Thank you very much, Mr. Chair.
Good afternoon everyone.
I'm honoured to be invited here. Being a retired person, I don't have a formal presentation, so I hope you will bear with me. There are some handouts, which are notes on which I based my remarks.
I've read the transcripts with great interest. You have a variety of opinions of some very expert people. I'm going to focus, in my short presentation, on areas in which I think I have more experience. I'm going to divide my remarks in a chronological fashion, that is, dealing with what's coming up, what is already extant, and what has already been suggested to you.
I'll start then with the future, the challenges for PIPEDA. You will not be surprised that I'm going to single out the effects of the general data protection regulation of the European Union. I have spent part of my retirement working with some other people on a scholarly article on the administration of the adequacy principle, so it's more recent than some other issues to my mind.
You will have already heard that there's a more rigorous test than the one that PIPEDA went through in the past: effectively equivalent. The problem is that there are no real specifics. The more serious problem is that in the European Union, in the study I made of all the adequacy decisions that had been made and the ones that had not been made for which analyses had been done, there is a very checkered history of evaluation of countries' personal information protection frameworks.
You should also realize that there's a huge amount of pressure within the European Union post-Snowden both from activists and political parties to be rigorous in imposing European standards on the rest of the world.
In looking at what PIPEDA may need for the future, I would say it's best to aim high and to remember that it also applies to the European standards, that is, the public sector use of personal information as well. There is an overlap to my mind in EU law between the right of erasure or correction, which is already in PIPEDA, and the right to be forgotten. Several of the people who have appeared here have said that they don't know whether the right to be forgotten exists in Canadian law.
It actually has existed in Quebec law, and as we are a bi-juridical country, it exists in Canadian law and has for quite a long time. I heard about the right to be forgotten when I was in law school, and I graduated in 1980 so that's a long time ago. There is jurisprudence on the right to be forgotten, and I encourage the committee to take notice of this.
I would encourage you to distinguish, as not all of your witnesses have, between the right to be forgotten, which has been interpreted so far in the European Union as the right to delink information in search engines, and an act of destruction of original information. I don't think anybody I've heard is talking about this, but it seems to be a bogeyman that comes out somewhere as soon as we talk about the right to be forgotten. That's not what is involved at all.
I would urge you too to remember, as all the witnesses in my opinion have not, that PIPEDA is a law that only governs federally regulated business. It does not govern individuals, and it does not govern a host of things that are in provincial jurisdiction.
Coming back to the right to be forgotten, interestingly in the recital—that's what they call it; we call it a preamble—to the general data protection regulation they talk about the reasons for it, including the right to take down postings that you may have made on the Internet in your youth and which you now regret. I would urge you to think about that as a reason for motivating some extended possibility of having things taken down and to think about it in the context of the human right to dignity, the right that, I think, we all have to be a person who evolves. What you do at 16 is not what you're going to do at 36 as you're contemplating running for office or something else. I think that's just taking into account human nature and a necessary respect for human dignity.
The committee has heard other ideas, such as special rules for children. Again I would encourage you to think about the division of powers, which is a reality in our Canadian constitution.
One thing you might look into is the possibility of putting within PIPEDA some kind of special mention for the Office of the Privacy Commissioner or for the commissioner to harmonize, to discuss with provincial counterparts, and to support the development of strong, compatible laws throughout Canada, given that so much personal information protection comes under provincial jurisdiction. This is because criminalizing behaviour, in my opinion, is not always the best way. That's the federal jurisdiction for personal behaviour. It's not the best way to deal with a lot of things.
I'll move on secondly, Mr. Chair, to what is trending now, and I'll refer to what are the current values of Canadians.
I think transparency is now a hallmark of democracies, post-Snowden. We've seen recent examples of demands for more transparency from public figures, and so on.
I would contrast this with the very opaque system of some 20 years ago, when it was originally devised, by which PIPEDA is administered. No real thought was put into it at the time, because there wasn't a huge public preoccupation with what the public can see or what the public can understand about the application of personal information protection. It was a convenient ombudsman model. It had been adopted by the Canadian government in the late 1970s from Scandinavia, where at the time the countries were almost totally homogeneous, ethnically and socially, and where there was and still is a huge public trust in government.
I think also that the public should know more about complaints against commercial organizations. One reason is that many things don't seem to have improved over the years with the present system. I'll refer you to the recent posting of the Office of the Privacy Commissioner on March 15 about a complaint into the use of personal information by a Canadian bank. I think there would be more impact among the public if both this particular bank and the retailer involved in this incident were named.
Again on the same theme of transparency, I'll remind you of the need for business organizations themselves to be transparent in their use of personal information that they hand over to government agencies, the police, CSIS, etc.—hopefully always legally.
Secondly under the theme of transparency, I'll talk about individual empowerment. The Office of the Privacy Commissioner has an important budget, but it is not a budget that is commensurate with the challenge of protecting personal information in this century. I believe that investigating individual complaints is a time-consuming and not very productive way of trying to enforce privacy rights for Canadians. I think the system should be modified. The commissioner should be able to do as the U.S. Federal Trade Commission does: look at the complaints that are made as a bellwether of public opinion, pick and choose the complaints he or she wants to investigate, and then give individuals commensurately the right to take their own case forward to the Federal Court.
Finally under the theme of transparency, I think we have to allow the Office of the Privacy Commissioner to concentrate on areas in which there are new and serious threats in the changing context of new technology and new behaviour, and therefore, not investigate every complaint. We, therefore, also have to give the commissioner broad audit or self-initiated investigation powers. These are necessary, I think, to strengthen the accountability principle, which is coming forward as consent becomes, for such technological reasons as big data, ever more difficult. The need to stand ready to demonstrate that you are accountable becomes a key part of a modern enforcement scheme.
I'd also mention ethics, but I think ethics need to be placed within a more rigorous framework.
Finally, as for the previously determined missing elements, suggestions were made long ago regarding the review of PIPEDA. As you will recall, there was a report in 2013 outlining four points, and I made a recommendation a few years ago that political parties themselves be subject to PIPEDA.
In the wake of two decisions made by the Supreme Court of Canada, one of which was handed down barely a few months ago, I believe that a review of the act should include giving the commissioner clearer powers to conduct investigations, notwithstanding the protection conveyed by jurisprudence and the legislation regarding privileges. Counsel-client privilege has evolved enormously since the 19th century in our society. I believe that privilege no longer has any reason to exist with regard to complaints or allegations of inappropriate use of personal information, and should not prevent a commissioner from conducting an investigation in that regard. The act must thus contain clearer and stronger language.
I would conclude by pointing your attention to some recent work, which I think is the most contemporary work on smart regulation. It's out of the University of Oxford, by Professor Christopher Hodges. It talks about what successful regulation is.
Successful regulation is really about influencing behaviour, and influencing behaviour in a variety of ways, depending on the context, depending on the issue, and depending on what we used to call the “industry” but may be the “sector” or the “activity”. It could be information to consumers. It could be constant dialogue with the regulated entities. It could be creating peer pressure through action within that sector or that activity.
It's about making responses seem targeted, fair, and proportionate to what the problem is, not automatic or because the law says so: “We're going to investigate you, because I have to investigate every complaint; therefore, you're going to have to pay for a lawyer to see this through.” That's not necessarily, I think, fair or proportionate. It's about rewarding those who can demonstrate compliance and about sanctioning inappropriate behaviour.
I would encourage you in moving forward to give the Office of the Privacy Commissioner more flexibility to take on a wider range of regulatory approaches, given the changing needs over time.
Thank you very much for your attention.