Thank you, Chair and members of the committee.
I'd first like to acknowledge that I'm presenting to you today from the traditional territories of the Lekwungen-speaking people of the Songhees and the Esquimalt first nations.
Given my brief time this afternoon, I want to focus my comments on the practical matter of how the privacy rights of Canadians ought to be considered and, where events dictate, enforced.
A common theme of these proceedings is the need to harmonize, to the greatest extent possible, the substantive privacy rights of Canadians across federal and provincial jurisdictions. The principle of harmony or substantial similarity should also apply to the processes that determine and enforce privacy rights.
Why is this so important? Data most often knows no borders. Many significant privacy rights cases impact citizens across the country.
It is therefore incumbent upon us, as privacy regulators with oversight over the private sector in Alberta, British Columbia, Quebec and Canada, to act, to the greatest extent permitted by law, in a coordinated manner. This ensures that concerned individuals are addressed in a consistent way and that affected businesses are not queried by overlapping demands. In short, coordination builds the trust of Canadians in our privacy oversight system.
The coordinated actions I speak about will be enhanced considerably if the avenues for processing and enforcing those privacy rights are as consistent as the law permits across jurisdictions. In concrete terms, this means the federal Privacy Commissioner should certainly be granted order-making powers, which the three provincial authorities now have, and which Bill C-27 recommends.
I would go a step further. The proposed federal order-making powers should be reviewable in the same manner as that applicable to provincial authorities. That is to say that the federal Privacy Commissioner's powers should be directly subject to review by the courts. That has proven to be more than sufficient to protect the rights of all parties at a provincial level. Bill C-27's proposal to add a layer of administrative bureaucracy in between the commissioner's orders and the court review adds an unnecessary level of expense and time to distance Canadians further from the ultimate disposition of their privacy concerns.
The same considerations of federal and provincial harmonization should be applied to the matter of administrative monetary penalties. Quebec—as my colleague has just pointed out—is the first jurisdiction in Canada to authorize the regulator to administer such penalties where circumstances warrant. I have called for British Columbia's government to do the same.
The authority to levy fines—a last resort for regulators—protects the rights of Canadians and the vast majority of businesses from bad actors. It is critical that privacy regulators are able to ensure that when fines are necessary for multi-jurisdictional violations, they are levied in a coordinated, proportionate and non-overlapping way.
That is simply not possible under Bill C-27, which strips power away from the federal Privacy Commissioner to levy fines, and instead puts it in the hands of a third party that would not be in a position to coordinate matters with other authorities. This again creates federal-provincial asymmetries, which in no way benefit Canadians. It bears repeating that if a party is concerned about an imposed fine, a direct referral to the court system is more than adequate to ensure administrative oversight of the system.
In summary, while Bill C-27 goes some ways to strengthen the privacy rights of Canadians, the bill must be improved to ensure that those rights can be fairly, effectively and economically adjudicated and enforced.
Along with my colleagues, of course, I welcome any questions you may have.