Thank you, Mr. Chair.
Thank you to the committee for the invitation to appear before you today to present CMA's views on your study of the Personal Information Protection and Electronic Documents Act, also well known as PIPEDA.
CMA is the largest marketing association in Canada. It represents communications and marketing agencies as well as major brands in retail, financial services, technology, and other sectors. Our advocacy efforts aim to promote an environment in which ethical marketing prevails in both communicating with and serving customers.
CMA has provided a written submission to the committee in advance, but today I would like to focus my remarks on three issues—namely, is PIPEDA in need of amendments, does the consent model still work, and is OPC enforcement effective?
First, on amending PIPEDA, some argue that PIPEDA is broken or inadequate and needs to be fixed. However, our view is that PIPEDA has in fact withstood the test of time in addressing the new challenges of our fast-changing digital world. By deliberate design, PIPEDA was structured on core principles rather than prescriptive rules precisely in order to create a law that would be able to adapt to new technologies, practices, and expectations. The PIPEDA model promotes a more collaborative approach in developing guidance to organizations operating in a very wide range of different contexts. The OPC is in a position to provide further interpretive guidelines as social, technological, and business developments require. This framework has served and continues to serve Canadians very well.
It's also important to recognize that the recent amendments to the law, introduced in 2015 by the Digital Privacy Act, provide additional protections for individuals. These include an increased responsibility for organizations to obtain valid consent, especially for children and other vulnerable parties; mandatory breach notification requirements; and new powers for the Privacy Commissioner to enter compliance agreements with organizations and coordinate enforcement with international counterparts.
While some may argue that further amendments to the law are necessary, CMA strongly cautions against this approach. Our recommendation is to allow the amendments passed in 2015 to take full effect and then assess the impact and effectiveness of those changes before contemplating further changes to the law. For example, the new breach notification provisions that were enacted nearly two years ago have yet to come into force. We are still waiting for the publication of the related regulations that will allow those to take effect. Once the regulations are finalized, organizations will then need to train their personnel, update their processes, and basically get ready for that set of changes to PIPEDA and meet the new requirements.
The second issue I want to address is consent. CMA believes that the right mix of individual choice and a robust accountability framework will strengthen privacy and consent. With business models becoming increasingly focused on innovation, and greater customization of products and services, which is all in response to consumer expectations, the strains on a consent-based regime must be recognized. Privacy policies that are rarely read, smaller screens, and other device restrictions are realities that pose challenges to obtaining meaningful consent.
While consumer consent must still be regarded as an important element in privacy law, shifting more to a risk assessment-based model, where organizations are given more freedom but also more responsibilities over consumer data, would modernize the Canadian privacy framework to the benefit of businesses and consumers alike. In such a model, the types of notices provided and consent obtained are linked with the sensitivity or risk of harm of a given data-handling activity. This is what we see in the breach provisions that were passed several years ago. This is consistent also with schedule 1 of PIPEDA.
CMA believes that strengthening the accountability framework through self-regulatory codes of practice and other creative tools, such as data anonymization, offers the best approach to enhancing privacy protections for individuals. An excellent example of a self-regulatory initiative is the AdChoices program for interest-based advertising, developed by the Digital Advertising Alliance of Canada, the DAAC.
CMA is among the founding marketing and advertising organizations that launched the DAAC in 2013 in order to give consumers real-time notice and choice over whether their browsing data would be used for interest-based advertising. An enhanced accountability model necessarily comes with more responsibilities for organizations. For example, CMA's code of ethics and standards of practice imposes strict limitations on the collection and use of personal information of children under the age of 13.
My third and last point relates to the Privacy Commissioner's enforcement powers. We do not agree that the commissioner requires additional powers. In fact, the commissioner currently has the power to issue findings, audit organizations, make recommendations, and now enter into compliance agreements. The brand reputation damage, as has been noted already, that can result from an adverse commissioner finding can be significant. The impact of such negative publicity is an enforcement tool that cannot be overstated. In addition, if voluntary co-operation is not forthcoming, the commissioner has the power to summon witnesses, administer oaths, compel the production of evidence, and take matters to the Federal Court to rectify situations that remain unresolved.
CMA believes that the ombudsman model under which PIPEDA operates has been highly effective and has resulted in a high level of voluntary compliance from Canadian businesses. Consider the number of PIPEDA-related complaints brought forth to the OPC. Between January 1, 2015, and March 31, 2016, the OPC received 351 complaints. Only 52 of those cases, or just under 15%, were considered well founded by the commissioner. Of those 52 cases, 46, or upwards of 90%, were either completely or conditionally resolved.
The current ombudsman model of oversight permits the OPC to protect and promote privacy rights of individuals through positive and proactive engagement with industry associations and organizations seeking guidance on compliance and emerging privacy issues. Providing the OPC with more direct enforcement powers would undermine that open and co-operative relationship that has developed between the OPC and Canadian industry.
In conclusion, we would point to the OPC's extensive casework and published findings over the past 17 years and the great many improved privacy practices adopted by businesses over the years as a result. This is valuable evidence that PIPEDA works well in its current form.
We would also caution against positioning PIPEDA as a default, catch-all solution for issues arising from the rapid evolution of technology and data uses. In many instances, there are other laws and regulations that may be better suited to address specific sectoral concerns or other issues that arise. PIPEDA must be effective in protecting Canadians' privacy rights while also encouraging organizations to innovate new products and services for their consumers and customers. This often involves the responsible use of data, including personal information. CMA believes that the existing PIPEDA framework has demonstrated the right measures of flexibility and effectiveness in achieving these goals.
Thank you, Mr. Chairman. We welcome the committee's questions.