Information & Ethics Committee on May 11th, 2017

Thank you very much, Mr. Chair and committee members, for this opportunity to provide the perspective of the Canadian Wireless Telecommunications Association, to which I will refer as the CWTA, on the Personal Information Protection and Electronic Documents Act.

This is new to me, so bear with me. I sat on these committees for 12 years, but I was in your seats. Now this is a bit of a different perspective for me. I'll do my best.

CWTA represents member companies from every part of the wireless sector, including wireless carriers, equipment manufacturers, and other businesses that provide services and products to the industry. Over the past 30 years, Canada's wireless carriers have made more than $42 billion in capital investments in wireless infrastructure, and they continue to invest at the rate of more than $2.5 billion per year. These investments are paying off. Today, 99.3% of Canadians have access to Canada's world-class networks.

With 5G technology at our door, the entire wireless communications sector is working to maintain its role as a driver of innovation.

Maintaining the flexibility of the Personal Information Protection and Electronic Documents Act and applying it fairly to all sectors will also help foster innovation.

In his testimony, the Privacy Commissioner highlighted the main strengths of the act: it is technologically neutral, and it is based on general application principles.

The commissioner suggested four issues to guide your study: consent, reputation, enforcement powers, and the adequacy of the Canadian regime compared with the new European regulation.

My comments will focus on the impact of those four issues on the ability of the wireless sector to serve its clients, as well as on its ability to compete and innovate in the digital economy.

On the issue of consent, the commissioner suggested that relying on consent alone may no longer be reasonable in every possible circumstance, given the impact of technology. To that I would first paraphrase a comment submitted by one of our members at the Privacy Commissioner's consultations on consent, that as technology evolves, so do customers' appreciation and understanding of it.

The care that our member companies take in being transparent with their customers about how they are processing personal information—for instance, through clearer privacy policies—is a key part of their trust relationship with their customers. The most important asset for doing business in the 21st century is trustworthiness, and our members are well aware of it.

As for the application of the consent principle, the fair and equitable application of this across industry sectors is essential to our members' ability to compete in the digital marketplace and to preserving consumer trust in the digital economy. What we refer to as the wireless sector is roughly 30 years old, which is younger than a good portion of the companies we represent, yet today Canada's dynamic wireless sector is responsible for close to 139,000 full-time jobs and $13.3 billion in direct GDP contribution. To continue to grow, innovate, and compete with larger global entities, our members must be confident that the rules will apply the same way to Canadian companies as they do to non-Canadian players. This symmetry in the application of the rules also benefits consumers, who would be right to expect their personal information to be treated similarly in similar contexts.

We would suggest that expanding the definition of what is acceptable use for legitimate business interests could provide more clarity in that regard. For instance, in the European Union, personal information can be used for purposes that support the data controller's legitimate interests so long as these purposes are not incompatible with the original purpose for which the information was collected and so long as it does not violate the fundamental rights and freedoms of the data subject. Such a model would allow our members to innovate and compete on the global stage in a way that respects people's fundamental rights and the business relationship that already exists between companies and their customers.

On the issue of reputation, several witnesses have suggested that Canada may want to follow Europe's lead and include an explicit right to be forgotten into its legislative framework. In practical terms, the European right to be forgotten requires that commercial entities receive complaints directly from individuals, that they evaluate the merit of these complaints, and that they alter their systems as required. I am not one to advise the committee on whether a European-style right to be forgotten strikes the right balance between privacy and freedom of expression for Canadians. However, I do urge the committee to be mindful of the potential burden such measures could place on the operations of Canadian businesses involved in the digital economy.

On the issue of enforcement powers, the Privacy Commissioner suggested that stronger enforcement powers would foster greater compliance with PIPEDA. CWTA believes the current ombudsman model is best suited to the current principles-based framework. A collaborative relationship between industry and the regulator is more efficient, and results in better outcomes for consumers. By investing the commissioner with the power to issue fines and impose orders, Canadian businesses would find themselves in an adversarial relationship that would discourage the informal and expedient resolution of complaints, which would be to the detriment of consumers.

As it stands, the commissioner is already naming companies that are deemed to be in violation of PIPEDA. The potential reputational damage from a finding of non-compliance by the commissioner is a sufficient deterrent, given the importance of consumer trust in the digital economy. We would argue that fines would be no stronger a deterrent than the damage to business reputation.

In the specific case of breaches, we are anticipating the coming into force of mandatory reporting and record-keeping requirements, which were added to PIPEDA through the passage of the Digital Privacy Act in 2015. These provisions will be supported by fines of up to $100,000. Breaches themselves are already subject to class action. We submit that the principles-based structure of PIPEDA does not call for enforcement powers. It would be better served by regular guidance from the Privacy Commissioner. Proactive guidance from the commissioner could explain how PIPEDA's general principles should be applied to new business models. It is ultimately not fair to consumers that the companies they do business with should have to wait for complaints to arise in order to develop policies on personal information management for new business lines.

One specific example is the Privacy Commissioner's upcoming guidance on connected cars. The connected car—and in a few years from now, the automated car—is one example of the many social benefits that will come from 5G wireless networks. As such, CWTA shares the Privacy Commissioner's concern with getting privacy right early on in the process. We hope to have the opportunity to share our industry's perspective on this with the commissioner and future guidance documents.

On the issue of preserving Canada's adequacy status with the European Union, I will say that our members recognize the importance of maintaining Canadian businesses' ability to operate on other continents, just as foreign Internet companies compete with us on our own turf. We would urge the committee to take into account the operational repercussions for Canadian companies of any legislative changes made to the Canadian regime.

In closing, I would once again say that we are determined to maintain our strong record in terms of complying with the act and our good relationship with the commissioner. The current model supports a collaborative approach with the commissioner. That has enabled us to emphasize positive results for our clients.

Thank you very much for your time today. I will be looking forward to questions after.

Thank you very much, Mr. Chair, and good afternoon.

My name is Linda Routledge, and I'm the director of consumer affairs with the Canadian Bankers Association. With me today is Charles Docherty, our senior counsel. We are pleased to be here today to discuss the Personal Information Protection and Electronic Documents Act.

The CBA works on behalf of 62 domestic banks, foreign bank subsidiaries, and foreign bank branches operating in Canada and their 280,000 employees. The privacy and protection of clients' personal information is and always has been a cornerstone of banking. Given the nature of the services that banks provide to millions of Canadians, banks are trusted custodians of significant amounts of personal information. Banks take very seriously their responsibility to protect customers' information. They are committed to meeting not only the requirements of privacy laws but also the expectations of their customers. A former assistant privacy commissioner once acknowledged that privacy is in the banks' DNA.

The banks were among the first group of organizations subject to PIPEDA in 2001. We believe that PIPEDA has worked well to date to balance the protection of individuals' personal information with the legitimate use of personal information by organizations. PIPEDA is principles-based and technologically neutral, providing the necessary framework for innovation as well as new technologies and business models. It's generally well positioned to continue that mandate going forward. The banks would, however, like to suggest a few changes that we believe might enhance and clarify PIPEDA to make it more effective. These suggestions are related to three broad subject areas—meaningful consent, financial crimes, and access rights.

On meaningful consent, banks collect the personal information that is necessary to provide clients with the products and services they want. This information is collected according to the requirements of PIPEDA, and banks take steps to ensure that their clients understand the nature of the consent being provided. All banks have privacy policies in place and privacy officers who oversee compliance with these policies. Banks have a strong incentive to enhance their customers' ability to provide meaningful consent, because building their customers' trust is and always has been a top priority.

The committee heard from several other witnesses who questioned whether the consent that individuals provide is meaningful, given the complexity of terms and conditions when signing up for any product or service. We suggest that one way to address this concern may be to streamline privacy notices so that consent is not required for uses that the individual would expect and consider reasonable. In particular, we support the concept that express consent should not be required for legitimate business purposes. Some examples of such purposes might include the purposes for which personal information was collected, fulfilling a service, understanding or delivering products or services to customers to meet their needs, and customer service training.

Removing the requirement for express consent for legitimate business purposes would simplify privacy notices, thereby facilitating a more informed consent process where consumers can focus on the information that is most important to them and on which they can take action.

Second, the banking industry suggests that the current narrow definition of publicly available information is out of date. The current regulations reference the dominant technologies of the early 2000s, when the regulations were promulgated. We suggest that the committee should look at updating the definition with a view to modernizing it.

With regard to financial crimes, protecting the security and safety of its employees, customers, and the Canadian financial system is a priority for Canada's banks. Banks are constantly upgrading their security systems and work hard to prevent billions of dollars of financial crime each year. Banks work closely with law enforcement agencies and authorities across the country to help them with their investigations and the prosecution of suspected criminals.

Currently provisions in PIPEDA allow the sharing of information between organizations only where it is reasonable for the purposes of detecting, suppressing, or preventing fraud. This does not include other types of criminal activity such as theft of data or personal information, money laundering, terrorist financing, cybercrime, and even bank robbing.

To enhance the banking industry's ability to prevent this broader criminal activity, we recommend that the provisions in PIPEDA relating to disclosures without consent should use the term “financial crime” instead of “fraud” to capture the broader range of criminal activities that Canada's financial institutions deal with on a daily basis.

Further, we suggest that financial crime be defined to include first, fraud; second, criminal activity and any predicate offence related to money laundering and the financing of terrorism; third, other criminal offences committed against financial institutions, their customers, and their employees; and fourth, contravention of laws of foreign jurisdictions including those relating to money laundering and terrorist financing.

Financial crime negatively affects banks, consumers, and the economic integrity of the financial system. Banks understand the important role they have to play and have highly sophisticated security systems and teams of experts in place to protect Canadians from financial crime. We believe this amendment to PIPEDA would give banks greater ability to perform their role in this important endeavour.

Finally, on access rights, there are times when organizations create documents containing personal information related to anticipated litigation. Consistent with guidance issued by the Privacy Commissioner and provisions in the privacy laws of both Alberta and Quebec, this information should not have to be provided in response to an access request. We would ask that PIPEDA be amended to provide a specific exemption for these types of documents based on litigation privilege.

In conclusion, PIPEDA has served Canadians well over the last 17 years, encouraging organizations to protect the personal information they have about individuals and also encouraging individuals to be more aware of their rights and responsibilities to protect their own personal information. Nevertheless, as with any legislation operating in an environment that is continually evolving, there are some areas where slight adjustments and improvements would be desirable.

We hope that our commentary assists the committee with its review of the act.

We look forward to your questions.

Thank you very much.

Thank you, Mr. Chair.

Thank you to the committee for the invitation to appear before you today to present CMA's views on your study of the Personal Information Protection and Electronic Documents Act, also well known as PIPEDA.

CMA is the largest marketing association in Canada. It represents communications and marketing agencies as well as major brands in retail, financial services, technology, and other sectors. Our advocacy efforts aim to promote an environment in which ethical marketing prevails in both communicating with and serving customers.

CMA has provided a written submission to the committee in advance, but today I would like to focus my remarks on three issues—namely, is PIPEDA in need of amendments, does the consent model still work, and is OPC enforcement effective?

First, on amending PIPEDA, some argue that PIPEDA is broken or inadequate and needs to be fixed. However, our view is that PIPEDA has in fact withstood the test of time in addressing the new challenges of our fast-changing digital world. By deliberate design, PIPEDA was structured on core principles rather than prescriptive rules precisely in order to create a law that would be able to adapt to new technologies, practices, and expectations. The PIPEDA model promotes a more collaborative approach in developing guidance to organizations operating in a very wide range of different contexts. The OPC is in a position to provide further interpretive guidelines as social, technological, and business developments require. This framework has served and continues to serve Canadians very well.

It's also important to recognize that the recent amendments to the law, introduced in 2015 by the Digital Privacy Act, provide additional protections for individuals. These include an increased responsibility for organizations to obtain valid consent, especially for children and other vulnerable parties; mandatory breach notification requirements; and new powers for the Privacy Commissioner to enter compliance agreements with organizations and coordinate enforcement with international counterparts.

While some may argue that further amendments to the law are necessary, CMA strongly cautions against this approach. Our recommendation is to allow the amendments passed in 2015 to take full effect and then assess the impact and effectiveness of those changes before contemplating further changes to the law. For example, the new breach notification provisions that were enacted nearly two years ago have yet to come into force. We are still waiting for the publication of the related regulations that will allow those to take effect. Once the regulations are finalized, organizations will then need to train their personnel, update their processes, and basically get ready for that set of changes to PIPEDA and meet the new requirements.

The second issue I want to address is consent. CMA believes that the right mix of individual choice and a robust accountability framework will strengthen privacy and consent. With business models becoming increasingly focused on innovation, and greater customization of products and services, which is all in response to consumer expectations, the strains on a consent-based regime must be recognized. Privacy policies that are rarely read, smaller screens, and other device restrictions are realities that pose challenges to obtaining meaningful consent.

While consumer consent must still be regarded as an important element in privacy law, shifting more to a risk assessment-based model, where organizations are given more freedom but also more responsibilities over consumer data, would modernize the Canadian privacy framework to the benefit of businesses and consumers alike. In such a model, the types of notices provided and consent obtained are linked with the sensitivity or risk of harm of a given data-handling activity. This is what we see in the breach provisions that were passed several years ago. This is consistent also with schedule 1 of PIPEDA.

CMA believes that strengthening the accountability framework through self-regulatory codes of practice and other creative tools, such as data anonymization, offers the best approach to enhancing privacy protections for individuals. An excellent example of a self-regulatory initiative is the AdChoices program for interest-based advertising, developed by the Digital Advertising Alliance of Canada, the DAAC.

CMA is among the founding marketing and advertising organizations that launched the DAAC in 2013 in order to give consumers real-time notice and choice over whether their browsing data would be used for interest-based advertising. An enhanced accountability model necessarily comes with more responsibilities for organizations. For example, CMA's code of ethics and standards of practice imposes strict limitations on the collection and use of personal information of children under the age of 13.

My third and last point relates to the Privacy Commissioner's enforcement powers. We do not agree that the commissioner requires additional powers. In fact, the commissioner currently has the power to issue findings, audit organizations, make recommendations, and now enter into compliance agreements. The brand reputation damage, as has been noted already, that can result from an adverse commissioner finding can be significant. The impact of such negative publicity is an enforcement tool that cannot be overstated. In addition, if voluntary co-operation is not forthcoming, the commissioner has the power to summon witnesses, administer oaths, compel the production of evidence, and take matters to the Federal Court to rectify situations that remain unresolved.

CMA believes that the ombudsman model under which PIPEDA operates has been highly effective and has resulted in a high level of voluntary compliance from Canadian businesses. Consider the number of PIPEDA-related complaints brought forth to the OPC. Between January 1, 2015, and March 31, 2016, the OPC received 351 complaints. Only 52 of those cases, or just under 15%, were considered well founded by the commissioner. Of those 52 cases, 46, or upwards of 90%, were either completely or conditionally resolved.

The current ombudsman model of oversight permits the OPC to protect and promote privacy rights of individuals through positive and proactive engagement with industry associations and organizations seeking guidance on compliance and emerging privacy issues. Providing the OPC with more direct enforcement powers would undermine that open and co-operative relationship that has developed between the OPC and Canadian industry.

In conclusion, we would point to the OPC's extensive casework and published findings over the past 17 years and the great many improved privacy practices adopted by businesses over the years as a result. This is valuable evidence that PIPEDA works well in its current form.

We would also caution against positioning PIPEDA as a default, catch-all solution for issues arising from the rapid evolution of technology and data uses. In many instances, there are other laws and regulations that may be better suited to address specific sectoral concerns or other issues that arise. PIPEDA must be effective in protecting Canadians' privacy rights while also encouraging organizations to innovate new products and services for their consumers and customers. This often involves the responsible use of data, including personal information. CMA believes that the existing PIPEDA framework has demonstrated the right measures of flexibility and effectiveness in achieving these goals.

Thank you, Mr. Chairman. We welcome the committee's questions.

That's a very good story, which I would say pretty much everybody around this table can relate to. I can for sure.

It's the burden associated with implementing the right to be forgotten with which we have an issue. There are costs associated with it, how you track it down, and who you go through. I just think it's too much work for us to adapt to that European model. That's our opinion. It's not something that's easy to do. There is also freedom of speech; that does exist.

From the wireless association's perspective, we're not for it.

I believe our Canadian companies, in terms of wireless telecommunications, are extremely well prepared for competition. We are competitive within the Canadian market. We are an innovator in terms of our capabilities here. We're a world leader in terms of our technologies. What we're asking for in a competitive model is to make sure that any rules that exist here are equitably delivered to anybody else who wants to do business here.

Yes. We always need to make sure we're being competitive, but I think when it comes down to what's happening in Europe versus what's happening in Canada, we need to worry about what's best for our Canadian economy, and to make sure that our companies are able to compete on a level playing field.

In terms of where we're at with 5G, it depends who you talk to. Some people think we're already on the cusp of 5G, but when will 5G come fully into effect, with the Internet of things and where we're operating in a sort of new world? I don't think we're going to see autonomous cars tomorrow or in a few years, but I think—

That could be the case. I would say that with autonomous cars—and I've had the opportunity to view and visit the QNX labs here in Ottawa—there is what I would call a constant evolution. Today you have your speaker phone; when you're backing up, you have cameras; and when you're driving down the highway now and you veer a little bit offside, your car shakes for you, so it's constantly getting to that level.

In terms of its relation to privacy and PIPEDA, that's where we believe it's important for the commissioner to consult with us. Do I have the answers right now? No. My members are better at that. That's why we're asking that when the commissioner does go out to do his consultations on where we are with 5G, our members and CWTA be involved.

This is a challenging area in terms of actual implementation.

I mentioned in my remarks that we have in our code of ethics stringent guidelines regarding the collection of children's data. Marketers who are doing so are required to obtain express consent from parents or guardians, but—

We have some gradients. There are some issues around teenagers. Teenagers in our society start to assume a greater level of responsibility for their own activities, so our code of ethics does have different provisions for teenagers, but also more stringent provisions on the collection of data from teenagers as opposed to adults, people who have gained age of majority.

Under our requirements, children under the age of 13 are not able to give consent for the collection and use of their personal information, and parental consent should be sought.