Evidence of meeting #62 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Frank Zinatelli  Vice-President and General Counsel, Canadian Life and Health Insurance Association
Anny Duval  Counsel, Canadian Life and Health Insurance Association
Randy Bundus  Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada
Sonia Carreno  President, Interactive Advertising Bureau of Canada
Adam Kardash  Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada
Steven Lingard  Director, Legal Services, and Chief Privacy Officer, Insurance Bureau of Canada

5:05 p.m.

Some hon. members

Yes.

5:05 p.m.

The Chair

My first question is to Mr. Kardash. You suggested keeping the status quo with respect to the Privacy Commissioner's powers, and you mentioned that it's a dialogue, and that strikes me as a fair point. Now, if the commissioner has entered into a compliance agreement with a third party, and that third party ignores the compliance agreement, at that point shouldn't there be fines or new powers for the commissioner?

5:05 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

Yes, those compliance agreements are voluntary for organizations to enter into. There are certain reasons it would make sense for organizations to enter into them with the OPC, like a binding agreement, just as you would have in the private sector, so that would make sense in its current format.

5:05 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

We had a lawyer from a different firm appear before us who suggested that the right of erasure might be fair for those 16 and under. Do you think that would be a fair compromise for this committee?

5:05 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

We've had to work on several dozen client mandates in which we were dealing with concepts in the EU, with global companies, and importing them. These are very tricky, and what seemed to be the case in every single context is that that was unnecessary for the protection of privacy.

We have an existing framework that works fine, and it didn't seem necessary at all in the circumstances.

5:05 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thank you very much.

Australia has a law proposal—I don't think it's enacted yet—that would make it an offence to de-identify government datasets. You mentioned that de-identification and anonymization are important. Do you think we should not only be looking at rules that would expressly authorize de-identification but also looking at whether to make it an offence or otherwise prohibit re-identification?

5:05 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

Yes. We recommend having something similar to what exists in provincial privacy statutes: an express deemed authorization for organizations to be able to de-identify. I would suggest that the frameworks already exist. If an individual or a corporation were to be re-identifying some dataset, they would have no authority under PIPEDA or provincial legislation to do so. They would be barred from just outwardly in a vacuum re-identifying, so they would have an existing framework to deal with that, and there would be remedies under the federal or provincial statutes to address that.

5:05 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

Lastly, you mentioned a new exception, legitimate business interest. I understand PIPEDA, but you know far more with respect to implied consent, so perhaps you could explain to this committee the difference between how the law currently operates in relation to implied consent and how this exception of legitimate business interest would add to our notion of implied consent.

5:05 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

Yes, thank you.

It's a critically important question. There are elements to a valid consent, whether expressed or implied. One of the elements required is that the consent be revocable. For instance, if you provide your consent for secondary marketing, there is the obligation to honour your withdrawal or your “unsubscribe” for that.

There are a myriad of circumstances right now in which providing a revocability for a consent process is very difficult in practice. We have a stunningly complex data ecosystem in which the ability to even contemplate how you would give effect to the withdrawal of consent is going to be very difficult. The Internet of things is one of those examples. If it were carefully constructed—and we were very careful, and you will see this in our written submissions—with a balancing of interests similar to that in the EU, this would allow organizations the ability to process data for legitimate purposes and, at the same time, respect privacy interests.

5:10 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much.

I'm out of time.

Madam Trudel, you have three minutes should you wish to use them.

5:10 p.m.

Karine Trudel NDP Jonquière, QC

Thank you.

I would like to return to you, Mr. Kardash, for a clarification.

You referred earlier to the right to challenge the commissioner. I would like further explanation as to whether you are referring to organizations that want to challenge the commissioner—perhaps it is a translation issue. I simply want to understand what you mean by the “right to challenge”.

5:10 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

Sure. Right now, when an organization is the subject of a complaint, the Office of the Privacy Commissioner will commence and carry out an investigation. At the conclusion of that investigation, it will issue a report of findings. These are non-binding findings, and there are express rights in the statute right now for the complainant, the individual who launched the complaint, or the Privacy Commissioner to take that to Federal Court. There is no right for organizations to do the same. It doesn't exist.

There would be rights under administrative law to do so, but organizations don't have the express right to do so. It just doesn't exist in there. So in essence, the remedies at the Federal Court level for both the complainant and a privacy regulatory authority are what are set out in the act.

5:10 p.m.

Karine Trudel NDP Jonquière, QC

So you recommend that the organization should have the right to challenge. Is that correct?

5:10 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

I think it's fair for due process to have rights for organizations balanced. The whole statute is predicated on a balancing. Privacy under PIPEDA is not an absolute right. There's a balance in the preamble of the act and in section 5.3 of the act for the protection of privacy interests to be balanced with the collection, use, and disclosure of personal information for reasonable purposes. Consistent with the balancing of interests, it gives organizations the right to challenge a decision.

One could see in circumstances right now how once the security breach notification rules come into effect, organizations could be fined $100,000 for failure to notify in circumstances where there's a real risk of significant harm. Where are the rights for organizations to challenge something that could have mammoth implications for those that are the subject of such a fine? If organizations could be fined, the only thing I'm suggesting is the express right, within the statute, for organizations to challenge that.

5:10 p.m.

Karine Trudel NDP Jonquière, QC

Thank you.

5:10 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

I want to thank all of our witnesses today. That will conclude our public meeting. We will suspend for a few minutes and return in camera.

[Proceedings continue in camera]