Thank you, Chairman and members of the committee.
I'm Frank Zinatelli, vice-president and general counsel of the Canadian Life and Health Insurance Association. I'm here today with my colleague Anny Duval.
I would like to thank the committee very much for this opportunity to contribute to the review of PIPEDA. With your permission, Chairman, I would like to make a few introductory comments, and then provide the committee with the industry's views pertaining to the PIPEDA review.
By way of background, CLHIA represents life and health insurance companies accounting for 99% of the life and health insurance in force across Canada. The industry protects about 24 million Canadians and some 20 million people internationally. The Canadian life and health insurance industry provides products that include life insurance, disability insurance, supplementary health insurance, annuities, and pensions. For over a hundred years, Canada's life and health insurers have been handling the personal information of Canadians. Protecting personal information has long been recognized by our industry as an absolutely necessary condition for maintaining access to such information.
Over the years, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information. For example, back in 1980, we adopted “right to privacy” guidelines, which represented the first privacy code to be adopted by any industry group in Canada. Since then, the life and health insurance industry has participated actively in the development of personal information protection rules across Canada, starting with Quebec's private sector privacy legislation in 1994, the development of PIPEDA, Alberta's and B.C.'s personal information protection acts in the early 2000s, and health information legislation in various provinces.
The life and health insurance industry has had experience with PIPEDA for over a dozen years now, and we find that generally the current model continues to be effective and workable. That being said, your review of PIPEDA will afford the committee the opportunity to consider areas in which some targeted adjustments may be appropriate.
With this in mind, let me turn to a few of those areas.
One key matter that has been much discussed recently is the consent model. CLHIA participated in the Office of the Privacy Commissioner of Canada's consultation on consent and privacy, including stakeholder meetings. In our view, it is still feasible and appropriate to obtain meaningful consent in our industry under the current model, and there is no need to rethink the concept of consent in its entirety. There could be some helpful enhancements made to PIPEDA that would facilitate the obtaining of consent, but we do not believe that a complete overhaul of the model is necessary to achieve this goal. Rather, improvements can be achieved through supporting guidance or clarifying legislative changes that could reduce the burden on both individuals and organizations.
As an example, to address some uncertainty or stress on the consent model that some stakeholders have raised, it might be helpful to expand the list of exceptions to consent to add a new exception that aligns with the concept of legitimate business interests. The new European Union's general data protection regulation will allow businesses to process personal information without consent if they can prove that the data processing is necessary for the purposes of the legitimate interests pursued by such organizations. These interests would have to be balanced against other interests, and so, in the PIPEDA context, could be tied back to what a reasonable person would consider appropriate in the circumstances.
Now my colleague Anny will continue.