Information & Ethics Committee on Feb. 14th, 2017

His quote is still relevant today. What he meant was that when you're enacting a law, you're fixing things. You're making things more permanent; therefore, they're less flexible. That's why I think his quote is still relevant today.

PIPEDA is flexible, so if we want to move forward with a consent model, let's not touch it. We can do whatever we want around it. We can use interpretation. We can get policy guidance from the OPC. That's why I thought it was relevant to mention him, and that's why I think it's still relevant today.

There should be a timeframe. That said, organizations need, in some cases, to keep the data to address risk. Maybe you're going to get a lawsuit so you need to keep it for a certain period of time. You have to keep that in mind. There's also a patchwork of laws that will apply to different types of data.

As a matter of fact, it can be quite a big job for an organization to put together a detailed retention policy. These can be quite expensive, but I'm all for retention and delays that are reasonable, that take into account the fact that the information is no longer in use. You need to get rid of it. You need to destroy it.

I would just add that, in a lot of the discussion around the right to be forgotten, which we've termed “the right of erasure”, I think there's a lot of scope for consumers to have information removed from marketing databases in the future. The right that the Europeans are focusing on is really that, a lot less about trying to take your information off Google, and a lot more about, “I'm tired of getting ads based on what my preferences were 20 years ago.” There's a big scope for adding that to the act, that right to erasure. At the moment, privacy policies are written without it.

Nexopia, the company I was talking about, didn't have a retention policy. Nobody knew how long they were going to keep their personal information. That just leads to conflicts.

Yes, you should have a more specific retention policy; but yes, it should be backed up with the right to remove your data within the borders of constitutionality, freedom of expression, and all the things that people have mentioned.

I might just add that when I was in Saskatchewan, overseeing health trustees and their management of personal health information, it was surprising how often you would find inactive health files in a granary, left behind in an abandoned office. You had providers retiring and so on never having properly disposed records. Often the problem with abandoned health records is these would be records that weren't active treatment and they should have been destroyed. There should have been a record retention schedule. It certainly brought home the importance and the value of not only having an appropriate record retention schedule, but then following that, and destroying those records in a timely way when they're no longer required. It's been a significant issue right across Canada, particularly with health records, as physicians retire not having properly disposed of the records at appropriate times.

Perhaps I can give you a bit of a history of how we've evolved at the OPC. The first investigation that dealt with OBA, online behavioural advertising, was of Facebook in 2009, when the OPC said that since you get Facebook for free, you should expect advertising because that's the only way they can live. That was a business model that the interpretation of privacy law had to take into account. As long as Facebook did not disclose personal information to third parties, and only used it for its own use to filter ads and send them on the basis of interest, it was within the law. Then we moved to Google in 2014, and in our decision found that Google had served ads to a gentleman who had trusted Google not to serve him ads, as they said they would not in their privacy policy on the basis of his sensitive information, but did. In his case it was medical information, and they served him ads. They discovered, in fact, it was a third-party adviser who was not following Google's rules. The problem there was that even though it was a free service, it was outside the bounds of the privacy policy, first, and the Privacy Act, second, which requires a company to refrain from tracking on the basis of sensitive information.

To go to your point of what's sensitive and what's not sensitive, really—and this goes to Maître Gratton's point—it's very much decided on the basis of harm. Think, what is the harm if this information were revealed? If the harm would be high, with financial information, you can be defrauded. If it's medical information, it's a grave intrusion. That's sensitive. That's what we usually use: what's the harm in disclosure? Then, again, the last decision on that was the Bell investigation, which you've referred to, in which the OPC said that Bell does not have a free service. Contrary to the decision on Facebook in 2009, it's not free. Users have already paid for the service; therefore, if the company, on top of that, is going to be taking their personal information, that's an additional payment, let's say, and there has to be express consent.

As you've seen, I've framed it very tightly because the charter challenge could be about the curtailment of freedom of expression in an excessive manner, which would therefore violate the charter. I believe the right to erasure—and I understand PIAC to be of the same view—can be framed in such a manner that it would protect privacy without infringing upon freedom of expression, as, in fact, in my view, the Protecting Canadians from Online Crime Act does as well. In the latter act, we criminalize an expression, if you can say so—for example, putting someone's intimate images without consent on the web. So far, it has not been challenged or not been declared unconstitutional, because the privacy violation is so egregious as not to warrant freedom of expression at large.

Nova Scotia preceded the federal government in regard to Rehtaeh Parsons's suicide, and we followed. The Nova Scotia legislation goes further and did indeed run into a constitutional challenge.

The other legislation I mentioned is that in the four common law provinces, it is an actionable tort to violate privacy. Then in Quebec, as Madame Gratton has described so well, that is perhaps the most cogent and robust measure.

However, to go back to Mr. Massé's point on whether we could use that for PIPEDA, I would remind you that all of that provincial legislation applies to individuals, whereas PIPEDA applies to organizations. This is why I say that if you want to use PIPEDA, you need to go through organizations. How can organizations help to reduce harm to reputations online? It would be through an obligation to erase when the dissemination of information has been declared to be illegal on the basis of these other pieces of legislation.

That's only in Europe. A person applies, say, to Google because Google was the one platform that was protecting it anyway. The European court went quite far out on a limb. You could see that they wanted to have the right to be forgotten recognized. Some could say that they stretched the law a little for that.

So a person goes to Google and says that they want to have their information de-indexed and made non-searchable. There are some criteria that have to be met. It has to be genuine. There has to be some value to it and if the person passes the test, it is therefore made non-searchable.

Our experience with data retention and the right to erasure largely arose as a result of our complaint against a children's website and the company's absolute refusal to remove personal information. We did get contacted by former members of that social network, once we brought the complaint. We had a number of them call us and say that they had this problem with the site, and yes, that it was a difficulty.

Occasionally, a person will email us and say that they don't like the privacy policy of company X or Y and can that company really do this or that. So, yes, we do have some contact with people, but on this particular issue it was more after we raised it that people said they didn't know how to get their information erased, and could they?

The answer, unfortunately, at the moment is no, they can't. Although the Privacy Commissioner did say in that case at the end that they would like the site to remove the information. That was the first time I ever saw it. Nexopia waffled on that. They subsequently sold themselves to other owners, who promised to remove it. I'm not sure if it's been done.

Correct.