Industry Committee on Oct. 24th, 2017

The investigation in question, the one into WhatsApp, did not deal with illegal behaviour under Canada's Anti-Spam Legislation. We have been granted information-sharing authorities through consequential amendments, as part of our broader mandate.

You are wondering about the effectiveness of the tools and how information-sharing is done. I must say that sharing information with other international data protection authorities has been very important. The starting point of the analysis is that, obviously, the data crosses borders and the behaviours that may be problematic for privacy protection or to consumers also cross borders. We must therefore collaborate with other similar organizations to tackle common and global problems.

How do we do this? We have bilateral agreements with certain colleagues and certain other data protection authorities or multilateral agreements. These agreements allow us to share information, but they also contain provisions that protect the confidentiality of data collected by investigators for investigation purposes. We may share information with law enforcement agencies, but the agreements include provisions that the information is to be used for investigative purposes only and cannot be disclosed. When we conduct an investigation, PIPEDA, which is a federal act, requires our office to process information that is collected confidentially, which is normal. However, once the investigation is completed, we will inform the complainant and the respondent.

Under the federal legislation, I have the power to make certain information publicly available for public information purposes, as well as to learn from such behaviour. If it's in the public interest, I can disclose certain information. We can talk to the investigators within that framework. Unless the public interest requires some information to be made public to better inform the public, I think there are still some limitations.

I would prefer to limit my response to applying the right of action with respect to the two behaviours that fall within my jurisdiction. I won't say anything beyond that. Should there be any changes to the plan with respect to these two behaviours? I don't think so.

There was discussion of the amount of fines, for instance, and factors that would allow the regulator to decide on the amount of a fine or whether or not to impose a fine. I think these factors are reasonable. Has the company committed multiple offences? How serious is the offence? These are all factors that seem reasonable to me.

Of course, applying these criteria in a reasonable way is also important. The criteria set out in the legislation make sense. It's about applying them correctly on a case-by-case basis.

The two behaviours that fall under my responsibility do not concern consent in the broad sense. It relates to two highly targeted and clearly unacceptable behaviours, namely, the harvesting of email addresses and the installation of spyware.

There is no doubt in my mind that spyware should be prohibited. There should be no exceptions that allow this kind of behaviour. Harvesting email addresses falls under the same category, but less clearly. There is a direct link between harvesting email addresses and the risks that consumers are exposed to, because email addresses can then be used to distribute malware, for instance. Because of the link between the two, I don't think there should be any exceptions.

I referred, in answer to Mr. Bernier, to some of our efforts with the Dutch under bilateral or collective agreements. I'll ask my colleague Brent Homan to speak to networks, for instance, that have been created between regulators in various countries to tackle that very issue.

With respect to networks that have been created, these are enforcement networks that have evolved somewhat organically in order to address issues, whether they be with respect to privacy, such as the Global Privacy Enforcement Network, or Usenet, which is the network associated with electronic threats.

One of the benefits of such networks is the ability to not only come together to share expertise and to identify potential opportunities for collaborating together on investigations, but also to carry out informal actions and enforcement actions, such as global sweeps that have been carried out both by the Global Privacy Enforcement Network in areas such as children's privacy, and most recently with respect to Usenet in this area of electronic threats and spam.

Making use of those networks is a key part of the solution in terms of collaborating with our international partners. Often it can be an ability to identify who we may want to expand our ability to work more closely with on more formal investigations, because we can't in all situations. There has to be some MOU, or some mechanism that allows us to share confidential information.

With respect—

To clarify, we have these networks. We have bilateral agreements with other countries. In terms of sharing our information to enforce spam legislation, we're good. We have authority under CASL to share information. Our recommendations to improve the legislation with respect to sharing of information deal with domestic agencies outside of CASL per se.

Yes.

Just to make one point as well, what we're seeing is often an intersection between issues of different regulatory spheres, an intersection between privacy issues and consumer protection issues. The commissioner talked about the one instance with respect to Ashley Madison where, while we were able to share information with the U.S. Federal Trade Commission on something that bled into the consumer protection issues, we ironically were unable to share information with our domestic counterparts. So that's where the mischief—

To be generous, I would not say obstruction. I would say there were good authorities who gave us helpful additional tools to share information as consequential amendments to CASL. Parliament just did not cover all of the territory, and we would want all of the territory to be covered.

Exactly.