Thank you.
Mr. Chair, members of the committee, it is my pleasure to be here today to discuss the Personal Information Protection and Electronic Documents Act.
We've introduced colleagues. I'm pleased to be here with counsel and my director responsible for this piece of legislation.
The responsibilities of my team include providing advice, guidance, and support to the minister for his role as the lead minister of PIPEDA.
I should note that we hold similar responsibilities for Canada's anti-spam legislation, also known as CASL. We operate the national coordinating body for CASL, which is responsible for the policy oversight and coordination of the anti-spam initiative.
It's a best practice to review marketplace rules on a regular basis, particularly in the case of legislation that is foundational to building trust in the digital economy. I commend the committee for undertaking this important work.
The Personal Information Protection and Electronic Documents Act is a key element of the Canadian legal framework to support development of the digital economy. It is the principal instrument for protecting personal information within the context of commercial activities. It is designed to balance privacy protection with the needs of organizations for information to conduct their business.
As stated by the Privacy Commissioner during his testimony, there is evidence that PIPEDA still provides a solid foundation, but that does not preclude refinements and adjustments to the act to ensure that it remains relevant.
Witnesses have proposed legislative changes in a number of areas. Innovation, Science and Economic Development Canada (ISED) looks forward to the committee's thoughts in each of these areas. The results of the study of consent currently being undertaken by the Office of the Privacy Commissioner will also greatly inform this discussion.
My objective for today is to highlight some of PIPEDA's unique and important features and the reason why the act is the responsibility of Innovation, Science and Economic Development, which is the microeconomic department for the Government of Canada.
First, we must consider the purpose of the act. When PIPEDA was introduced in 2000, the industry minister at the time stated that the act was created with a single policy goal: to build trust in electronic commerce, for the purpose of growing electronic commerce. PIPEDA creates trust by preventing organizations from doing things with personal information that the average person would think are not reasonable in the circumstances. At the same time, it allows information to flow so that businesses can provide the products and services that customers have come to agree to and expect.
This balancing of privacy and economic considerations has afforded PIPEDA much success, as you have heard from some previous witnesses. It has adapted to an evolving landscape and the unique circumstances faced by the wide range of organizations that are subject to this act.
The Office of the Privacy Commissioner has successfully conducted investigations into complaints under PIPEDA pertaining to technologies and business models that were unforeseen when the act was first implemented, including online behavioural profiling and social media applications.
PIPEDA is also mindful of other important public policy objectives, such as freedom of expression and public safety. For example, PIPEDA recognizes the right to freedom of expression by permitting information to be collected and used without consent for journalistic or artistic purposes. Any changes to PIPEDA should be made in consideration of these various objectives and must seek to balance those considerations.
Second, we must consider the scope of PIPEDA and the fact that it cannot be understated. It protects all personal information captured in the course of business. It applies to nearly all private sector organizations, with the exception of those governed by substantially similar provincial legislation. Therefore, we must ensure that the act remains flexible. Flexibility ensures that PIPEDA is scalable and that organizations can adapt the act's requirements to the size of their business, whether they're a small dry cleaner or a large multinational corporation. In fact, PIPEDA was designed specifically to apply to all economic sectors.
Finally, we must consider the need for harmonization with other privacy regimes. PIPEDA is based on 10 internationally recognized principles that protect individual privacy by giving individuals control over their personal information. These same principles are the basis for privacy laws around the world.
Harmonization with provincial privacy laws, and those of our international trading partners, provides a huge advantage to Canadian businesses that operate in multiple jurisdictions.
This harmonization also facilitates the free flow of data across borders, which is essential to the growth of electronic commerce, both domestically and internationally.
Related to this, you've heard from many witnesses on the importance of PIPEDA's adequacy status with the EU. This adequacy status relies on PIPEDA maintaining a similar level of protection and redress for EU citizens as afforded by the EU's own privacy regime. As others have remarked, our adequacy will be reviewed at some point in the future. We are working closely with colleagues at Justice Canada, Global Affairs, and Public Safety to engage the European Commission officials in discussions to understand what this review may entail—in particular, the timing and the scope of the next potential review.
I would also highlight that we are still in the process of implementing amendments that arose from the passage of the Digital Privacy Act in 2015. These changes included new enforcement tools for the commissioner, the aim of which was to provide the commissioner with greater leverage to encourage compliance with the act.
Another change implemented by the Digital Privacy Act is the enhancement of the consent requirements. This was implemented primarily in response to calls to strengthen privacy protection for children online. The approach to this amendment respects provincial jurisdiction over minors.
Recent changes also included new exceptions to the requirement to obtain consent for disclosure of personal information, both for public interest reasons, such as prevention of fraud, and to reduce red tape for businesses, such as for managing their employees. We will be closely following the adoption of these legislative changes and their impacts on the marketplace.
The most high-profile change, which has yet to be implemented, is a new requirement for organizations to report data security breaches that pose a risk of harm to individuals. These requirements will come into force when regulations related to the provisions are finalized. We are working with the Department of Justice in support of these regulations. These changes and others were designed to maintain the important balance in PIPEDA between privacy protection, economic development, and innovation, and other public policy goals.
As I mentioned earlier, we look very much forward to hearing the committee's views at the conclusion of this important study. In the meantime, my officials and I are at your disposal to answer questions about the act.
Thank you for your interest in this subject.