information when it is collected. That is sort of a matching set to the requirement for consent.

There's a number of provisions relating to access to ensure the reliability and accuracy of information that is maintained on a person.

If I may interject, Mr. Chair, it took about 10 years to get consensus of all parties--private sector, consumers, government--to come up with these ten commandments of privacy. I have to tell you this is the core understanding of the big policy issues that are embedded in this particular act.

Slide 9 points out that the act contains a number of exemptions relating to the consent requirement, which is contained in section 7, and also to the individual's right to access personal information, which is contained in section 9, and the bullet points out what those exceptions are.

The responsibilities and powers of the Privacy Commissioner, outlined in slide 10, are consistent with the role of ombudsman that the legislation assigns to the Privacy Commissioner. The Privacy Commissioner does not have the authority to make binding orders. She investigates complaints that are received or acts on her own initiative. She has a number of other powers, including an audit power. She publishes an annual report that comes to Parliament, as you know, since she is an officer of Parliament, and she has a number of responsibilities for both promoting the act, privacy protection, and educating the public. How the Privacy Commissioner's responsibilities are undertaken is a very important element of the legislation.

Slide 11 points out that the Federal Court acts as a backstop to the Privacy Commissioner with a number of responsibilities, eventually including the need to deal with an appeal by a complainant or the Privacy Commissioner on a particular finding. It also has some other powers, as you go to slide 12. As issues are taken before the Federal Court, there are some powers that the court can use to take action against organizations in violation of the act. But you can see that the number of points here make it clear that this is aimed at intentional and deliberate behaviour in violation of the law, such things as obstructing a commissioner in an audit or an investigation, rather than a regular exercise of power by the court.

In slide 13, PIPEDA also sets out—

That's correct; they're offences that are specifically contained in the act on which the court can take action.

Slide 13 sets out responsibilities for the Governor in Council. Some of these are very important to the functioning of the act. One of these powers is to make regulations to specify investigative bodies. A number of steps have been taken over the last few years to recognize private sector organizations that, by virtue of their responsibilities in legislation or in law, have to investigate and therefore have to both collect and disclose personal information

A second regulation power is to specify or define publicly available information. These are measures we can talk about in more detail. They're all contained in the regulations that have been distributed to the committee. You can find in there the operating definitions of publicly available information as well as all our investigative bodies' regulations.

The Governor in Council may also, by order, bind agents of the Crown to the act. This was really just a housekeeping measure, Mr. Chairman, in 1998 to ensure that certain crown corporations that were not subject to the Privacy Act would be subject to PIPEDA. This was to make sure there weren't gaps in federal crown corporations' being governed by privacy rules in one domain or the other.

The second power is to exempt from the act organizations that are deemed to be subject to substantially similar provincial privacy rules. The policy published in the Canada Gazette in August 2002 on that is also contained in your documentation, I believe.

Substantially similar, as we go to slide 14--and this may be worth focusing on for a moment--was a means Parliament put in place for aligning federal and provincial privacy laws around a single set of ground rules for data protection. Those rules would be the CSA model code, and they would apply across the economy as a whole.

In paragraph 26(2)(b), you see a power whereby the Governor in Council can exempt organizations that are subject to provincial laws considered “substantially similar”. In this case, the provincial regime for privacy protection would apply within that province, rather than the federal law.

The established criteria for “substantially similar” were to incorporate the CSA model code—those 10 principles—to provide for independent and effective oversight, and to restrict the collection, use, and disclosure of personal information to purposes that are appropriate or legitimate.

You'll see on the bottom of the slide that four provinces now have substantially similar provincial laws in place, and therefore those provinces have exemptions from PIPEDA: Quebec in 2003; the provinces of Alberta and British Columbia in 2004; and Ontario, in respect to their Health Information Protection Act, in 2005. So four laws have been recognized as substantially similar.

Essentially what this does is accommodate provinces that choose to legislate in respect to privacy protection, while allowing the federal law to apply in those provinces that choose not to do so.

As I mentioned, the Quebec privacy law was recognized as substantially similar in 2003. The Province of Quebec, however, has given notice of a constitutional challenge to part 1 of PIPEDA, which has to do with the clarification of the federal trade and commerce power in relation to provincial jurisdiction over property and civil rights. Although some documents have been filed, Mr. Chairman, the court still has not heard the constitutional reference. We expect that will occur sometime later in 2007.

That's correct.

There have been documents filed. The court asked for affidavits to be filed by...I forget what the original date was. Initially the federal affidavit was filed in early 2005, I believe. Or was it earlier? Yes, it was in March 2005. That was then followed by a request for an affidavit from the Government of Quebec, which filed its affidavit in July 2006, and we have filed an affidavit in 2006.

You're right to think about the amount of time that has transpired since the original reference. I think that's partly because essentially it's business as usual in the province of Quebec, since their act has been recognized as substantially similar. The provincial privacy commissioner does exercise authority as beforehand within the province. It has been mainly the time it has taken for some of the litigants to put the material together.

Yes, and we're informed, Mr. Chair, that they've asked for another extension.

That's correct.

The Quebec government.

The Department of Justice.

The Department of Justice.

Yes, it is.

No.