Industry Committee on Oct. 24th, 2017

No, Brent is.

Often it could be the DGs, or the assistant deputy commissioners, or whoever it might be. There are different steering committees. There's the directors general steering committee, where we talk about broader issues as well as about ongoing investigations. As well, there are enforcement working groups that get together and talk about matters ongoing.

Absolutely, yes, it would assist. Again, when we look at the two prohibited conducts under CASL, the two conducts relevant to us, these are unacceptable practices by organizations. Generally speaking, I would say that the more tools that are proportionate to the conduct, the better. A private right of action fits within that, in my view, and order-making to require companies to desist from certain conduct would also be very effective.

A number of companies wish to comply with the law, but not all do. In particular, for the two conducts of address harvesting and spyware, these are conducts where you're not dealing with very legitimate companies or organizations, so order-making would help.

I'll try to answer the best I can with as little time as possible.

The one reality is that privacy laws are not harmonized, but they're not completely dissimilar, either. There are important differences. They're all inspired by the same principles. They are not drafted in the same way. They're not harmonized.

Regulators, other data protection authorities, privacy commissioners have to operate within that environment. It is possible, not perfectly, to work within that environment and enforce our respective laws through the kinds of co-operation that I had referred to in the past, either bilateral or multilateral agreements with other data protection authorities. There is quite a bit that is happening on that front.

There are various networks. There is an international conference of data protection authorities that discusses these issues. There are arrangements under that network. There are other networks. There are a number of networks. The situation is not perfect because, ideally, the laws would be harmonized, and that's not the reality and I don't think it will be the reality anytime soon.

Maintenance of data...?

Are you referring to the upcoming data breach regulations?

I'll ask Regan Morris to complete this, but I would refer to the general regime under PIPEDA, wherein the rule is that information collected from consumers by an organization must be kept only as necessary. That's the concept. There's no prescribed time limit.

Regan.

I think your question is dealing with the specific consent provisions that the CRTC enforces in relation to proving that they have obtained consent for the—

I'm not sure we would have a comment on those specific rules. As the commissioner has said, the general rule for storing personal information is to keep it only as long as necessary, and that could be because of legal requirements.

If you are talking specifically about the notion of external invasion into networks, then spyware, for example, might be a gateway in order to allow and facilitate such invasions.

To that extent, address harvesting can result from spyware or can result in the application of spyware. They are all interrelated in that these are threats, and when they are threats to the digital economic platform, they're also threats to the networks, whose robustness and constitution impacts upon trust in that platform.

[Inaudible—Editor] are a part of the solution, but are not all of the solution, obviously.