Evidence of meeting #62 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Frank Zinatelli  Vice-President and General Counsel, Canadian Life and Health Insurance Association
Anny Duval  Counsel, Canadian Life and Health Insurance Association
Randy Bundus  Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada
Sonia Carreno  President, Interactive Advertising Bureau of Canada
Adam Kardash  Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada
Steven Lingard  Director, Legal Services, and Chief Privacy Officer, Insurance Bureau of Canada

3:35 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

Welcome to the 62nd meeting of the Standing Committee on Access to Information, Privacy and Ethics. We have three groups before us today: the Canadian Life and Health Insurance Association, the Insurance Bureau of Canada, and the Interactive Advertising Bureau of Canada.

Welcome, all. We do have a vote at 4:30 and bells are likely to ring at 4 p.m., so excuse the future interruption.

We'll start with the Canadian Life and Health Insurance Association, Mr. Zinatelli and Ms. Duval.

You have 10 minutes to make an opening statement.

Please begin. Thanks very much.

May 30th, 2017 / 3:35 p.m.

Frank Zinatelli Vice-President and General Counsel, Canadian Life and Health Insurance Association

Thank you, Chairman and members of the committee.

I'm Frank Zinatelli, vice-president and general counsel of the Canadian Life and Health Insurance Association. I'm here today with my colleague Anny Duval.

I would like to thank the committee very much for this opportunity to contribute to the review of PIPEDA. With your permission, Chairman, I would like to make a few introductory comments, and then provide the committee with the industry's views pertaining to the PIPEDA review.

By way of background, CLHIA represents life and health insurance companies accounting for 99% of the life and health insurance in force across Canada. The industry protects about 24 million Canadians and some 20 million people internationally. The Canadian life and health insurance industry provides products that include life insurance, disability insurance, supplementary health insurance, annuities, and pensions. For over a hundred years, Canada's life and health insurers have been handling the personal information of Canadians. Protecting personal information has long been recognized by our industry as an absolutely necessary condition for maintaining access to such information.

Over the years, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information. For example, back in 1980, we adopted “right to privacy” guidelines, which represented the first privacy code to be adopted by any industry group in Canada. Since then, the life and health insurance industry has participated actively in the development of personal information protection rules across Canada, starting with Quebec's private sector privacy legislation in 1994, the development of PIPEDA, Alberta's and B.C.'s personal information protection acts in the early 2000s, and health information legislation in various provinces.

The life and health insurance industry has had experience with PIPEDA for over a dozen years now, and we find that generally the current model continues to be effective and workable. That being said, your review of PIPEDA will afford the committee the opportunity to consider areas in which some targeted adjustments may be appropriate.

With this in mind, let me turn to a few of those areas.

One key matter that has been much discussed recently is the consent model. CLHIA participated in the Office of the Privacy Commissioner of Canada's consultation on consent and privacy, including stakeholder meetings. In our view, it is still feasible and appropriate to obtain meaningful consent in our industry under the current model, and there is no need to rethink the concept of consent in its entirety. There could be some helpful enhancements made to PIPEDA that would facilitate the obtaining of consent, but we do not believe that a complete overhaul of the model is necessary to achieve this goal. Rather, improvements can be achieved through supporting guidance or clarifying legislative changes that could reduce the burden on both individuals and organizations.

As an example, to address some uncertainty or stress on the consent model that some stakeholders have raised, it might be helpful to expand the list of exceptions to consent to add a new exception that aligns with the concept of legitimate business interests. The new European Union's general data protection regulation will allow businesses to process personal information without consent if they can prove that the data processing is necessary for the purposes of the legitimate interests pursued by such organizations. These interests would have to be balanced against other interests, and so, in the PIPEDA context, could be tied back to what a reasonable person would consider appropriate in the circumstances.

Now my colleague Anny will continue.

3:40 p.m.

Anny Duval Counsel, Canadian Life and Health Insurance Association

Another aspect which in our opinion needs to be updated is the definition of “publicly available information”.

The current definition in the Regulations Specifying Publicly Available Information no longer reflects reality or the expectations of the individuals it is intended to protect. In our opinion, this definition should be expanded to cover situations in which an individual decides to post personal information on a public website.

In such cases, we presume that the individual is waiving any expectation of protection of privacy and that it would therefore not be necessary to obtain their consent in order to collect, use and disclose that information. All the other provisions of the PIPEDA would continue to apply as they do currently for the collection, use and disclosure of publicly available personal information.

The third point we would like to make pertains to the ombudsman model. The life and health insurance industry believes that the current model should continue to be used since it effectively balances individuals' right to privacy and the rights of organizations to use that information legitimately and reasonably in a business context.

This model makes the Office of the Commissioner more accessible, informal and flexible in helping the parties resolve issues. It also makes it possible to work with consumers and organizations to ensure that everyone better understands what should not be done in order to provide reasonable and appropriate protection of privacy.

Another aspect of the ombudsman model is that it focuses the Office of the Privacy Commissioner's attention on responding to individuals' complaints in order to better process them, and on achieving balance between consumers and organizations, rather than devoting time and resources to creating a file in order to deal with a potential breach.

The right approach is to focus on resolving problems first.

3:40 p.m.

Frank Zinatelli Vice-President and General Counsel, Canadian Life and Health Insurance Association

Finally, Mr. Chairman, we would like to make a very technical suggestion regarding the mandatory five-year review of the act. Based on recent experience, the industry believes that it would be beneficial to all involved if section 29 of PIPEDA was amended to set the start of each review five years from the end of the last review period, as opposed to every five calendar years. This would ensure that the review process is duly finished before the next one is set to begin. It would just clarify things in some ways.

In summary, Mr. Chairman, the life and health insurance industry has had experience with PIPEDA for over a dozen years now, and we find that generally the current model continues to be effective and workable. That being said, your review of PIPEDA will afford the committee the opportunity to consider areas in which some targeted adjustments may be appropriate.

The industry appreciates this opportunity to participate in the committee's review of PIPEDA. We would be pleased to answer any questions you may have.

Thank you very much.

3:40 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much for that presentation.

For the next 10 minutes, we'll have Mr. Lingard and Mr. Bundus, on behalf of the Insurance Bureau of Canada.

3:45 p.m.

Randy Bundus Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada

Thank you, Mr. Chair.

My name is Randy Bundus, and I am senior vice-president, legal and general counsel with the Insurance Bureau of Canada. I am joined by my colleague Steven Lingard, who is IBC's director, legal services, and chief privacy officer.

We are pleased to represent the Insurance Bureau of Canada and our member companies to contribute to the discussion on the next review of the Personal Information Protection and Electronic Documents Act. We understand that the committee is interested in hearing views on issues that were contained in the federal Privacy Commissioner's 2016 paper that discusses the challenges that traditional notions of consent will face as technology and business models continue to evolve and also potential enhancements to consent under PIPEDA. IBC's comments today are based on the submission we filed in response to the OPC discussion paper.

IBC is the national industry association, representing over 90% by premium volume of the private property and casualty insurance sold in Canada. The private P and C insurance industry in Canada provides insurance protection for homes, motor vehicles, and commercial enterprises throughout the country. There are over 200 private P and C insurers actively competing in Canada.

The P and C insurance industry also works to improve the quality of life in Canadian communities by promoting loss prevention, safer roads, crime prevention, improved building codes, and coordinated preparation for coping with natural disasters.

I'd first like to comment on the insurance industry's layered approach to consent. PIPEDA is a consent-based privacy law that requires that, with limited exceptions, the individual must give consent for the collection, use, or disclosure of that individual's personal information.

While IBC acknowledges the concerns and issues raised in the Privacy Commissioner's discussion paper, we are of the view that the current consent model under PIPEDA is appropriate for Canadian P and C insurers and their customers and does not need to be changed in any significant manner.

PIPEDA was amended in 2015 by the Digital Privacy Act, also known as Bill S-4, to include the concept of “valid consent”, which says that consent is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.

It must be noted that the P and C insurance industry is regulated, from a business perspective, at the provincial and federal levels. The provincial and territorial superintendents of insurance have jurisdiction over market conduct and policy wordings, while the federal superintendent of insurance has jurisdiction over corporate governance and solvency. This is in addition to the privacy regulation of insurers by the federal and provincial privacy commissioners.

Canadian P and C insurers have, for many years, used a layered approach for obtaining consent to the collection, use, or disclosure of personal information. For example, when an individual applies for an insurance policy, they are asked to consent to the collection, use, or disclosure of their personal information for a variety of immediate and potential future legitimate insurance purposes, including assessing the risk—what we call “underwriting”—investigating and settling claims, and detecting and preventing fraud. The wording of the consent language in the automobile insurance application forms and claims forms is mandated by the provincial and territorial superintendents of insurance, and insurers and consumers must use these mandated forms. Then, if a claim is made under the insurance policy, the insurer will typically obtain a consent from the claimant to collect, use and disclose their personal information for the purpose of adjusting and settling the claim.

Insurers also employ the use of separate consent agreements obtained when providing insurance quotes and stand-alone products and services. An example would be usage-based insurance. Usage-based insurance, or UBI, is a relatively new product in Canada, although it has been sold for several years in other countries. UBI is an example of a new technology-enabled insurance offering. UBI allows an insurer to customize auto insurance premiums to reflect the actual driving usage by the customer by recording some basic information, such as frequency of use, distance driven, time of day when the vehicle is driven, turning, acceleration, speed, and braking. The information is collected by means of an interface between the individual's vehicle and the insurer.

UBI is a voluntary product, and it is entirely up to the consumer to decide whether they want to accept and use this offering.

Like other auto insurance products, UBI is regulated by the provincial superintendents of insurance. The superintendents of insurance in Ontario and Alberta have set certain standards around how insurers can collect and use this UBI information. It should be noted that the Office of the Information and Privacy Commissioner of Alberta has become involved in the regulation of UBI in that province.

In addition, personal information can be collected about automobile insurance accident benefit claimants through the mandated use of auto insurance claims forms. These forms are mandated by the superintendent of insurance and also contain certain privacy and consent wordings similar to those contained in the auto insurance application. This layered, circumstance-specific approach gives insurers the ability to inform their customers of new uses and disclosures of their personal information, and to obtain their consent as the need arises and the relationship with the individual evolves, including with the offering of new technology-based insurance products.

Next I'd like to speak a bit about updating the consent regime.

Legislative and regulatory regimes need to be periodically updated to keep them current. IBC and its members support the following proposals to enhance PIPEDA's consent regime.

First, with respect to exceptions or alternatives to consent, there are situations in which insurers rely upon certain exceptions to the current model that exist in section 7 of PIPEDA, such as the investigation of fraudulent claims, or obtaining witness statements in order to adjust and settle insurance claims. There is a similar, but different regime in the EU general data protection regulation, or GDPR, that will come into force in 2018. The GDPR includes reference to legitimate business interests, but it is unclear how this would apply in practice and how it is different from the current exceptions in PIPEDA. Legitimate business interest might be useful as a supplement to the PIPEDA exceptions.

The importance of PIPEDA and the provincial privacy laws continuing to be adequate for the purpose of the GDPR is a matter for in-depth consideration by this committee.

Next I'd like to touch on anonymized aggregate data.

The use of anonymized aggregate data, as a form of de-identified data, is currently being used by insurers and should remain a viable alternative to the consent requirement. It can be used in various legitimate ways, and safeguards against misuse of this data by third party service providers are built into contracts between them and the insurers.

With regard to codes of practice, insurers are heavily regulated by a number of regulatory authorities, particularly the federal Office of the Superintendent of Financial Institutions, or OSFI, which regulates solvency and corporate governance; and the provincial and territorial superintendents of insurance, which regulate market conduct, including the wording of certain mandated insurance policies and forms.

Were codes of practice to be considered, our view is that they would be redundant and add little value due to the strict requirements already put into effect by federal and provincial regulators.

With regard to the OPC enforcement model, IBC agrees that independent oversight bodies such as OPC play an essential role in protecting the privacy interests of Canadians. Based on insurers' experience with OPC to date, the industry is of the view that OPC has done an extremely effective job of protecting individuals' privacy with the powers currently afforded to it under its governing legislation. Insurers take their privacy and consent obligations very seriously and understand the importance of strict compliance with the requirements imposed upon them by privacy legislation and insurance regulators. Recognizing the importance of these obligations, insurers have an internal ombudsman's office whose role is to conduct independent and impartial investigations of consumer complaints. The role of the ombudsman's office would likely have to be re-evaluated should the OPC's powers be expanded.

Furthermore, it is noteworthy that the 2015 amendments to PIPEDA found in the Digital Privacy Act included new enforcement powers for OPC, including the ability to compel organizations to enter into compliance agreements. Also, recent developments in privacy jurisprudence, particularly the creation of the new privacy torts commonly referred to as “intrusion upon seclusion” and “public disclosure of private facts”, create further incentives for organizations to protect against privacy breaches at the risk of increased reputational and monetary damage.

For these reasons, IBC does not believe OPC needs additional powers to be able to continue to function appropriately and fulfill its mandate.

Thank you for your attention. My colleague Steven Lingard and I would be happy to take questions later.

3:55 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much for that presentation.

Next we have Ms. Carreno, the president of Interactive Advertising Bureau of Canada, and Mr. Kardash, partner with Osler, Hoskin and Harcourt.

3:55 p.m.

Sonia Carreno President, Interactive Advertising Bureau of Canada

Good afternoon, Mr. Chair and honourable members.

My name is Sonia Carreno, and I am the president of the Interactive Advertising Bureau of Canada. I am accompanied today by Adam Kardash. Adam is counsel to the IAB and chairs the national privacy and data management practice at the law firm Osler, Hoskin & Harcourt. We both thank you very much for the opportunity to speak with you this afternoon.

By way of background, IAB Canada is a not-for-profit association exclusively dedicated to the development and promotion of the rapidly growing digital marketing and advertising sector in Canada. IAB Canada represents over 250 of Canada's most well-known and respected stakeholders in the digital advertising and marketing sector, including numerous small and medium-sized enterprises.

Companies in the digital advertising and marketing sector offer a wide range of highly innovative products and services, including valuable service offerings to individual Canadians. This sector is intensely competitive, and the long-term success of its members is fundamentally predicated on their ability to continually design, develop, offer, and improve valuable digital products and services. Our members are data companies. The products and services offered by our members inherently require the processing of data, and often this data includes personal information. Our members recognize that their long-term success as commercial enterprises requires the respectful treatment of personal information in their custody and control, which includes complying with PIPEDA and other applicable privacy legislation.

I'm going to turn it over now to Adam Kardash to talk a little bit more about PIPEDA's framework.

3:55 p.m.

Adam Kardash Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Thank you.

The central theme of our comments this afternoon is our view that PIPEDA's statutory framework is very well suited for innovation.

While there are certain challenges in applying PIPEDA's fair information principles in today's highly dynamic data environment, it is clear that the overall statute has worked and continues to work as an elegant and effective model for organizations to respectfully treat personal information in the course of developing and offering highly innovative and valuable services, products, and features.

The lasting success of PIPEDA in this regard, and the reason PIPEDA can continue to help foster innovation, is largely grounded within the following key features of the statutory framework. PIPEDA is predicated on balancing the interests of individuals and the legitimate need for organizations to process personal information, a balancing that is critical in today's digital economy. PIPEDA's rules are drafted in a principles-based, technologically neutral fashion. Another feature is PIPEDA's accountability model.

PIPEDA remains particularly effective today because it was drafted in a technologically neutral and sectoral-agnostic fashion, and it is well suited to address the seemingly novel privacy considerations that may be raised by new technological developments. As any amendments to the statute are reviewed and considered, it is critically important that PIPEDA remain drafted in a technologically neutral manner, since any statutory requirement that is drafted to focus on a certain data element, process, or ecosystem risks being obsolete and out of date soon after it comes into force.

It is also important to note that while PIPEDA is often referred to as a consent-based statute, in practice, the most powerful feature of PIPEDA is its accountability model, as it provides rules that govern the entire life cycle of an organization's personal information processing. It is important to frame PIPEDA's consent rule as just one part of an organization's broader obligations under the act.

PIPEDA's accountability model is elegant and effective since it holds organizations responsible for their personal information practices and does so in a non-prescriptive manner. The accountability model needs to remain non-prescriptive in nature as this will afford organizations the flexibility to tailor, adapt, and refine their privacy programs in a practical manner that is suitable to the industry sector, size of the organization, nature of a given organization's personal information practices, and evolving commercial needs.

I'm now going to offer a few comments on the continuing viability of PIPEDA's consent requirement, as you've already heard.

As the committee has heard from previous witnesses—

3:55 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

If I can jump in just one second, bells have begun ringing, so we have 30 minutes until the vote. We need unanimous consent to continue going. We're obviously very close to the chamber, so I propose that Mr. Kardash conclude and we limit the first round to five minutes each. We'll get a first round in, go vote, and come back and see where we can pick up from there. Does that sound fair?

All right, that's how we'll proceed.

Continue, Mr. Kardash.

4 p.m.

Adam Kardash Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Thank you.

As the committee has heard from previous witnesses, there is an increasingly active discourse and growing recognition in the global privacy arena of the legal and practical challenges posed by the statutory consent requirement in an evolving data environment, but despite these challenges, as you have just heard, it's important to highlight that in many contexts PIPEDA's current consent requirement is and continues to be a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today's data environment using what the Federal Court of Appeal has referred to as a flexible, pragmatic, common sense approach.

A prime example of the viability of PIPEDA's current consent requirement within a complex data ecosystem is in the context of the collection and use of information for the purposes of online behavioural advertising, or what is now more commonly referred to as interest-based advertising.

Based in large part on guidance issued by the Office of the Privacy Commissioner of Canada relating to OBA, the Digital Advertising Alliance of Canada, a not-for-profit organization and consortium comprising IAB Canada and seven other leading national advertising and marketing trade associations, developed and launched a program called AdChoices, the Canadian self-regulatory program for online behavioural advertising. Dozens of key players in the online and mobile advertising ecosystem have signed up for the DAAC's AdChoices program, all with the view of helping to enhance their respective compliance with PIPEDA and, overall, to enhance the trust of all stakeholders in the Canadian digital advertising arena.

PIPEDA's consent requirement also establishes a helpful framework for the processing of personal information involved in data analytics or what is referred to as big data processing. Data analysis is an inherent part of research development, and the insights derived from big data analytics now being conducted by companies are leading to profound and unprecedented levels of benefits and improvements in efficiency and convenience, and new products and offerings. PIPEDA's consent provisions, specifically principle 4.3.3, helpfully contemplate circumstances in which organizations must process personal information in connection with providing a product or service offering, such as the case in which data analytics is being conducted for research and development.

In a written submission, which we're providing to the committee, we offer several recommendations for amendments to PIPEDA for the committee's consideration, and I'll touch upon them briefly this afternoon.

While PIPEDA's framework remains viable, it's critically important to ensure that PIPEDA in the long term is able to address the challenges of the consent model as these challenges may become more acute with increasingly complex data ecosystems such as the Internet of things. PIPEDA will impede innovation if companies do not have certainty regarding the legal viability of their authority under PIPEDA to process personal information. Certain of these challenges can be addressed by surgically amending PIPEDA to expand the circumstances in which organizations can collect, use, or disclose without consent. We are of the view that the amendments to PIPEDA, if appropriately drafted, could address the range of challenges in a manner that balances the interests of all stakeholders.

Very briefly, these proposed amendments include, as you heard just a few minutes ago, the following:

First, broadening the permissible grounds under PIPEDA to collect, use, or disclose personal information without consent where there are legitimate business interests of the organization.

Second, modifying the wording of PIPEDA's research exception to expressly include analytics.

Third, modernizing the exceptions to consent for collection, use, and disclosure for publicly available information.

And finally, expressly authorizing organizations to de-identify or anonymize personal information without the necessity of consent.

We invite questions from the committee with respect to any of these recommendations.

I have just one final comment. I want to offer views regarding the sufficiency of the OPC's current enforcement powers under PIPEDA.

PIPEDA currently provides the OPC with a suite of powers to enforce compliance with the act, and despite the calls for enhanced enforcement powers that this committee has heard, we feel strongly that there do not appear to be compelling examples illustrating precisely why the existing arsenal of OPC powers is insufficient.

On the contrary, to date the OPC has been remarkably successful in carrying out its statutory mandate under PIPEDA. The OPC has been highly respected in the international privacy arena for years as a direct result of its enforcement activities. In our view, the OPC does not need to enhance or supplement its enforcement mechanism.

Moreover, given PIPEDA's balancing of interests framework, a remarkable shortcoming of the statutory enforcement regime under PIPEDA is that the statute does not include an express right for organizations to challenge OPC's exercise of its current enforcement powers.

For instance, organizations have no express right under the statute to refer a subject matter to the Federal Court.

We therefore recommend that PIPEDA be amended to provide organizations with an express right under the statute to challenge the OPC's exercise of its current enforcement powers.

I thank you again for the opportunity to speak with you this afternoon. We'd be pleased to respond to any questions from the committee.

4:05 p.m.

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thank you to IAB Canada for that presentation.

We'll begin the five-minute round with Mr. Saini.

4:05 p.m.

Raj Saini Liberal Kitchener Centre, ON

Good afternoon. Thank you very much for coming here.

Prior to your arrival here, several witnesses have come before this committee.

I want to talk specifically about the GDPR, which, as you know, is going to come into effect in May 2018. So far, there's an adequacy status for PIPEDA with our European friends. Since the GDPR is going to come into place in May 2018, we may have to make some changes, specifically regarding the right to be forgotten. Since you represent the private sector, what sorts of things do you foresee should be changed to make sure that our laws are similarly adequate to their laws?

That's an open question.

4:05 p.m.

Adam Kardash Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

I'm happy to begin.

4:05 p.m.

Raj Saini Liberal Kitchener Centre, ON

Sure.

4:05 p.m.

Adam Kardash Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

My first comment would be that the GDPR is an incredibly complex piece of legislation. It is still being actively reviewed, and there is a tremendous effort globally to understand what certain aspects of the legislation even mean. We're just getting policy guidance from regulatory authorities in the EU, who are starting to elaborate on what some of the features mean.

Having said that, having had the opportunity to go through the act specifically with respect to client mandates, and having spent years working with the data, I feel that there are vast aspects of PIPEDA that would be substantially similar. There will be a distinction for sure in the sheer prescriptive nature—the GDPR is much lengthier and more prescriptive—but there are aspects under PIPEDA's accountability regime, which has been held up as a model globally, that I think will remain intact and will stand the test of time.

The upshot is that adequacy is a matter of EU consideration and, at a minimum, I think that very careful consideration and a fair amount of time should be taken to understand several of the elements, which even the Office of the Privacy Commissioner of Canada has cited do not expressly exist. There are elements, including the one you've cited—the right to be forgotten—and there are others that don't exist in the GDPR.

Our view, at least practically with clients, has been that certainly with respect to adequacy, while it's a very helpful basis on which to allow for transborder data flows, there are other mechanisms that allow for transborder data flows and that can be accommodated. That's number one. Number two, it would be very important not to enter into a rash revision to the statutory framework until we really understand what some of these provisions mean, and that might take a fair bit of time. At a minimum, we're going to be getting opinions in due course from EU authorities as to the sufficiency. That process will afford us an opportunity to understand the nuance and distinction of where we see the shortcomings, and since it's an EU consideration, that should serve as a starting point for consideration of where the actual gaps are.

I'll just make one point. I mentioned it before but I cannot overstress it. There are vast swaths of the GDPR that, I feel, could be read into our existing framework. I think that, as Canadians, we should feel very proud of how our statute has stood the test of time in the wake of substantial change globally.

4:05 p.m.

Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada

Randy Bundus

I'd like to build on the “right to be forgotten” concept. We have to deal with that very carefully going into the future so that it does not result in unintended consequences.

I have concerns on two fronts.

Insurance fraud is a big issue in our industry. It's a concern. If someone demands the right to be forgotten as a means to perpetuate an insurance fraud, that would be a tragic outcome. We'll have to address it when we go forward with PIPEDA to make sure we don't have any of those unintended consequences.

In addition, with the right to be forgotten, we want to make sure that if the person seeking the right to be forgotten—I'm talking in the insurance context—perhaps approaches their insurer and says they don't want to have any of their records in their files.... They may have had a liability policy with this particular insurer, which 15 or 20 years later, say, might be called upon and is needed by that particular customer. It would be very tragic for that customer if, in seeking the right to be forgotten by this insurer, they would forgo some rights to claim it against that insurance policy when it's needed most.

4:10 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

You have 20 seconds left in your time, but given....

4:10 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I can give it to somebody else.

4:10 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

You're so very generous.

Mr. Kelly, go ahead for five minutes.

4:10 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you for keeping it under the five, Raj.

I would like to really quickly simplify something for the record and make sure that I've understood all three witness groups together. All three are in favour of retention of the ombudsman model, and none of our witnesses today favour order-making power for the OPC. Is that correct?

4:10 p.m.

All witnesses

Agreed.

4:10 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thanks.

Perhaps then, Mr. Kardash, I'll continue with you just a little bit here. I was trying to note your four recommendations. You went quite quickly, and I want to make sure that I understood them correctly. Perhaps I'll let you expand a little bit. You said you had four recommendations. One was to broaden the consent model to include the ability to act without consent where there's a business interest.

In fact, maybe I'll let you just repeat those four points and make sure that we're clear.

4:10 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

I'd be pleased to do so.

We offered four. All of them relate to the ability to process certain data—to collect, use, and disclose personal information—without consent. One of them, as mentioned by my colleague as well, was to create an exception for legitimate interest. This would allow organizations to collect, use, or disclose personal information without consent where there's deemed to be legitimate interest. This is something that's more under EU law right now. That's number one.

4:10 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

That's one.