Information & Ethics Committee on Feb. 23rd, 2017

I think the GDPR's mixed approach is the good one, regardless of the percentage, because even at 4%, I think it's still calculated based on the number of citizens affected by potential breaches of confidentiality and depending on the area.

We know that there are fewer citizens in Canada than in the European Union. On the other hand, it is important not to have a simple percentage, because 4% of a small structure, for example a start-up company, is not much. The company might want to take the risk with its investors and tell them to go ahead. If anything were to happen, at most, it could be about 4% of $500,000. That’s peanuts. That’s why it has to be doubled.

For example, in France, until 2016, the maximum amount was $150,000 for the first fine and $300,000 afterwards. It did not work. France has just raised this to a single amount of $3 million. This was adopted almost at the same time as the Regulation, which in my view also reflects the number of citizens concerned within the boundaries of a certain territory.

I know that in the very early days of PIPEDA there was a lot of talk about trust marks and trust seals and so on. People tried them. They haven't really gone very far. I think there have been concerns about the counterfeiting or faking of trust seals and trust marks as well. I'm not sure how viable that is as a solution.

There are interesting technological developments as well. People are working on codes and apps, for example, that will scan and rate privacy policies, so I would be hesitant to go with a trust mark solution when there may be other technological tools that would be more useful and more effective in terms of helping consumers understand what the privacy policies are.

That said, I know that for some time we've been talking about privacy by design and privacy by default. Those are important principles. It may take amendments or changes to the law to get people's attention on them.

That was the original case at the ECJ, yes.

No. I think the judgment of that specific case was terrible. That's a lot of what I was speaking to in terms of the lack of clarity and in terms of the solution that was proposed.

As well, specific to that case, I don't think it's a very good test case in terms of the right to be forgotten. In my opinion, the specific information that's at issue in that case, which is a person's bankruptcy or some sort of financial difficulty that they were in 15 or 20 years ago, is absolutely relevant. That information should certainly still be available. I think what they—

Oh, oh!

I could jump in on that.

I think there would be dangers in splitting it up. Increasingly over time the commissioner's approach has been to try to create guidance that is specific to particular sectors or particular contexts so that you have one law that applies to all, but how it applies in particular contexts may be different. The commissioner's office has given attention to mobile apps, and has given attention to fitness devices, and has looked at various specific things with guidance to small businesses and guidance to businesses in particular sectors.

The code of practice model is one that I think is also getting more attention now. This is the idea that perhaps some sectors could work together to develop codes of practice around certain types of information collection use and disclosure within the context of their particular operations, and that this could somehow be developed in consultation with the OPC and approved by the OPC. You would start to shape norms and guidance around particular sectors under the umbrella of one law and one commissioner. It seems to me that this would be a preferable approach to dividing it up and having separate laws.

The other thing, of course, is that some companies start out being brick and mortar companies, then go online, and then they develop apps. Businesses are constantly changing in terms of their information practices and needs.

I have nothing to add.

[Inaudible—Editor] against relying on market incentives or thinking that companies that have a direct interest in keeping their users' information secret or following better practices will necessarily do that. Ashley Madison is a great example of a company that had a direct interest in having strong security and strong privacy protections, had nothing good in place, and didn't follow any industry best practices to safeguard user information or protect users' privacy.

I do think that the idea of building a degree of flexibility into how—

Certainly, it was a failure of that company, but I think you could say that the fact the company was allowed to operate the way it did, with such shoddy security practices, was potentially a failure of legislation or a failure of enforcement, in the sense that there were basic security mistakes being made that weren't necessarily being monitored or followed up on.

It's well established to have different rules in place for protecting children in terms of gathering their information and tracking their information. I think there's a huge challenge online in implementing that, because it's quite difficult, I think, in terms of people who navigate to a particular website to know how old the users are. You can require them to enter their birthdate, but again, that's not a particularly difficult hurdle to overcome—

Because you can't necessarily know how old the person is who's on the website, I think the best option is to look at those websites that are directly targeting children, or that have a target audience geared towards younger web users, and to maybe expect a stronger standard to be imposed on them.