Evidence of meeting #62 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was industry.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Frank Zinatelli  Vice-President and General Counsel, Canadian Life and Health Insurance Association
Anny Duval  Counsel, Canadian Life and Health Insurance Association
Randy Bundus  Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada
Sonia Carreno  President, Interactive Advertising Bureau of Canada
Adam Kardash  Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada
Steven Lingard  Director, Legal Services, and Chief Privacy Officer, Insurance Bureau of Canada

4:10 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

Number two, there's currently an exception under PIPEDA in paragraph 7(2)(c) for the use of data for statistical and scholarly study and research. It's just for the use of data. The wording, in my view, allows for the conducting, for example, of analytics, which is a form of research, but it would be very helpful to have clarification for companies to do what they've been doing for decades already. Now, there would be even more profound benefits to Canadians to having the clarity that, just for the use of data, an expansion of paragraph 7(2)(c) of PIPEDA would expressly permit data analytics as a type of internal research, like research and development, without consent.

Third, I cited the “publicly available” exception. As the committee is aware, there are exceptions under PIPEDA for the collection, use, or disclosure of certain publicly available information. These are very specific provisions. Just by way of example, one of the publicly available exceptions for which you don't require consent is the name, address, and telephone number of someone in relation to “a subscriber that appears in a telephone directory”. That made sense 20 years ago. It just doesn't make sense in the digital economy. So I'm talking about expanding it and making it technologically neutral wording that's more appropriate.

4:10 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Okay.

4:10 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

Finally I mentioned, consistent with my colleagues, that organizations now engage in a practice referred to as de-identification or anonymization or obfuscation, which is extraordinary helpful to protect the privacy interests of individuals while it's processing, but it protects individuals because the data can be rendered non-identifiable. There's an open question—and this raged in Europe for years—as to whether you need authority to actually just de-identify the information. Our respectful suggestion to the committee is that this discussion be put to rest. Clarity should be required, and organizations should be able to take the step to safeguard the data and should be able to de-identify or anonymize data without consent, rather than having to seek consent to de-identify. This is a helpful safeguarding measure, so that's the basic point.

4:10 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

Do I have a moment left?

4:10 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

You have one minute.

4:10 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I will just quickly perhaps ask our other two organizations to comment on the suggestion about amending PIPEDA to allow businesses or regulated industries to challenge the OPC through the Federal Court and the recommendation that was made for an amendment to allow for this.

Could I have the other two organizations comment on that recommendation?

4:10 p.m.

Vice-President and General Counsel, Canadian Life and Health Insurance Association

Frank Zinatelli

I had not considered that, but it seems like a good suggestion that this committee should take a look at.

4:15 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

4:15 p.m.

Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada

Randy Bundus

I share Frank's view of our industry. I hadn't thought of it either, but absolutely it would be an interesting proposition to consider.

4:15 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

4:15 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thank you.

Madame Trudel, you have five minutes.

May 30th, 2017 / 4:15 p.m.

NDP

Karine Trudel NDP Jonquière, QC

Thank you, Mr. Chair.

I want to thank the witnesses for their presentation.

My question is general.

We have talked a lot about the right to be forgotten at previous meetings, a subject of great interest to me. In many cases, this issue likely involves individuals aged 18 and over, but we must also remember that children have access to technology today and that they leave traces. The ease with which they can use the various applications available on phones and tablets means they are not always aware of the traces they leave in social media.

We touched earlier on the fact that the right to be forgotten could lead to the disappearance of certain information that might otherwise be used 20 or 30 years later. How can we achieve a balance between the need to preserve certain information and the ability to make other information disappear, or the result of certain acts by individuals that could not be considered fraudulent or criminal? How in your opinion could we combine these two aspects, while still allowing the right to be forgotten for certain information that could disappear? I would like to hear your thoughts on that.

4:15 p.m.

Vice-President and General Counsel, Canadian Life and Health Insurance Association

Frank Zinatelli

I'll make an initial comment.

In our industry, the life and health insurance industry, we enter into contracts that sometimes last 30, 40, or 50 years. There is information that we collect as part of the application process that could be relevant 40 or 50 years down the road. There is this type of information we collect, which is legitimate information we need for our assessments, and then there is also information that is legally required to be collected, for example in the context of anti-money laundering, etc.

Definitely, for legal requirements or information that is required for a legitimate purpose, it would be very damaging if suddenly an individual could simply say, “I don't want that information to be out there anymore.” There may be circumstances, as you said, relating to children, etc. that could be looked at. Certainly, if it is legitimate information that one needs, and if a person enters into a contract and provides that information, they simply should not have the choice of then saying “Let's forget about all that.” I'm sure there are other circumstances in which information needs to be retained for valid reasons.

In my view, it would have to meet a really high threshold for anything to be forgotten, as it were.

4:15 p.m.

Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada

Randy Bundus

You've raised a very interesting question, and it is going to be very difficult to come to the right spot for an answer. Legislatively, I'm not sure how you would manage that.

We are dealing with young people—that's one example—and they want the right to be forgotten. Perhaps there is an answer in legitimate business interests: If there is a legitimate business interest that's necessary for the relationship of conducting the commercial business, maybe an exception for that should be made to the right to be forgotten. And there are other areas.

My view is that the concern we have with people who want the right to be forgotten is rarely in areas that would really have a business relationship effect. That's the big question we face going forward, I agree.

4:15 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

I agree with both colleagues.

Striking a balance is difficult. I'm not sure that the answer is necessarily embedding that principle within a statutory framework. There is an existing framework right now that allows for respectful treatment of the life cycle of data, including data retention principles. These are very difficult aspects to enshrine without knowing the unintended consequences of having them embedded.

In the committee's consideration of this, I think we need to be very careful moving forward. In previous testimony, you heard about freedom of expression considerations, which I think are also very ripe for detailed consideration in that type of corporate principle to the legislative scheme.

4:20 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thank you very much for that.

We will break now and reconvene after the vote has concluded.

4:40 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

All right. Let's pick up where we left off.

We will conclude our first round with Mr. Long for five minutes.

4:40 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Thank you, Chair.

Thank you to our witnesses. I apologize on behalf of everyone for the votes and the delays. Your presentations were very informative.

To Sonia and Adam, I want to focus on the subject that I've been focusing on for the last while, and that's children's rights under PIPEDA and I guess the lack of clarification around how we're going to protect our children in terms of meaningful consent. I don't have to tell you that there was a recent sweep of websites, 62% of which share information. My kids are older, but I have friends with younger kids who are on their iPads and Notebooks and stuff, and who are on sites.

I just want the two of you to tell me, if you will, how we're going to protect our children. If you look at COPPA in the States, I think it's a lot more defined with respect to protection and meaningful consent by kids under 13 years old. Can you elaborate on what modifications and amendments we can make to PIPEDA to protect our children?

Perhaps you can start, Adam.

4:45 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

I'm happy to answer that.

In the context of numerous client engagements, we've had to address that exact issue. The best place to start, actually, is with your reference to COPPA. Under PIPEDA, as we've heard throughout the afternoon, there's a consent-based requirement. Individuals under the age of 13 would not have the capacity to provide consent. Similar to COPPA, but without any wording, if you are 10 or 11 or 12.... Let's take an eight-year-old by way of example. You would need the consent of a guardian or a parent in order to provide the authority for that particular processing.

In common law, consent of minors generally is one of decision-making capacity, so it will be highly contextual when you get to roughly the COPPA-related age of maybe 12 or 13, all the way up to the age of majority, which varies. Legally you'll have to consider whether there's ability to even obtain context in the circumstance. Regardless, PIPEDA contains a whole suite of rules that are, as I mentioned, sectorally and otherwise agnostic.

So these rules would protect sensitive data the way they would protect any other type of sensitive data—

4:45 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Just let me jump in here. With respect to meaningful consent and children, we talk about eight-year-olds and 12-year-olds. Should there be different levels and layers—i.e., where children eight to 10 have certain parental consent? Can 12- to 15-year-olds give meaningful consent, in your opinion?

4:45 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

I have two comments.

With respect to your first question, I think there are times when it seems as though it would be helpful to have different age gates for different types of scenarios, but given the explosion of the array of different types of services and offerings and context, it's incredibly difficult to operationalize those. PIPEDA has been excellent because it's been agnostic and not prescriptive.

That being said, can a 12- or 13-year-old give consent? It could be in a decision-making capacity, but certainly those under 12, the same way they wouldn't otherwise have capacity if incapacitated by other means, wouldn't be able to provide a valid consent.

4:45 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Okay.

Do you have anything to add to that?

4:45 p.m.

President, Interactive Advertising Bureau of Canada

Sonia Carreno

I don't have any further comments. I do know that our counsel and our committees are talking at length about the subject of children in general. I think there's a lot of policy being written right now, just in the private sector in general, to protect children. They're doing the best they can, and they are sharing ideas with one another.

4:45 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Thank you.

I'll switch to the insurance side of the table here. We've obviously had some insurance brokers up here on the Hill in the last couple of days. Correct me if I'm wrong, but I think it's safe to say that the insurance industry is an older industry. Would you say that? Is the average age for a lot of the independent insurance brokers older, at around 50 or 50 plus?

4:45 p.m.

Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada

Randy Bundus

We represent the actual manufacturers, the insurers themselves, but I would have to suggest that it seems to be the case that brokers are an older group, yes.