Evidence of meeting #64 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament's site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Giovanni Buttarelli  Supervisor, European Data Protection Supervisor

12:35 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

Okay, and that includes not just inside Europe but outside Europe as well.

12:35 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Yes.

We have published a paper to recommend, in case of future talks—an upgrade or very familiar existing provisions, including those in the GATT area—to assist the approach I've just described.

12:35 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

My final question in the time we have is, what do you see as the instrument? Would signing on to the GDPR in a similar legislative framework, then, be a condition of trade agreements with Europe going forward? What's the mechanism for enforcing that over time?

12:35 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

In the communication of the commission that I mentioned, they declare that on top of their priorities now, they have, for this year and early next year, Japan and South Korea. Both countries want—and this was a point discussed even at the G7 meeting in Taormina—to sign trade agreements. Europe is ready for it, but the message from Brussels was: okay, but without any provisions in terms of data protection, the two areas are to be kept separate and working in parallel; the substantive approach on data protection should only be on one side.

12:35 p.m.

Conservative

The Chair Conservative Blaine Calkins

Okay, good.

Thank you, Mr. Blaikie.

For our last seven-minute conversation, the floor goes to Mr. Erskine-Smith.

12:35 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Great.

First, thanks very much.

I have a couple of quick questions and then want to get into some of the larger concepts you raised.

We had a number of witnesses from the business community suggest that a right of erasure or a right to be forgotten—and I know there are different iterations of that—would be very burdensome on the business community. We had some lawyers attend before us to say that the right of erasure would be important, especially as it relates to minors. One lawyer in particular noted that for those 16 and under there should be a right of erasure.

In your experience, given your role, do you think a right to be forgotten—even a modest one for those under the age of 16—would be too burdensome for the business community?

12:35 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Yes, it is.

We would like to see how things will evolve. This was a point made for a compromise approach by member states. It could be that some countries might decide differently, although, for instance, the first piece of legislation introduced by the EU with regard to EU institutions and bodies follows the line.

Age is not the main point. There are many other important details, such as the verification mode. This has to be carefully analyzed. This is one of the key points of the action plan of the Article 29 Working Party, where important guidelines are also planned. My institution is also working with other colleagues on a way to exercise data subjects' rights, with particular regard to erasure and to children.

12:40 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Another area of dispute we've had is with respect to powers. Our Privacy Commissioner, Mr. Therrien, has an ombudsman model currently. Of course there are other jurisdictions, including the U.K., that have fining powers. We're looking at potentially recommending an alternative to the ombudsman model.

In your experience, do you think giving powers such as the ability to penalize companies by way of fines would be a useful new set of powers for our commissioner?

12:40 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

We have not in the past been forcing third countries to copy the European Union, although an inefficient legal system is also to be dissuaded. I successfully persuaded the legislators to say that administrative fines are not to apply in a tot capita, tot sententiae approach, in the sense that they should necessarily, in 100% of the cases, follow any breach.

Article 83 of the GDPR says that when a fine is to be applied, because the exercise of other powers has been effective—warnings, for instance, or admonishment—then the criteria are the following. There is—

12:40 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

If I may, with respect to the fine powers currently in the EU, you're suggesting there are certain instances where it would, perhaps, not be appropriate and that a resolution without a fine may be more appropriate.

In our circumstance, there have been situations where our commissioner has made a finding, the companies simply flout the finding and, in fact, the commissioner then has to go to court or the injured party has to bring an application to court to seek justice.

Do you think it would be appropriate to improve upon our ombudsman model by giving fine powers?

12:40 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

I'm not best placed to—

12:40 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Okay, that's fair.

12:40 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Let me say that the vast majority of DPAs in EU member states are currently not equipped with the duty to apply sanctions. The near future is exactly the opposite. There is a provision in the GDPR saying that member states may, at the end, decide that the DPA brings a controller before the court. This could be the system in perhaps one or two member states. But your ombudsman approach seems to be much less effective.

12:40 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I only have about a minute and a half left.

We haven't heard a lot about the right to portability of data before our committee, but it strikes me as an incredibly important right, especially as we look to the Internet of Things, particularly for consumer choices as customers wish to move from one company to another and take their data and their preference history with them.

Perhaps you could explain to the committee a little bit more about the right to portability, and also give us some key delineation of the right to privacy by design or privacy by default. We have that concept here in Ontario, by virtue of our former privacy commissioner, Ann Cavoukian, but it's a larger concept than only a legal concept.

Perhaps you could speak to those two concepts.

12:40 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Privacy by design and privacy by default are no longer recommendations. They are now legal grounds and clear obligations for every controller. It means that systems are to be designed with a user-friendly and less invasive approach. There are obligations addressed to controllers, but there is a system to make designers, producers, and developers engaged in practice.

Privacy by default means that in case of plurality of different settings, the starting one should be the one closer to the data subject's rights.

12:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Portability is a new concept in the GDPR as well.

12:45 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Portability is less new than originally expected. It means that if I move to another provider, there is no detrimental approach in practice. The Article 29 Working Party has adopted guidelines recently. They appear on one point to be controversial with regard to the interpretation of article 25 of the GDPR, because the GDPR says that portability only relates to data provided by the business. We know and experience shows that many other data are on the device or are accessible to the provider, to the controller, although they are not, formally speaking, communicated by the data subject. This is an area of limbo where the Article 29 Working Party has decided to consider this area as part of the portability.

12:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

12:45 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you, Mr. Erskine-Smith.

We'll now move to the round of questions where the conversation should be around five minutes. We'll go to you, Mr. Kelly.

12:45 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you for attending our meeting.

Perhaps this will take us in a similar vein. In your opening comments, you mentioned the four areas that our commissioner had identified as being areas where PIPEDA, our existing law, may be deficient. You identified our commissioner's concern over the right of erasure, right of privacy by default, and privacy of design, but what was the fourth one? The fourth one was portability. Is that the other area of concern around PIPEDA identified by our commissioner?

12:45 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Yes, it is an area of major concern, but I would like to take this opportunity to draw your attention to a recent position by the Article 29 Working Party, according to which our opinion for the assessment by the commissioner will be based on more than those principles.

We would like to draw attention first to the basic rules for the data protection purpose limitation principle, data quality and proportionality, transparency—to reach a standard on how data subjects are effectively informed, security—the security of a database's data and systems, the exercise of rights of access in opposition—not only portability, and something that is particularly highlighted in the GDPR, which is onward transfer. There are a few other additional points on sensitive data, direct marketing, and automated individual decisions, but I would like to recommend that you not focus too much on the novelties in the GDPR, such as design, default, and portability.

Of course, they will contribute to the review of the current assessment by the EU, but we have time. The European Commission has been requested to submit in three years from now—by spring of 2020—a record of the first round of implementation of the GDPR and of the approach to be taken with regard to existing adequacy findings.

If I go back to the one adopted for Canada, I have to go back to an opinion adopted by the Article 29 Working Party in 1998, to the Working Party 12 document. Default, design, and portability were not considered in that document, but we started at that time to consider the conditions on surveillance, which are now much more relevant.

We would encourage that there be a global approach and that you not have a sort of point-to-point replication of every single rule, so the adequacy test is an important message I would like to share with you. It relates to the substance of all privacy rights, globally speaking, in terms of implementation, enforceability, supervision—

12:50 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

If I may just jump in again, I want to ensure the clarity of what I heard you say. Your suggestion to us is not to fixate on the areas that our commissioner has identified, where our law may not be compliant.

12:50 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

No. I don't want to displease my—

12:50 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I thought that's what you said.

12:50 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

I would welcome a similar approach on those areas, of course, but I'm saying that the evaluation by the EU side builds on a different approach, where they are part of the global analysis, but we look to many other things that are—in a few cases—more essential.

Being the one taking a decision by considering the EU approach, I would say that, for instance, the restrictions, exceptions, and derogations for law enforcement are more important than design and default. One member of my team will be part of the joint review of the privacy shield. Of course, we will consider privacy by default, privacy by design, and data portability as well, but law enforcement is at the top of our concerns. Globally speaking, it counts more.

This is what I want to say, then I can simply welcome that you harmonize as much as possible with this approach.

If I had a couple of minutes with you or one of your colleagues, I would like to share with you the latest update on what other countries are doing around the world, what's going on in 35 countries in addition to the 109 already equipped with a new generation of data protection rules.