Thank you, Mr. Chair.
Thank you for this opportunity to contribute to your work on the revision of the Personal Information Protection and Electronic Documents Act.
I will be giving my presentation in both languages and would be happy to answer questions in both as well.
In my presentation, I will refer to the Personal Information Protection and Electronic Documents Act as the act.
My starting point is the letter that the Privacy Commissioner of Canada sent to you on December 2, 2016, bringing to your attention four possible areas of intervention. I will add my observations from my experience as a privacy regulator and now as a lawyer in the private sector.
The first topic concerns valid consent.
Last summer, I submitted a brief further to the Privacy Commissioner's consultations on consent. I concluded that the current system of consent of the act is adequate for two key reasons. First, it has the rigour necessary to obtain valid consent. Second, it has the flexibility to ensure that consent applies to the various applications that exist on the Internet.
Consider section 6.1 of the act, which states the following:
the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
That means the act truly allows for the complexity of the Internet, without specifying the modalities, thereby making it possible to adapt the principle to any application that emerges.
The act also recognizes the possibility of implied consent. Specifically, pursuant to section 4.3.6 of schedule 1, implied consent is acceptable in certain circumstances.
In my brief, I point out that enhancing consent involves privacy policies, which must meet three specific criteria, in my view. First, they must be written in accessible language. Second, they must be adapted to the organization. Third, they must be structured for easy consultation. This does not require any legislative change.
Furthermore, there is an improvement that does not require, but would benefit from, a legislative change. It would be to specify in the act, as European law does, that anonymization is a way to exclude personal information from application of the act.
I make that suggestion because, very often, in privacy policies, I see a paragraph advising the reader or consumer that de-identified personal information will be used for purpose X or Y. That is pointless. When identifiers are severed from the information to prevent identification of the individual, the act does not apply. I think it would be helpful to make that clear, as European law does.
The second concern brought to your attention by the commissioner is a widely shared one. That's the protection of reputation online. However, the issue is only partially in federal jurisdiction. Most of the harm that occurs to reputation online occurs not within the framework of commercial transactions but within the framework of personal relationships, which come under provincial legislation.
I will give you examples of five pieces of provincial legislation that may be helpful in that regard, and one piece of federal legislation.
Regarding provincial legislation, in British Columbia, Manitoba, Saskatchewan, and Newfoundland and Labrador, there are specific acts that say that the violation of privacy can be an actionable tort. In Quebec, a judge can prescribe measures to stop harm to reputation online.
At the federal level, there is the Protecting Canadians from Online Crime Act, which, as you know, criminalizes the online dissemination of intimate images without consent.
So there is a framework in which you can have some tools to stop harm to reputation online, but there is a legal void that remains. That legal void could perhaps be addressed through the federal act. That would be by creating—on the model of European law, and as mentioned by the commissioner in his letter—a right to be forgotten, meaning the right to erasure of certain information.
Such a provision would reduce the dissemination of personal information harmful to reputation and therefore would add some protection. In order to properly control its scope, however, I suggest that it be strictly framed with this beacon in mind: that this right to erasure would apply only to any display of personal data declared by a court as a violation of the right to privacy, with possible injunctions to stop the dissemination during trial. Still, I believe it is important to give it some solidity rather than leave it as discretionary and a burden to the platforms.
Given the seriousness of the damage to online reputation and in spite of the limited nature of federal jurisdiction in this matter, you may want to explore how the federal act could be amended to include the right to erasure as a method of reducing harm to reputation online.
The third issue brought to your attention by the commissioner concerns his enforcement powers. From my practice at Dentons, which is the biggest law firm in the world, I practise privacy law on a world level, which means that I see very concretely the disparity between the enforcement powers of our commissioner, which are actually absent, and those of his counterparts.
I cannot but observe the hold that other commissioners have on business because they can impose fines of millions of dollars. The Federal Trade Commission, for example, in the same investigation as our commissioner, can impose millions of dollars in fines, while our commissioner can only make recommendations.
France can impose fines of 300,000 euros and, interestingly, just this past February 7, Russia has increased tenfold the fines under privacy law. It's still not a big number. It's from 10,000 rubles to 35,000 rubles, which equates to about $1,600 Canadian, but it shows a trend toward increased enforcement powers. The New Zealand privacy commissioner has now recommended to his government $1 million in fines for privacy violations.
As you may have heard, the European regulation, which will come into force on May 25, 2018, does provide for fines of up to 4% of a company's global revenues.
That said, the Canadian commissioner's office is performing quite well, especially with the right to name companies, because reputation is such an important asset. On the one hand, we have to weigh the advantage of this ombudsman model, which, according to the private sector, favours collaboration between regulators and business, and the worldwide peculiarity, I would say, of our commissioner.
However, I have to tell you that in my experience as both a regulator and a privacy counsel to business, I do not see enforcement powers as the determining factor in collaboration, but rather good faith on both sides. That's what really matters.
Also, the imposition of sanctions is not necessarily bad for the private sector, because it evens the playing field. You have good organizations that invest the money up front and, therefore, get good results on privacy protection, and you have negligent organizations that fail to make the upfront investments and, therefore, pay the fine at the end. A lot of good organizations will tell you, “Thank you. You've just evened the playing field.”
That said, comparing the enforcement powers of the Canadian office with the rest of the world favours an upgrade, but I would like to put some parameters around that.
I encourage you to explore the possibility of creating a power to impose fines, but framed rigorously as follows. First of all, I think the fine should be imposed only if there is evidence of negligence. Incessant attacks and uncertainty in the breadth and scope of the law mean that organizations cannot be required to ward off every blow. It's unfair.
Secondly, the fine should be payable, obviously, to the receiver general. There are some data protection authorities where the fine is payable to the data protection authority. It creates a conflict of interest. It should be subject to the Federal Court. Obviously, and this is of huge impact, it has to be appealable.
Finally, as in the case of the European regulation, I would favour the fine being a percentage of annual revenues, because the use of personal information is part of profits. Therefore, the misuse of personal information should be part of financial loss. There is a logic there that I believe recognizes the monetary value of personal information. Secondly, it matches the investment that is required to be made upstream and leaves the issue of damages to the courts, where that would be more appropriately dealt with.
The fourth subject that the commissioner brings to your attention is, in my view, the most urgent. Why? Because it concerns the new European General Data Protection Regulation, which will come into force on May 25, 2018. The regulation considerably changes European legislation on personal data protection and puts our adequacy status at risk. Allow me to explain.
The issue is economic. Canada has adequacy status with Europe, which allows Canadian companies to receive European data without any other form of authorization. This is a crucial competitive advantage. We could lose our adequacy status for two reasons. First, the new regulation provides for the review of adequacy status every four years, which means that our status will be questioned. Second, we will be evaluated against the standards in the new regulation, which are very different from those in the current federal legislation. The problem is that our rules are not in line with the new regulation.
In short, we could lose a major competitive advantage. Canada is the only North American state to have adequacy status with Europe, so I encourage you to consider the issue.
On that note, I would be happy to answer any questions you have.