Evidence of meeting #78 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was casl.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Brent Homan  Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada
Regan Morris  Legal Counsel, Office of the Privacy Commissioner of Canada
Suzanne Morin  Chair, Privacy and Access Law Section, Canadian Bar Association
Gillian Carter  Lawyer, Legislation and Law Reform, Canadian Bar Association
Neil Schwartzman  Executive Director, Coalition Against Unsolicited Commercial Email
Matthew Vernhout  Director-at-large, Coalition Against Unsolicited Commercial Email

11:55 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Who is at those meetings? Mr. Therrien, are you at these meetings?

11:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

No, Brent is.

11:55 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Who would be the equivalent on the other side?

11:55 a.m.

Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada

Brent Homan

Often it could be the DGs, or the assistant deputy commissioners, or whoever it might be. There are different steering committees. There's the directors general steering committee, where we talk about broader issues as well as about ongoing investigations. As well, there are enforcement working groups that get together and talk about matters ongoing.

11:55 a.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

In the last minute and a bit that I have left, Mr. Therrien, you and I worked together on the ETHI committee with regard to the PIPEDA legislation review. There were a number of recommendations made out of that report. I'm curious if some of that, particularly the order-making powers, would assist on the CASL side of the legislation. Would you be able to comment on some of those?

11:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Absolutely, yes, it would assist. Again, when we look at the two prohibited conducts under CASL, the two conducts relevant to us, these are unacceptable practices by organizations. Generally speaking, I would say that the more tools that are proportionate to the conduct, the better. A private right of action fits within that, in my view, and order-making to require companies to desist from certain conduct would also be very effective.

A number of companies wish to comply with the law, but not all do. In particular, for the two conducts of address harvesting and spyware, these are conducts where you're not dealing with very legitimate companies or organizations, so order-making would help.

The Chair Liberal Dan Ruimy

Thank you very much.

Mr. Longfield, you have a very fast five minutes.

Lloyd Longfield Liberal Guelph, ON

Thank you. I'm not sure what “very fast five minutes” means, but I appreciate that you're giving us a lot of information in a short amount of time. Let's work with that definition.

You mentioned, Mr. Therrien, we're dealing with the movement of data across borders, the fact that this is a global situation versus a Canadian-only situation. Is there some type of a forum where you get together with counterparts? Let's say we just got a free trade agreement, an economic trade agreement , CETA, with Europe, and we'll be doing a lot more back and forth with Europe. Is there, in terms of trade agreements or other commercial activities, a group that meets internationally to look at legislation among the different countries, to see whether it's harmonized, to see whether they complement each other or if there are any gaps?

11:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll try to answer the best I can with as little time as possible.

The one reality is that privacy laws are not harmonized, but they're not completely dissimilar, either. There are important differences. They're all inspired by the same principles. They are not drafted in the same way. They're not harmonized.

Regulators, other data protection authorities, privacy commissioners have to operate within that environment. It is possible, not perfectly, to work within that environment and enforce our respective laws through the kinds of co-operation that I had referred to in the past, either bilateral or multilateral agreements with other data protection authorities. There is quite a bit that is happening on that front.

There are various networks. There is an international conference of data protection authorities that discusses these issues. There are arrangements under that network. There are other networks. There are a number of networks. The situation is not perfect because, ideally, the laws would be harmonized, and that's not the reality and I don't think it will be the reality anytime soon.

Lloyd Longfield Liberal Guelph, ON

Right, so as we review this legislation, in your testimony you've talked about some of your concerns, the three recommendations you've made. In previous meetings we've had other recommendations around the six-month and two-year maintenance of data. Is maintenance of data an issue that countries...or maybe within your own department is that something normal that you deal with under CASL?

Noon

Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada

Brent Homan

Maintenance of data...?

Noon

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Are you referring to the upcoming data breach regulations?

Noon

Liberal

Lloyd Longfield Liberal Guelph, ON

No, I'm looking at the consent rules. We've designated holding data for six months or two years. We've had other testimony saying we should get rid of those consent rules because they are onerous, hard to manage, and place a burden upon businesses.

Noon

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll ask Regan Morris to complete this, but I would refer to the general regime under PIPEDA, wherein the rule is that information collected from consumers by an organization must be kept only as necessary. That's the concept. There's no prescribed time limit.

Regan.

Noon

Legal Counsel, Office of the Privacy Commissioner of Canada

Regan Morris

I think your question is dealing with the specific consent provisions that the CRTC enforces in relation to proving that they have obtained consent for the—

Noon

Liberal

Lloyd Longfield Liberal Guelph, ON

Yes, you have to prove it, and then you have to store it.

Noon

Legal Counsel, Office of the Privacy Commissioner of Canada

Regan Morris

I'm not sure we would have a comment on those specific rules. As the commissioner has said, the general rule for storing personal information is to keep it only as long as necessary, and that could be because of legal requirements.

Noon

Liberal

Lloyd Longfield Liberal Guelph, ON

My questions in previous discussions have been around there being a lot of external invasion into our networks and about how we manage those invasions, but that's probably not within your mandate—or could you comment on it?

I'm thinking of the Russians getting into the American election and of the things in the media that the public would be familiar with. How do we protect ourselves against that type of activity?

Noon

Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada

Brent Homan

If you are talking specifically about the notion of external invasion into networks, then spyware, for example, might be a gateway in order to allow and facilitate such invasions.

Noon

Liberal

Lloyd Longfield Liberal Guelph, ON

That's it.

Noon

Director General, Personal Information Protection and Electronic Documents Act Investigations, Office of the Privacy Commissioner of Canada

Brent Homan

To that extent, address harvesting can result from spyware or can result in the application of spyware. They are all interrelated in that these are threats, and when they are threats to the digital economic platform, they're also threats to the networks, whose robustness and constitution impacts upon trust in that platform.

Noon

Liberal

Lloyd Longfield Liberal Guelph, ON

—and are therefore necessary.

Thank you, Mr. Chair.

Noon

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

[Inaudible—Editor] are a part of the solution, but are not all of the solution, obviously.

Noon

Liberal

The Chair Liberal Dan Ruimy

I'm sorry, we are over time.

However, Mr. Masse, you have the final two minutes, so make them count.

Brian Masse NDP Windsor West, ON

Thank you. I have just one quick question.

The responsibilities of the department have increased with CASL and other types of measures. Has your overall budget reflected that?