Information & Ethics committee  Thank you. The central theme of our comments this afternoon is our view that PIPEDA's statutory framework is very well suited for innovation. While there are certain challenges in applying PIPEDA's fair information principles in today's highly dynamic data environment, it is c

Information & Ethics committee  Thank you. As the committee has heard from previous witnesses, there is an increasingly active discourse and growing recognition in the global privacy arena of the legal and practical challenges posed by the statutory consent requirement in an evolving data environment, but desp

Information & Ethics committee  I'm happy to begin.

Information & Ethics committee  My first comment would be that the GDPR is an incredibly complex piece of legislation. It is still being actively reviewed, and there is a tremendous effort globally to understand what certain aspects of the legislation even mean. We're just getting policy guidance from regulator

Information & Ethics committee  I'd be pleased to do so. We offered four. All of them relate to the ability to process certain data—to collect, use, and disclose personal information—without consent. One of them, as mentioned by my colleague as well, was to create an exception for legitimate interest. This wou

Information & Ethics committee  Number two, there's currently an exception under PIPEDA in paragraph 7(2)(c) for the use of data for statistical and scholarly study and research. It's just for the use of data. The wording, in my view, allows for the conducting, for example, of analytics, which is a form of rese

Information & Ethics committee  Finally I mentioned, consistent with my colleagues, that organizations now engage in a practice referred to as de-identification or anonymization or obfuscation, which is extraordinary helpful to protect the privacy interests of individuals while it's processing, but it protects

Information & Ethics committee  I agree with both colleagues. Striking a balance is difficult. I'm not sure that the answer is necessarily embedding that principle within a statutory framework. There is an existing framework right now that allows for respectful treatment of the life cycle of data, including da

Information & Ethics committee  I'm happy to answer that. In the context of numerous client engagements, we've had to address that exact issue. The best place to start, actually, is with your reference to COPPA. Under PIPEDA, as we've heard throughout the afternoon, there's a consent-based requirement. Indivi

Information & Ethics committee  I have two comments. With respect to your first question, I think there are times when it seems as though it would be helpful to have different age gates for different types of scenarios, but given the explosion of the array of different types of services and offerings and cont

Information & Ethics committee  I would just reiterate that in dealing personally with scores of investigations, I have found that there is a benefit to having an ombudsman model that can be unleashed to have even greater benefits, to allow for what I would call a conversation. Unlike other types of statutes in

Information & Ethics committee  I want to clarify if the question is whether there are recommendations for helping organizations respond to incidents that would be incorporated into the statutory regime or it is a more general question.

Information & Ethics committee  As the committee is aware, we've had these discussions, and PIPEDA has a pending statutory security breach notification requirement, which will come into effect once the regulations are put out for comment and then ultimately implemented. One of the comments that industry has ma

Information & Ethics committee  Yes, those compliance agreements are voluntary for organizations to enter into. There are certain reasons it would make sense for organizations to enter into them with the OPC, like a binding agreement, just as you would have in the private sector, so that would make sense in its

Information & Ethics committee  We've had to work on several dozen client mandates in which we were dealing with concepts in the EU, with global companies, and importing them. These are very tricky, and what seemed to be the case in every single context is that that was unnecessary for the protection of privacy