Good afternoon, Mr. Chair, and members of the committee.
Thank you for the invitation to appear before you, and to present my views in connection with your study of the Personal Information Protection and Electronic Documents Act, PIPEDA. I have provided a written submission to the committee in which I elaborate on my comments today, and address certain other issues, in particular the right to be forgotten and the European Union’s adequacy requirements. I refer you to that submission for my thoughts on those two issues.
By way of introduction, I am principal at David Young Law, a privacy and regulatory counsel firm. As a privacy lawyer, I have been advising organizations in both the public and private sectors, as well as individuals, since before PIPEDA became law. I’m a member of the Canadian Bar's national privacy and access law section, and have worked on the section’s responses to both the first review of PIPEDA and the current review; however, I want to make clear that the views I express in my submission and here today are my own.
This review is taking place at a particularly apt time. Issues surrounding privacy are very top of mind in today's digitally oriented world. I propose to address specifically two issues: consent and enforcement.
First, the issue of consent. Consent is the key precept of Canada's private sector privacy laws. It says that individuals have the right to control the collection, use, or disclosure of their personal information, subject to limited exceptions. My basic view is that the current PIPEDA consent rule should not be adjusted or qualified in the statute, with the understanding that its application to evolving contexts will be elaborated through practice, responding to the ever-changing realities of information use.
It would be very difficult in an amendment to PIPEDA to try to articulate the precise going forward needs and mechanics to somehow anticipate the dictates of a fast-changing digital world.
The Office of the Privacy Commissioner's current consultation on consent is a timely undertaking. The results of this consultation should enable the OPC to provide guidance and develop principles to ensure that consent continues to operate effectively as the key rule in PIPEDA. It should also be noted that the courts, including the Supreme Court of Canada, have considered issues of consent, and have made clear that it is inherently subject to important qualifications, including the right of freedom of expression and a reasonable application of the role of implied consent.
Some of the adjustments to the rule that have been suggested would weaken its rigour, and potentially open up the scope for much more extensive collection of personal information than exists today. This, I believe, is what the Privacy Commissioner's consultation is likely to conclude. Also, any such weakening could threaten PIPEDA's adequacy status under the European Union's new privacy rule, the General Data Protection Regulation, GDPR, of which I know you've heard a lot of discussion.
In my view, PIPEDA's current consent rule is flexible enough to respond to the needs of evolving information practices and innovation, and should be maintained. The key objective is to ensure that individuals continue to have the right to control and protect their information.
The second issue I want to address is the enforcement model. There's been much discussion about enhancing the enforcement powers of the Privacy Commissioner. As we know, the commissioner's current role is that of an ombudsperson. PIPEDA's remedial provisions direct him to investigate and deliver reports on complaints made to his office.
These requirements currently do not include any authority to order an organization to take remedial actions. I believe that his authority, as exercised through this mechanism, has been very effective. The commissioner does exercise what, in effect, are order-making powers through his authority to make findings, audit organizations, and make recommendations, and as will be available under the recent amendments to PIPEDA, to enter into and enforce compliance agreements.
Furthermore, the commissioner has the power to publicize privacy transgressions and name offending parties. This is essentially the model that has been used by the provincial privacy regulators, with the exception of a formal order-making power. I believe that in terms of effective enforcement, the model is working well.
All this being said, if it is determined that the current model does not provide sufficient enforcement tools, I believe it would be possible to supplement the commissioner's existing powers with an authority to make binding recommendations, in other words, orders. This authority should not undermine the framework of the commissioner's complaint resolution role, which, in essence, is compliance oriented.
A further proposal mentioned is to provide the commissioner with a power to impose fines. You have heard that this power exists under the provincial privacy jurisdictions and around the world. Firstly, I would note that PIPEDA currently does include provision for fines that, once the current amendments come into force, will include failure to report a breach. Secondly, none of the provincial private sector privacy laws contain a provision permitting the regulator to impose a fine or monetary penalty. What some of them do—and the Alberta law is an example—is provide for an offence punishable by a fine for intentionally breaching the law. Actually, I think Alberta is the only one that has that specific provision in it. Under these provisions, prosecuting an offence is the responsibility of the law enforcement authorities, not the regulator.
The international sphere is different. We are aware that in Europe, for example, the regulators have the power to impose financial penalties, and have done so for privacy breaches in some instances in the millions of dollars.
Canada does have experience with legislation imposing such financial penalties, specifically the Competition Act and Canada's anti-spam legislation. However, I suggest that to date our experience in the privacy area does not equate to the type of transgressions sought to be addressed under those laws.
Providing the Privacy Commissioner with the power to impose financial penalties would be a dramatic departure from his existing authority and would not be consistent with an ombudsperson model. However, if deemed appropriate, it would be possible to supplement the current PIPEDA offence provisions to include financial penalties for matters such as an intentional breach of the law. Such a provision would be consistent with the pending offence for failure to comply with breach reporting requirements.
As a final note, I agree that reference to the new EU privacy rule, the GDPR, should be included in the committee's study. However, as it stands today, significant changes to PIPEDA to respond to the GDPR would be premature. A more precise view may be revealed going forward as we have more experience with the GDPR and its transborder adequacy review process. With the GDPR's added focus on law enforcement and national security agencies, adjustments may be required to enhance protective mechanisms regarding access to databases in our country by such bodies.
In the early days of PIPEDA, I heard many criticisms that the law was not well oriented to clear legal guidance since it relied on principles as opposed to prescriptive rules, based as it is on a code intended originally for voluntary compliance. However, the law has clearly stood the test of time, and in my view, its unusual origin provides it with the flexibility to respond to the constantly changing needs of technology and the digital environment of today. This understanding colours very much my view as to what amendments should be considered in this current review.
Thank you again for giving me the opportunity to present my views.