Mr. Chair and members of the committee, thank you for inviting the Commission d'accès à l'information du Québec to participate in the study on the Personal Information Protection and Electronic Documents Act.
This invitation gives me the opportunity to briefly describe the legislation applicable to Quebec in terms of personal information protection in the private sector, as well as the role of the commission and its latest five-year report.
Before examining the Act respecting the protection of personal information in the private sector, which came into force on January 1, 1994, I should point out that, by adopting this act, Quebec became the first Canadian province and the first government in North America to regulate personal information protection in both the private and public sectors. The public sector is subject to the Act respecting Access to documents held by public bodies and the Protection of personal information.
With that clarification, I should mention that the Act respecting the protection of personal information in the private sector applies to all the businesses that, in Quebec, carry on an economic activity of a commercial nature. It regulates the collection, use, disclosure within and outside the province, and the security of the personal information a company has. To that end, it sets out a number of principles in relation to consent, prior information of the individuals in question or even the reason why the personal information is collected, used or disclosed.
It also governs the right of a person to have access to or to correct their personal information held by a company. If rejected, the person in question may submit a request for the disagreement to be reviewed by the commission's adjudicative division. The Act respecting the protection of personal information in the private sector also sets out the duties and powers of the commission in audits and investigations carried out by its oversight division.
Before I describe the commission's role, I should say that the Act respecting the protection of personal information in the private sector, just like the Act respecting Access to documents held by public bodies and the Protection of personal information, overrides any other piece of legislation applicable in Quebec.
This demonstrates the legislator's intent to highlight the paramount importance of the rights given to the individuals in question and the obligations provided for both public bodies and private companies in terms of the protection of personal information.
I will now say a few words about the commission, which was established in 1982.
The commission has two divisions: an adjudicative division and an oversight division, of which I am a member.
The commission's adjudicative division acts as an administrative tribunal and reviews requests filed by those whose access to or correction of their personal information has been denied. The members assigned to the adjudicative division generally sit in at hearings, during which the parties involved have the opportunity to make their case.
After hearing from the parties, the commission may decide on any question of fact or of law and make any appropriate order to safeguard the rights of the parties. The decision rendered by the commission is public. The decision is binding 30 days after the parties have received it and it is subject to a right of appeal provided to the Court of Quebec on a question of law or jurisdiction only. When a decision becomes binding, it can be submitted to the Superior Court. It then has the same force and effect as if it were a ruling rendered by that court.
Under its oversight functions, the commission is responsible for promoting access to the documents and the protection of personal information. It also ensures that the legislation is applied in those matters. To do so, it can carry out audits and investigations into potentially problematic situations brought to its attention, in order to ensure that public bodies and private enterprises comply with the legal provisions.
The commission may make recommendations and compliance orders upon completion of its investigations, which are carried out in a non-adversarial way. The orders made by the commission may, under the Act respecting the protection of personal information in the private sector, be submitted to the Superior Court for registration. Furthermore, if an order is not complied with, the commission may, in the case of enterprises, release a notice to inform the public. It may also initiate criminal proceedings.
Now, allow me to quickly go over some of the points raised in the commission's 2016 five-year report. In fact, the commission must report to the government every five years on the application of the Act respecting Access to documents held by public bodies and the Protection of personal information and the Act respecting the protection of personal information in the private sector. In the report, it makes recommendations to improve the government's transparency and the protection of personal information in Quebec. The report, tabled in the National Assembly, may lead to legislative amendments.
In its last report, just like in the previous one, the commission stressed the need to strengthen the protection of personal information in both the public and private sectors, especially since the Act respecting the protection of personal information in the private sector has not undergone any significant amendments since it was passed more than 20 years ago.
Among other things, it calls on the government to amend the Act respecting the protection of personal information in the private sector in order to include an obligation for corporate responsibility and to provide for the designation of a person responsible for access and the protection of personal information. This amendment would help to develop a corporate culture that protects personal information, to ensure more transparency and to increase public confidence.
It also calls on the legislator to update the concepts inherent to the protection of personal information in the private sector. Actually, for a number of years, the commission has noted, particularly because of the proliferation of electronic platforms, that some of the concepts under the Act respecting the protection of personal information in the private sector no longer fit, or correspond with limited effectiveness, to the new business models that result.
A number of those models, whether free or paid, are fed by information gathered here and there, from users or without their knowledge. Because of the emergence of those new business models, we often hear that personal information has become the petroleum of the 21st century, that it is worth a fortune, or that it is the lungs of the digital economy.
So, in order for the Act respecting the protection of personal information in the private sector to be fully applied to those new business models and to restore user confidence, in its five-year report, the commission calls on the legislator to revisit some of the concepts set out in the act. For instance, these include the concepts of a file, of the disclosure of information or of consent.
In terms of the concept of a file, I should first specify that a number of the obligations under the Act respecting the protection of personal information in the private sector are related to that notion. Right now, the legislation imposes obligations on businesses that create or keep a file for an individual. However, the fact is that more and more companies gather images, identification, use and location data, creating profiles to analyze the behaviours of users in order to improve the goods and services provided online or to attract their attention with targeted advertising.
Those companies gather information likely to identify an individual often without their knowledge and without necessarily establishing a contractual relationship. Although those companies hold personal information, they don't always keep it in a “file” with the person's name on it. So, although the concept of a file is sufficiently comprehensive to be interpreted broadly and to apply to electronic environments, the examples described above have prompted the commission to propose that the term “file” be replaced with the “purpose of the collection”, a principle underlying a number of personal information protection systems. As a result, corporate obligations would be linked to the initial reason for the collection of personal information.
As for the obligation of disclosure to the person in question when personal information is collected, the commission notes that it is one of the obligations that are met the least in the Act respecting the protection of personal information in the private sector. However, the protection of personal information is a shared responsibility. How can people assess how their personal information is protected by businesses and determine whether they are trustworthy, if they are not even informed, at a minimum, of the nature of the information the enterprise has and the subsequent use?
That is why, just like in the previous report, the commission has called on the legislator to amend the Act respecting the protection of personal information in the private sector, in order to specify when the information must be given to the person in question, to include the obligation to disclose the personal information collected and how it was collected. The commission also stresses the importance of the information being clear, intelligible and accessible, regardless of the platform used to collect the personal information.
In terms of consent, it must be noted that consent is the driving force behind the protection of personal information. In principle, it allows users to control what companies can and cannot do with their personal information. That's only in principle, because the notion of consent is increasingly criticized and considered inadequate in some contexts.
This raises the question of how to give consent its true meaning back. How can it be ensured that it truly means that individuals have agreed to a company managing and using their personal information, giving them real choice in the matter, rather than an opaque legal text created to limit the responsibility of companies to obtain an all-encompassing and irreversible “I agree”?
Therefore, although the Act respecting the protection of personal information in the private sector states that the consent must be manifest, free, and enlightened, and given for specific purposes and that it is valid only for the length of time needed to achieve the purposes for which it was requested, the commission notes that the scope of the criteria for consent is not well understood by enterprises. It therefore feels that clarifications about the obligations of enterprises under each of the criteria for consent should be included in the Act respecting the protection of personal information in the private sector. It also believes that the legislator should indicate that consent may be withdrawn at any time subject to restrictions under the act.
In closing, I must clarify that the commission does not claim to think those amendments will provide a solution to all the current consent-related issues. It believes that discussions must continue and that other avenues must be explored. To that end, in its five-year report, the commission stresses the importance of considering the amendments made to European legislation on the protection of personal information.
Mr. Chair, thank you. I will be pleased to answer any questions you and the other members of the committee may have.