Information & Ethics Committee on May 30th, 2017

My first question is to Mr. Kardash. You suggested keeping the status quo with respect to the Privacy Commissioner's powers, and you mentioned that it's a dialogue, and that strikes me as a fair point. Now, if the commissioner has entered into a compliance agreement with a third party, and that third party ignores the compliance agreement, at that point shouldn't there be fines or new powers for the commissioner?

Yes, those compliance agreements are voluntary for organizations to enter into. There are certain reasons it would make sense for organizations to enter into them with the OPC, like a binding agreement, just as you would have in the private sector, so that would make sense in its current format.

We've had to work on several dozen client mandates in which we were dealing with concepts in the EU, with global companies, and importing them. These are very tricky, and what seemed to be the case in every single context is that that was unnecessary for the protection of privacy.

We have an existing framework that works fine, and it didn't seem necessary at all in the circumstances.

Yes. We recommend having something similar to what exists in provincial privacy statutes: an express deemed authorization for organizations to be able to de-identify. I would suggest that the frameworks already exist. If an individual or a corporation were to be re-identifying some dataset, they would have no authority under PIPEDA or provincial legislation to do so. They would be barred from just outwardly in a vacuum re-identifying, so they would have an existing framework to deal with that, and there would be remedies under the federal or provincial statutes to address that.

Yes, thank you.

It's a critically important question. There are elements to a valid consent, whether expressed or implied. One of the elements required is that the consent be revocable. For instance, if you provide your consent for secondary marketing, there is the obligation to honour your withdrawal or your “unsubscribe” for that.

There are a myriad of circumstances right now in which providing a revocability for a consent process is very difficult in practice. We have a stunningly complex data ecosystem in which the ability to even contemplate how you would give effect to the withdrawal of consent is going to be very difficult. The Internet of things is one of those examples. If it were carefully constructed—and we were very careful, and you will see this in our written submissions—with a balancing of interests similar to that in the EU, this would allow organizations the ability to process data for legitimate purposes and, at the same time, respect privacy interests.

Sure. Right now, when an organization is the subject of a complaint, the Office of the Privacy Commissioner will commence and carry out an investigation. At the conclusion of that investigation, it will issue a report of findings. These are non-binding findings, and there are express rights in the statute right now for the complainant, the individual who launched the complaint, or the Privacy Commissioner to take that to Federal Court. There is no right for organizations to do the same. It doesn't exist.

There would be rights under administrative law to do so, but organizations don't have the express right to do so. It just doesn't exist in there. So in essence, the remedies at the Federal Court level for both the complainant and a privacy regulatory authority are what are set out in the act.

I think it's fair for due process to have rights for organizations balanced. The whole statute is predicated on a balancing. Privacy under PIPEDA is not an absolute right. There's a balance in the preamble of the act and in section 5.3 of the act for the protection of privacy interests to be balanced with the collection, use, and disclosure of personal information for reasonable purposes. Consistent with the balancing of interests, it gives organizations the right to challenge a decision.

One could see in circumstances right now how once the security breach notification rules come into effect, organizations could be fined $100,000 for failure to notify in circumstances where there's a real risk of significant harm. Where are the rights for organizations to challenge something that could have mammoth implications for those that are the subject of such a fine? If organizations could be fined, the only thing I'm suggesting is the express right, within the statute, for organizations to challenge that.