Evidence of meeting #46 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

Also speaking

Chantal Bernier  Counsel, Global Privacy and Cybersecurity Group, Dentons Canada
John Lawford  Executive Director and General Counsel, Public Interest Advocacy Centre
Alysia Lau  Legal Counsel, Public Interest Advocacy Centre
Éloïse Gratton  Partner and National Co-Leader, Privacy and Data Protection Practice Group, Borden Ladner Gervais, As an Individual
Robert Dickson  Consultant, Former Saskatchewan Information and Privacy Commissioner, As an Individual

5:10 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Does this relate to an order-making model for the Privacy Commissioner? Would you lean toward that?

5:10 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

Yes, absolutely. If there were a requirement to either produce a retention policy or to erase information, and a company refused after that time to make the policy or to erase the information, then we're looking at.... If people are concerned about jumping straight to large fines, you've seen the anti-spam legislation and the do-not-call list. The authorities in those cases have a spectrum of enforcement. They don't have to start with a million-dollar fine, but can start with warnings and notices and guidelines, and work up from there to fines and various larger fines. We think it could work.

February 14th, 2017 / 5:10 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

What we heard in part throughout today's discussion is the issue of how do you write legislation that anticipates the evolution of technology? That's a tough one, but because of the notion of a retention schedule, could you write legislation that would force companies to request your approval for an extension of their holding your information they had been given in one way or another? In other words, you would hear back within five years from all of the places that somehow had your information, to the effect that they would have to sunset it unless they got your approval. Does that sound like something the legislation could include?

5:10 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I think you could include that. I imagine the Privacy Commissioner might give you an interesting point of view on this, perhaps on Thursday. It may involve a lot of auditing and checking up on the matter, but to at least have this would give some certainty.

It's rather like saying that there shall be a five-year retention policy by default; it's similar. It's possible, then. You might ask the Privacy Commissioner when he is here.

5:10 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

I have to refer back to the problem of writing legislation; it's so hard. I can see that we have an interesting bit of a conflict in what has been presented.

Mr. Dickson, you said that if you can't tell media to take stuff down.... What is your feeling about our ability to take command of the issue?

5:10 p.m.

Consultant, Former Saskatchewan Information and Privacy Commissioner, As an Individual

Robert Dickson

I think it's difficult, for all of the reasons that have been discussed already. You see the Privacy Commissioner of Canada attempting to address the mischief, recognizing a problem and attempting to deal with it. We've seen the Federal Court attempting to address this through the one case. I'm afraid it doesn't admit of an easy remedy—or a foolproof solution, if you will.

5:15 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Why did you give up on or not complete the report in Saskatchewan?

5:15 p.m.

Consultant, Former Saskatchewan Information and Privacy Commissioner, As an Individual

Robert Dickson

All I know is that the Privacy Commissioner of Canada had hired an organization to do the work. I had liaised with the assistant commissioner Denham in developing it, we rolled it out in Saskatchewan, there were a number of meetings with business organizations and small and medium-sized businesses, and we certainly received intelligence and input and feedback through that process. Then there was some issue, I think, between the consulting firm and the office that had hired them, and at some point I think the contract was terminated. I wasn't directly involved in that.

It was unfortunate, because it was an interesting exercise and helped to probe in a part of the country in which there isn't a provincial private sector privacy law and PIPEDA was the law that applied. It's important that it have traction in all parts of Canada, and we found lots of evidence—it was manifest—that there wasn't a great deal of traction in that one province, and I suspect not only in that one province.

5:15 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Thank you very much.

5:15 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you, Mr. Bratina.

I'll be doing the next five minutes on behalf of my political organization. I'm going to ask all my questions up front. I have a question basically for each of you.

First of all, PIAC, you mentioned Mr. Owen Charters, president of the Boys and Girls Club of Canada. In your submission you said that these tracking tools follow our children as they surf the web collecting data about their behaviour and interests and that it's often sold to marketing companies.

Do you have a source for that? I'd like to know where that information is.

5:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

That's a quote from him. I'd be happy to provide the Wall Street Journal article to the clerk.

5:15 p.m.

Conservative

The Chair Conservative Blaine Calkins

That would be great. I would appreciate it.

5:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

5:15 p.m.

Conservative

The Chair Conservative Blaine Calkins

We might want to invite him here to talk about that kind of information.

5:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

5:15 p.m.

Conservative

The Chair Conservative Blaine Calkins

The next question I have for you—and I'll go directly to you—has to do with paragraph 25 of your submission to the OPC. You mention the implementation of standard privacy preferences and a trustmark system.

I will ask you my question and then I'll move on and you can answer it later. Is there a voluntary or industry-led preference or trustmark system right now?

Mr. Dickson, my question for you deals with medical health records.

Is it not in the public interest to retain public health records for a very long time even in the case of individuals, simply because I don't know whether some day down the road any of my genetic information might be useful to my children, my grandchildren, and my great-grandchildren, and so on? For health research and all those other kinds of things, it might be a good idea to keep those electronic health records in perpetuity, balancing the weight of the public good.

My question for you, Ms. Gratton, deals with the European Union.

I believe it's a policy of the European Union not to have any of their own directives or initiatives within the European Union influence the domestic policy of other countries they are dealing with; for example, in regard to non-tariff barriers. I'm wondering whether the European Union's privacy legislation is going to do exactly that: influence our ability to trade with them, simply because their own internal directive is forcing a conflict between foreign and domestic policy for Canada.

My question for you, Madame Bernier, is this. You talked about the offence being commensurate with the revenues of the organization. A not-for-profit organization might have lots of data but doesn't have a lot of revenue; a voluntary organization might have a lot of data but doesn't have any revenues; you may have a small company that has a lot of data that might do a massive amount of harm but which has small revenues; and you might have a large corporation with large revenues that does a small amount of harm, and they might be paying more for an offence than a small organization would that does a lot more harm.

Could you square that circle for me?

I'll leave it up to you guys to go with your questions.

5:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I guess we'll go from our left to our right. There are some private trustmark systems. Some have come up and gone down over the years. I know there is AdChoices, an American example, which is also followed by the Association of Canadian Advertisers. I believe Alysia mentioned Ann Cavoukian leads one for Privacy by Design.

5:15 p.m.

Legal Counsel, Public Interest Advocacy Centre

Alysia Lau

Yes, there is one. It's a partnership between Ryerson University and Deloitte.

5:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

Overall, we think that if there is a trustmark system, it would be good to have. Let's call it a blessing by the Privacy Commissioner, who has looked at this voluntary one and believes it's a good approach that would be helpful because it would increase consumer trust.

5:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

Go ahead, Mr. Dickson.

5:20 p.m.

Consultant, Former Saskatchewan Information and Privacy Commissioner, As an Individual

Robert Dickson

Generally speaking, when it comes to record retention, privacy laws provide that it's not appropriate to retain information because somewhere down the road you may come up with another purpose for the information. You collect information for a specified purpose. This is fundamental to all privacy law.

When the original purpose for retaining the information has been met, you destroy it.

In practical terms, that means that in virtually every province with a stand-alone health information law, there's a requirement that custodians or trustees must set a record retention schedule. It's usually influenced by legal advice about how long there's a potential legal liability and then the records are to be destroyed.

There's also a provision in every one of those stand-alone health information laws that provides that application can be made to a research ethics board or a research ethics committee for access to information for specific projects.

As the law currently stands, it is not appropriate and not lawful to retain information, because somewhere down the road my personal health information may be useful to my grandchildren or their children.

Part of what's happening is that, as genetic science increases, that information about my health or your health today becomes more valuable. That's going to be a challenge for you and legislators going forward. Currently, there's not the kind of provision that you might like to see.

5:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Fair enough.

Your turn, Ms. Gratton.

5:20 p.m.

Partner and National Co-Leader, Privacy and Data Protection Practice Group, Borden Ladner Gervais, As an Individual

Dr. Éloïse Gratton

Yes, I believe that the EU, clearly, is imposing its privacy standards. I do have some concerns with that.

Moreover, I think we have to consider the fact that every four years, it's going to be re-evaluated, not only in light of PIPEDA but also in light of our national security legislation. That's something to think about.

Last month, there was an article published by Gabe Maldoff and Omer Tene, U.S. academics, who noted that, in light of the recent European decision in Schrems, it's not clear that Canada still passes that test.

So I think we should be focusing on our issues and not bending that much.

5:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Madame Bernier, if we could have your response quickly, please.

5:20 p.m.

Counsel, Global Privacy and Cybersecurity Group, Dentons Canada

Chantal Bernier

First of all, just to clarify, on fines PIPEDA only applies in the context of commercial activities, so there is always a revenue attached to the personal information.

Secondly, using a percentage, in my view, would be precisely the proportionate and, therefore, fair manner to impose equivalent penalties to all organizations.

Regarding harm, harm is not indicative of fault. You can have a hugely harmful hack; for example, let's take Carbanak. Carbanak hit 100 financial institutions for billions of dollars and the Kaspersky auditors went through it and found the most unbelievably sophisticated hack behind it and stated that they could not find any flaw in the security systems of the 100 banks that were hacked. It was just really bad luck. Therefore, we should not correlate harm and guilt.

Finally, I believe that the best place to assess and award damages is the courts.