Evidence of meeting #59 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was bluekai.
A video is available from Parliament.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Thank you very much, Mr. Chair.
Thank you, Mr. Chapell, for being here for the committee today.
Would you say you're fairly well versed in the Privacy Commissioner's mandate as it now stands in Canada, and in what her roles and responsibilities are and what the general interaction is with the business community—probably with many of your clients—and so on? Would you say that you're fairly well versed in what her role is currently?
Outside Counsel, Privacy Officer, BlueKai Inc.
I believe I'm fairly well versed.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Given that, and given some of the things we're looking at as a committee—her role and the interaction—one of the concerns I have is that sometimes government, even though it may be with the best of intentions, tends to overregulate or to set parameters that actually stifle innovation and creativity.
One of my biggest concerns about social media and so on is that the technology changes so rapidly. I'm not always quite sure that government can keep up with the rapidly changing things that are going on in social media and related sectors.
From your testimony, it sounds as though you would say that your organization is pretty much operating in a more self-regulatory environment, that you're trying to do your corporate best to make sure you're respecting privacy issues, and that you're operating in an appropriate environment, etc.
Is it a strong enough model, in your opinion, to make sure we're all endeavouring as well as we can to protect people's personal privacy while also making sure that the people who are more expert in keeping up with the technological change can react to it a lot faster than we, as parliamentarians, can in trying to come up with laws and chasing after things have already happened? Do you have any more advice in that regard for us?
Outside Counsel, Privacy Officer, BlueKai Inc.
I agree with everything you just said.
I might add that the challenge with creating legislation in a quickly changing technology environment is the proverbial law of unintended consequences. It is generally thought of as a bad idea for the government to pick winners or losers in an emerging media, or really in any marketplace. The challenge with just about any type of legislation is that, almost by definition, it's outdated by the day it's enacted.
The beauty of self-regulation, if there's an adequate enforcement mechanism, is that it can continue to grow and morph around the innovation that's going on in the marketplace.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Has BlueKai had any direct interaction or involvement with the Office of the Privacy Commissioner in Canada, either through its contacting you and saying it had a concern over something or it had heard something or somebody had made a complaint to it about the organization? Have you had any interaction like that with our Privacy Commissioner in Canada?
Outside Counsel, Privacy Officer, BlueKai Inc.
We have not directly.
I believe there was some interaction about two and a half years ago. I chair the privacy committee of a group called the Mobile Marketing Association. We were building out some standards a couple years ago, and I believe there was some interaction. It was not directed interaction on my behalf. That's just so you know that there was at least some interaction going on there, but we have not received a complaint.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Was that more to get some advice or that the office was offering some public education to your organization? Were you seeking some advice from the commissioner's office in drafting some guidelines that the industry itself could look at using? Was it more as a resource to your organization? Was that the primary role at that time?
Outside Counsel, Privacy Officer, BlueKai Inc.
Yes, it was. I think the office was kind enough to offer some of their insights to the Mobile Marketing Association.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Did you find that to be a helpful role for that office? Was that helpful to you folks in coming up with some guidelines? To go back to the self-regulatory regime, were our Privacy Commissioner and her staff able to provide good, helpful advice to you, to help you craft the model that you're using?
Outside Counsel, Privacy Officer, BlueKai Inc.
Absolutely.
To be clear, though, I did not have direct intervention; there were folks on the team. I mean, in any multi-stakeholder process there will be a number of groups that interact. I believe the interactions were very valuable.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
This is my final question, Mr. Chair, before I turn it over.
This relates to a trip to Washington by some of the committee members. We met with some excellent organizations, including the FTC and others.
From your perspective, is there anything in the United States that they may be doing well that we could learn from? Is there any advice from your interaction as a company there versus here that we could learn from that you think is particularly helpful, or is it true what we heard from a lot of the organizations that we met with—that in this area Canada is actually quite a bit ahead of the United States in a lot of respects?
Outside Counsel, Privacy Officer, BlueKai Inc.
I think I would agree with the latter. In some respects, I think, we could learn from what you folks in Canada are doing.
In the discussions around self-regulation for online behavioural advertising, to my understanding—again, this is not direct, but I've talked with a number of folks who were involved—the discussions were much less contentious. There was a recognition that there needed to be compromise on all sides.
I feel very confident that the net result will be a program that finds the right balance. Sometimes in the United States we haven't always met that goal.
NDP
The Chair NDP Pierre-Luc Dusseault
Thank you, Mr. Butt.
Mr. Chapell, I want to thank you on the committee's behalf for your willingness to meet with us and help us with our study.
We will suspend the sitting for a few minutes. We will then hear from the Privacy Commissioner.
Thanks again.
Outside Counsel, Privacy Officer, BlueKai Inc.
Thank you, sir, and thank you to the committee. It was an honour.
NDP
The Chair NDP Pierre-Luc Dusseault
We will continue our meeting.
I want to thank Commissioner Stoddart and the two people accompanying her—Ms. Bucknell and Ms. Bernier—for joining us. We have been working on this study for a while, and we have heard good things about you. I wanted to mention that before your begin.
You will have 10 minutes to make your presentation. As usual, a question period will follow. The committee members will most likely have some questions for you. I now yield the floor to you.
Jennifer Stoddart Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Mr. Chair, thank you very much for your invitation to appear again at the very end of your study, which we have been following with interest.
I'm joined today by Chantal Bernier, assistant commissioner, who directs our day-to-day operations, and Barb Bucknell, strategic policy analyst, who is a specialist in social media. They will, I hope, help me answer your questions.
Honourable members, I'd like to start with an overview of privacy challenges.
Over the last few months, I believe you've heard from an array of interested parties on the benefits and the challenges of social media. When I first appeared in May, I noted the four areas of privacy protection where we had the most concern. These were accountability, meaningful consent, limiting use, and retention. It's noteworthy that the witnesses who appeared before you have largely agreed that these areas are challenged by social media. Where they tended to differ, I understand, was on the adequacy of the tools available to address the problems.
Also noteworthy was the extent to which children and youth privacy permeated the discussions. Many interesting ideas were put forth with respect to digital literacy as well as possible legislative responses.
Mr. Chairman, I would like to commend the committee for its insight and forward thinking in holding this particular study.
Today I want to address the key comments that have emerged from your hearings. I will begin with enforcement powers.
The most important question put forward throughout the study was whether PIPEDA is up to the task of handling the challenges brought about by changing technology. Most witnesses felt that PIPEDA needs to be modernized. Others took the position that PIPEDA does not need to be changed, that its enforcement model works, and that its technology-neutral character is its strength.
In my view, with the emergence of Internet giants, the balance intended by the spirit and letter of PIPEDA is at risk. The quasi-monopoly of these multinationals has made PIPEDA's soft approach, based on non-binding recommendations and the threat of reputation loss, largely ineffective, I believe. We have seen organizations ignore our recommendations until the matter goes to court. We have seen large corporations, in the name of consultation with my office, pay lip service to our concerns and then ignore our advice. Moreover, with vast amounts of personal information held by organizations on increasingly complex platforms, the risk of significant breaches and of unexpected, unwanted, or even intrusive uses of that information calls for commensurate safeguards and financial consequences not currently provided for in PIPEDA.
New incentives, including changes to the enforcement model, are required to encourage organizations to be proactive, to build upfront protections, and to ensure secure treatment of individuals' personal information. I agree with the witnesses who stated that PIPEDA's strength is that it is technology-neutral and principles-based. These are characteristics that must remain.
I also agree—at least in part—with those who noted my office's success in bringing organizations into better compliance with the law. We have made use of the tools the law provides, and we have been able to effect some change—but often after an arduous effort. That effort comes at high cost to Canadians and is less and less effective against powerful, multinational companies.
You heard the arguments that my office cannot be judge, jury and executioner. In response, I would point you to some of my international and even provincial counterparts.
The United Kingdom commissioner can issue fines, as can a number of the international data protection authorities listed in the document I have submitted today. In the United Kingdom, my counterparts have stronger enforcement powers, but that has not precluded an ombudsman approach. Fines are issued where a softer touch has failed. Our counterparts tell us that businesses that invest in adopting good privacy practices from the start feel it is only fair to impose a financial burden on those who do not, in order to even the playing field.
Commissioners in Quebec, Alberta and British Columbia have order-making powers and jurisdiction over the private sector. They also have other duties—prescribed by law—that enable them to perform multiple roles, such as educator, adjudicator, enforcer, advocate, and so on. I have noted that witnesses before this committee had only good things to say about their relationship with the commissioners. Witnesses have said that the Canadian model was the envy of many countries around the world.
What others like about our law is that it does not single out sectors and is non-prescriptive. Yet, given that many of my international counterparts either have stronger enforcement tools or are requesting them, it is not our enforcement model they are admiring.
Indeed, I worry that, if my counterparts continue to gain stronger powers, but Canada does not, we will fall behind in inspiring consumer confidence needed for the digital economy to thrive.
At the least, we must start with mandatory data breach notifications—including financial consequences for egregious cases. Increasingly, other countries are implementing similar legislation. Such requirements would reinforce accountability and, with penalties, provide financial incentives to better protect Canadians' personal information. Such penalties should be flexible and adaptable to circumstances, so as not to unduly burden smaller organizations.
I'd like now to talk a bit about digital literacy.
Another key theme that has emerged from your hearings is the importance of digital literacy. I believe that the moment has come for government, for educators, and for our communities to seriously focus attention on the digital education of all Canadians of all ages.
Such an effort must address the broader societal and ethical issues that are raised by new information technologies but that fall outside data protection law per se. People need to understand that information on the Internet can live on forever and that they should be careful about what they post about themselves and others. That being said, digital literacy does not absolve companies of their obligations under privacy law.
In conclusion, Mr. Chairman, given the global nature of today's digital economy, Canada's federal law needs enforcement powers comparable to those in other jurisdictions. That is the way to have the greatest impact on privacy protection and to improve Canadians' confidence in their online environment.
A law that dates back to a time before social networks and smart technologies were created cannot remain static. The ways in which personal information in this environment can be collected and used by many players makes a formal study of the effectiveness of our privacy framework even more pressing, so I strongly urge Parliament—and this committee particularly—to move forward with a review of the legislation, PIPEDA in particular.
Thank you very much for inviting me once again, and my colleagues and I would be happy to try to answer your questions.
Merci.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Thank you very much, Mr. Chair.
Ms. Stoddart, thank you for joining us today.
After hearing all the testimony, I'm happy to hear your comments now. Differing opinions have been voiced. We have even heard opinions of international scope. That has really been useful to us.
You recently stated in the media that the Bill C-12 provisions on data breaches did not sufficiently protect Canadians' personal information. You even said that, under those circumstances, you could not fully support this bill.
Could you tell me what amendments should be made to the bill to adequately protect Canadians' personal information?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Thank you for the question.
I officially met with the Deputy Minister of Industry Canada this past spring. I told him that things had changed a great deal since Bill C-12 was introduced in the House—over two years ago, I think. We discussed that, at the time. I said that other countries had implemented legislation and that, in its current form, Bill C-12 was not an adequate solution to the constant and growing threat of data leakage and data-related breaches of confidence. At the very least, we could consider the prescribed threshold, but even more importantly, we should establish a penalty system—even impose fines—which would encourage investments in data protection and would act as a deterrent to breaches of confidence.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Thank you very much.
A number of witnesses pointed out that you did not have enough power. You also talked about that during your presentation. Even when we went to the United States, people said that the Canadian commissioner was doing excellent work, but that she needed additional powers to successfully fulfill her mandate.
There are many lawsuits against companies like Facebook because that is the only available recourse. If your powers were expanded to allow you to issue orders and impose fines, what would be the best model to follow? We have the examples of Alberta, Quebec and Ontario. Is one model preferable to the others? Do you think one of them works better than the others?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I think it would be preferable for the committee to look at different models. There are various options available, and we have to take into account administrative penalties, fines and the possibility of asking the Federal Court for statutory damages.
In the interest of administrative stability, the least cumbersome model—and therefore the preferable one—is the status quo. Once again, I think the committee should look into this issue. If the need arises or it becomes necessary, the commissioner's office could ask the Federal Court to issue an order. That would not fundamentally change the whole operational model.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Thank you.
My next question is about the difference between implied and expressed consent. That has been discussed a lot throughout this study.
Do you think it is possible to demand that businesses or social networking companies use a system where expressed consent is required across the board? Is that technically possible and is it advisable?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I will have to ask Ms. Bucknell to answer.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
She has spent days, even months, working on this issue. I think that depends on the kinds of matters or contexts where consent is required. This applies in some cases, but not in others.
Ms. Bucknell surely has something to say about that.