Evidence of meeting #59 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was consent.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Krista Campbell  Director General, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry
Josephine Palumbo  Deputy Commissioner, Deceptive Marketing Practices Directorate, Competition Bureau
Steven Harroun  Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
Daniel Roussy  General Counsel and Deputy Executive Director, Canadian Radio-television and Telecommunications Commission
Charles Taillefer  Director, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry
Morgan Currie  Associate Deputy Commissioner, Deceptive Marketing Practices Directorate, Competition Bureau
Clerk of the Committee  Mr. Hugues La Rue

4:10 p.m.

Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

Steven Harroun

As I said in my opening remarks, the broader the range of the tools, the better it is for the Privacy Commissioner. What's important is the construct around that. For example, at the CRTC, as I am the chief compliance and enforcement officer, my team leads investigations. I issue notices of violation, etc. The businesses or individuals who are subject to those violations always have the option to make representations before the commissioner writ large—the CRTC writ large—to present their case there if they're not in favour with my views. The construct will be important.

4:10 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

I have about 50 seconds left. With that, I'll throw out the question for anybody who wants to get on record first, and hopefully we'll come back to it later in the questioning.

It's on the right to be forgotten. The Privacy Commissioner, right now, says he's on the fence on what to do, and what not to do, with it. He's studying it. Unfortunately, it's not going to be finished before our committee is complete, but it's something that I think is important, not only in public service roles like ours and in those of many around the table, but long term for those of us around the table who have kids as well.

I'll throw it open for about 10 seconds before the chair cuts me off.

4:10 p.m.

Director General, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry

Krista Campbell

I agree. I would assume that maybe we'll come back to that. I think that we're maybe a lot in the same boat that this requires more thought and study. It's a challenging issue, and there are a number of principles that need to be applied. You're very right about the issues around the right to be forgotten if you did something when you were 14—and technology is so readily available—versus you said something last week online that you now regret having said. How do we find a reasonable balance in that?

4:15 p.m.

Conservative

The Chair Conservative Blaine Calkins

Anyone else? No. I wish I could remember some of the stuff I did when I was a teenager.

Madam Trudel, seven minutes please.

4:15 p.m.

NDP

Karine Trudel NDP Jonquière, QC

Thank you, Mr. Chair.

Witnesses, thank you very much for your remarks and for being here today.

My questions will be primarily for the CRTC.

Just now, you talked about administrative monetary penalties. Can you elaborate on what the administrative monetary penalties are? What is the exact process that leads to such penalties?

4:15 p.m.

General Counsel and Deputy Executive Director, Canadian Radio-television and Telecommunications Commission

Daniel Roussy

An administrative monetary penalty is one of a number of ways to ensure, or to try to ensure, that a company or an individual, who seems to have gone astray, gets back on the right track. The penalty is neither punitive nor criminal, as my colleague from the Competition Bureau mentioned earlier. The purpose of the penalty is to encourage someone or a company to return to the right path. We do not want to prohibit them from doing business, we want to encourage them to do it properly. This is the basic philosophy behind an administrative monetary penalty.

Furthermore, as we mentioned in our opening remarks, administrative monetary penalties are one part of a whole host of other tools, which allows them to be effective. In itself, the penalty would be ineffective if it were not combined with other things at the same time.

Let's now turn to the method. Generally, each law has its own details or its own recipe, if you will, for administrative monetary penalties. In this case, section 20 of Canada’s anti-spam legislation sets out the methods or procedures for assessing how to impose such a penalty. In addition, in recent years, the courts, particularly the Federal Court, have rendered many decisions that we can use to assess cases.

For example, if I take the English copy of the legislation I have before me, the nature and extent of the violation are part of the criteria for determining the amount of a penalty. Questions may come up. Is it a big or small violation? How many violations were there?

In our case, still under the legislation, the individual’s ability to pay is a determining factor. Other questions arise. Can the person pay a large or small penalty? Will the penalty for the violation allow or encourage the person to stop his or her actions that might be outside the scope of the act?

So a bunch of factors are put together. These factors are left to the discretion of the head of Chief Compliance and Enforcement Officer who looks at them when a penalty is required.

4:15 p.m.

NDP

Karine Trudel NDP Jonquière, QC

You're talking about section 20 and all the tools that the legislation gives you. Do you think the legislation is sufficiently comprehensive to set those penalties, or are there improvements to be made?

4:15 p.m.

General Counsel and Deputy Executive Director, Canadian Radio-television and Telecommunications Commission

Daniel Roussy

The current framework of the act is extremely flexible. This inherent flexibility enables us to act with some latitude through a precise framework within which to suggest answers.

To answer your question specifically, you no doubt know that the legislation is still quite new. We are talking about 2014. So it's difficult for me to answer directly as to whether it gives us as much flexibility as possible.

At the moment, there are ongoing investigations, others have been completed and decisions have been made. We are really at the very beginning of our mandate.

So I'm a little embarrassed. I cannot answer that question now. I do not really have the answer.

4:15 p.m.

NDP

Karine Trudel NDP Jonquière, QC

We'll wait a little longer.

4:15 p.m.

General Counsel and Deputy Executive Director, Canadian Radio-television and Telecommunications Commission

Daniel Roussy

Thank you very much.

4:15 p.m.

NDP

Karine Trudel NDP Jonquière, QC

My questions are for Josephine Palumbo.

Earlier, in your speech, you said that investigations were launched after complaints had been filed.

Do investigators in your organization conduct audits or are investigations only launched after complaints have been filed?

4:20 p.m.

Deputy Commissioner, Deceptive Marketing Practices Directorate, Competition Bureau

Josephine Palumbo

Investigations are a very important part of the Competition Bureau's work. With respect to complaints filed under the Competition Act, we first look at the information to determine whether it raises a problem under the act.

Complaints are a big part of what we do at the Competition Bureau. They can come to us from a number of sources, including the public and the media. We also receive complaints from industry associations.

We analyze them to see whether or not they raise issues under our law. If they do, then we may initiate an investigation or launch a formal inquiry. When we do that, we gather additional information. How? We can approach the courts with production orders under section 11 to obtain documents or written returns of information, or to require persons to appear under examination before a presiding officer. We will analyze information that's received as well through other tools, such as search warrant powers. We may execute search warrants or seize computer systems. As well we have the opportunity to garner information through the Criminal Code, through production orders.

4:20 p.m.

NDP

Karine Trudel NDP Jonquière, QC

Thank you.

4:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

For the last of the seven-minute rounds we'll go to Mr. Erskine-Smith, please.

4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

Ms. Campbell, in your remarks you mentioned that PIPEDA is largely effective. You mentioned some fine tuning, I think, with respect to the mandatory breach reporting that has already been implemented. We're obviously undertaking a study on what possible recommendations we should come up with to improve PIPEDA. Is your department undertaking a similar review of further improvements that could be made to PIPEDA, and if so, what's the status of that review?

4:20 p.m.

Director General, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry

Krista Campbell

We haven't launched a formal review of the act at this point. It recently went under its five-year review. The changes have been implemented, getting the act updated. The data breach reporting regulations are clearly a priority.

I would suggest at this point that work going on along two parallel tracks is really important. Let the act have a bit of breathing time so we can see how these new tools and commitments work themselves out. Businesses need to get comfortable with them. We need to figure out if there are gaps in understanding how the new provisions work with technology as it continues to evolve.

4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Do you mean specific to the mandatory breach?

4:20 p.m.

Director General, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry

Krista Campbell

I mean mandatory data breach reporting, the compliance regime, the compliance agreements that the Office of the Privacy Commissioner can enter into, fine tuning for consent. For example, the idea that if you're selling to children or providing a service such as an app or a game to children and you need consent from them, you should be using language that's appropriate for a child, so they could understand what you're asking of them.

Those changes were important in strengthening PIPEDA, and we need to have some experience in seeing how they work.

We have work that will go on in a more formal way as we understand what the EU wants to discuss with us. Do we need a more formal research agenda? And we have the work that's going on with the Privacy Commissioner around things like consent, data, big data, analytics, the Internet of things; how all those kinds of pressures will change privacy and the perception of privacy.

May 9th, 2017 / 4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

With respect to harmonization and a question from my colleague Mr. Saini, with respect to the adequacy review, you listed a number of considerations: PIPEDA, the Privacy Act, Bill C-51, provincial privacy laws. Has your department identified any areas of concern?

4:20 p.m.

Director General, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry

Krista Campbell

At this point, it's not so much areas of concern as trying to understand where the EU would like to focus what it's doing. I think the European Commission and the EU rules definitely take a very citizen-oriented approach to data protection. It is very clear that with thoughts about a more “opt-in” regime, they are handing a significant amount of power to the individual to control their data and to understand where it's going. It is different from PIPEDA. In the past, we have had very good discussions around the privacy regime related to PIPEDA. It has been reviewed more than once by the European Commission and has been found to be a strong regime.

For us, as we continue to work in some of our international fora—I would point to two that are particularly important—we'll be able to evaluate how PIPEDA is standing up internationally. Also, on two of the important fora, the OECD, the Organisation for Economic Co-operation and Development, has very important guidelines that they've put out on privacy and digital security, which were recently reviewed and updated.

Canada was the lead on the subcommittee that resulted in these updated guidelines being put out. One of the purposes of the guidelines is to say that we want to understand how to make privacy regimes interoperable, because if the data can't flow across borders and is kind of landlocked, it's not very useful. Effectively, we want to prevent non-tariff barriers being imposed on this very important economic driver.

4:25 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

On that point of harmonization and improving our privacy protections, you mentioned a citizen-oriented privacy model. The Privacy Commissioner was before us and spoke about consent and how the consent model is under attack. I have just a couple of examples.

A majority of Canadians apparently don't read privacy policies on mobile apps, yet in the Privacy Commissioner's Internet of things analysis, there's an estimate of 50 billion connected devices by 2020. In the department's view, is the consent model under PIPEDA something that you are looking to improve?

4:25 p.m.

Director General, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry

Krista Campbell

I think that understanding the consent model will be absolutely fundamental to ensuring that PIPEDA stays relevant and current.

As for what that means in terms of whether it's changes to the act or work that the Office of the Privacy Commissioner could be doing, for example, are there new tools or ways of going about doing business that could educate businesses more? Are we doing enough to help businesses understand this concept of “privacy by design”? That is, if they incorporate privacy aspects earlier, which could include things like simplifying the consent provisions.... I believe the Privacy Commissioner has spoken of things such as trustmarks, so that you understand what it is you're signing up for and so you don't have to read something and scroll through screen after screen every time.

I think there's a range of tools that would definitely need to be considered.

4:25 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Yes. We had an interesting witness before us who recommended a model code that would allow us to shorten privacy policies and would require express consent if there were deviation from that model code.

In regard to another recommendation, a 2014 study noted that 24% of grade 4 students and over 50% of grade 7 students had their own cellphones, which suggests that consent from parents ought to perhaps be obtained.

Also, with respect to the right of erasure, which I think my colleague Mr. Jeneroux mentioned briefly, it's noted that over 60% of 13- to 17-year-olds have at least one profile on social networking sites. Is this something that we're taking a serious look at in our policies, especially in light of the EU review?

4:25 p.m.

Director General, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications Sector, Department of Industry

Krista Campbell

Yes, I would absolutely agree that consent is one of the core areas and needs to be given considerable review, but I wouldn't want to leave the impression that the piece of legislation we're working with currently or the tools that exist are insufficient. I think one of the strengths of PIPEDA is just the idea that it's principles based and technology agnostic, technology neutral. For these principles around consent, accountability, transparency, the limited use of collection, storage requirements, and all of those kinds of things, we need to continuously stress-test them as the technology evolves.

You're very right. The Internet of things, with its billions of connected devices—and with the devices talking to other devices, not devices talking to a person and getting consent from a person—will change the landscape. We need to continuously think through what that means, but I wouldn't want to leave the impression that we don't have a robust regime that doesn't evolve with the technology.

4:25 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I've run out time, but I would encourage you to be proactive rather than reactive with respect to the EU.

Thanks very much.