Information & Ethics Committee on May 11th, 2017

As reflected in my colleague's remarks at the outset, we do agree that PIPEDA has served Canadian society very well up until now. Its broad-based principles are fairly technology-neutral. But as new products and new services are developed, it could benefit from some tweaks, in particular the concept of legitimate business interests so that privacy notices can be streamlined and people can really focus in on things that matter to them, that are meaningful to them.

I think that's what we were talking about in that submission.

We're actually in agreement with the CBA. We think as new products develop—as we discussed with the 5G and the automated cars—there are provisions within the consultative process, and with the good relationship we have with the commissioner, we can work with the commissioner along the way to make sure we're ahead of the curve rather than companies making a mistake and then having to retract.

I view it as being more proactive, and I think there are mechanisms within PIPEDA to be able to do that.

It's very much supportive of innovation. The way PIPEDA is now framed, it's designed for the kind of collaboration that is needed on a wide range of the innovative activity happening out there. To try to create a prescriptive law that deals with all the different areas that are evolving out there will just not be possible. That's why the law was framed the way it was. That's why it works so well and will continue to work well.

I don't know that we were touching on the GDPR in our brief, but we were suggesting that it is challenging. Obtaining consent in the world in which we're operating today is indeed a challenge. We have touchpoints every day where individuals and organizations are asking us if we've read the privacy policy. We're dealing with small screens. There are enormous barriers out there to enabling consent in every interaction we have.

The point we're making is that you can retain consent at the core of your privacy framework and at the same time provide greater responsibility and accountability for organizations to utilize personal information where there is maybe a reasonable expectation on the part of the consumer that the information may be used for an additional purpose—in other words, an expanded use of implied consent, if you will. I think the CRTC was here a few days ago talking to you about the anti-spam law. A very robust aspect of that law is built on implied consent as well as express consent. There's a strong element of implied consent where there's an existing customer relationship.

Charles was talking about the fact that organizations may have a legitimate need to use the information for a new purpose that will not put the consumer at risk. It may indeed benefit the customer. In those kinds of instances, going back to consent, is that where we want to be in the environment in which we're operating today, the digital environment? We would suggest that it isn't, and that in different contexts, different industries, you may have different codes and different frameworks that will be established to allow organizations to move forward in the way that I've suggested. Those would be self-regulatory codes, and we think they have a place in what we're describing—that is, a consent-based regime still, but one that imposes great accountability on organizations.

We're satisfied with the regulatory approach to a breach. It was originally a self-regulatory regime. The self-regulatory regime was built as a result of consultation. It was actually a great example of the kind of collaboration the PIPEDA model affords.

As data breaches became more of an issue through the last five or 10 years, the Privacy Commissioner and others recognized—I don't think there was disagreement within the business community—that there was more of a need to raise the bar and have a formal set of reporting requirements. Certainly the Canadian Marketing Association supports the breach notification provisions that are in PIPEDA now as a result of the amendments. We're engaged in talking to government about what the detailed regulations will look like just to ensure that they're not overly and unnecessarily burdensome to businesses and other organizations. That's our position.

For sure, smaller organizations are challenged. Everything you say is true. Proportionally, it can challenge smaller organizations, but I think they will move forward.

A lot of education needs to flow regarding things like the breach notification requirements of PIPEDA. Again, this is one of the reasons we have our current framework, with the ombudsman model and the Privacy Commissioner, as an advocate and educator, getting out there to these communities and ensuring that they're up to speed.

I think they could always do more, but I think they do a pretty good job. They have tools for small businesses on their website, so I think they do try and they do a pretty good job. Could they do more? There's always more needed, as well as working with organizations like ours, the chambers, the Retail Council, and so on. Reaching out to smaller businesses and medium-sized businesses is always beneficial. That takes time.

It wasn't really to differentiate. It was to point out, for example, how the new breach requirements revolve around the concept of organizations reporting a breach where there is a real risk of significant harm, organizations having to make a judgment, and imposing that accountability on organizations.

I thought that term might catch people's attention if they were wondering whether they should be out there taking more risk.

No, it's that organizations should have imposed on them the requirement to evaluate the risk that is involved in the use of any information and to make appropriate decisions based on that. That's embedded in PIPEDA now, in the sections that deal with consent. There's a higher standard of consent required when you're talking about sensitive information as well as with the new breach requirements. There's a burden placed on organizations to make proper judgments as to the risk posed to consumers or customers with respect to some data that may have been leaked.

Typically high-risk and sensitive information certainly includes financial information or types of health information. Various categories of information are sensitive. Children's information by definition, because of the group in that instance, can be sensitive. I think it depends on context. The kind of model we're talking about is going to involve different approaches in different sectors.

I think it would. It may be possible to do that in the context of the existing regulations, I believe. PIPEDA does have regulation-making powers for the government. The Privacy Commissioner can seek to have regulatory changes that would help in that regard.

Go ahead, David.

If I may just add to that, as a very specific example within the regulations now for “publicly available”, one of the categories talks about how if it's “published”, and it gives examples of being published in a newspaper or a magazine or things like that.

We've had several interpretations out of various privacy commissioners' offices across the country that say you can publish a blog every day and have 50,000 readers, but that anything you publish on that blog does not count as being publicly available for the purpose of the regulation. I think, in fact, there's room within that wording to say that “published” includes a blog.