Thank you for inviting me. I am pleased to be here today. I appreciate the opportunity to share with the committee my thoughts on important issues affecting Canadians and their privacy.
I am a partner at Borden Ladner Gervais, and I teach in the faculty of law at Université de Montréal. I am appearing before the committee today as an individual.
I will be discussing two issues that have been the subject of consultations undertaken by the Office of the Privacy Commissioner in the past year: meaningful consent, and reputation and privacy. I will also say a few words about enforcement powers. I will be giving my presentation in English but would be happy to answer questions in English or French.
PIPEDA is based on fair information practices that were initially drafted in the early 1970s. We should keep in mind that their main purpose was to address specific concerns pertaining to computerized databases and the fact that different private sector organizations could exchange personal information more easily without the knowledge or consent of individuals. At that time, the best way to deal with these new concerns was deemed to have individuals keep control of their personal information.
Forty years later, this concept is still one of the most predominant theories of privacy and the basis for data protection laws around the world, including PIPEDA. The notice-and-choice approach is no longer realistic. Individuals are overloaded with quantities of information they cannot realistically be expected to process or comprehend. As raised by the OPC, the complex information flows and new business models involving a multitude of third parties have also challenged the traditional consent model.
A first issue, if we want to maintain that consent model, is whether we should be amending PIPEDA on the issue of consent. Jean Carbonnier, one of the most prominent French jurists of the 20th century, has stated in French, “Ne légiférer qu'en tremblant”. What he meant was that we should be very cautious when enacting or amending laws. We have to be careful to make sure that the amendment will not be detrimental or problematic as soon as new technologies emerge. The current wording pertaining to obtaining consent under PIPEDA is quite flexible and definitely flexible enough to accommodate new types of technologies and business models.
However, the downside of this flexibility is that it creates uncertainty. Therefore, policy guidance on enhancing transparency and obtaining valid consent is increasingly necessary to address some of this uncertainty and allow organizations to innovate without taking major legal risks. Businesses look up to the OPC to provide such guidance and its recent guidance on online behavioural advertising, app development, and the Internet of things is quite useful. These documents are, more than ever, relevant and timely.
Under PIPEDA, in determining the form of consent to use, organizations shall consider the reasonable expectations of the individual. What these expectations are in any given context, and whether certain activities are legitimate from a privacy perspective, is often a function of many factors, including the prevailing social norms. Another argument against amending PIPEDA on the notion of consent pertains to the fact that social norms in connection with any new technology or business practice may not yet be established. The OPC has, in recent years, commissioned certain surveys meant to explore the awareness, understanding, and perceptions of Canadians on certain issues and new technologies. These studies are increasingly important, since they allow us to gain a better understanding of consumers and their expectations and help evaluate how the social norm in connection with a given technology or business practice is evolving.
Over the last few years, I have proposed, through various publications, that perhaps part of the solution to address some of the challenges pertaining to the consent model could include the adoption of a risk-based approach or interpretation, under which we would focus on obtaining express consent only for data collections, uses, or disclosures, if such activities might trigger a risk of harm to individuals. For instance, express consent would be required when using personal information to make an eligibility decision impacting the individual, a disclosure that would involve sensitive or potentially embarrassing information, or a practice that would go against the expectation of the individual.
A risk-based approach may allow organizations to streamline their communications with individuals, reducing the burden and confusion on individual consumers, since they would receive fewer requests for consent. These requests would be meaningful in the sense that they would focus on what matters to them. Although this type of approach would imply rethinking PIPEDA's current consent model to some extent, it could be further explored in the foreseeable future.
Regarding online reputation, the Office of the Privacy Commissioner of Canada recently chose to make reputation and privacy one of its priorities for the next few years, and launched a consultation last year in which it asked if there were a way to apply a right to be forgotten in Canada. With Internet technologies, there is a temporal shift, in the sense that pieces of information can outlive the context in which they were initially published and considered legitimate. Security expert Bruce Schneier stated a few years ago: “We're a species that forgets stuff.... We don't know what it's like to live in a world that never forgets.”
The right to be forgotten is the right famously coined by the Court of Justice of the European Union in its May 2014 landmark decision, in which it authorized an individual's personal information pertaining to past debts to be removed from accessibility via a search engine. While this right may sound appealing at first, especially in view of the protection granted to the privacy and reputation of individuals, this issue is more complex. Aside from the constitutional challenges that a right to be forgotten would raise, there are significant risks with entrusting private entities, such as search engines, with the task of arbitrating fundamental rights and values. A decision to de-index content is quite complex as it would require considering numerous criteria. It would fall to search engines to enforce this right, and these companies would have an incentive to err on the side of more removal rather than less in order to reduce costs or to avoid potential legal liability.
Courts, unlike private sector entities, have the expertise and independence to strike an appropriate balance between the two fundamental values that are often opposed in these types of requests, namely freedom of information, freedom of expression and privacy. On this issue, the Federal Court of Canada recently issued a decision in the Globe24h case, illustrating that courts should be the ones issuing orders to remove information from Google search results.
Quebec has a very stringent privacy and reputation legal framework in place. The right to privacy has been elevated to the rank of a fundamental right, protected by the Quebec Charter of Human Rights and Freedoms. The Civil Code of Quebec prohibits the publishing of someone's “name, image, likeness or voice for a purpose other than the legitimate information of the public”. While recovery for defamation in common law jurisdictions may be barred if the statements are true, in Quebec the fact that information published is true does not suffice to avoid liability.
This said, even with this stringent legal framework in place, some challenges in addressing online reputation issues remain. First, the notion of res judicata may prevent an individual from going before the courts and asking that certain information be removed if this request was made in the past and already decided upon. Periods of limitation must also be revisited to ensure that this legal framework can adequately address the fact that with the Internet, data legitimately published may, after a certain period, become irrelevant, or the fact that the data that was once considered outdated may become relevant again over time.
Second, pursuing litigation can be quite expensive, which may not make this type of tool or recourse always accessible. Perhaps efforts should be directed to improving our legal framework, notably by increasing access to justice or implementing a fast-track system for online removal requests, rather than by copying a European-style right to be forgotten.
Finally, the right to be forgotten includes extraterritorial issues that should be considered. The Federal Court of Canada, in its recent decision, opened up an important debate on the jurisdictional reach of privacy laws. All eyes are now on the Supreme Court of Canada, which will be rendering its decision dealing with these issues in the Equustek v. Google matter in the near future.
Regarding enforcement powers, the former Privacy Commissioner of Canada, Jennifer Stoddart, has asked for stronger enforcement powers under PIPEDA, which could include order-making powers and the power to impose penalties or statutory damages. In foreign jurisdictions, privacy regulators have such powers. This could provide an additional incentive for Canadian businesses to protect the personal information under their control. This being said, I wanted to raise one concern. As mentioned earlier, PIPEDA is based on flexible technology-neutral principles. The benefit of this flexibility is that it can accommodate new types of technologies and business models, but the downside of this flexibility is that it creates uncertainty: it is not always clear for businesses how they must comply with PIPEDA, especially when launching new products or services or innovative technologies. If on top of this uncertainty, there is also the risk of statutory damages or penalties, I am concerned that businesses will hesitate to launch new products and services and that in the end this will affect innovation and our competitive advantages as a nation driven by research, development, and innovation.
I am of the view that any enforcement powers, penalties, or statutory damages should come into play only once a certain practice is clearly illegal and once the organization has been advised of such and is refusing to adjust its business practices.
As a final thought, I have some concerns with the adequacy test that Canada will undergo in the coming years. The European general data protection regulation coming into force in 2018 will include certain new rights that are not currently in PIPEDA: a right to be forgotten and a right to data portability, to name a few.
We have important issues on our plate to ensure that our current data protection regime will survive and remain relevant in the near future. We have some challenges with our current notice and choice model, and perhaps addressing these issues should be our priority.
I have made written submissions in response to the OPC's consultation on privacy and consent and their call for essays on online reputation. My submissions are available on the OPC's website.
Thank you, and I welcome questions.