Thank you, Mr. Chair.
My name is Randy Bundus, and I am senior vice-president, legal and general counsel with the Insurance Bureau of Canada. I am joined by my colleague Steven Lingard, who is IBC's director, legal services, and chief privacy officer.
We are pleased to represent the Insurance Bureau of Canada and our member companies to contribute to the discussion on the next review of the Personal Information Protection and Electronic Documents Act. We understand that the committee is interested in hearing views on issues that were contained in the federal Privacy Commissioner's 2016 paper that discusses the challenges that traditional notions of consent will face as technology and business models continue to evolve and also potential enhancements to consent under PIPEDA. IBC's comments today are based on the submission we filed in response to the OPC discussion paper.
IBC is the national industry association, representing over 90% by premium volume of the private property and casualty insurance sold in Canada. The private P and C insurance industry in Canada provides insurance protection for homes, motor vehicles, and commercial enterprises throughout the country. There are over 200 private P and C insurers actively competing in Canada.
The P and C insurance industry also works to improve the quality of life in Canadian communities by promoting loss prevention, safer roads, crime prevention, improved building codes, and coordinated preparation for coping with natural disasters.
I'd first like to comment on the insurance industry's layered approach to consent. PIPEDA is a consent-based privacy law that requires that, with limited exceptions, the individual must give consent for the collection, use, or disclosure of that individual's personal information.
While IBC acknowledges the concerns and issues raised in the Privacy Commissioner's discussion paper, we are of the view that the current consent model under PIPEDA is appropriate for Canadian P and C insurers and their customers and does not need to be changed in any significant manner.
PIPEDA was amended in 2015 by the Digital Privacy Act, also known as Bill S-4, to include the concept of “valid consent”, which says that consent is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.
It must be noted that the P and C insurance industry is regulated, from a business perspective, at the provincial and federal levels. The provincial and territorial superintendents of insurance have jurisdiction over market conduct and policy wordings, while the federal superintendent of insurance has jurisdiction over corporate governance and solvency. This is in addition to the privacy regulation of insurers by the federal and provincial privacy commissioners.
Canadian P and C insurers have, for many years, used a layered approach for obtaining consent to the collection, use, or disclosure of personal information. For example, when an individual applies for an insurance policy, they are asked to consent to the collection, use, or disclosure of their personal information for a variety of immediate and potential future legitimate insurance purposes, including assessing the risk—what we call “underwriting”—investigating and settling claims, and detecting and preventing fraud. The wording of the consent language in the automobile insurance application forms and claims forms is mandated by the provincial and territorial superintendents of insurance, and insurers and consumers must use these mandated forms. Then, if a claim is made under the insurance policy, the insurer will typically obtain a consent from the claimant to collect, use and disclose their personal information for the purpose of adjusting and settling the claim.
Insurers also employ the use of separate consent agreements obtained when providing insurance quotes and stand-alone products and services. An example would be usage-based insurance. Usage-based insurance, or UBI, is a relatively new product in Canada, although it has been sold for several years in other countries. UBI is an example of a new technology-enabled insurance offering. UBI allows an insurer to customize auto insurance premiums to reflect the actual driving usage by the customer by recording some basic information, such as frequency of use, distance driven, time of day when the vehicle is driven, turning, acceleration, speed, and braking. The information is collected by means of an interface between the individual's vehicle and the insurer.
UBI is a voluntary product, and it is entirely up to the consumer to decide whether they want to accept and use this offering.
Like other auto insurance products, UBI is regulated by the provincial superintendents of insurance. The superintendents of insurance in Ontario and Alberta have set certain standards around how insurers can collect and use this UBI information. It should be noted that the Office of the Information and Privacy Commissioner of Alberta has become involved in the regulation of UBI in that province.
In addition, personal information can be collected about automobile insurance accident benefit claimants through the mandated use of auto insurance claims forms. These forms are mandated by the superintendent of insurance and also contain certain privacy and consent wordings similar to those contained in the auto insurance application. This layered, circumstance-specific approach gives insurers the ability to inform their customers of new uses and disclosures of their personal information, and to obtain their consent as the need arises and the relationship with the individual evolves, including with the offering of new technology-based insurance products.
Next I'd like to speak a bit about updating the consent regime.
Legislative and regulatory regimes need to be periodically updated to keep them current. IBC and its members support the following proposals to enhance PIPEDA's consent regime.
First, with respect to exceptions or alternatives to consent, there are situations in which insurers rely upon certain exceptions to the current model that exist in section 7 of PIPEDA, such as the investigation of fraudulent claims, or obtaining witness statements in order to adjust and settle insurance claims. There is a similar, but different regime in the EU general data protection regulation, or GDPR, that will come into force in 2018. The GDPR includes reference to legitimate business interests, but it is unclear how this would apply in practice and how it is different from the current exceptions in PIPEDA. Legitimate business interest might be useful as a supplement to the PIPEDA exceptions.
The importance of PIPEDA and the provincial privacy laws continuing to be adequate for the purpose of the GDPR is a matter for in-depth consideration by this committee.
Next I'd like to touch on anonymized aggregate data.
The use of anonymized aggregate data, as a form of de-identified data, is currently being used by insurers and should remain a viable alternative to the consent requirement. It can be used in various legitimate ways, and safeguards against misuse of this data by third-party service providers are built into contracts between them and the insurers.
With regard to codes of practice, insurers are heavily regulated by a number of regulatory authorities, particularly the federal Office of the Superintendent of Financial Institutions, or OSFI, which regulates solvency and corporate governance; and the provincial and territorial superintendents of insurance, which regulate market conduct, including the wording of certain mandated insurance policies and forms.
Were codes of practice to be considered, our view is that they would be redundant and add little value due to the strict requirements already put into effect by federal and provincial regulators.
With regard to the OPC enforcement model, IBC agrees that independent oversight bodies such as OPC play an essential role in protecting the privacy interests of Canadians. Based on insurers' experience with OPC to date, the industry is of the view that OPC has done an extremely effective job of protecting individuals' privacy with the powers currently afforded to it under its governing legislation. Insurers take their privacy and consent obligations very seriously and understand the importance of strict compliance with the requirements imposed upon them by privacy legislation and insurance regulators. Recognizing the importance of these obligations, insurers have an internal ombudsman's office whose role is to conduct independent and impartial investigations of consumer complaints. The role of the ombudsman's office would likely have to be re-evaluated should the OPC's powers be expanded.
Furthermore, it is noteworthy that the 2015 amendments to PIPEDA found in the Digital Privacy Act included new enforcement powers for OPC, including the ability to compel organizations to enter into compliance agreements. Also, recent developments in privacy jurisprudence, particularly the creation of the new privacy torts commonly referred to as “intrusion upon seclusion” and “public disclosure of private facts”, create further incentives for organizations to protect against privacy breaches at the risk of increased reputational and monetary damage.
For these reasons, IBC does not believe OPC needs additional powers to be able to continue to function appropriately and fulfill its mandate.
Thank you for your attention. My colleague Steven Lingard and I would be happy to take questions later.