Information & Ethics Committee on March 23rd, 2017

Thank you very much, Mr. Chair.

Good afternoon everyone.

I'm honoured to be invited here. Being a retired person, I don't have a formal presentation, so I hope you will bear with me. There are some handouts, which are notes on which I based my remarks.

I've read the transcripts with great interest. You have a variety of opinions of some very expert people. I'm going to focus, in my short presentation, on areas in which I think I have more experience. I'm going to divide my remarks in a chronological fashion, that is, dealing with what's coming up, what is already extant, and what has already been suggested to you.

I'll start then with the future, the challenges for PIPEDA. You will not be surprised that I'm going to single out the effects of the general data protection regulation of the European Union. I have spent part of my retirement working with some other people on a scholarly article on the administration of the adequacy principle, so it's more recent than some other issues to my mind.

You will have already heard that there's a more rigorous test than the one that PIPEDA went through in the past: effectively equivalent. The problem is that there are no real specifics. The more serious problem is that in the European Union, in the study I made of all the adequacy decisions that had been made and the ones that had not been made for which analyses had been done, there is a very checkered history of evaluation of countries' personal information protection frameworks.

You should also realize that there's a huge amount of pressure within the European Union post-Snowden both from activists and political parties to be rigorous in imposing European standards on the rest of the world.

In looking at what PIPEDA may need for the future, I would say it's best to aim high and to remember that it also applies to the European standards, that is, the public sector use of personal information as well. There is an overlap to my mind in EU law between the right of erasure or correction, which is already in PIPEDA, and the right to be forgotten. Several of the people who have appeared here have said that they don't know whether the right to be forgotten exists in Canadian law.

It actually has existed in Quebec law, and as we are a bi-juridical country, it exists in Canadian law and has for quite a long time. I heard about the right to be forgotten when I was in law school, and I graduated in 1980 so that's a long time ago. There is jurisprudence on the right to be forgotten, and I encourage the committee to take notice of this.

I would encourage you to distinguish, as not all of your witnesses have, between the right to be forgotten, which has been interpreted so far in the European Union as the right to delink information in search engines, and an act of destruction of original information. I don't think anybody I've heard is talking about this, but it seems to be a bogeyman that comes out somewhere as soon as we talk about the right to be forgotten. That's not what is involved at all.

I would urge you too to remember, as all the witnesses in my opinion have not, that PIPEDA is a law that only governs federally regulated business. It does not govern individuals, and it does not govern a host of things that are in provincial jurisdiction.

Coming back to the right to be forgotten, interestingly in the recital—that's what they call it; we call it a preamble—to the general data protection regulation they talk about the reasons for it, including the right to take down postings that you may have made on the Internet in your youth and which you now regret. I would urge you to think about that as a reason for motivating some extended possibility of having things taken down and to think about it in the context of the human right to dignity, the right that, I think, we all have to be a person who evolves. What you do at 16 is not what you're going to do at 36 as you're contemplating running for office or something else. I think that's just taking into account human nature and a necessary respect for human dignity.

The committee has heard other ideas, such as special rules for children. Again I would encourage you to think about the division of powers, which is a reality in our Canadian constitution.

One thing you might look into is the possibility of putting within PIPEDA some kind of special mention for the Office of the Privacy Commissioner or for the commissioner to harmonize, to discuss with provincial counterparts, and to support the development of strong, compatible laws throughout Canada, given that so much personal information protection comes under provincial jurisdiction. This is because criminalizing behaviour, in my opinion, is not always the best way. That's the federal jurisdiction for personal behaviour. It's not the best way to deal with a lot of things.

I'll move on secondly, Mr. Chair, to what is trending now, and I'll refer to what are the current values of Canadians.

I think transparency is now a hallmark of democracies, post-Snowden. We've seen recent examples of demands for more transparency from public figures, and so on.

I would contrast this with the very opaque system of some 20 years ago, when it was originally devised, by which PIPEDA is administered. No real thought was put into it at the time, because there wasn't a huge public preoccupation with what the public can see or what the public can understand about the application of personal information protection. It was a convenient ombudsman model. It had been adopted by the Canadian government in the late 1970s from Scandinavia, where at the time the countries were almost totally homogeneous, ethnically and socially, and where there was and still is a huge public trust in government.

I think also that the public should know more about complaints against commercial organizations. One reason is that many things don't seem to have improved over the years with the present system. I'll refer you to the recent posting of the Office of the Privacy Commissioner on March 15 about a complaint into the use of personal information by a Canadian bank. I think there would be more impact among the public if both this particular bank and the retailer involved in this incident were named.

Again on the same theme of transparency, I'll remind you of the need for business organizations themselves to be transparent in their use of personal information that they hand over to government agencies, the police, CSIS, etc.—hopefully always legally.

Secondly under the theme of transparency, I'll talk about individual empowerment. The Office of the Privacy Commissioner has an important budget, but it is not a budget that is commensurate with the challenge of protecting personal information in this century. I believe that investigating individual complaints is a time-consuming and not very productive way of trying to enforce privacy rights for Canadians. I think the system should be modified. The commissioner should be able to do as the U.S. Federal Trade Commission does: look at the complaints that are made as a bellwether of public opinion, pick and choose the complaints he or she wants to investigate, and then give individuals commensurately the right to take their own case forward to the Federal Court.

Finally under the theme of transparency, I think we have to allow the Office of the Privacy Commissioner to concentrate on areas in which there are new and serious threats in the changing context of new technology and new behaviour, and therefore, not investigate every complaint. We, therefore, also have to give the commissioner broad audit or self-initiated investigation powers. These are necessary, I think, to strengthen the accountability principle, which is coming forward as consent becomes, for such technological reasons as big data, ever more difficult. The need to stand ready to demonstrate that you are accountable becomes a key part of a modern enforcement scheme.

I'd also mention ethics, but I think ethics need to be placed within a more rigorous framework.

Finally, as for the previously determined missing elements, suggestions were made long ago regarding the review of PIPEDA. As you will recall, there was a report in 2013 outlining four points, and I made a recommendation a few years ago that political parties themselves be subject to PIPEDA.

In the wake of two decisions made by the Supreme Court of Canada, one of which was handed down barely a few months ago, I believe that a review of the act should include giving the commissioner clearer powers to conduct investigations, notwithstanding the protection conveyed by jurisprudence and the legislation regarding privileges. Counsel-client privilege has evolved enormously since the 19th century in our society. I believe that privilege no longer has any reason to exist with regard to complaints or allegations of inappropriate use of personal information, and should not prevent a commissioner from conducting an investigation in that regard. The act must thus contain clearer and stronger language.

I would conclude by pointing your attention to some recent work, which I think is the most contemporary work on smart regulation. It's out of the University of Oxford, by Professor Christopher Hodges. It talks about what successful regulation is.

Successful regulation is really about influencing behaviour, and influencing behaviour in a variety of ways, depending on the context, depending on the issue, and depending on what we used to call the “industry” but may be the “sector” or the “activity”. It could be information to consumers. It could be constant dialogue with the regulated entities. It could be creating peer pressure through action within that sector or that activity.

It's about making responses seem targeted, fair, and proportionate to what the problem is, not automatic or because the law says so: “We're going to investigate you, because I have to investigate every complaint; therefore, you're going to have to pay for a lawyer to see this through.” That's not necessarily, I think, fair or proportionate. It's about rewarding those who can demonstrate compliance and about sanctioning inappropriate behaviour.

I would encourage you in moving forward to give the Office of the Privacy Commissioner more flexibility to take on a wider range of regulatory approaches, given the changing needs over time.

Thank you very much for your attention.

Thank you, Mr. Chair.

Thank you for having me here again. My name is Tamir Israel, and I am a staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa's centre for law, technology, and society, which is at the faculty of law. CIPPIC is a legal clinic that works to advance the public interest in policy debates that arise at the intersection of law and technology.

I want to thank you for inviting us once again to contribute to the important work the committee undertakes, in this instance in relation to its review of PIPEDA.

We note at the outset that in our view the principled framework adopted by PIPEDA has largely withstood the test of time. Its general adaptability has allowed it to keep pace with often rapid and tectonic social and technological changes. That being said, some targeted clarifications and additions to PIPEDA's consent and transparency mechanisms are desirable, while PIPEDA's lack of effective enforceability continues to hinder the full realization of the important rights it grants Canadians.

As this committee has heard, the modern era has strained one of PIPEDA's core pillars: consent. This strain arises from the increasingly complex nature of modern data practices, which in turn leads to opaque data capabilities, powerful incentives that are often directly at odds with those of consumers, and inaccessible privacy policies that seek either to capture this complexity, or at the other extreme, to obscure it in order to maintain flexibility for future organizational practices.

In light of this complexity, it is neither practical nor desirable to expect every individual to gain the necessary expertise needed to assess the data practices of every data service encountered on a daily basis. It would be equally undesirable, however, to jettison the concept of consent in favour of a risk-based accountability framework. Such a framework would effectively amount to open season on individual data. Moreover, it is likely to undermine the adoption and usage of services, as empirical research suggests that individuals' confidence in and adoption of services are greatly tied to the ability to exercise consent over data practices.

Too often, however, this confidence is misplaced. Frequently, individuals' expectations are simply not reflected in the unintuitive privacy policies and data practices to which they implicitly consent on a regular basis. In this regard, formalizing some elements of PIPEDA's existing principled framework could assist in realigning practices with expectations.

PIPEDA generally recognizes that more explicit forms of consent are required where such a disconnect occurs, and especially where sensitive data is involved. However, recognizing an explicit “privacy by default” approach will further underscore the need to obtain user input in relation to privacy practices, helping to narrow the gap between individual expectations and actual practice.

Formally empowering the Privacy Commissioner to impose context-specific restrictions may encourage greater use of PIPEDA's current power to designate certain practices as generally unacceptable, and create context-specific regulatory policies. Greater recourse to such tools would enhance certainty and consistency on the business side, while allowing for more frequent proactive policies from the Privacy Commissioner. A formal procedural mechanism for their development would in turn strengthen the quality and legitimacy of such policies.

Finally, some measures might be considered to address specific data protection challenges raised by data brokers. Such entities amass detailed profiles on individuals from disparate online and offline sources, typically without the knowledge or input of the affected individual, who is usually far removed from the collection process. Information held by data brokers is increasingly used by a range of secondary entities to make decisions that often have serious impacts on individuals. A 2014 report issued by the Federal Trade Commission recommended that data brokers be obligated to create readily accessible portals that would allow individuals to easily determine whether their data is being held by a particular broker and that data's initial source. This would then act as an avenue for the exercise of other rights, such as the rights of correction or erasure, that are already integral components of PIPEDA's existing data quality mechanisms.

This framework could be imposed by the Privacy Commissioner as a sector-specific regulatory policy under subsection 5(3) of PIPEDA, but legislating it may provide a stronger and clearer mechanism.

With respect to enforcement, PIPEDA's recommendation and de novo enforcement model is significantly out of touch with the realities of modern data protection. The individual stakes and counter-incentives under which many organizations operate require a serious and responsive regulatory regime. PIPEDA's enforcement mechanism is procedurally difficult, unnecessarily time-consuming, and lacking in deference to the expertise of the Privacy Commissioner.

Personal data is the commodity of the information age and requires a regulatory framework of commensurate formality. It is unsurprising that most jurisdictions with data protection regimes have included enforceability measures in recognition of this basic truth. Imbuing the Privacy Commissioner with order-making powers will assist the office in its interactions with large multinational organizations, enabling it to better carry out its mandate with the authority of a regulatory body.

Further, the prospect of incurring damages under PIPEDA violations remains currently distant, and the anticipated quanta of such damage is minimal. We have seen recent developments in tort law that have supplemented this gap to a certain degree and have led to a notable improvement in proactive compliance, with privacy implications being subject to class actions.

Class actions in tort are, however, limited in scope to certain types of privacy invasion, and there remains little incentive for robust and proactive compliance with other critical elements of PIPEDA. We would therefore encourage imbuing the Office of the Privacy Commissioner with the power to issue administrative monetary penalties comparable in character to those recently allotted to the Canadian Radio-television and Telecommunications Commission.

We would further recommend examining the development of an independent private right of action, which would allow for individuals and classes of litigants to advance their privacy claims directly. This could be supplemented with statutory damages covering some or all of PIPEDA. It could apply to specific principles and violations or to all of the act, and that would facilitate an analogous regime of private enforcement, further incentivizing compliance.

Finally, some transparency mechanisms would address specific and pressing problems under PIPEDA's current regime. It has become accepted practice in many industries, and particularly those industries engaging in facilitating electronic communications, to periodically report on the scope and nature of state agency requests for customer data. While such reporting is arguably required under PIPEDA's openness principle, we would recommend adopting a legislative mechanism that would explicitly empower the Privacy Commissioner to designate transparency reporting obligations on a sector-by-sector basis and also to impose detailed obligations as to the substance of the obligations. This would lead to more consistent and standardized transparency reporting in lieu of the current incomplete and ad hoc reporting.

A secondary transparency mechanism that would benefit from legislative adoption relates to algorithmic decision-making. Automated processes are responsible for a growing range of determinations that significantly affect individuals' lives. Academic and legal literature has demonstrated that algorithmic decision-making often operates as a proxy for decision-making that is discriminatory on religious, ethnic, racial, disability, gender-based, and other protected grounds. Algorithmic decision-making can also gloss over important individual distinctions in favour of broad generalizations, leading to incorrect outcomes for affected individuals. More generally, algorithmic decision-making often obscures the reasoning that animates a given output, making it impossible to determine precisely why a teacher was fired, a consumer was denied particular advantages, or an individual's credit request was rejected. It then becomes difficult to assess whether a decision is accurate, fair, or discriminatory.

Transparency in algorithmic decision-making intersects directly with core and long-standing data protection principles designed to ensure the quality of data used for decision-making. In PIPEDA this is encoded through the data accuracy principle and the right of individual access to personal information held by an organization. However, commercial secrecy is increasingly used as a means of obscuring the underlying logic of an algorithmically determined outcome. In addition, and in the absence of strong transparency obligations, more sophisticated algorithms are now evolving that wholly obscure underlying considerations even from the companies relying on them.

CIPPIC would therefore recommend the addition of a distinct right of access to the underlying logic of any automated decision-making process, and in particular in relation to automated decision-making with a substantial impact on individuals' lives, their access to economic opportunities, and their treatment on the basis of protected grounds.

The committee may further wish to consider the need to undertake a broader study of automated decision-making in both private and public sectors.

Those are my comments for today. I welcome any questions.

First of all, with great respect, honourable member, I don't think the air will be clear on this for probably a generation.

Yes, I know. I hate to put such a damper on your observations, but I think we have to put this into perspective.

As I said, the right to be forgotten does exist in Canadian law. The easiest parallel to it in law of common law origin is a pardon. A pardon, I think, still exists in Canadian criminal law whereby, if you haven't done anything wrong for...it used to be five years, you can apply to the Governor General for a pardon. That then shields you. It used to shield you from inquiries into your past, except for the police. I don't know now, with the evolution of security checks and so on, what it is, but we have had that principle in our law for a very long time.

The idea is redemption, rehabilitation. I think it's a valuable part of a society that values people, so I urge us to look at the right to be forgotten as it has evolved more recently in Europe—in a civil not a penal law context—in that perspective, given that we already have a right of correction that could be strengthened into a right of erasure.

We as an organization continue also to struggle. We have yet to come to a conclusion on what a properly formulated right to be forgotten could look like. What we've done is go through and identify some of the things it should address and some of the hazards it should avoid.

Maybe I'll give you that and it will help a little.

Hopefully it won't muddy the water further.

We actually view it less as a right to be forgotten, as others have said, and more as related to PIPEDA's data accuracy component. What we hear from people who have issues of a “right to be forgotten” type is that it creates a skewed perception of their reputation by highlighting specific things that are not necessarily the definition of their reputation.

We prefer at the outset to even not really think of it. Their solution is not necessarily to make the information disappear but to obscure it, to some degree, so that it's not the first thing that people learn about them, in a way that skews their perception of their reputation.

That being said, reputation is a tricky thing. Many of us have things out there about us that we wouldn't want to define us but which should, for legitimate reasons, be part of our reputation. There's an objective component to it. That's where the struggle, in our view, comes. It's about how we formulate something that addresses what is a challenge for some people.

In relation to the EU right, we think that a Canadian right would probably be narrower in scope, in the sense that it would at the very least apply to a smaller subset of subject matter. It might not apply to every piece of information about me that's outdated, but maybe to the more sensitive types of information, information that is having a demonstrably negative impact—medical conditions, financial information that got out there in a way that wasn't necessarily within my control, or information like that. The scope would be narrower, I think, for a Canadian-formulated right, and we have some judicial decisions that have talked about what a privacy harm is in that context, which are relevant there.

There are also additional problems with respect to how this becomes implemented.

The EU relied on intermediary search engines to carry out the right. Those engines are responsible for removing or delisting. We've seen many problems with this intermediary model in many legal contexts. I've heard that, similar to a recent decision of the Federal Court, Globe24h, the Privacy Commissioner went instead after the host site and said it could keep the information up—so it's not forgotten, it's still there—but that it needed to shield certain things from certain types of search exposure.

Something like that, which looks at the primary site as opposed to the intermediary, might be more appropriate and might get at some of the concerns that arise in this context.

That's as far as we've gotten. I hope it helps a little.

They may have gotten a bit further than we have. We've kept our remarks more on the cautionary side because there's a desire to quickly think about how we can change our PIPEDA law to make sure we're adequate, and I would rather flip it on its head and say let's decide whether or not the right to be forgotten is actually something we need and want in Canada, keeping in mind freedom of expression and other rights that we value in our democratic society. Then we can address to what extent we meet adequacy or not, because the rest of the world that doesn't have adequacy is still having transfers of data between countries.

Once again, I guess maybe what I would repeat is that adequacy is great and it's very convenient, but we shouldn't do it to contradict the democratic values that we have.

We propose some specific tweaks that we think will help improve the overall ability of the act to address modern challenges, but we think enforceability and including the incentive to proactively comply constitute the biggest step that needs to be taken, in part because it has far-reaching implications. It makes organizations take it more seriously and start looking at their own practices proactively and not necessary wait until there is a complaint before the commissioner or the commissioner comes knocking.

From what we've heard from lawyers who regularly advise businesses of different sizes and from our experience working with companies internationally on this, we think they simply take it more seriously when there is a potential penalty.

We think that's the single biggest thing.