Evidence of meeting #60 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Robert Ghiz, President and Chief Executive Officer, Canadian Wireless Telecommunications Association
Linda Routledge, Director, Consumer Affairs, Canadian Bankers Association
Wally Hill, Vice-President, Government and Consumer Affairs, Canadian Marketing Association
Charles Docherty, Senior Legal Counsel, Canadian Bankers Association
David Elder, Special Digital Privacy Counsel, Canadian Marketing Association

May 11th, 2017 / 4:15 p.m.

President and Chief Executive Officer, Canadian Wireless Telecommunications Association

Robert Ghiz

I'm not sure about the California law, but I'd be willing to get my association to look into it. I think there's also the component today of education. I know that the commissioner does fund such organizations as MediaSmarts, and there are other literacy things we need to do to make sure our kids today are ready for the realities of the world they're coming into. It's different from when we grew up. There is a responsibility to make sure that we educate kids that this is the new reality of the world.

For our members, there are rules and data management tools. The carriers have privacy settings on their phones. Parents need to be educated too, to help educate their kids, but I think we can start with young kids, telling them that these are the new realities of the world, and if they're going to be involved, there are associated consequences.

At any rate, I'd be willing to check out the California law. I understand where you're coming from, but I think there is a literacy and educational component to it as well.

Karine Trudel NDP Jonquière, QC

Thank you.

The Vice-Chair Liberal Nathaniel Erskine-Smith

For our final seven-minute round, we have Mr. Saini.

Raj Saini Liberal Kitchener Centre, ON

Thank you very much, all of you, for coming here.

I'll start with specific questions, and then I'll get to something a little bit more general. Let me start with Ms. Routledge and Mr. Docherty first.

As part of the CBA's submission to the OPC's consultation on consent under PIPEDA, you said that PIPEDA should not “pose a barrier to innovation”. Can you explain what you meant by this? Do you feel that the way PIPEDA is currently structured poses a barrier to innovation?

4:15 p.m.

Senior Legal Counsel, Canadian Bankers Association

Charles Docherty

As reflected in my colleague's remarks at the outset, we do agree that PIPEDA has served Canadian society very well up until now. Its broad-based principles are fairly technology-neutral. But as new products and new services are developed, it could benefit from some tweaks, in particular the concept of legitimate business interests so that privacy notices can be streamlined and people can really focus in on things that matter to them, that are meaningful to them.

I think that's what we were talking about in that submission.

Raj Saini Liberal Kitchener Centre, ON

Mr. Ghiz, do you believe PIPEDA is a barrier to innovation?

4:20 p.m.

President and Chief Executive Officer, Canadian Wireless Telecommunications Association

Robert Ghiz

We're actually in agreement with the CBA. We think as new products develop—as we discussed with the 5G and the automated cars—there are provisions within the consultative process, and with the good relationship we have with the commissioner, we can work with the commissioner along the way to make sure we're ahead of the curve rather than companies making a mistake and then having to retract.

I view it as being more proactive, and I think there are mechanisms within PIPEDA to be able to do that.

Raj Saini Liberal Kitchener Centre, ON

Mr. Hill.

4:20 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

It's very much supportive of innovation. The way PIPEDA is now framed, it's designed for the kind of collaboration that is needed on a wide range of the innovative activity happening out there. To try to create a prescriptive law that deals with all the different areas that are evolving out there will just not be possible. That's why the law was framed the way it was. That's why it works so well and will continue to work well.

Raj Saini Liberal Kitchener Centre, ON

Just to follow up on that, in the CMA's brief to the Privacy Commissioner, your group mentioned that the current EU framework as well as the new GDPR offer ways to process data without necessarily seeking consent each and every time. Can you expand on that a bit?

4:20 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

I don't know that we were touching on the GDPR in our brief, but we were suggesting that it is challenging. Obtaining consent in the world in which we're operating today is indeed a challenge. We have touchpoints every day where individuals and organizations are asking us if we've read the privacy policy. We're dealing with small screens. There are enormous barriers out there to enabling consent in every interaction we have.

The point we're making is that you can retain consent at the core of your privacy framework and at the same time provide greater responsibility and accountability for organizations to utilize personal information where there is maybe a reasonable expectation on the part of the consumer that the information may be used for an additional purpose—in other words, an expanded use of implied consent, if you will. I think the CRTC was here a few days ago talking to you about the anti-spam law. A very robust aspect of that law is built on implied consent as well as express consent. There's a strong element of implied consent where there's an existing customer relationship.

Charles was talking about the fact that organizations may have a legitimate need to use the information for a new purpose that will not put the consumer at risk. It may indeed benefit the customer. In those kinds of instances, going back to consent, is that where we want to be in the environment in which we're operating today, the digital environment? We would suggest that it isn't, and that in different contexts, different industries, you may have different codes and different frameworks that will be established to allow organizations to move forward in the way that I've suggested. Those would be self-regulatory codes, and we think they have a place in what we're describing—that is, a consent-based regime still, but one that imposes great accountability on organizations.

Raj Saini Liberal Kitchener Centre, ON

In some of your submissions and in some of your preambles, you also mentioned data breach notification and how you wanted that to be self-regulating. Can you enlighten the committee on why it would be an advantage for that to be self-regulating as opposed to mandatory?

4:20 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

We're satisfied with the regulatory approach to a breach. It was originally a self-regulatory regime. The self-regulatory regime was built as a result of consultation. It was actually a great example of the kind of collaboration the PIPEDA model affords.

As data breaches became more of an issue through the last five or 10 years, the Privacy Commissioner and others recognized—I don't think there was disagreement within the business community—that there was more of a need to raise the bar and have a formal set of reporting requirements. Certainly the Canadian Marketing Association supports the breach notification provisions that are in PIPEDA now as a result of the amendments. We're engaged in talking to government about what the detailed regulations will look like just to ensure that they're not overly and unnecessarily burdensome to businesses and other organizations. That's our position.

The Vice-Chair Liberal Nathaniel Erskine-Smith

With that, we'll have Mr. Kelly begin our five-minute round.

4:25 p.m.

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

I am going to just pick up right where we left off, if you don't mind, and I'll let you have a little more of a complete answer than time permitted. We talked about compliance, and in your answer you talked about it perhaps being particularly an issue for large organizations.

I kind of thought about it the other way around, from the perspective of somebody who was once the operator of a very small enterprise. The smaller the enterprise, really, the bigger the burden of any kind of compliance and administration as a percentage of the organization. Do you not think that for any organization that has to comply with regulations, if the regulations are onerous, detailed, or large...? Do you think your smaller operators are concerned about compliance?

4:25 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

For sure, smaller organizations are challenged. Everything you say is true. Proportionally, it can challenge smaller organizations, but I think they will move forward.

A lot of education needs to flow regarding things like the breach notification requirements of PIPEDA. Again, this is one of the reasons we have our current framework, with the ombudsman model and the Privacy Commissioner, as an advocate and educator, getting out there to these communities and ensuring that they're up to speed.

4:25 p.m.

Pat Kelly Conservative Calgary Rocky Ridge, AB

Does the commission do a good job on the education portion?

4:25 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

I think they could always do more, but I think they do a pretty good job. They have tools for small businesses on their website, so I think they do try and they do a pretty good job. Could they do more? There's always more needed, as well as working with organizations like ours, the chambers, the Retail Council, and so on. Reaching out to smaller businesses and medium-sized businesses is always beneficial. That takes time.

4:25 p.m.

Pat Kelly Conservative Calgary Rocky Ridge, AB

In your opening remarks, you spoke about a risk assessment approach as differentiated from the consent model.

4:25 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

It wasn't really to differentiate. It was to point out, for example, how the new breach requirements revolve around the concept of organizations reporting a breach where there is a real risk of significant harm, organizations having to make a judgment, and imposing that accountability on organizations.

I thought that term might catch people's attention if they were wondering whether they should be out there taking more risk.

No, it's that organizations should have imposed on them the requirement to evaluate the risk that is involved in the use of any information and to make appropriate decisions based on that. That's embedded in PIPEDA now, in the sections that deal with consent. There's a higher standard of consent required when you're talking about sensitive information as well as with the new breach requirements. There's a burden placed on organizations to make proper judgments as to the risk posed to consumers or customers with respect to some data that may have been leaked.

4:30 p.m.

Pat Kelly Conservative Calgary Rocky Ridge, AB

What do you think about having greater emphasis on this risk assessment? Do you want to tell us right now what kind of information you think is the highest risk and what is low risk?

4:30 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

Typically high-risk and sensitive information certainly includes financial information or types of health information. Various categories of information are sensitive. Children's information by definition, because of the group in that instance, can be sensitive. I think it depends on context. The kind of model we're talking about is going to involve different approaches in different sectors.

4:30 p.m.

Pat Kelly Conservative Calgary Rocky Ridge, AB

Would it also help to update the definition of “publicly available”?

4:30 p.m.

Vice-President, Government and Consumer Affairs, Canadian Marketing Association

Wally Hill

I think it would. It may be possible to do that in the context of the existing regulations, I believe. PIPEDA does have regulation-making powers for the government. The Privacy Commissioner can seek to have regulatory changes that would help in that regard.

Go ahead, David.

4:30 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

If I may just add to that, as a very specific example within the regulations now for “publicly available”, one of the categories talks about how if it's “published”, and it gives examples of being published in a newspaper or a magazine or things like that.

We've had several interpretations out of various privacy commissioners' offices across the country that say you can publish a blog every day and have 50,000 readers, but that anything you publish on that blog does not count as being publicly available for the purpose of the regulation. I think, in fact, there's room within that wording to say that “published” includes a blog.