Information & Ethics Committee on May 9th, 2017

Thank you.

Mr. Chair, members of the committee, it is my pleasure to be here today to discuss the Personal Information Protection and Electronic Documents Act.

We've introduced colleagues. I'm pleased to be here with counsel and my director responsible for this piece of legislation.

The responsibilities of my team include providing advice, guidance, and support to the minister for his role as the lead minister of PIPEDA.

I should note that we hold similar responsibilities for Canada's anti-spam legislation, also known as CASL. We operate the national coordinating body for CASL, which is responsible for the policy oversight and coordination of the anti-spam initiative.

It's a best practice to review marketplace rules on a regular basis, particularly in the case of legislation that is foundational to building trust in the digital economy. I commend the committee for undertaking this important work.

The Personal Information Protection and Electronic Documents Act is a key element of the Canadian legal framework to support development of the digital economy. It is the principal instrument for protecting personal information within the context of commercial activities. It is designed to balance privacy protection with the needs of organizations for information to conduct their business.

As stated by the Privacy Commissioner during his testimony, there is evidence that PIPEDA still provides a solid foundation, but that does not preclude refinements and adjustments to the act to ensure that it remains relevant.

Witnesses have proposed legislative changes in a number of areas. Innovation, Science and Economic Development Canada (ISED) looks forward to the committee's thoughts in each of these areas. The results of the study of consent currently being undertaken by the Office of the Privacy Commissioner will also greatly inform this discussion.

My objective for today is to highlight some of PIPEDA's unique and important features and the reason why the act is the responsibility of Innovation, Science and Economic Development, which is the microeconomic department for the Government of Canada.

First, we must consider the purpose of the act. When PIPEDA was introduced in 2000, the industry minister at the time stated that the act was created with a single policy goal: to build trust in electronic commerce, for the purpose of growing electronic commerce. PIPEDA creates trust by preventing organizations from doing things with personal information that the average person would think are not reasonable in the circumstances. At the same time, it allows information to flow so that businesses can provide the products and services that customers have come to agree to and expect.

This balancing of privacy and economic considerations has afforded PIPEDA much success, as you have heard from some previous witnesses. It has adapted to an evolving landscape and the unique circumstances faced by the wide range of organizations that are subject to this act.

The Office of the Privacy Commissioner has successfully conducted investigations into complaints under PIPEDA pertaining to technologies and business models that were unforeseen when the act was first implemented, including online behavioural profiling and social media applications.

PIPEDA is also mindful of other important public policy objectives, such as freedom of expression and public safety. For example, PIPEDA recognizes the right to freedom of expression by permitting information to be collected and used without consent for journalistic or artistic purposes. Any changes to PIPEDA should be made in consideration of these various objectives and must seek to balance those considerations.

Second, we must consider the scope of PIPEDA and the fact that it cannot be understated. It protects all personal information captured in the course of business. It applies to nearly all private sector organizations, with the exception of those governed by substantially similar provincial legislation. Therefore, we must ensure that the act remains flexible. Flexibility ensures that PIPEDA is scalable and that organizations can adapt the act's requirements to the size of their business, whether they're a small dry cleaner or a large multinational corporation. In fact, PIPEDA was designed specifically to apply to all economic sectors.

Finally, we must consider the need for harmonization with other privacy regimes. PIPEDA is based on 10 internationally recognized principles that protect individual privacy by giving individuals control over their personal information. These same principles are the basis for privacy laws around the world.

Harmonization with provincial privacy laws, and those of our international trading partners, provides a huge advantage to Canadian businesses that operate in multiple jurisdictions.

This harmonization also facilitates the free flow of data across borders, which is essential to the growth of electronic commerce, both domestically and internationally.

Related to this, you've heard from many witnesses on the importance of PIPEDA's adequacy status with the EU. This adequacy status relies on PIPEDA maintaining a similar level of protection and redress for EU citizens as afforded by the EU's own privacy regime. As others have remarked, our adequacy will be reviewed at some point in the future. We are working closely with colleagues at Justice Canada, Global Affairs, and Public Safety to engage the European Commission officials in discussions to understand what this review may entail—in particular, the timing and the scope of the next potential review.

I would also highlight that we are still in the process of implementing amendments that arose from the passage of the Digital Privacy Act in 2015. These changes included new enforcement tools for the commissioner, the aim of which was to provide the commissioner with greater leverage to encourage compliance with the act.

Another change implemented by the Digital Privacy Act is the enhancement of the consent requirements. This was implemented primarily in response to calls to strengthen privacy protection for children online. The approach to this amendment respects provincial jurisdiction over minors.

Recent changes also included new exceptions to the requirement to obtain consent for disclosure of personal information, both for public interest reasons, such as prevention of fraud, and to reduce red tape for businesses, such as for managing their employees. We will be closely following the adoption of these legislative changes and their impacts on the marketplace.

The most high-profile change, which has yet to be implemented, is a new requirement for organizations to report data security breaches that pose a risk of harm to individuals. These requirements will come into force when regulations related to the provisions are finalized. We are working with the Department of Justice in support of these regulations. These changes and others were designed to maintain the important balance in PIPEDA between privacy protection, economic development, and innovation, and other public policy goals.

As I mentioned earlier, we look very much forward to hearing the committee's views at the conclusion of this important study. In the meantime, my officials and I are at your disposal to answer questions about the act.

Thank you for your interest in this subject.

Thank you for the invitation to attend this committee meeting as well. I'm joined by my colleague from the bureau, Mr. Currie.

I understand the committee is looking into PIPEDA, and in that context has questions about the bureau's role with respect to Canada's anti-spam legislation, or CASL, as well as the bureau's experiences with administrative monetary penalties, or AMPs.

I'll begin by providing some context about the Competition Bureau and its mandate, and then move to your specific concerns. I will not be commenting on PIPEDA per se, as that is outside the bureau's purview.

The Competition Bureau, as an independent law enforcement agency, ensures that Canadian consumers and businesses prosper in a competitive and innovative marketplace. Headed by the Commissioner of Competition, the Bureau is responsible for the administration and enforcement of the Competition Act and three labelling statutes.

The Competition Act provides the commissioner with the authority to investigate anti-competitive behaviour. The act contains both civil and criminal provisions and covers conduct such as bid-rigging, false or misleading representations, price-fixing, and abusing a dominant market position, among other things. The act also grants the commissioner the authority to make representations before regulatory boards, commissions, or other tribunals to promote competition in various sectors.

As noted above, when conducting investigations, the bureau uses the Competition Act's relevant criminal and civil provisions. The introduction of CASL brought about specific amendments to the Competition Act that enabled the bureau to more effectively address false or misleading representations and deceptive marketing practices in the electronic marketplace, such as false or misleading sender or subject-matter information, electronic messages, and website content, such as a locator, meaning a website or an IP address. The changes provided technologically neutral language to allow us to better address competition offences in the digital economy. I would note that the bureau had these powers before CASL, but now the requirements of proof have been lessened.

For the most part, the bureau's investigations are commenced following a complaint. Such complaints may come from a number of sources, including consumers, businesses, industry associations, the media, or stakeholders.

As a law enforcement agency, the bureau conducts its activities, including investigations, in confidence, meaning that all non-public information gathered by the bureau in enforcement matters, whether obtained voluntarily or through the use of formal powers, is held on a confidential basis.

This is fundamental to the Bureau's ability to effectively continue to advance its investigations in the public interest.

The law requires that we not comment publicly on an investigation until the matter has been made public either by the party, or certain steps have been taken, such as the filing of an application with the Competition Tribunal, or the announcement of a settlement.

Even in those instances, we are required by law to keep confidential any information which is not public. This is done both to protect the integrity of the Bureau's investigations as well as to protect the parties and others.

That said, the Competition Act's “confidentiality” provision, section 29, does allow the bureau to share confidential information with other law enforcement agencies for the purpose of the administration and enforcement of our act.

Turning now to AMPs, the bureau may only seek them in a civil context, not criminal. Also, the bureau does not impose AMPs. They are either reached through a settlement with the target of an investigation, or they are imposed by the Competition Tribunal or a court after a finding of reviewable conduct under the Competition Act.

The goal of an administrative monetary penalty for civilly reviewable conduct is to promote compliance in a market and deter companies from misleading Canadian consumers, all of which is in the public interest.

Let me give you three recent examples where the bureau has obtained AMPs under the Competition Act. First, in June of 2016 the bureau announced its first settlement involving the new CASL provisions. The settlement with Avis and Budget resolved an investigation wherein the bureau had concluded there was false or misleading advertising for prices and discounts on car rentals and associated products.

Specifically, certain prices and discounts initially advertised by the two companies were not attainable because consumers were charged additional mandatory fees that were only disclosed later in the purchasing process when making a reservation. The prices were advertised on Avis' and Budget's websites, mobile applications, and emails, as well as through other channels. As part of the settlement in this case, Avis and Budget paid $3 million in an administrative monetary penalty to promote compliance with the law going forward.

Earlier this year, the bureau settled its case with Amazon where we again utilized an amended Competition Act provision introduced through CASL addressing false or misleading representations in all forms of electronic messages. In this instance, Amazon often compared its prices to a regular or list price, signalling attractive savings for Canadian consumers.

The bureau's investigation concluded that these claims created the general impression that prices for items offered on Amazon's website were lower than prevailing market prices. The bureau determined that Amazon relied on its suppliers to provide list prices without verifying those prices were accurate. In this case, the savings claims were advertising on Amazon.ca, in Amazon mobile applications, and in other online advertisements, as well as in emails sent to customers. The bureau negotiated a $1-million AMP in this instance.

Finally, on April 24, 2017, the bureau announced it had reached a negotiated consent agreement with Hertz Canada Limited and Dollar Thrifty Automotive Group Canada, Inc. where both companies will pay a total of $1.25 million in an administrative monetary penalty, ensure their advertising complies with the law, and implement new procedures aimed at preventing advertising issues in the future.

The consent agreement is the result of an investigation where the bureau concluded that Hertz and Dollar Thrifty were advertising enticing low prices to attract consumers. However, those low prices were unattainable because mandatory fees were systemically added to those prices. The bureau concluded that the companies' price representations on their websites and other channels were misleading, and it was not sufficient for the companies to provide an estimate of the total price before consumers completed their reservation.

It is important to understand that, when negotiating an AMP or advocating in favour of one before the Competition Tribunal or the courts in relation to false or misleading advertising, the bureau considers a number of aggravating or mitigating factors that are listed in the Competition Act. Those factors include the reach of conduct within the relevant geographic market, the frequency and duration of the conduct, the vulnerability of the class of persons likely to be adversely affected, the effect on competition in the relevant market, the gross revenue from the sales affected by the conduct, the financial position of the person against whom the order is made, the history of compliance with the Competition Act by the persons against whom the order is made, and any other relevant factor.

In the interests of time, I will end my comments here.

I would be happy to answer any questions you have.

I would like to thank the committee for the opportunity to appear here today.

Mr. Chair, Canada's anti-spam legislation was never intended to eliminate all spam. Its objective is to deter the most damaging and deceptive forms of spam and other electronic threats such as identity theft, phishing and the spread of spyware and malware.

When it is alleged that a violation has occurred, the Chief Compliance and Enforcement Officer has a number of tools at his disposal to ensure the act is complied with.

Our enforcement tools include a warning letter to bring to the attention of the business a minor violation requiring corrective action, and a notice of violation, which is issued for more serious offences. The enforcement measures may include monetary penalties. Notices are also published on our website. We warn Canadians of illegal online practices so that they are aware and can report any suspected violations.

An undertaking, which is similar to a negotiated settlement or agreement with the other party, is where the company or individual undertakes to come into compliance. For instance, the party might need to implement a corporate compliance program and report on its activities, or it may have to pay a specified amount, although this payment is not considered a monetary penalty as such.

The chief compliance enforcement officer uses his discretion in selecting and applying the most appropriate enforcement response. Our goal is to ensure compliance with the law and to prevent recidivism.

Underpinning these enforcement tools are the CRTC's outreach and education program efforts. Before the law came into force, CRTC delivered information sessions to interested parties across the country to explain the new requirements and encourage compliance. To this day, we continue to undertake an education outreach program and share lessons learned from enforcement actions taken.

It's important to understand that administrative monetary penalties are just one part of our toolbox. Penalties tend to be used as a last resort after all other efforts have failed. While we have issued warning letters, monetary penalties have been reserved for the most egregious cases.

Depending on the nature of the violation, the CRTC has the authority to impose up to $1 million per violation for individuals. And up to $10 million per violation for a corporation or group. There are factors laid out in the legislation that we must take into consideration when determining the appropriate penalty.

The tools provided to us in CASL to protect Canadians are not limited to monetary penalties, of course. The chief compliance and enforcement officer also has the authority to seek a judicial pre-authorized warrant in order to enter a residence or business to verify compliance with the act.

For example, along with national and international partners, the CRTC took down a command and control server disseminating spam and malicious malware located in Toronto in December 2015 as part of a coordinated international effort. This disrupted the Win32/Dorkbot, which was one of the most widely distributed malware families and which had infected more than a million personal computers in over 190 countries.

Of course, in today's interconnected world, spam and other electronic threats are not confined to Canada. One of the most important tools Parliament provided to the CRTC is the ability to share information and seek enforcement assistance of our international counterparts.

To date, the CRTC has entered into international agreements with the Federal Trade Commission and the Federal Communications Commission in the United States and the Department of Internal Affairs in New Zealand.

As well, to address the challenge of spam coming from outside our borders, we collaborate with our international partners through the Unsolicited Communications Enforcement Network, or UCENet. The purpose of this network is to promote international spam enforcement co-operation and address spam-related problems such as online fraud and deception, phishing, and dissemination of viruses.

The CRTC has also signed a memorandum of understanding with 11 enforcement agencies from eight different countries throughout UCENet. These countries include the United States, Australia, New Zealand, the Netherlands, the United Kingdom, Korea, and South Africa. We share our knowledge and expertise through training programs and staff exchanges and inform each other of developments in our respective countries' laws.

Working with our partners, we are better equipped to ensure that people who distribute commercial messages, local or foreign, comply with Canada's anti-spam legislation.

In conclusion, we are convinced that administrative monetary penalties, when used with other enforcement methods, are a deterrent to non-compliance. We believe that companies have changed their practices to avoid potential penalties. This observation is based on our experience with CASL to date, as well as our experience in enforcing telemarketing over the past decade.

If we have any advice to offer, Mr. Chair, it is that enforcement agencies need a broad range of tools in their arsenal that they can tailor to the circumstances of each case.

We welcome any questions you may have.

It think it's one of the most important things that businesses are focusing on right now, and there's interest in knowing exactly what will be coming.

The EU has indicated that they will be looking to review Canada. They have not launched any kind of formal process at this point. We have begun reaching out at my level, at the working level, with European Commission officials to start a discussion around timing and scope of the review. We've had discussions with them about how they've gone about their recent reviews with other countries; what did and didn't work well in terms of providing information; and where there are best practices or good standards they thought were very useful.

We have face-to-face meetings with European officials next week. Then we hope to exchange some preliminary information on what Canada's privacy regime looks like. It'll be broader than just PIPEDA, but we'll give them a good primer on PIPEDA; the Privacy Act; changes that would have been made under Bill C-51; and Security Of Canada Information Sharing Act, SCISA; as well as some information about the fact that, because we're a federation, we have a unique set of requirements that include both provincial privacy laws as well as federal laws. Then we'll work from there on what they think they want to discuss with us more formally once they trigger the review. As I said, it hasn't been formally triggered yet. We definitely are starting the work on planning for what the scope and timing would look like.

My only comment with respect to the Competition Bureau is that many of the markets we deal with are global in scale. The bureau co-operates regularly with its international counterparts, the United States and the European Union, and has developed a number of partnerships and MOUs with a number of national and international agencies. We currently have 18 instruments involving 14 different jurisdictions with respect to competition worldwide. Certainly the dialogue continues in the area.

From the commission, I would echo my Competition Bureau colleague's remarks in that we undertake a memorandum of understanding with countries around the world so that we can share information and ensure that those countries comply with our legislation. We're obviously not experts on theirs, but....

Well, we think that the legislative framework under the Competition Act is working quite nicely. Since 2015 we've registered with the Competition Tribunal 13 consent agreements, which totalled $26 million in administrative monetary penalties—$24 million with respect to restitution to Canadian consumers and $1.5 million in terms of donations to public interest groups.

We think we're making a difference. We're working within our legislative framework, looking at aggravating and mitigating circumstances when we're assessing the proper quantum of an administrative monetary penalty. Our ranges in terms of the quantum of an AMP can be as high as $15 million for a corporation and as high as $1 million for an individual. That's within the context of a civil regime. If the offences at issue are criminal in nature, then we're looking at potential jail time for some of the offenders, including fines and jail time of 14 years for an indictable offence or one year for a summary conviction.

We believe that our legislative regime that's in place is quite effective and has been garnering results on behalf of Canadians.

To my understanding, that piece of legislation would be equal to our Privacy Act, so it wouldn't necessarily have an effect in terms of private-sector personal information collection. That order applies to government institutions in the same way our Privacy Act would, so it wouldn't necessarily be related to PIPEDA.

The order that was issued in the States applies to government organizations in terms of the privacy protections provided on the information that they collect, not the information that is collected by private sector organizations.

We've had a lot of success with PIPEDA and with the model that we have with the Office of the Privacy Commissioner. It was established as an ombudsman model and was very much an education-first, collaborative organization that worked with businesses and individuals that had concerns or complaints and tried to find collaborative ways to discuss and get to solutions.

As we watch technology change—and technology is specifically referenced in the purpose statement for PIPEDA—it's very clear that data is now regularly called the new oil. It is flowing internationally and is critically important. It is collected in ways that we didn't even foresee in 2000, when this was first enacted, and that creates pressures in terms of how an organization treats its data. It also creates real concern for individuals about how their data is handled and whether they even know what was collected and how it's being used.

When we look at the model we have for the Privacy Commissioner—and as you said, in 2015 we increased the tools that he had available to him with the introduction of compliance agreements—and as we move into any kind of thinking around the next review of the act, the question will really be around balancing whether we want an ombudsman model with the same types of powers, or whether we move to a different type of model.

The nature of the mandate could be very different. If you give order-making powers but still want to be able to have open conversations with business, saying, “Come in and talk to us early on and we'll work with you on how you go about designing new products and services,” then having greater order-making power in the same organization could cause some concerns about what the core mandate priorities are. A holistic review of the Office of the Privacy Commissioner and PIPEDA would need to be undertaken before we would decide to give new powers.

That being said, lots of organizations have stronger powers, and they are able to balance those stronger powers with a really effective regime of working with businesses and individuals. There is pressure to ensure that the Privacy Commissioner is seen to be a best practice, both domestically and internationally.

There are no challenges specifically. Part of the timing issue, though, was the election in that period, which required that we stand down on any consultations. This was an area where we wanted to make sure we did very full consultations, so we have been able to get out a lot. Actually, the consultations have provided a great deal of information on the regulations, which we've been able to rely on to say that we likely have found some pretty common middle ground for a lot of the initiatives going forward. We expect to have something in the Gazette relatively soon, hopefully within the next couple of months.

From my perspective, again, I'm not in a position to comment on the appropriateness of the power for the Office of the Privacy Commissioner, but I can say that the framework that's in place within the Competition Bureau mandate is quite effective.

From the bureau's perspective, AMPs are an important component of the Competition Act. They clearly act as a means of promoting compliance with the law. They act as a disincentive for targets of investigations to continue to break the law. When you look at them within the context, for example, of the consent agreement framework, whereby consent agreements are registered with the Competition Tribunal and then become court orders, we clearly see them having a tremendous impact because they avoid the costly and lengthy nature of litigation.

Within our legislative framework, we think they're working, they're working quite well, and they're producing results for Canadians.