Thank you.
As the committee has heard from previous witnesses, there is an increasingly active discourse and growing recognition in the global privacy arena of the legal and practical challenges posed by the statutory consent requirement in an evolving data environment, but despite these challenges, as you have just heard, it's important to highlight that in many contexts PIPEDA's current consent requirement is and continues to be a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today's data environment using what the Federal Court of Appeal has referred to as a flexible, pragmatic, common sense approach.
A prime example of the viability of PIPEDA's current consent requirement within a complex data ecosystem is in the context of the collection and use of information for the purposes of online behavioural advertising, or what is now more commonly referred to as interest-based advertising.
Based in large part on guidance issued by the Office of the Privacy Commissioner of Canada relating to OBA, the Digital Advertising Alliance of Canada, a not-for-profit organization and consortium comprising IAB Canada and seven other leading national advertising and marketing trade associations, developed and launched a program called AdChoices, the Canadian self-regulatory program for online behavioural advertising. Dozens of key players in the online and mobile advertising ecosystem have signed up for the DAAC's AdChoices program, all with the view of helping to enhance their respective compliance with PIPEDA and, overall, to enhance the trust of all stakeholders in the Canadian digital advertising arena.
PIPEDA's consent requirement also establishes a helpful framework for the processing of personal information involved in data analytics or what is referred to as big data processing. Data analysis is an inherent part of research development, and the insights derived from big data analytics now being conducted by companies are leading to profound and unprecedented levels of benefits and improvements in efficiency and convenience, and new products and offerings. PIPEDA's consent provisions, specifically principle 4.3.3, helpfully contemplate circumstances in which organizations must process personal information in connection with providing a product or service offering, such as the case in which data analytics is being conducted for research and development.
In a written submission, which we're providing to the committee, we offer several recommendations for amendments to PIPEDA for the committee's consideration, and I'll touch upon them briefly this afternoon.
While PIPEDA's framework remains viable, it's critically important to ensure that PIPEDA in the long term is able to address the challenges of the consent model as these challenges may become more acute with increasingly complex data ecosystems such as the Internet of things. PIPEDA will impede innovation if companies do not have certainty regarding the legal viability of their authority under PIPEDA to process personal information. Certain of these challenges can be addressed by surgically amending PIPEDA to expand the circumstances in which organizations can collect, use, or disclose without consent. We are of the view that the amendments to PIPEDA, if appropriately drafted, could address the range of challenges in a manner that balances the interests of all stakeholders.
Very briefly, these proposed amendments include, as you heard just a few minutes ago, the following:
First, broadening the permissible grounds under PIPEDA to collect, use, or disclose personal information without consent where there are legitimate business interests of the organization.
Second, modifying the wording of PIPEDA's research exception to expressly include analytics.
Third, modernizing the exceptions to consent for collection, use, and disclosure for publicly available information.
And finally, expressly authorizing organizations to de-identify or anonymize personal information without the necessity of consent.
We invite questions from the committee with respect to any of these recommendations.
I have just one final comment. I want to offer views regarding the sufficiency of the OPC's current enforcement powers under PIPEDA.
PIPEDA currently provides the OPC with a suite of powers to enforce compliance with the act, and despite the calls for enhanced enforcement powers that this committee has heard, we feel strongly that there do not appear to be compelling examples illustrating precisely why the existing arsenal of OPC powers is insufficient.
On the contrary, to date the OPC has been remarkably successful in carrying out its statutory mandate under PIPEDA. The OPC has been highly respected in the international privacy arena for years as a direct result of its enforcement activities. In our view, the OPC does not need to enhance or supplement its enforcement mechanism.
Moreover, given PIPEDA's balancing of interests framework, a remarkable shortcoming of the statutory enforcement regime under PIPEDA is that the statute does not include an express right for organizations to challenge OPC's exercise of its current enforcement powers.
For instance, organizations have no express right under the statute to refer a subject matter to the Federal Court.
We therefore recommend that PIPEDA be amended to provide organizations with an express right under the statute to challenge the OPC's exercise of its current enforcement powers.
I thank you again for the opportunity to speak with you this afternoon. We'd be pleased to respond to any questions from the committee.