Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was consent.

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada
Valerie Steeves  Full Professor, Department of Criminology, University of Ottawa, As an Individual
Vincent Gogolek  Executive Director, B.C. Freedom of Information and Privacy Association

3:30 p.m.

The Chair Conservative Blaine Calkins

Good afternoon, colleagues.

I'd like to get straight to business.

I will remind colleagues that the supplementary estimates were tabled in the House. There were no supplementary estimates that affected anything in the purview of this committee, so this committee will not have any supplementary estimates to review.

In this first hour of our second meeting on the study of PIPEDA, we are pleased to have, from the Office of the Privacy Commissioner of Canada, the Privacy Commissioner himself, Mr. Daniel Therrien. With him is Patricia Kosseim, senior general counsel and director general, legal services, policy, research and technology analysis branch.

Does that all fit on a business card? Actually, I shouldn't ask you questions like that.

We have Brent Homan here, as well. He is the director general of Personal Information Protection and Electronic Documents Act investigations. He's the top guy for PIPEDA.

Mr. Therrien, perhaps you could enlighten us with your opening remarks. Then we'll get in as many questions as we possibly can in the first hour.

We thank you once again for appearing before the committee.

3:30 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you very much, Mr. Chair.

Members of the committee, thank you for inviting us here for your study of the Personal Information Protection and Electronic Documents Act, the PIPEDA.

As you know, PIPEDA is technology-neutral and based on principles of general application, two qualities that should remain as these are strengths that make this law a flexible tool.

However, the constant and accelerating pace of technological change since the turn of the 21st century, when PIPEDA came into force, is challenging the law's effectiveness and sustainability as an instrument for protecting the privacy of Canadians.

These technological changes bring important benefits to individuals. They greatly facilitate communications, they make available a wealth of information of all sorts, and they bring products and services from all areas of the world.

But these technologies also create important risks. Internet users want to share their views and search sensitive issues like health without fear that these activities will be tracked and shared with others with adverse interests. In fact, it is an essential aspect of the right to privacy that individuals have control over with whom they share their personal information.

New technologies also hold the promise of important benefits for society. Future economic growth will come in large part from growth in the digital economy. For instance, Canada is well placed to become a world leader in artificial intelligence, which depends on the collection and use of massive amounts of data.

The 2016 OECD Ministerial Declaration on the Digital Economy, to which Canada is a signatory, commits, among other things, to an international effort to protect privacy, recognizing its importance for economic and social prosperity. Indeed, the protection of privacy is critical for building consumer trust and enabling a vibrant, robust and competitive digital economy.

Yet, the vast majority of Canadians are worried that they are losing control of their personal information, with 92% of Canadians expressing concern, and 57% being very concerned, about a loss of privacy in our most recent public opinion poll.

Without significant improvements to the ways in which their privacy is protected, Canadians will not have the trust required for the digital economy to flourish, they will not reap all the benefits made possible through innovation and, ultimately, their rights will not be adequately respected.

Consent has always been considered a foundational element of PIPEDA, but obtaining meaningful consent has become increasingly challenging in the age of big data, the Internet of Things, artificial intelligence and robotics.

When PIPEDA was adopted, the interactions with businesses were generally predictable, transparent and bidirectional. Consumers understood why the company that they were dealing with needed certain personal information. It is no longer entirely clear who is processing our data and for what purposes.

As such, the practicability of the current consent model has been called into question.

To be clear, I think there remains an important role for consent in protecting the right to privacy, where it can be meaningfully given with better information.

There may also be situations in which consent is maybe simply impracticable, and under appropriate conditions, it is worth exploring whether alternatives to consent can otherwise protect the privacy of Canadians. Some of these may require legislative amendments.

Through written submissions and in-person consultations with stakeholders across Canada, we've heard a broad range of suggestions.

For instance, individuals could be empowered to make decisions through simplified privacy notices. Organizations, on the other hand, could enhance their trustworthiness through the use of privacy by design, demonstrable accountability, or the adoption of industry codes of practice.

We heard that some wanted us to provide further guidance for organizations or promote compliance through more proactive means such as audits. Others wanted us to have greater enforcement powers, a point to which I will return.

We also heard consistently that public education is essential and that more needs to be done.

We have therefore consulted a great many Canadians on the issue of consent. We are currently analyzing the proposed solutions, and many others in our general findings on the matter. We will be happy to share our consolidated findings with you once we have completed our work in mid-2017.

Another priority area for our office is reputation and privacy. Our ultimate goal here is to help create an environment in which individuals may use the Internet to explore their interests and develop as persons without fear that their digital trace will lead to unfair treatment.

As with the consent project, we started our work by issuing a discussion paper and inviting submissions. Many of the submissions received commented on the right to be forgotten, the concept arising out of the EU that individuals can request that certain links be removed from search results associated with their name. While acknowledging the potential harms that can come from a net that never forgets, some submissions raise significant concern about what a formally recognized right to be forgotten would mean for freedom of expression. Others question whether PIPEDA even applies to a number of aspects of online reputation or to search engines that are important players in that debate, and they call for other solutions instead. These ranged from greater use of targeted legislation to prevent specific harms, as we have seen in the cases of cyber-bullying and revenge porn; improved education on safe and appropriate use of the Internet, especially for vulnerable populations; and improved practices for websites and online services such as social networks. We would be pleased to inform the committee of our views once our policy position has been fully shaped later during the year.

Let me now turn to the question of enforcement powers. Enforcement is key to securing trust in the digital ecosystem. Our recent poll found that seven out of ten Canadians would be more likely to do business with companies if they were subject to financial penalties for misusing their information.

Currently my office cannot make orders or impose fines and it is, in many respects, weaker than some of our provincial and international counterparts. Industry worries that, should enforcement powers be granted to my office, organizations would be less willing to collaborate with us and negotiate toward solutions, yet my colleagues elsewhere have not had that experience. Perhaps it is time, then, to bring my office's powers in line with those of others around the world.

That being said, I also believe there is an important role for proactive compliance. Organizations are using data in innovative ways to derive value, and Canadians expect this activity to be regulated. A proactive approach to overseeing compliance at the front end before complaints happen would bring certainty to the market and further reassure Canadians that their concerns are being addressed.

Given time considerations, I will stop here, but let me conclude—can I continue?

3:40 p.m.

The Chair Conservative Blaine Calkins

Please do. You're the commissioner, sir.

3:40 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

I have some notes on adequacy. I assume there will be questions about adequacy. I can speak about that if you want.

3:40 p.m.

The Chair Conservative Blaine Calkins

Please do. Please finish your presentation.

3:40 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

All right.

Adequacy is another issue that I think the committee should bear in mind during its review: the adequacy of privacy laws in Europe. In Europe, the GDPR, the general data protection regulation, which has been adopted and will come into force in 2018, will require a review of adequacy decisions every four years, and Canada's adequacy status, which since 2001 has allowed data to flow freely from the EU to Canada, will have to be revisited.

A January 2017 communication from the European Commission notes that Canada's adequacy status is “partial”, in that it covers only PIPEDA, and that all future adequacy decisions will involve a comprehensive assessment of a country's privacy regime, including access to personal data by public authorities for law enforcement, national security, and other public interest purposes.

Given the far-reaching impacts of our country's adequacy status on trade, as well as the differences between GDPR and PIPEDA, it will be important to keep this consideration in mind as the committee moves forward with its study.

In conclusion, Professor Klaus Schwab, founder of the World Economic Forum, states that we stand on the brink of a fourth industrial revolution, characterized by a blurring of lines between the physical, digital, and biological spheres. This transformation, he argues, will be unlike anything humankind has experienced before.

PIPEDA was good legislation when it came into force in 2001, and it continues to provide a sound foundation upon which to build. However, in light of this new revolution, and more importantly, to meet the privacy expectations of Canadians, I believe that PIPEDA must be modernized.

Thank you very much. I look forward to your questions.

3:40 p.m.

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Commissioner.

We'll now start with our seven-minute round.

Mr. Saini, go ahead, please.

3:40 p.m.

Raj Saini Liberal Kitchener Centre, ON

Good afternoon, Mr. Commissioner and everybody. It's always a pleasure to see you here. It seems as if we see you every fiscal quarter, so that's always very good.

We had some witnesses who came here on Tuesday. One of the important things that were recognized was the fact that Canada has a comparative advantage in North America, and indeed compared with other countries, because of our privacy laws, which are very commensurate with Europe's. Now with Europe launching a new level of regulation in May of 2018, there has been some discussion that Canada must change its privacy laws to be commensurate with those of the European Union.

Can you provide some commentary on what you think we should do or what specific aspects are necessary to not lose that comparative advantage, especially since now we're in the process of finalizing, or I guess we've passed, CETA?

3:45 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Yes. There is no absolute certainty in these matters, but I will give you my sense of what the considerations are.

The bottom line is that I think the committee should give serious consideration to reviewing any gaps or differences that may exist between Canadian privacy law and European law, because ultimately, under the European regulation, Canada's laws will be assessed—at the latest in 2022, four years after the coming into force of the GDPR—as to whether our laws are adequate, i.e., essentially equivalent to European laws.

Now, I say that there is no certainty in this matter because this standard of “essential equivalency” has not been defined very precisely by Europe. We know that equivalency does not mean “sameness”, so Canada's laws will not be expected to be a carbon copy of European laws, but still the standard appears to be quite high. It's one of essential equivalency. There may be some differences, but ultimately the laws should be essentially similar.

There are two areas in which potential differences between Canadian law and European law will have to be looked at. The first area is any differences between PIPEDA and the European regulation, the GDPR. The GDPR adds a few new rights to European law, one being the right to data erasure, which is the child, so to speak, of the “right to be forgotten”. That's one right that does not exist, per se, in Canadian law but exists in European law, and we should give consideration to whether we should bring our law closer to European law, if not to the same place. There is a right to data portability in European law that I urge you to look at.

For Canadian law, as it pertains to private organizations, this is a bit of the landscape. An important development in Europe over the past few years has been a decision of the European Court of Justice, essentially the supreme court of the European Union, which held, in a case called Schrems, that adequacy decisions in Europe should relate not only to privacy laws in other countries that relate to private organizations but also to public sector laws, including laws that govern law enforcement and national security.

What the European Court of Justice said in that case was that U.S. laws, under the previous safe harbour agreement, were not essentially equivalent to European laws for a number of reasons, including the fact that they did not contain criteria of reasonableness and proportionality. I would urge you to have a look at our laws governing the public sector as well for equivalency.

One of the reasons why, in the context of Bill C-51, I recommended that the relevance standard be elevated to proportionality and necessity was the fact that in a few years our laws will be assessed against European laws, and European authorities will give consideration to necessity and proportionality as important factors.

3:45 p.m.

Raj Saini Liberal Kitchener Centre, ON

I also want to touch on something else you raised, because there is an interesting point to be made here. I'm referring to the case of Google Spain. I'm sure you're aware of the case of Google Spain. What I found interesting in that case was that the search engine was told not to provide a link to the news article, but the news article was still deemed to be allowed to exist. It wasn't ubiquitous, but it could be searched.

You talk about the right to be forgotten. If we decide to make that a recommendation, how do you think we should structure the law to allow someone the right to be forgotten? What parameters do we go through? Do we go all the way and remove everything? Or are there some things that have to be there for the public interest or the public good? How do we balance that?

3:50 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

At the OPC we ourselves have not reached a conclusion on this point. We have issued a discussion paper. We have sought comments by stakeholders, and we are in the process of determining what our position should be. As I mentioned in my opening remarks, some of the submissions we have received are very critical and signal that, in Canada, the constitutional protection of freedom of expression may be slightly different from that in Europe and may lead us to a different outcome from the one in Europe. I'm not saying this is right or wrong. I'm saying this is a credible argument that needs to be seriously considered.

Beyond constitutional law we also heard from stakeholders that the way in which PIPEDA is currently constructed may not be consistent with a right to be forgotten. Particularly when search engines conduct search activities, they may not be governed by PIPEDA, because PIPEDA is consent-based and search engines do not require consent before they put results on their website.

So both as a matter of constitutional law, freedom of expression, and as a matter of statute law there is a gap as to whether PIPEDA applies. Should we close the gap? That's where I say it's very uncertain. Europe will require essential equivalency. It doesn't mean sameness. Presumably when they assess our laws they will consider differences in constitutional protections, for instance, on freedom of expression. So I think we should look at this question of the right to be forgotten. It is certainly consistent with privacy notions generally that information should not sit on servers or continue to be retained by organizations beyond the period when it's necessary. So should we look for exactly the same thing? Probably not. We should aim to go towards a right to be forgotten, but I don't think we need to reach the same place.

3:50 p.m.

The Chair Conservative Blaine Calkins

Thank you, Mr. Commissioner. We're well past the time.

Mr. Jeneroux, go ahead, please.

3:50 p.m.

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you, Mr. Chair.

Thank you, Commissioner, for returning, and Brent and Patricia as well.

I'm picking up on Mr. Saini's point. Do you have a timeline as to when you're going to have this policy position on the right to be forgotten finished?

3:50 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Our first train stop will be the consent paper in mid-2017. After that we will issue a position on reputation, including the right to be forgotten. In all likelihood that will be by the end of this calendar year.

3:50 p.m.

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay. I was hoping it could coincide with the work of our committee here too. You've indicated that one of your priorities, reputation in privacy, is a major factor with regard to keeping up with the European Union. I also understand that you've submitted the names of some stakeholders for us to speak with as well. The EU has done this, but can you point us in the direction of any other jurisdictions that may have gone down this path that we could explore as well, particularly for the right to be forgotten but also for the legislation in general?

3:50 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

I don't know if Patricia will be able to add something. The only thing that comes to mind is a recent judgment by the Japanese supreme court, which addressed this issue without recognizing the right to be forgotten per se. It did outline a number of factors that companies should bear in mind with regard to similar requests. Is there anywhere else?

February 16th, 2017 / 3:50 p.m.

Patricia Kosseim Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada

No, there is not in the positive. But south of the border there has been enormous refraction to the right to be forgotten for reasons related to their First Amendment right of freedom of speech. There's an example of a jurisdiction that's likely not going there.

3:50 p.m.

Matt Jeneroux Conservative Edmonton Riverbend, AB

I find it fascinating, because I imagine that on the other side of someone's right to be forgotten are those individuals who would say they don't want to forget something that perhaps somebody else would prefer to be forgotten. It's an interesting argument, so I'm hoping we can flesh out some of that. Again, if anything comes out of your policy discussions in the lead-up to it, I hope we would get it before the committee.

3:55 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Perhaps I could just add that, on the constitutional question from a Canadian perspective of freedom of expression and whether a right to be forgotten would contravene the charter, I think at the end of the day it's going to be a question of balance, balancing the right to privacy of individuals, which may include some form of a right to be forgotten, against the constitutionally protected freedom of expression. So I think we should be looking for a balance.

3:55 p.m.

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay, I appreciate those comments.

We had a Mr. Lawford from the Public Interest Advocacy Centre here at our first meeting. He brought up—it escapes me what he called it, but something along the lines of a child protection act. I'm curious to know if you have any thoughts or some guidance on where we go down the road with the child privacy protection.

3:55 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

In the U.S., there is a statute—the acronym is COPPA, I believe—that prohibits the collection of information about children under 13. In Canada, we don't have that kind of legislation for a number of reasons. I think one is the fact that PIPEDA is framed in terms of general principles, one of them being consent. So consent is required for the collection, use, and disclosure of information. Consent must be meaningful and informed. For children under a certain age, certainly it cannot be informed or meaningful, so we don't have a definite age limit and an outright prohibition, but we get a similar outcome in a different way.

Certainly as well, I believe that because the age of majority in Canada is a matter for provincial legislators to legislate on, the federal PIPEDA has not sought to define an age of majority in the past. Now does that mean that it could not be done in concert with provinces to have an absolute prohibition? It could. This is something that could be done. But I think we get that, or something pretty close, with the legislation we have.

3:55 p.m.

Matt Jeneroux Conservative Edmonton Riverbend, AB

So you're comfortable with the current legislation. I guess that's why you didn't bring it up in your submissions or your statements today: you're comfortable that it's handled.

3:55 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

There is certainly a level of protection for children. It doesn't reach the level of an absolute prohibition, but there is a level of protection. So, yes, I'm comfortable that it exists.

3:55 p.m.

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay.

I think I have a minute left.

I want to give you a little bit of time to flesh out some of your answers on enforcement powers in particular, because I imagine—and you've been through this process before—we're going to have a number of private individuals, companies, and representatives come through here arguing the other side of it. You obviously are of the position that having enforcement powers is the right thing to do; however, I imagine some of them might spend time on the opposite. So if you have anything else you want to add on that front, please go ahead.

3:55 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you. The first reason I think you should consider giving us stronger enforcement powers is that our reading of the expectations and the will of Canadians is that we should have these powers. We have consulted Canadians regularly over the years, and the percentage of Canadians who say, for instance, that they would be more likely to do business with an organization if the organization were subject to order-making or fines is higher than 70%. In the context of our consent consultations, we have conducted a number of focus groups, and when we ask them whether they think it would be a good idea for companies to be subject to orders and fines, they overwhelmingly say it would be a good idea, so I think Canadians expect it.

In terms of the importance of privacy that would come from that kind of a regime, we were told by companies during our consent consultations that, if the OPC had these powers, the current collaborative status that we have with companies might change. As I said in my remarks, that's not been the experience of other jurisdictions.

The experience of other jurisdictions is that having fines and orders that come with privacy violations changes the risk calculus for executives of companies. If an executive in a company has a choice between investing in consumer protection or environmental protection where there are fines that will potentially be imposed if there is a violation and investing in privacy where there is not, we were told quite point-blank that they will put their money where there is a financial risk.

So a not insignificant consequence of giving the OPC order-making and fine-imposing power is that it will change the risk calculus for businesses such that they will invest more in privacy protection, which I think is a good thing. Just the fact that these powers exist will change the risk calculus, whether or not we find them to be in violation of the act.