Information & Ethics Committee on Feb. 21st, 2017

Mr. McArthur.

Thank you very much.

Thank you, Mr. Chair and committee members, for the invitation to speak to you today as you review the Personal Information Protection and Electronic Documents Act. Here in Alberta, we call it “PIPEEDA” as opposed to “PIPEDA”, as Drew just referred to it. With me are Sharon Ashmore, who is general counsel with my office, and Kim Kreutzer Work, who is the director of knowledge management.

I thought I would start my comments today by speaking briefly about Alberta's Personal Information Protection Act, or PIPA, and then in a very similar way to Drew's presentation, I will provide some brief comments on the four topics that I understand you're interested in. I'll speak about PIPEDA's adequacy vis-à-vis the European Union enforcement powers, and in particular my ability to order compliance, as well as meaningful consent and privacy and reputation. Then, of course, I would be happy to address any questions you might have.

To begin, Alberta's Personal Information Protection Act, or PIPA, came into force on January 1, 2004. The act balances the privacy interest of Albertans with the need of organizations to collect, use, and disclose personal information of their customers, clients, employees, and volunteers for reasonable purposes. PIPA has been declared substantially similar to PIPEDA, which means that in Alberta it is PIPA, and not PIPEDA, that generally covers provincially regulated private sector organizations and businesses.

My role is to provide oversight for the act. I have a number of powers and responsibilities under the legislation to ensure that its purposes are achieved. So far, PIPA has undergone two reviews by all-party committees of the Alberta legislature. This in fact is built into the legislation and is a statutory requirement.

The first review took place in 2006-07 and led to several amendments, most notably, mandatory breach reporting and notification requirements, which came into effect in May of 2010. Alberta became the first private sector jurisdiction in Canada to have mandatory breach reporting and notification, and we have since become the model for many other jurisdictions that are contemplating similar amendments.

I think I'll mention that since 2010 we have seen close to 750 breach reports under PIPA and have issued close to 600 notification decisions. So far, we've found that in approximately 56% of those cases there was a real risk of significant harm, in which case I required the organization to notify affected individuals.

The second review of PIPA was more recent and concluded at the end of 2016. During one of my appearances before that review committee, I spoke about the importance of global considerations when considering amendments to Alberta's legislation. I believe those comments are relevant here again in regard to PIPEDA's adequacy status vis-à-vis the European Union.

When it comes into force, the European Union's general data protection regulation, or GDPR, will make privacy law across Europe stricter and will enhance the protection for Europeans' personal information in such areas as consent, accountability, privacy management frameworks, breach notification, and privacy impact assessments. In a global economy where Canadian and Alberta businesses are participants, and where private sector privacy law needs to be adequate and substantially similar, the effect of the GDPR must be considered in any discussion about amendments to our legislation governing the collection, use, and disclosure of personal information.

I'm not necessarily suggesting that PIPEDA or, by extension, PIPA will be deemed to be inadequate, but I am suggesting that there's a need to be mindful of global and national considerations when we're contemplating amendments, to ensure that they don't weaken the legislation and that they are not out of step with global and national considerations. I think it's important to remember that although legislative requirements and regulations may sometimes seem to be burdensome, they also help to provide the public and businesses and their service partners with stability and reassurance, both of which are necessary to win customers and to facilitate business and information sharing.

Going on to enforcement powers, I'm able to issue orders under all three of the acts for which I provide oversight: our public sector's Freedom of Information and Protection of Privacy Act and our health sector's Health Information Act, as well as PIPA.

Order-making power does not preclude my office from resolving cases by an informal mediation process rather than going through the formal inquiry process. In fact, in most cases when we receive a request for review or a complaint, we investigate and attempt to mediate and resolve that matter informally. It's only when findings and recommendations are not accepted that the matter may proceed to inquiry. In 2015-16, approximately 80% of our cases under PIPA were resolved through that mediation process as opposed to inquiry, and since 2004 we have issued 134 PIPA orders.

In most cases organizations comply with orders. In the very odd case where an organization does not, I can file the order in the Court of Queen's Bench, at which time it becomes enforceable as a judgment of that court. I have had occasion to file orders twice in the last year. In one of those cases it was under the Health Information Act and not PIPA, and in the other case, it had to do with ensuring compliance with a breach notification decision I had issued under PIPA. In both cases, after filing with the court, the matters were resolved before the court heard the cases. In those examples, order-making power was extremely valuable in obtaining compliance.

Moving on to meaningful consent, I will first note that in Alberta, we talk about PIPA as being consent-based legislation, and generally, I think it works well. Requiring organizations to obtain the consent of an individual before collecting personal information and to provide notice of the purpose for collection helps to ensure that individuals are able to make informed decisions and exert some measure of control over their personal information.

However, I am aware of ongoing discussions in certain forums that suggest that a consent-based framework is not always adequate. I seldom hear that consent and notice should be done away with entirely, but there does seem to be concern that in this age of big data, predictive analytics, and complex information systems, consent and notice may not be adequate in all cases and may stifle innovation as well as initiatives that are in the public interest.

I've certainly participated in a number of these conversations where we've tried to define the problem, if there is a problem, and to identify and consider some proposed solutions. In those discussions, I often make reference to Alberta's Health Information Act, for example, which is not consent-based but based on a circle-of-care idea, the concept of legislated acceptable uses. We also make reference to the personal information code under Alberta's PIPA, which again recognizes that consent in an employer-employee relationship might not work, and so consent is not required for collecting certain information. We also look to the Health Information Act for the framework around research and research ethics boards. As Drew mentioned earlier, there are commissioners in the country who are interested in some of the projects, notably the Information Accountability Foundation, and a project on developing an ethical assessment framework for certain big data initiatives.

In any event, I believe any solution to the problem, if there is a problem in this area, would involve a mix of legislative, regulatory, and voluntary options, and I certainly support discussion of these issues, including consultations such as the exercise the federal Privacy Commissioner recently undertook.

Finally, I have a few words to say on privacy and reputation. This topic has seen a lot of attention in recent times, particularly around the idea of a right to be forgotten, and whether such a thing exists in Canada or not, and if it does, how it might be enforced in today's global world.

I mentioned this in the trends and issues section of my 2014-15 annual report and said that this was a topic we should be watching over the next couple of years. In particular, we've seen cases like the May 2014 case in the Court of Justice of the European Union; the recent case involving Globe24h at Canada's Federal Court involving information posted on a Romanian website; and a pending decision from the Supreme Court of Canada in Google v. Equustek Solutions. I think that brings home the fact that these are live issues.

Of note, these cases highlight questions of jurisdiction and legal boundaries and the ability to compel compliance; privacy versus freedom of expression; transparency for public figures such as politicians; and the technical challenges and costs for global companies. These are all complicated issues, but they have found their way to my office, as we have seen a recent uptick in the number of right-to-be-forgotten-type cases in the office. We had previously seen about half a dozen of them over the first seven or eight years of the legislation, but I think we have half a dozen in the office right now. They tend to be focused on such issues as websites publishing personal information collected from some source other than the individual whom the information is about. There are also sometimes complaints around decision-making bodies, including personal information, in their published decisions.

As there are a number of live matters in my office at the moment, I'm not going to get into too many specifics. We will be issuing decisions in some of these cases. It is worth noting that these discussions have made their way from other countries, contexts, and the courts to real complaints made by real individuals that are currently in my office.

On that note, I will leave my comments there. I'd be happy to respond to any questions.

Thank you.

Mr. Chair and members of the committee, thank you for inviting the Commission d'accès à l'information du Québec to participate in the study on the Personal Information Protection and Electronic Documents Act.

This invitation gives me the opportunity to briefly describe the legislation applicable to Quebec in terms of personal information protection in the private sector, as well as the role of the commission and its latest five-year report.

Before examining the Act respecting the protection of personal information in the private sector, which came into force on January 1, 1994, I should point out that, by adopting this act, Quebec became the first Canadian province and the first government in North America to regulate personal information protection in both the private and public sectors. The public sector is subject to the Act respecting Access to documents held by public bodies and the Protection of personal information.

With that clarification, I should mention that the Act respecting the protection of personal information in the private sector applies to all the businesses that, in Quebec, carry on an economic activity of a commercial nature. It regulates the collection, use, disclosure within and outside the province, and the security of the personal information a company has. To that end, it sets out a number of principles in relation to consent, prior information of the individuals in question or even the reason why the personal information is collected, used or disclosed.

It also governs the right of a person to have access to or to correct their personal information held by a company. If rejected, the person in question may submit a request for the disagreement to be reviewed by the commission's adjudicative division. The Act respecting the protection of personal information in the private sector also sets out the duties and powers of the commission in audits and investigations carried out by its oversight division.

Before I describe the commission's role, I should say that the Act respecting the protection of personal information in the private sector, just like the Act respecting Access to documents held by public bodies and the Protection of personal information, overrides any other piece of legislation applicable in Quebec.

This demonstrates the legislator's intent to highlight the paramount importance of the rights given to the individuals in question and the obligations provided for both public bodies and private companies in terms of the protection of personal information.

I will now say a few words about the commission, which was established in 1982.

The commission has two divisions: an adjudicative division and an oversight division, of which I am a member.

The commission's adjudicative division acts as an administrative tribunal and reviews requests filed by those whose access to or correction of their personal information has been denied. The members assigned to the adjudicative division generally sit in at hearings, during which the parties involved have the opportunity to make their case.

After hearing from the parties, the commission may decide on any question of fact or of law and make any appropriate order to safeguard the rights of the parties. The decision rendered by the commission is public. The decision is binding 30 days after the parties have received it and it is subject to a right of appeal provided to the Court of Quebec on a question of law or jurisdiction only. When a decision becomes binding, it can be submitted to the Superior Court. It then has the same force and effect as if it were a ruling rendered by that court.

Under its oversight functions, the commission is responsible for promoting access to the documents and the protection of personal information. It also ensures that the legislation is applied in those matters. To do so, it can carry out audits and investigations into potentially problematic situations brought to its attention, in order to ensure that public bodies and private enterprises comply with the legal provisions.

The commission may make recommendations and compliance orders upon completion of its investigations, which are carried out in a non-adversarial way. The orders made by the commission may, under the Act respecting the protection of personal information in the private sector, be submitted to the Superior Court for registration. Furthermore, if an order is not complied with, the commission may, in the case of enterprises, release a notice to inform the public. It may also initiate criminal proceedings.

Now, allow me to quickly go over some of the points raised in the commission's 2016 five-year report. In fact, the commission must report to the government every five years on the application of the act respecting access to documents held by public bodies and the protection of personal information and the Act respecting the protection of personal information in the private sector. In the report, it makes recommendations to improve the government's transparency and the protection of personal information in Quebec. The report, tabled in the National Assembly, may lead to legislative amendments.

In its last report, just like in the previous one, the commission stressed the need to strengthen the protection of personal information in both the public and private sectors, especially since the Act respecting the protection of personal information in the private sector has not undergone any significant amendments since it was passed more than 20 years ago.

Among other things, it calls on the government to amend the Act respecting the protection of personal information in the private sector in order to include an obligation for corporate responsibility and to provide for the designation of a person responsible for access and the protection of personal information. This amendment would help to develop a corporate culture that protects personal information, to ensure more transparency and to increase public confidence.

It also calls on the legislator to update the concepts inherent to the protection of personal information in the private sector. Actually, for a number of years, the commission has noted, particularly because of the proliferation of electronic platforms, that some of the concepts under the Act respecting the protection of personal information in the private sector no longer fit, or correspond with limited effectiveness, to the new business models that result.

A number of those models, whether free or paid, are fed by information gathered here and there, from users or without their knowledge. Because of the emergence of those new business models, we often hear that personal information has become the petroleum of the 21st century, that it is worth a fortune, or that it is the lungs of the digital economy.

So, in order for the Act respecting the protection of personal information in the private sector to be fully applied to those new business models and to restore user confidence, in its five-year report, the commission calls on the legislator to revisit some of the concepts set out in the act. For instance, these include the concepts of a file, of the disclosure of information or of consent.

In terms of the concept of a file, I should first specify that a number of the obligations under the Act respecting the protection of personal information in the private sector are related to that notion. Right now, the legislation imposes obligations on businesses that create or keep a file for an individual. However, the fact is that more and more companies gather images, identification, use and location data, creating profiles to analyze the behaviours of users in order to improve the goods and services provided online or to attract their attention with targeted advertising.

Those companies gather information likely to identify an individual often without their knowledge and without necessarily establishing a contractual relationship. Although those companies hold personal information, they don't always keep it in a “file” with the person's name on it. So, although the concept of a file is sufficiently comprehensive to be interpreted broadly and to apply to electronic environments, the examples described above have prompted the commission to propose that the term “file” be replaced with the “purpose of the collection”, a principle underlying a number of personal information protection systems. As a result, corporate obligations would be linked to the initial reason for the collection of personal information.

As for the obligation of disclosure to the person in question when personal information is collected, the commission notes that it is one of the obligations that are met the least in the Act respecting the protection of personal information in the private sector. However, the protection of personal information is a shared responsibility. How can people assess how their personal information is protected by businesses and determine whether they are trustworthy, if they are not even informed, at a minimum, of the nature of the information the enterprise has and the subsequent use?

That is why, just like in the previous report, the commission has called on the legislator to amend the Act respecting the protection of personal information in the private sector, in order to specify when the information must be given to the person in question, to include the obligation to disclose the personal information collected and how it was collected. The commission also stresses the importance of the information being clear, intelligible and accessible, regardless of the platform used to collect the personal information.

In terms of consent, it must be noted that consent is the driving force behind the protection of personal information. In principle, it allows users to control what companies can and cannot do with their personal information. That's only in principle, because the notion of consent is increasingly criticized and considered inadequate in some contexts.

This raises the question of how to give consent its true meaning back. How can it be ensured that it truly means that individuals have agreed to a company managing and using their personal information, giving them real choice in the matter, rather than an opaque legal text created to limit the responsibility of companies to obtain an all-encompassing and irreversible “I agree”?

Therefore, although the Act respecting the protection of personal information in the private sector states that the consent must be manifest, free, and enlightened, and given for specific purposes and that it is valid only for the length of time needed to achieve the purposes for which it was requested, the commission notes that the scope of the criteria for consent is not well understood by enterprises. It therefore feels that clarifications about the obligations of enterprises under each of the criteria for consent should be included in the Act respecting the protection of personal information in the private sector. It also believes that the legislator should indicate that consent may be withdrawn at any time subject to restrictions under the act.

In closing, I must clarify that the commission does not claim to think those amendments will provide a solution to all the current consent-related issues. It believes that discussions must continue and that other avenues must be explored. To that end, in its five-year report, the commission stresses the importance of considering the amendments made to European legislation on the protection of personal information.

Mr. Chair, thank you. I will be pleased to answer any questions you and the other members of the committee may have.

Well, first, while I agree that information flows and really knows, often, no boundaries, it's the information of citizens in particular jurisdictions that is of interest to those citizens, whether it's federal or provincial, as is the case in Canada, or whether it's country by country or the European Union, in Europe. I think those decisions are best left to the legislators in those countries and in those particular territories.

To us in Canada, I don't think it has been complicated. It's well understood that B.C. citizens are protected by our private sector act, and we have the opportunity to focus on their particular concerns when addressing their complaints.

There's a recognition as well in this country, on the part of our offices that have jurisdiction over the private sector, that we work together. For example, when you have breaches that happen in companies that operate across the country, the B.C., Alberta, Quebec, and the federal offices work together in a coordinated way. It's important to our citizens to do that, but it also provides a unified face, if I can put it that way, to the private sector companies that they're not having to deal with the offices individually.

We also extend that, frankly, to the international sector, where we increasingly co-operate with data protection authorities around the world on data breaches. You may be familiar with the recent Ashley Madison breach, where the Canadian office worked with authorities in the United States and Australia and other places. We were also involved in that. There's an increasing level of co-operation between data protection commissioner offices around Canada and around the world.

Essentially all of the private sector complaints that come into our office go through a process of mediation, where the interests of the parties are examined and investigated, and the rights of the individual are balanced with the obligations of the organizations. We say it's a process of mediation in addressing a complaint and determining an outcome in which both parties' interests are given consideration. Organizations, understanding that we do have order-making powers, are certainly more compelled to work creatively or effectively with us through that process.

Well, it continues to increase; every year we receive more reports under PIPA. We have managed so far. I will say I have some concerns. There is some expectation that we'll be seeing mandatory breach reporting in the health sector in Alberta sometime in the fairly near future. That will probably tax the resources of my office.

I will perhaps just say a bit about the structure of breach reporting notification requirements in Alberta, because they are fairly unique— certainly in Canada. While there are some similarities to what's proposed for PIPEDA through the Digital Privacy Act, they're not exactly the same.

In Alberta, the threshold for reporting a matter to my office is where there is a real risk of significant harm. This is the same threshold as for PIPEDA. However, the framework in Alberta gives me the ability to require an organization to notify affected individuals. The act in Alberta does not require the private sector organization immediately to notify. It instead requires them to tell me. If there is a real risk of significant harm, if a reasonable person would think that threshold had been met, then it's an offence for an organization not to report it to me.

When those reports come in, out of the 750 reports that we've received in almost six years, I have an active role in reviewing them. I review the assessment of harm and the likelihood that harm will result from the incident, and I issue a decision for each one.

I think it's very important to be aware of what is happening in Europe. As I mentioned in my comments, one of the things I said to the committee in Alberta that was reviewing our Personal Information Protection Act was that—at least with respect to mandatory breach reporting and notification—I'm feeling pretty good about that. It looks like that's going to be a requirement under the GDPR when it comes into force, and I think we're ahead of the curve as far as that goes.

So yes, I think that's something we all need to be aware of. We certainly need to be thinking about how to strengthen our legislation. Mr. McArthur said that information knows no boundaries, that it's flowing globally. It doesn't work to have a patchwork. You're only as good as your weakest link or your lowest water level.

I certainly think some of the reasons there is interest in this issue have to do with the explosion or proliferation of technology and social media. You can't pick up the papers without hearing about sexting, cyber-bullying, or information that has been posted that you can never get rid of, but is out there. I think some of that contributes to public awareness: the Internet generally, social media sites, and the amount of information that is out there.

Of course, what has gone along with that is the rise of some of websites in particular. In the office we've seen examples of websites where ex-girlfriends or ex-boyfriends can post information about somebody, and it doesn't necessarily have to be accurate, but it's out there, and they're concerned that it's out there. They're concerned that it will be out there forever and that they will never be able to get rid of it. They're concerned that it will affect their ability to hold a job or get a job, so I think there can be real ramifications.

What is the balance? I mentioned in my opening comments some of the concerns around privacy and freedom of expression. We had a matter under Alberta's PIPA that went to the Supreme Court that was balancing just that. The court found in favour of freedom of expression with respect some political information that a union might post. I think all of these issues in this conversation, this technology, and use of social media sites are pushing discussion about it. So I think we will have to be talking about and dealing with them. Court decisions are also furthering that conversation.

As for finding the balance, I think there is a really important role that regulators have to play, that I, as a regulator, have to play, and that the rest of us who are appearing before you today have to play, as information and privacy commissioners, in being able to balance that. Frequently, under freedom of information legislation—which is access to information and protection of privacy legislation—we are trying to balance privacy with the public interest and the right to access information.

There is often a tension that needs to be resolved. I think we have some experience in that as information and privacy regulators. I often don't hear that as part of the conversation around the right to be forgotten. It's often more of a question of whether there are charter issues and how the courts will resolve this, but I do think that there's potentially a role for information and privacy commissioners.

Does that answer your question?

Absolutely. Enforcement powers [Technical difficulty—Editor] infrequently. As I mentioned, close to 90% of the cases that come into our office are resolved informally. We make recommendations, the organization agrees to implement those recommendations, and the matter is resolved. The complainant is happy, and that's the end of it. A small percentage of cases go to inquiry and result in a binding order. It's a very, very small percentage. I think that only once in 10 years have we actually gone to court, filed an order in court—and even that ended up being resolved before the court heard the matter. It's a helpful tool in the tool box, but it's a last resort.