Evidence of meeting #78 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was casl.
A recording is available from Parliament.
Conservative
Matt Jeneroux Conservative Edmonton Riverbend, AB
Who is at those meetings? Mr. Therrien, are you at these meetings?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
No, Brent is.
Conservative
Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada
Often it could be the DGs, or the assistant deputy commissioners, or whoever it might be. There are different steering committees. There's the directors general steering committee, where we talk about broader issues as well as about ongoing investigations. As well, there are enforcement working groups that get together and talk about matters ongoing.
Conservative
Matt Jeneroux Conservative Edmonton Riverbend, AB
In the last minute and a bit that I have left, Mr. Therrien, you and I worked together on the ETHI committee with regard to the PIPEDA legislation review. There were a number of recommendations made out of that report. I'm curious if some of that, particularly the order-making powers, would assist on the CASL side of the legislation. Would you be able to comment on some of those?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Absolutely, yes, it would assist. Again, when we look at the two prohibited conducts under CASL, the two conducts relevant to us, these are unacceptable practices by organizations. Generally speaking, I would say that the more tools that are proportionate to the conduct, the better. A private right of action fits within that, in my view, and order-making to require companies to desist from certain conduct would also be very effective.
A number of companies wish to comply with the law, but not all do. In particular, for the two conducts of address harvesting and spyware, these are conducts where you're not dealing with very legitimate companies or organizations, so order-making would help.
Liberal
Liberal
Lloyd Longfield Liberal Guelph, ON
Thank you. I'm not sure what “very fast five minutes” means, but I appreciate that you're giving us a lot of information in a short amount of time. Let's work with that definition.
You mentioned, Mr. Therrien, we're dealing with the movement of data across borders, the fact that this is a global situation versus a Canadian-only situation. Is there some type of a forum where you get together with counterparts? Let's say we just got a free trade agreement, an economic trade agreement , CETA, with Europe, and we'll be doing a lot more back and forth with Europe. Is there, in terms of trade agreements or other commercial activities, a group that meets internationally to look at legislation among the different countries, to see whether it's harmonized, to see whether they complement each other or if there are any gaps?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I'll try to answer the best I can with as little time as possible.
The one reality is that privacy laws are not harmonized, but they're not completely dissimilar, either. There are important differences. They're all inspired by the same principles. They are not drafted in the same way. They're not harmonized.
Regulators, other data protection authorities, privacy commissioners have to operate within that environment. It is possible, not perfectly, to work within that environment and enforce our respective laws through the kinds of co-operation that I had referred to in the past, either bilateral or multilateral agreements with other data protection authorities. There is quite a bit that is happening on that front.
There are various networks. There is an international conference of data protection authorities that discusses these issues. There are arrangements under that network. There are other networks. There are a number of networks. The situation is not perfect because, ideally, the laws would be harmonized, and that's not the reality and I don't think it will be the reality anytime soon.
Liberal
Lloyd Longfield Liberal Guelph, ON
Right, so as we review this legislation, in your testimony you've talked about some of your concerns, the three recommendations you've made. In previous meetings we've had other recommendations around the six-month and two-year maintenance of data. Is maintenance of data an issue that countries...or maybe within your own department is that something normal that you deal with under CASL?
Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada
Maintenance of data...?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Are you referring to the upcoming data breach regulations?
Liberal
Lloyd Longfield Liberal Guelph, ON
No, I'm looking at the consent rules. We've designated holding data for six months or two years. We've had other testimony saying we should get rid of those consent rules because they are onerous, hard to manage, and place a burden upon businesses.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I'll ask Regan Morris to complete this, but I would refer to the general regime under PIPEDA, wherein the rule is that information collected from consumers by an organization must be kept only as necessary. That's the concept. There's no prescribed time limit.
Regan.
Legal Counsel, Office of the Privacy Commissioner of Canada
I think your question is dealing with the specific consent provisions that the CRTC enforces in relation to proving that they have obtained consent for the—
Liberal
Legal Counsel, Office of the Privacy Commissioner of Canada
I'm not sure we would have a comment on those specific rules. As the commissioner has said, the general rule for storing personal information is to keep it only as long as necessary, and that could be because of legal requirements.
Liberal
Lloyd Longfield Liberal Guelph, ON
My questions in previous discussions have been around there being a lot of external invasion into our networks and about how we manage those invasions, but that's probably not within your mandate—or could you comment on it?
I'm thinking of the Russians getting into the American election and of the things in the media that the public would be familiar with. How do we protect ourselves against that type of activity?
Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada
If you are talking specifically about the notion of external invasion into networks, then spyware, for example, might be a gateway in order to allow and facilitate such invasions.
Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada
To that extent, address harvesting can result from spyware or can result in the application of spyware. They are all interrelated in that these are threats, and when they are threats to the digital economic platform, they're also threats to the networks, whose robustness and constitution impacts upon trust in that platform.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
[Inaudible—Editor] are a part of the solution, but are not all of the solution, obviously.
Liberal
The Chair Liberal Dan Ruimy
I'm sorry, we are over time.
However, Mr. Masse, you have the final two minutes, so make them count.
NDP
Brian Masse NDP Windsor West, ON
Thank you. I have just one quick question.
The responsibilities of the department have increased with CASL and other types of measures. Has your overall budget reflected that?