Thank you. I've been using this timer to keep us honest, because last time both Tamir and I went way over.
We spent the 30 minutes or so that we were waiting having quite a good debate here beforehand.
Thank you very much, and good afternoon, Mr. Chair, and honourable members of the committee. We appreciate your invitation and are very pleased to be here today on behalf of the national privacy and access law section and the Canadian Corporate Counsel Association, both sections of the Canadian Bar Association, to present our views on the Personal Information Protection and Electronic Documents Act, which as you all know is called PIPEDA.
The CBA is a national association of more than 36,000 lawyers, law students, notaries, and academics. An important aspect of the CBA's mandate is seeking improvement in the law and the administration of justice. It is that capacity and perspective that brings us before you here today.
Our members of both sections are lawyers with in-depth knowledge in the areas of privacy and access to information law from every part of the country. They are lawyers in private practice, they are in-house counsel working for public and private companies, crown corporations, government and regulatory bodies, municipalities, hospitals. You name it, we have it covered.
My name is Suzanne Morin. I'm vice-chair of the national privacy and access law section, and I work for Sun Life.
The sections have made numerous submissions on PIPEDA since its enactment in 2001. We continue to support the existing consent and ombudsperson models in PIPEDA in the absence of the compelling need for legislative change, while carefully continuing to monitor Canada's European Union or EU adequacy status, as mentioned by Madam Stoddart.
Within these existing models, we suggest that targeted amendments are needed: one, to the concept of “publicly available information” to ensure that our PIPEDA framework remains technology-neutral; and two, to allow the Office of the Privacy Commissioner to issue non-binding advance opinions.
I will briefly address each of these issues.
Regarding consent, the CBA sections recommend maintaining the consent model in PIPEDA in the absence, we would argue, of a compelling need for legislative change, and the continuing use of a multi-faceted tool kit approach to privacy protection in Canada. Canadian privacy rights, obligations on business, and remedies available to individuals exist in an extensive legal framework in this country that encompasses federal and provincial, private and public sector privacy laws, criminal and human rights legislation, emerging common-law and civil actions, and civil liability regimes in Quebec.
PIPEDA speaks directly to the principle of consent, laying the foundation that businesses must seek meaningful and valid consent and cannot force individuals to consent to the use of personal information beyond legitimately identified purposes. PIPEDA's consent model comes with 10 fair information principles. As an umbrella, all treatment of personal information is subject to the “reasonable person” test, which limits the use of personal information to what is reasonable in the circumstances. This goes to the context that we heard just moments ago.
The PIPEDA consent model, supported by the broader legal framework, in our view continues to be both robust in its protection of the privacy of Canadians, including vulnerable groups, and flexible for business in the face of rapidly evolving technologies, business models, and evolving customer privacy expectations.
Regarding the ombudsperson model, the CBA sections recommend maintaining this model unless, once again, there is evidence that a change to the OPC's enforcement powers is actually needed. The OPC enforces privacy rights by leveraging the powers that exist in PIPEDA today: one, to investigate and issue formal findings, including the naming of names when doing so is in the public interest; two, to audit the practices of organizations when they have reason to believe that an organization is not complying with its obligations under PIPEDA; and three, to take organizations that fail to uphold their privacy obligations to court.
In turn, our Canadian courts have proven to be well placed to assess damages uncovered by OPC investigations, and they have recognized new civil actions or common law torts, adding to the Canadian privacy legal framework. Taken together, this tool kit approach has proven to be powerful, actually, in forcing domestic and foreign organizations of all sizes to revise their privacy practices through the great efforts of former commissioners such as Madam Stoddart.
It would be prudent to wait to see how the OPC's new power to issue and enforce binding compliance agreements through the courts is interpreted and used, and how the new breach reporting regime—which is still not yet in force—with the potential for fines unfolds over the next year.
Third, concerning non-binding advance opinions, the CBA sections recommend amending PIPEDA to clearly authorize the OPC to issue non-binding advance opinions to organizations proposing new programs, technologies, methodologies, or specific transactions. While the OPC currently offers general guidance, such as investigation summaries and interpretation bulletins, it chooses not to provide organization-specific guidance in the absence of an investigation or an audit.
Providing express authority would make it clear that the OPC is expected to perform this function, providing clear guidance for and confidence in the privacy compliance of some new initiative and, through the publication of anonymized opinions, adding to the body of guidance available to organizations.
Fourth, concerning publicly available information, the CBA sections recommend amending PIPEDA or its regulations to ensure that they are technology-neutral and able to accommodate both existing and evolving business models and customer expectations when it comes to the use of personal information that customers choose to make publicly available.
PIPEDA was indeed carefully drafted to be technology-neutral, and after more than 15 years I too agree that it continues to stand the test of time, allowing organizations to evolve their practices to reflect all of these changes. While PIPEDA is consent-based, it also offers specific exemptions to consent when obtaining consent is either not practical or not necessary, including exemptions for publicly available information.
However, unlike PIPEDA, the regulations that accompany PIPEDA miss the mark in certain respects and have created uncertainty about what level of consent is required to use personal information that individuals have chosen to make public. In our submission we've identified several options for you to consider.
Fifth, concerning EU adequacy, the CBA sections recommend carefully monitoring Canada's EU adequacy status. We caution, however, that amending PIPEDA to anticipate changes that may be required to maintain the status would be premature. Canada has enjoyed adequacy status under the EU's 1995 data protection directive since 2001. This status has enabled the convenient transfer of personal information from the EU to organizations in Canada.
Recent developments in the EU are indeed raising questions about whether Canada's adequacy status is at risk. It's unclear what the EU's new approach will be; we just don't know. However, when the time comes, they will examine, as Madam Stoddart identified, the entire Canadian legal framework, including public and private sector legislation, and including laws concerning public security, defence, and national security; our criminal law; and Canada's other international obligations or commitments.
PIPEDA is only one part of Canada's privacy legal framework and may not be the only or even the appropriate vehicle for addressing adequacy concerns that may arise. Adequacy is great, but not at all costs, and we caution on making amendments at this early stage.
Finally, we leave a word about the right to be forgotten. We have not made any recommendations on whether a specific right to be forgotten should be included in PIPEDA or introduced into our broader legal framework, but it is an issue that merits attention. The right to be forgotten as it has evolved in the EU is not addressed directly in PIPEDA; however, PIPEDA includes the right for an individual to withdraw consent or to delete certain information and the obligation upon organizations to use published personal information for consistent purposes and to delete information that they no longer require.
We need to be mindful that PIPEDA and other private sector laws are not the catch-all for issues that arise from the ongoing evolution of technology, and that beyond PIPEDA there are numerous other considerations, such as the right to freedom of expression, which is a critical piece of the democratic fabric found in the charter.
The CBA sections, once again, appreciate the opportunity to share our views with you on PIPEDA.
It will be my pleasure to answer your questions.
Thank you.