Thank you very much, Mr. Chair, for inviting us here to review the Personal Information Protection and Electronic Documents Act, or PIPEDA.
British Columbia's private sector privacy law is the Personal Information Protection Act, which I will call the “B.C. act”. As acting commissioner, I oversee how it is applied to over 380,000 private sector organizations, including businesses, charities, associations, trade unions, and political parties. The B.C. act is substantially similar to PIPEDA.
I will address in turn the items raised in the federal Privacy Commissioner's letter to this committee.
First, meaningful consent is a key aspect of PIPEDA and of privacy laws around the world, including the B.C. act. Although these acts were designed to be neutral with respect to technology, we are now seeing challenges to that neutrality with big data. There are concerns that some organizations are somewhat vague in their description of the purposes for which they use personal information.
To provide consumers with a better understanding of how their personal information is being used, organizations need to include clarity of purpose in the use of personal information for data analytics in their notifications to consumers. We believe this can be done within the existing consent-based model. Still, big data analytics represent a potential for both positive and negative outcomes to individuals.
Many of Canada's privacy commissioners and a group of Canadian organizations have been working with the International Accountability Foundation to examine the use of ethical frameworks in addition to existing privacy frameworks in the processing of personal data. These can be very complex and challenging issues. In practice, my office has not seen a situation where consent could not be obtained to enable a valid use of information. Granted, organizations could improve on how they describe their data processing activities in their privacy policies and use cases. Some suggest that organizations should be explicitly authorized to de-identify data so that they may then conduct data analysis without needing to obtain the consent of the individual. This approach would authorize data analytics on information that was already collected but not collected for that purpose.
My concern with this approach is that it is becoming easier and easier to reidentify data, using increasingly sophisticated algorithms. It may be that in a number of years, these reidentification techniques will be so effective that any previously de-identified information will be able to be reidentified.
Some jurisdictions are addressing this problem through legislation that allows processing of de-identified personal information while mitigating against the risk of misuse. Australia is now considering a bill that would make reidentification an offence, with intentional reidentification subject to a criminal offence with up to two years of imprisonment or a fine.
Recent amendments to Japan's Act on the Protection of Personal Information contain requirements for secure processing of de-identified information, including that reidentified information must be processed in a manner such that it cannot be reidentified and it must be handled securely, even though the information is de-identified.
Turning now to privacy and reputation, today personal information that is online or stored in databases has a permanence and availability that did not exist prior to the emergence of digital technologies. The ready availability of this information can, at times, have significant impact on people's lives, for better or for worse.
There are limited tools available to have personal information removed or corrected in the B.C. act, as in PIPEDA. An individual has a right to withdraw consent, but this is subject to exceptions, such as where withdrawing consent would frustrate a legal obligation. An individual also has a right to request correction of their personal information. However, these are not comprehensive tools if someone wants to eliminate their digital footprint, in whole or in part.
While the B.C. act and PIPEDA can provide some redress where incorrect personal information is being disclosed online, there is also the potential for the disclosure of truthful information to cause harm. This is where the right to be forgotten, the right to erasure that exists in Europe, is useful to individuals who have experienced damaging effects to their reputation owing to information that is online.
While I can see the potential benefit of creating such a right in Canada, as others have observed, it remains to be seen how a right to be forgotten could exist within our legal system alongside the right to freedom of expression. We are seeing many unanticipated consequences of the implementation of the right to be forgotten, so it is a concept that must be approached carefully.
One of these issues is the ability of governments to undertake censorship, and another is that the right to be forgotten is being administered currently by private sector organizations.
On enforcement powers, personal information has become integral to the business model of a number of companies. In this context, order-making power is essential to any privacy commissioner. I believe order-making powers need to be used effectively and judiciously. Allow me to describe how they are used in my office.
Relationships with organizations and public bodies are critical to providing effective oversight over B.C. privacy laws, and order-making powers may, indeed, encourage organizations to work with my office. More than 90% of the complaints to my office are resolved at mediation. My investigators have expert knowledge on B.C.'s privacy laws and work to help parties understand their respective rights and responsibilities. At mediation the parties are aware that, if a resolution is not reached, the matter may go to adjudication, resulting in an order. This encourages the parties to work with us at mediation to find a resolution. Orders from my office require that organizations bring themselves into compliance with B.C.'s private sector privacy law.
The act sets out the kinds of things I may do; for example, to require that a duty be performed under the B.C. act, and I have the authority to specify any terms and conditions for fulfilling that duty.
On the matter of adequacy, now that Europe's general data protection regulation has passed, ensuring that Canada's privacy laws also provide an adequate level of protection will assist businesses that rely upon personal information flows from Europe to Canada. The GDPR says that an adequacy determination can be made where a country or territory offers levels of protection that are essentially equivalent to those within the European Union. Note that an adequacy finding can be made for a territory; so interestingly, a provincial privacy law could be found to be adequate for transfers, even if PIPEDA is not. Essential equivalency is the bar, so there is some work to be done if adequacy is to be maintained.
I've already mentioned the right to erasure. Here are two other areas for consideration.
Parliament has already addressed breach notification under PIPEDA. In B.C., my office recommended mandatory breach notification for both the private and public sectors in the recent legislative review of B.C.'s privacy laws, and the provincial government has committed to doing so.
In Europe, failure to notify can be subject to administrative fines of up to 10 million euros, or 2% of a company's total worldwide annual turnover, whichever is higher. In other areas, fines may be as high as up to 20 million euros, or 4% of annual turnover, whichever is higher. In B.C. and Canada, our fines do not keep up with these standards.
Before I wrap up, I want to comment on one additional area. In response to the Spencer decision by the Supreme Court, law enforcement agencies have indicated that they want warrantless access to online subscriber information. A change like this in PIPEDA would not be consistent with the reasonable expectations of Canadians. Warrants are already available for circumstances that require them, and judicial oversight is critical to public confidence in how personal information is released or disclosed.
Thank you very much, and I'd be happy to respond to questions at the appropriate time.