Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was consent.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada
Valerie Steeves  Full Professor, Department of Criminology, University of Ottawa, As an Individual
Vincent Gogolek  Executive Director, B.C. Freedom of Information and Privacy Association

Nathan Cullen NDP Skeena—Bulkley Valley, BC

There is nothing yet. We've seen NEXUS cards seized. We've seen young Canadian athletes shielded from the border.

This is so far out of my depth, but I have a quick question about the gathering of people's information. When someone uses a free service—does a Google search or has a Facebook account—there is some shield that's afforded. Can you explain your interpretation of the law with respect to this, in terms of companies gathering and selling that data to a third party for consumer information? Is that the way the law exists right now, and should it be modified?

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Are you talking about information that is publicly available through social media, for instance?

Nathan Cullen NDP Skeena—Bulkley Valley, BC

It's not public.... Well, it's nominally publicly available, but it's somebody's searches, interests, and social media activity gathered up by those companies—shielded because the service is offered for free—and then packaged and sold to consumer companies. We all know that if we type “shoes” in Google, suddenly shoe ads start appearing all over the place. There is no protection of that particular data being sold further on, is there?

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would distinguish between two legal notions. You're referring to information that is on the net and under public settings, say, on social media. PIPEDA has a very restricted definition of what is publicly available and would not, per se, authorize the use and disclosure of information except if it fit the very narrow definition of “publicly available”, and in your example, it would not. That's one thing. It may be, though, that in the consent terms for the collection of information there may be a term between the consumer and the organization that would authorize the organization to use the information, to sell it to advertisers—

Nathan Cullen NDP Skeena—Bulkley Valley, BC

Perhaps we'll talk about those consent forms in my next round.

4:10 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

Next will be Mr. Erskine-Smith for a five-minute round.

I was very liberal. Everybody has gone well over their seven minutes, and we're not going to get through the five-minute round as a result. I'm going to ask colleagues to be very concise with their questions.

Mr. Erskine-Smith.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

I wanted to begin with the recommendations of your predecessor with respect to PIPEDA. I want to start with enforcement powers, which you touched on.

There was no clear recommendation in Ms. Stoddart's view. She said there should be greater enforcement powers and that we were actually lagging behind other jurisdictions. Then she recommended statutory damages, the power to make orders, the power to impose administrative monetary penalties, or some combination thereof. She noted that, in 2013, the U.K. Information Commissioner's Office levied a £250,000 fine against Sony for a breach that affected millions of PlayStation users.

In your view, should we be looking at statutory damages? Should we be looking at giving you order-making powers, or should we be looking at giving you administrative monetary fining powers? What would be most effective?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would say a combination of order making and the ability to impose a financial sanction.

The other day, someone mentioned that perhaps this should be subject to certain parameters. We would be in agreement with that.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Ms. Stoddart also recommended mandatory breach notifications, and noted that most U.S. states have passed similar legislation.

You would, I assume—

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's part of Bill S-4, which will come into force soon.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Excellent.

With respect to accountability, Ms. Stoddart recommended amending schedule 1 to require that organizations demonstrate, at your request, that they have practices in place for privacy compliance. She also recommended putting in place enforceable agreements under PIPEDA. Would you agree with that analysis?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, that would be an important, proactive action that we could take without waiting for complaints, absolutely.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

With respect to increasing transparency, Ms. Stoddart recommended public reporting requirements. This is with respect to an exception under PIPEDA for lawful authority. Law enforcement agencies are obtaining information from commercial entities. We currently have no public knowledge of how many times that has occurred.

Would you agree with Ms. Stoddart that there should be public reporting requirements to shed light on the exception under PIPEDA that allows law enforcement agencies and institutions to obtain personal information without consent or a warrant?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes. We've made progress on that. Guidelines were issued by the Department of Industry some years ago. These are partially implemented. A legal requirement would improve things.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

You mentioned that you are working on a draft paper related to consent for mid-2017. You mentioned meaningful consent in your opening remarks. You also mentioned alternatives to consent.

There is no firm view from the OPC at the moment as to how we might update PIPEDA's consent model. I assume we'll get that in the report sometime mid-2017.

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I can give you the considerations we have in mind at this point, if that would help.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Sure, that would be great.

In terms of alternatives to consent, one option that I noted from the previous commissioner was simplified privacy notices that draw attention to where practices differ from the norm and highlight information that would be most relevant to consumers. Perhaps you've reiterated that as well.

With respect to consumer protection law, sometimes there are provisions between consumers and companies that companies and consumers cannot contract out of because they're in the public interest of consumers.

If there are additional considerations, perhaps you could lay them out for us.

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

There are a number of improvements that can be made without new legislation. Privacy notices are among them. I think it's a question of the will of industry to give better information to consumers before they collect their information. I don't think legislation is required to do that.

Public education and guidance on our part are also part of the solution. Those do not require legislation.

I'll tell you what we're grappling with, and I would suggest that you ask about the following things.

The reason the consent model is under challenge at this point is that when PIPEDA was adopted, the relationship between companies and consumers was essentially bilateral. There was a service provider, or somebody who was selling a product, and the consumer knew pretty well why their information was being requested. Now, the relationship is much more complex, particularly when the company is engaged in big data or artificial intelligence. The problem, from a legal perspective, is that the purpose for which the information is being sought and will be used may be extremely difficult to define upfront when the information is collected.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

So it's hard to clarify consistent use under PIPEDA then.

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, because the purpose is difficult to define. Consent obtained from the consumer is not really meaningful, because the consumer does not know for which purpose the information will be used.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

But isn't it under the current law—and correct me if I'm wrong—that the individual consents to a particular purpose, and if there is an additional purpose, they have to go back and get consent from the consumer all over again?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, that is the current law.

We heard from companies during our consultations that the requirement to seek consent afresh once a specific purpose has been defined may be, in the view of some, too onerous or impractical.

But yes, as the law currently stands, the company would have to seek consent once the purpose had been defined. They're saying that it may not be practical. If so, we need a solution.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Okay.

4:15 p.m.

Conservative

The Chair Conservative Blaine Calkins

Colleagues, based on the time on the clock and the fact that we have to transition from our first set of witnesses to our second set of witnesses—we have about 12 minutes—I'm seeking your counsel.

We have four questions, which would give us three minutes each, or I can just do two five-minute rounds. How would you like to proceed?

4:15 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

How about 12 one-minute rounds?