Evidence of meeting #48 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Michael McEvoy  Deputy Commissioner, Office of the Information and Privacy Commissioner of British Columbia
Drew McArthur  Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
Jill Clayton  Commissioner, Office of the Information and Privacy Commissioner of Alberta
Cynthia Chassigneux  Administrative Judge, Surveillance, Commission d'accès à l'information du Québec

4:15 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Mr. McArthur, I didn't hear you really touch on the right to be forgotten. Do you have an opinion on how you find that right balance, if you don't mind?

4:15 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

Yes, thank you.

There are a couple of points to be made on the right to be forgotten. Today, with the Google v. Spain decision, the right to be forgotten is one of delisting, whereby the results of a search do not display the information, but the source of the information is still available. In the general data protection regulation in Europe, the right to erasure is broader than just delisting or limiting the results of a search. These two differences, where in one case the personal data of a subject can be erased versus where it is just prohibited from being displayed by search engines, are not subtle differences between some people's interpretations of the right to be forgotten, and it needs to be carefully considered when dealing with legislation.

4:15 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Cynthia?

4:15 p.m.

Administrative Judge, Surveillance, Commission d'accès à l'information du Québec

Cynthia Chassigneux

In Quebec, another piece of legislation about the private sector provides for the possibility of correcting or deleting information that is inaccurate, incomplete or equivocal. In fact, a request for rectification from an individual has been filed with the Commission d’accès à l'information. This request was considered by the adjudicative division, but not by my division, namely the oversight division. So it was not a complaint.

This person requested that their personal information be deleted from the site of the company for which they had worked. The company said that the information had been deleted after the dismissal of the person. The person found that this had not been done and that it was still possible to find their information if they did a search through a search engine. The evidence showed that the information about the person came from a website called Wayback Machine, which allows people to take screenshots of a site at a given time. So the company was not responsible. The company had deleted all the information it had on that person from its database.

It was determined that, and I quote: “the right of a person to have incorrect, incomplete or equivocal information corrected in a file about himself or herself is not the 'right to be forgotten', which aims to erase information from public spaces.”

Yes, a decision has been rendered by the adjudicative division, but to my knowledge, no complaint has yet been made to the commission’s oversight division. We follow this closely, taking into account what has happened in Europe and the various decisions that may have been made, in order to see how Europe's regulations could be tied in with Quebec's.

4:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

We now move to Madam Trudel, for seven minutes, please.

Welcome to the committee.

4:20 p.m.

NDP

Karine Trudel NDP Jonquière, QC

Thank you, Mr. Chair.

Thank you very much for your presentations.

As my colleague Mr. Bratina said, this is a very complex issue. Since I am new on this committee, you will forgive me if I don't use the proper terms.

My questions are for you, Ms. Chassigneux. I am from Quebec and I am pleased to speak to you about Ottawa.

When you talked about consent and the phrase “I agree”, images popped up in my head. Yesterday, I was actually surfing a site and I had no way of accessing it without agreeing to give my consent. I’m going to ask you about that, but beforehand, I'd like to hear your opinion on another issue.

In your presentation, you said that European legislation has explored other avenues and you left it at that. Could you elaborate on those other avenues? What should we do to make our lives easier and to bring Canadian legislation more in line with the European legislation?

4:20 p.m.

Administrative Judge, Surveillance, Commission d'accès à l'information du Québec

Cynthia Chassigneux

In my presentation, when I spoke of other avenues, I was also referring to the consent document of the federal commissioner's office and the document submitted to committee members. These documents show the different possible avenues.

Last fall, the federal commissioner's office conducted a consultation. The other avenues considered related to the issue of whether we should move toward no-go zones where it wouldn't be possible to collect personal information and whether we should have much more detailed privacy policies. Also, in its 2011 five-year report, the Commission d'accès à l'information had already recommended that legislators establish detailed privacy policies.

In other words, there would be a fairly detailed general policy and a simplified policy. It's what we call multi-layered policies. These simplified policies can be adapted to each communication tool, such as a cellphone, tablet or computer. There could even be icons or pictograms showing that the required consent concerns people under the age of 13 or parents. It would be something very visual.

As you said, we can't access certain sites without clicking everywhere or filling in all the boxes. To provide a simple email address, does the person's location need to be known and does all sorts of information need to be collected? It happened to me this past weekend. I won't name the site, but we can't register for it without filling in an entire page that contains at least 10 questions.

In this type of case, is our consent truly free and informed? We must ask ourselves these questions. The answer lies in the question.

4:25 p.m.

NDP

Karine Trudel NDP Jonquière, QC

Thank you. I appreciate what you're saying. We may not have consulted the same site, but the same thing happened to me.

I think the consent issue should be better regulated. We aren't free to either access these sites or refuse to disclose our personal information.

I'll go back to the consent model, since I have problems with this aspect in particular on both a personal level and in the study.

What can we do?

You spoke earlier about a person and the right to be forgotten. Another site had captured the images of this person. For me and no doubt for many others, the Internet is a vast territory. It goes on for miles and miles.

My question is really limited, but I want to know what can be done to prevent these incidents from happening after a person has provided personal information and agreed to its disclosure.

Could we implement stricter processes to prevent this type of situation, including the one you mentioned earlier?

4:25 p.m.

Administrative Judge, Surveillance, Commission d'accès à l'information du Québec

Cynthia Chassigneux

Some people think the sites should be required to set preference parameters. When we enter a site, we can agree that our information may be shared for a particular purpose. However, sometimes the site then changes its business model or approach. As a result, our preference settings may be changed. However, in these types of situations, the site should notify us that the privacy policy or preferences have been changed. When a site changes its business model, the preferences indicated by people on the site should be maintained. The businesses are responsible for doing this. That's a fact.

However, as I said earlier, consent is a shared responsibility. One person shouldn't be carrying the entire burden. That person is not responsible for making sure the privacy policies are suitable. A Quebec resident or business can read the policy. However, we all know that, in general, we don't necessarily have enough time and energy to read the privacy policies. Studies have even determined how much time would be needed to read all the privacy policies of the sites we visit each day.

Our preferences must be maintained if a site changes its business model. It would then be our job to check from time to time whether our preferences are still the same. It's a shared responsibility and a matter of finding a balance. That's one solution. I can't think of any others for the moment. If you want, I could provide more information to the committee later on the subject.

4:25 p.m.

NDP

Karine Trudel NDP Jonquière, QC

Thank you.

4:25 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

We'll now move to the last of the seven-minute rounds.

Mr. Saini, the floor is yours for seven minutes.

4:25 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Thank you all very much for being here.

I wanted to touch on Mr. Bratina's point because I wanted some clarity.

We know that in May of 2018, the GDPR is going to come into effect. Having just recently signed CETA, we know that for our business people, we have to come into compliance with that data protection regulation. We also know that if the United States wants to do business with Europe, it will have to come under that regime also.

Am I assuming correctly?

4:30 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

Are you addressing that question to—

4:30 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Yes. Just the line of questioning....

If we have to come to the standard of the GDPR, I would assume that the United States would also have to come to the standard of the GDPR.

Now, when I look at the privacy regimes in Canada, I see there are actually four. There is PIPEDA, and then there's what they determined in Alberta, B.C., and Quebec to be substantially similar privacy information protection acts. If you look domestically, if we're looking at reducing internal trade barriers and also looking at the fact that business people in provinces across Canada will have to raise their level to the European standard, would it not be...? Even right now there are differences between Alberta and B.C. Alberta and B.C. have three types of consent. Alberta has a privacy breach provision; B.C. and Quebec don't have a privacy breach provision. Ultimately, if we're going to rise to the GDPR level to make sure that we trade, eventually the whole country will have to have something that's much more substantially similar than what we have now—and also if the United States rises to that level, would it not be better to create one regime across the whole country?

4:30 p.m.

Deputy Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Michael McEvoy

May I just make a comment about the U.S. regime?

I think they have some significant challenges. They have used a mechanism described initially, I think, as a “safe harbour”, which is almost a self-certification system for U.S. companies doing business in Europe. That was challenged in court in Europe and in fact went down; it was ruled contrary to European law. They then developed a privacy shield, and I gather that there are challenges to that.

The United States has a very patchwork approach to privacy, and it's often sectoral. There might be a law for child protection; there might be a law through the Federal Trade Commission for unfair trade practices. They don't have a uniform, standard approach to these things.

Frankly, this may actually be a Canadian competitive advantage in dealing with our European colleagues.

I wouldn't overstate the differences among our Canadian jurisdictions. There's some similarity in the consent provisions. I think we would agree that on the mandatory breach notification, everybody is going to have to come up to that standard. Nonetheless, there is some degree of uniformity across the country, in addition to the fact, which we mentioned earlier, that there is cooperation among our offices across the country.

4:30 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Alberta

Jill Clayton

I would like to add to that, to back up what Michael has said.

Remember that Alberta's legislation and B.C.'s legislation, for example, were drafted at almost the exact same time using almost exactly the same language, so they're very similar. Both have been deemed, along with Quebec's legislation, to be substantially similar to the federal PIPEDA.

Yes, it has been the case that certain provinces have gone ahead with.... We talk about “made in Alberta” legislation. That's the way the legislature wanted to act back in the early 2000s. The idea was that made in Alberta legislation could better address the issues of small and medium-sized businesses, and there was a lot of support for local enforcement, frankly, with a commissioner who has order-making power.

Having said that, we have seen efforts to bring all jurisdictions to the same level. Even though reviews have happened provincially and at a federal level, I think we're all going in the same direction, getting there at slightly different times, perhaps.

I would also like to go back to the comment that I think Michael made earlier, that we cooperate across the country in the private sector jurisdiction. We meet and discuss as regulators and make an effort and devote a lot of energy to making sure that we are regulating in a consistent and harmonious way, to not introduce challenges where there don't need to be challenges. There are differences in the legislation, but generally the acts are quite similar.

4:30 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I want to go back to a point you raised about children and their privacy. In the United States, the FTC handles the privacy of children under the age of 13, and with the GDPR regulations coming out, the age will be 16. I don't know whether in PIPEDA we have defined in law the age of a child who is considered a minor, but we know that many websites in the United States, especially children's websites, are more highly tracked than adult websites.

Should certain children's websites be no-go zones from which no information can be collected or processed? Under the FTC right now, any child under the age of 13 on certain websites needs parental permission, and for anything over that, the permissions can be circumvented by a child. Should there be a no-go zone in certain children's websites to make sure that their information is not tracked or their privacy breached in any way?

4:35 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

I'll take a first shot at answering that.

PIPEDA does not recognize age as an issue for the collection, use, or disclosure of personal information. Citizens of all ages are protected under PIPEDA.

In the B.C. act, a minor who is capable of exercising his or her rights may legally do so under the act, and if the child is not capable, someone acting in the best interest of the individual may act in their capacity. Children, then, are protected already under the B.C. act, and personal information of any citizen, regardless of age, is currently protected under PIPEDA.

4:35 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

That takes us to the end of the seven-minute round.

We begin the five-minute round with Mr. Kelly.

February 21st, 2017 / 4:35 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you, Mr. Chair.

Commissioner Clayton, in your opening remarks, you talked about discussing our exercise of identifying areas for improvement or shortcomings, if any, in the subject matter we're looking at. What shortcomings have you identified in PIPEDA, or for that matter in PIPA, your own act?

4:35 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Alberta

Jill Clayton

I'm happy to answer that. If I can clarify, when I was talking about areas for improvement, that might have been specifically in some comments I was making about consent. Is your question specifically about limitations of the consent model?

4:35 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

No, it's not.

4:35 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Alberta

Jill Clayton

Or is it just about general limitations in the legislation?

4:35 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

It's limitations in the legislation.

4:35 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Alberta

Jill Clayton

I'll start with my own legislation. I did make a submission recently on Alberta's second legislated review of its PIPA. That concluded at the end of last year. My submission to the review committee included 10 recommendations for strengthening the legislation. I said I thought that PIPA worked quite well. I think it's strong legislation. Again, the made in Alberta solution was supposed to be legislation that would make sense to smaller organizations. The feedback I've had from small and medium-sized businesses is that it works quite well from an enforcement point of view as well.

We've had very few recommendations, and some of them are not applicable in the federal context. For example, I had asked to extend the scope of Alberta's legislation to include all non-profit organizations, which is the case in British Columbia, but is not the case in Alberta.