Evidence of meeting #53 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
5:10 p.m.
Conservative
The Chair Conservative Blaine Calkins
Colleagues, you will notice that the bells are ringing. Apparently, we have an unscheduled vote that has been called in the House. The 30-minute countdown clock has started. If we wish to proceed any longer, we will need unanimous consent from the committee to do so.
Madam Trudel still has about three minutes left in her time, and we still have about seven minutes left to finish the first round. Might I suggest that we finish the first round, if we have unanimous consent to finish the first round, to make it worth the time for our witnesses, and then proceed to the vote? Do I have unanimous consent to do that?
5:10 p.m.
Some hon. members
Agreed.
5:10 p.m.
Conservative
The Chair Conservative Blaine Calkins
Thank you, colleagues.
Madam Trudel, please finish with your time.
5:10 p.m.
NDP
Karine Trudel NDP Jonquière, QC
Thank you.
Do technological developments have an impact on the technological neutrality of PIPEDA?
5:10 p.m.
As an Individual
I am going to ask the current practitioner to answer your question.
5:10 p.m.
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
I think PIPEDA has the flexibility to address new technologies. The challenge is to do it quickly enough. Some of the things that have been discussed, and that the Privacy Commissioner's office has done in the past and is doing now, are to proactively address specific issues like the right to be forgotten and looking at consent to see whether it's keeping up. Maybe issuing context- and sector-specific policies to address specific issues that are emerging under the broader principles can help it continue to do that.
I think the potential for it to address these new technologies is there. The challenge is that it is still mostly complaint-based, even though there are many proactive measures coming out of the office. But I think the flexibility is there to do that, if that helps.
5:15 p.m.
Vice-President, Privacy and Access Law Section, Canadian Bar Association
I agree. PIPEDA is sufficiently flexible to allow us to take into account the changes due to new technologies.
In 2001, there was no Twitter, Facebook, Google or LinkedIn. None of those services existed at the time. And yet those organizations and the Office of the Commissioner managed to resolve complaints and they still do. Technology does evolve, but PIPEDA is flexible enough to allow us to adapt to these changes. As I mentioned previously, the act was drafted with an eye to keeping it neutral.
5:15 p.m.
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
The one thing I would add is just that in our comments we flagged the issues arising from algorithmic decision-making and automated decision-making. I think those are ones that PIPEDA has struggled with analogs of in the past. That's an area that's technologically becoming very central, so a lot of decisions are becoming automated in ways that are very opaque. The commercial secrecy that can attach to those makes it very difficult to even understand how the decision was made, and because that decision is based on personal information, that is something that PIPEDA has historically tried to address.
I think it's going to be a problem down the road that should at least be examined in a very context-specific way, and it affects children, adults, everyone.
5:15 p.m.
Conservative
The Chair Conservative Blaine Calkins
Okay. Thank you very much.
In order to make sure we get to the vote on time, we'll now move to Mr. Erskine-Smith. Try to keep it within seven minutes, please, sir. Thank you.
March 23rd, 2017 / 5:15 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Absolutely.
Thanks to all of the witnesses.
I got married a number of years ago. When I and the wedding party bought our suits for the wedding, we bought them from Indochino online. For the next few months, after I logged into my Gmail, I got a Google ad popping up, saying “Visit Indochino”. I don't recall reading the policy when I signed up for Gmail. I don't recall what I consented to. Apparently I consented to that.
Now I'm okay with that targeted advertising, but I want to ask Ms. Morin this. You say the consent model works. I think the principle-based model that we have under PIPEDA is why you have all said it has stood the test of time in its own way. Now I take your position, Ms. Morin, that we ought not to change the consent model if it's working just fine for private practice.
Ms. Stoddart and Mr. Israel, should we be looking at ways to change the consent model? The current Privacy Commissioner has a discussion paper right now that talks about big data and the Internet of things, and suggests that perhaps the current consent model is insufficient. Is it insufficient?
5:15 p.m.
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
I think you can get to a more robust consent requirement with the principles that are there. We suggested incorporating privacy by default explicitly as a guiding principle. I glossed over it a bit because you were short on time, but I would emphasize the need—in those situations—to have a pop-up that says, “Oh, by the way, we're going to read through your emails, and if there's something that says 'suits', you're going to get suit ads. If not, go here and check over here”. Privacy by default would push a more explicit interaction there. There is a choice.
5:15 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
That doesn't sound like a change to the law per se—perhaps in regulations. It wouldn't be a change to PIPEDA. You're saying that it would be building on the current principles in PIPEDA.
5:15 p.m.
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
I think currently that's implied, but if it becomes more rigorous, such as something that goes to every single device you have in your house and your TV is recording you by default, I think you can get.... There's a principled way of getting there as well as the legislative way. A legislative way would provide the guidance to push you there.
5:15 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
All right.
Ms. Stoddart, do you have any views on whether we're actually building upon the current consent model?
5:15 p.m.
As an Individual
I think we should look with interest on the work that will come out of the Office of the Privacy Commissioner, just because they have a lot of expertise and a lot of input.
I think what's interesting is what is being done in the European Union. If I understand it correctly, certainly consent is being strengthened. Consent has to be robust and forthright, and up front, but then they say there are areas where you don't need consent unless there's something that they call the overriding interests and rights of the data subject. I wonder if that would not be a clearer way to go for everybody, rather than this gradation of opt-in, opt-out, implicit consent, and upfront consent. I would encourage—
5:20 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Do we wait for the Privacy Commissioner's recommendations, consider them, and go from there?
5:20 p.m.
As an Individual
Yes, I think they probably spend more time than any of us on thinking about this.
5:20 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
In the interests of time, for public reporting requirements with respect to data shared with law enforcement agencies, Ms. Stoddart, you recommended a change when you were Privacy Commissioner.
Mr. Israel and Ms. Morin, should we be imposing a clear transparency requirement on the information that is shared with law enforcement agencies, at least to know the number of times such information has been shared?
5:20 p.m.
Vice-President, Privacy and Access Law Section, Canadian Bar Association
My answer will be easy. We don't have a view on that.
5:20 p.m.
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
Yes, we would recommend one. We would recommend maybe not a blanket one per se, but a mechanism that would explicitly allow the Privacy Commissioner to impose sector-by-sector and scope obligations. It may be more appropriate for some.... Electronic communications is easy, I think. For others, such as the restaurant sector, maybe they get one a year, but they don't need a transparency report.
5:20 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
My last question is with respect to the powers of the Privacy Commissioner.
Ms. Stoddart, you recommended improvements to powers, but that wasn't clear to me. You set out a range of different options: statutory damages, administrative monetary penalties, and order-making powers. Do you have a strong view one way or the other about the powers the Privacy Commissioner should have in addition to the current powers under PIPEDA?
5:20 p.m.
As an Individual
Yes. I'm on record as having fairly strong views on the powers of the commissioner. Since my retirement I've gone on to say that today I am very convinced that the Privacy Commissioner of Canada should get out of the business of investigating every complaint that comes to his or her door.
There have been some modifications, but to do smart regulation today and to do smart enforcement, I think you have to be nimble, you have to be sensible, and you have to be up to date. You have to constantly follow what's doing and you have to tailor your response to all the different situations, actors, and technologies.