<?xml version="1.0" encoding="UTF-8"?>
<Hansard xml:lang="EN" id="9391982"><StartPageNumber>1</StartPageNumber><DocumentTitle><DocumentName>EVIDENCE</DocumentName></DocumentTitle><ExtractedInformation><ExtractedItem Name="InstitutionDebate">Standing Committee on Access to Information, Privacy and Ethics</ExtractedItem><ExtractedItem Name="Number">NUMBER 048</ExtractedItem><ExtractedItem Name="Session">1st SESSION</ExtractedItem><ExtractedItem Name="Parliament">42nd PARLIAMENT</ExtractedItem><ExtractedItem Name="Date">Tuesday, February 21, 2017</ExtractedItem><ExtractedItem Name="DateOtherLang">Le mardi 21 février 2017</ExtractedItem><ExtractedItem Name="Institution">Standing Committee on Access to Information, Privacy and Ethics</ExtractedItem><ExtractedItem Name="Country">CANADA</ExtractedItem><ExtractedItem Name="RecordingNote">[Recorded by Electronic Apparatus]</ExtractedItem><ExtractedItem Name="HeaderTitle">EVIDENCE</ExtractedItem><ExtractedItem Name="HeaderDate">February 21, 2017</ExtractedItem><ExtractedItem Name="MetaDocumentCategory">Committee</ExtractedItem><ExtractedItem Name="MetaTitle">Edited Evidence * Table of Contents * Number 048 (Official Version)</ExtractedItem>
		<ExtractedItem Name="MetaTitleEn">Official Report * Table of Contents * Number 048 (Official Version)</ExtractedItem>
		<ExtractedItem Name="MetaTitleFr">Témoignages * Table des matières * Numéro 048 (Version officielle)</ExtractedItem>
		<ExtractedItem Name="MetaNumberNumber">48</ExtractedItem>
		<ExtractedItem Name="MetaDateNumDay">21</ExtractedItem>
		<ExtractedItem Name="MetaDateNumMonth">02</ExtractedItem>
		<ExtractedItem Name="MetaDateNumYear">2017</ExtractedItem>
		<ExtractedItem Name="MetaCreationTime">2017/02/21 15:30:00</ExtractedItem>
		<ExtractedItem Name="MetaInstitution">House of Commons</ExtractedItem>
		<ExtractedItem Name="InstitutionDebateFr">Comité permanent de l'accès à l'information, de la protection des renseignements personnels et de l'éthique</ExtractedItem>
		<ExtractedItem Name="InstitutionDebateEn">Standing Committee on Access to Information, Privacy and Ethics</ExtractedItem>
		<ExtractedItem Name="Acronyme">ETHI</ExtractedItem>
		<ExtractedItem Name="SpeakerTitle">Chair</ExtractedItem>
		<ExtractedItem Name="SpeakerName">Mr. Blaine Calkins</ExtractedItem>
		<ExtractedItem Name="ParliamentNumber">42</ExtractedItem>
		<ExtractedItem Name="SessionNumber">1</ExtractedItem>
		<ExtractedItem Name="InCameraNote">PUBLIC PART ONLY - PARTIE PUBLIQUE SEULEMENT</ExtractedItem></ExtractedInformation><HansardBody><OrderOfBusiness><CatchLine></CatchLine><SubjectOfBusiness><SubjectOfBusinessContent><Timestamp Hr="15" Mn="30">(1530)</Timestamp><FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9391985"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair (Mr. Blaine Calkins (Red Deer—Lacombe, CPC))</Affiliation>: </PersonSpeaking><Content><ParaText id="4781522"> Good afternoon, colleagues.</ParaText><ParaText id="4781523">I notice that while not everyone is at the table, everyone appears to be in the room. We'll get going, because I have a couple of public service announcements before we hear from our witnesses.</ParaText><ParaText id="4781524">Colleagues, I'm sure you're aware of this, but in case you're not, I'll do a friendly reminder. Karen Shepherd, the outgoing Lobbying Commissioner, is having a farewell reception today. If you get an opportunity, it's at the Mill Street Brew Pub on Wellington Street, just down by the bridge, if I remember correctly. It goes from 3:30 until 7 tonight. I'll do my best to make my way over there on behalf of the committee, but if other committee members wish to go, I think that would be more than appropriate.</ParaText><ParaText id="4781525">Colleagues, we have a very distinguished panel of witnesses today, all appearing by video conference. From the Office of the Information and Privacy Commissioner for British Columbia, we have Mr. Drew McArthur, the acting commissioner. We welcome you. Also from that office, we have Michael McEvoy, the deputy commissioner. From the Office of the Information and Privacy Commissioner of Alberta, we have again, Jill Clayton, who has appeared before the committee several times. She has some assistance there, as well. Finally, from the Commission d'accès à l'information du Québec, we have Cynthia Chassigneux, the administrative judge, who is appearing by video conference as well.</ParaText><ParaText id="4781526">We'll have 10 minutes of opening remarks by each group. That will take up about the first 30 minutes. Then we'll proceed to our questioning.</ParaText><ParaText id="4781527"> Keep in mind, colleagues, that with PIPEDA, this is about the private sector. If we can focus on that in our questioning, we'll have a great discussion.</ParaText><ParaText id="4781528">Who's going first, Mr. McArthur or Mr. McEvoy?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392003"><PersonSpeaking><Affiliation DbId="230007" Type="28">Mr. Michael McEvoy (Deputy Commissioner, Office of the Information and Privacy Commissioner of British Columbia)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781529">Mr. McArthur.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392006"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781530">There we go. Thank you very much, sir.</ParaText><ParaText id="4781531">Please begin.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" id="9392009" ToCText=""><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur (Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781532"> Thank you very much, Mr. Chair, for inviting us here to review the Personal Information Protection and Electronic Documents Act, or PIPEDA. </ParaText><ParaText id="4781533">British Columbia's private sector privacy law is the Personal Information Protection Act, which I will call the “B.C. act”. As acting commissioner, I oversee how it is applied to over 380,000 private sector organizations, including businesses, charities, associations, trade unions, and political parties. The B.C. act is substantially similar to PIPEDA.</ParaText><ParaText id="4781534">I will address in turn the items raised in the federal Privacy Commissioner's letter to this committee.</ParaText><ParaText id="4781535">First, meaningful consent is a key aspect of PIPEDA and in privacy laws around the world, including the B.C. act. Although these acts were designed to be neutral with respect to technology, we are now seeing challenges to that neutrality with big data. There are concerns that some organizations are somewhat vague in their description of the purposes for which they use personal information.</ParaText><ParaText id="4781536">To provide consumers with a better understanding of how their personal information is being used, organizations need to include clarity of purpose in the use of personal information for data analytics in their notifications to consumers. We believe this can be done within the existing consent-based model. Still, big data analytics represent a potential for both positive and negative outcomes to individuals.</ParaText><ParaText id="4781537">Many of Canada's privacy commissioners and a group of Canadian organizations have been working with the International Accountability Foundation to examine the use of ethical frameworks in addition to existing privacy frameworks in the processing of personal data. These can be very complex and challenging issues. In practice, my office has not seen a situation where consent could not be obtained to enable a valid use of information. Granted, organizations could improve on how they describe their data processing activities in their privacy policies and use cases. Some suggest that organizations should be explicitly authorized to de-identify data so that they may then conduct data analysis without needing to obtain the consent of the individual. This approach would authorize data analytics on information that was already collected but not collected for that purpose.</ParaText><ParaText id="4781538">My concern with this approach is that it is becoming easier and easier to reidentify data, using increasingly sophisticated algorithms. It may be that in a number of years, these reidentification techniques will be so effective that any previously de-identified information will be able to be reidentified.</ParaText><ParaText id="4781539">Some jurisdictions are addressing this problem through legislation that allows processing of de-identified personal information while mitigating against the risk of misuse. Australia is now considering a bill that would make reidentification an offence, with intentional reidentification subject to a criminal offence with up to two years of imprisonment or a fine.</ParaText><ParaText id="4781540">Recent amendments to Japan's Act on the Protection of Personal Information contain requirements for secure processing of de-identified information, including that reidentified information must be processed in a manner such that it cannot be reidentified and it must be handled securely, even though the information is de-identified.</ParaText><ParaText id="4781541">Turning now to privacy and reputation, today personal information that is online or stored in databases has a permanence and availability that did not exist prior to the emergence of digital technologies. The ready availability of this information can, at times, have significant impact on people's lives, for better or for worse.</ParaText><ParaText id="4781542">There are limited tools available to have personal information removed or corrected in the B.C. act, as in PIPEDA. An individual has a right to withdraw consent, but this is subject to exceptions, such as where withdrawing consent would frustrate a legal obligation. An individual also has a right to request correction of their personal information. However, these are not comprehensive tools if someone wants to eliminate their digital footprint, in whole or in part.</ParaText>
							<Timestamp Hr="15" Mn="35">(1535)</Timestamp><ParaText id="4781543"> While the B.C. act and PIPEDA can provide some redress where incorrect personal information is being disclosed online, there is also the potential for the disclosure of truthful information to cause harm. This is where the right to be forgotten, the right to erasure that exists in Europe, is useful to individuals who have experienced damaging effects to their reputation owing to information that is online. </ParaText><ParaText id="4781544">While I can see the potential benefit of creating such a right in Canada, as others have observed, it remains to be seen how a right to be forgotten could exist within our legal system alongside the right to freedom of expression. We are seeing many unanticipated consequences of the implementation of the right to be forgotten, so it is a concept that must be approached carefully.</ParaText><ParaText id="4781545">One of these issues is the ability of governments to undertake censorship, and another is that the right to be forgotten is being administered currently by private sector organizations. </ParaText><ParaText id="4781546">On enforcement powers, personal information has become integral to the business model of a number of companies. In this context, order-making power is essential to any privacy commissioner. I believe order-making powers need to be used effectively and judiciously. Allow me to describe how they are used in my office.</ParaText><ParaText id="4781547">Relationships with organizations and public bodies are critical to providing effective oversight over B.C. privacy laws, and order-making powers may, indeed, encourage organizations to work with my office. More than 90% of the complaints to my office are resolved at mediation. My investigators have expert knowledge on B.C.'s privacy laws and work to help parties understand their respective rights and responsibilities. At mediation the parties are aware that, if a resolution is not reached, the matter may go to adjudication, resulting in an order. This encourages the parties to work with us at mediation to find a resolution. Orders from my office require that organizations bring themselves into compliance with B.C.'s private sector privacy law. </ParaText><ParaText id="4781548">The act sets out the kinds of things I may do; for example, to require that a duty be performed under the B.C. act, and I have the authority to specify any terms and conditions for fulfilling that duty. </ParaText><ParaText id="4781549">On the matter of adequacy, now that Europe's general data protection regulation has passed, ensuring that Canada's privacy laws also provide an adequate level of protection will assist businesses that rely upon personal information flows from Europe to Canada. The GDPR says that an adequacy determination can be made where a country or territory offers levels of protection that are essentially equivalent to those within the European Union. Note that an adequacy finding can be made for a territory; so interestingly, a provincial privacy law could be found to be adequate for transfers, even if PIPEDA is not. Essential equivalency is the bar, so there is some work to be done if adequacy is to be maintained. </ParaText><ParaText id="4781550">I've already mentioned the right to erasure. Here are two other areas for consideration. </ParaText><ParaText id="4781551">Parliament has already addressed breach notification under PIPEDA. In B.C., my office recommended mandatory breach notification for both the private and public sectors in the recent legislative review of B.C.'s privacy laws, and the provincial government has committed to doing so. </ParaText><ParaText id="4781552">In Europe, failure to notify can be subject to administrative fines of up to 10 million euros, or 2% of a company's total worldwide annual turnover, whichever is higher. In other areas, fines may be as high as up to 20 million euros, or 4% of annual turnover, whichever is higher. In B.C. and Canada, our fines do not keep up with these standards.</ParaText><ParaText id="4781553">Before I wrap up, I want to comment on one additional area. In response to the Spencer decision by the Supreme Court, law enforcement agencies have indicated that they want warrantless access to online subscriber information. A change like this in PIPEDA would not be consistent with the reasonable expectations of Canadians. Warrants are already available for circumstances that require them, and judicial oversight is critical to public confidence in how personal information is released or disclosed. </ParaText><ParaText id="4781554">Thank you very much, and I'd be happy to respond to questions at the appropriate time. </ParaText></Content></Intervention>
					<Timestamp Hr="15" Mn="40">(1540)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392138"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781555">Thank you very much, Mr. McArthur. </ParaText><ParaText id="4781556">We'll now move to the information and privacy commissioner of Alberta, Jill Clayton, for up to 10 minutes, please. </ParaText><ParaText id="4781557">Welcome back, Jill. </ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392142"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton (Commissioner, Office of the Information and Privacy Commissioner of Alberta)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781558"> Thank you very much.</ParaText><ParaText id="4781559">Thank you, Mr. Chair and committee members, for the invitation to speak to you today as you review the Personal Information Protection and Electronic Documents Act. Here in Alberta, we call it “PIPEEDA” as opposed to “PIPEDA”, as Drew just referred to it. With me are Sharon Ashmore, who is general counsel with my office, and Kim Kreutzer Work, who is the director of knowledge management.</ParaText><ParaText id="4781560">I thought I would start my comments today by speaking briefly about Alberta's Personal Information Protection Act, or PIPA, and then in a very similar way to Drew's presentation, I will provide some brief comments on the four topics that I understand you're interested in. I'll speak about PIPEDA's adequacy vis-à-vis the European Union enforcement powers, and in particular my ability to order compliance, as well as meaningful consent and privacy and reputation. Then, of course, I would be happy to address any questions you might have.</ParaText><ParaText id="4781561">To begin, Alberta's Personal Information Protection Act, or PIPA, came into force on January 1, 2004. The act balances the privacy interest of Albertans with the need of organizations to collect, use, and disclose personal information of their customers, clients, employees, and volunteers for reasonable purposes. PIPA has been declared substantially similar to PIPEDA, which means that in Alberta it is PIPA, and not PIPEDA, that generally covers provincially regulated private sector organizations and businesses.</ParaText><ParaText id="4781562"> My role is to provide oversight for the act. I have a number of powers and responsibilities under the legislation to ensure that its purposes are achieved. So far, PIPA has undergone two reviews by all-party committees of the Alberta legislature. This in fact is built into the legislation and is a statutory requirement.</ParaText><ParaText id="4781563">The first review took place in 2006-07 and led to several amendments, most notably, mandatory breach reporting and notification requirements, which came into effect in May of 2010. Alberta became the first private sector jurisdiction in Canada to have mandatory breach reporting and notification, and we have since become the model for many other jurisdictions that are contemplating similar amendments.</ParaText><ParaText id="4781564"> I think I'll mention that since 2010 we have seen close to 750 breach reports under PIPA and have issued close to 600 notification decisions. So far, we've found that in approximately 56% of those cases there was a real risk of significant harm, in which case I required the organization to notify affected individuals.</ParaText><ParaText id="4781565">The second review of PIPA was more recent and concluded at the end of 2016. During one of my appearances before that review committee, I spoke about the importance of global considerations when considering amendments to Alberta's legislation. I believe those comments are relevant here again in regard to PIPEDA's adequacy status vis-à-vis the European Union.</ParaText><ParaText id="4781566"> When it comes into force, the European Union's general data protection regulation, or GDPR, will make privacy law across Europe stricter and will enhance the protection for Europeans' personal information in such areas as consent, accountability, privacy management frameworks, breach notification, and privacy impact assessments. In a global economy where Canadian and Alberta businesses are participants, and where private sector privacy law needs to be adequate and substantially similar, the effect of the GDPR must be considered in any discussion about amendments to our legislation governing the collection, use, and disclosure of personal information. </ParaText><ParaText id="4781567">I'm not necessarily suggesting that PIPEDA or, by extension, PIPA will be deemed to be inadequate, but I am suggesting that there's a need to be mindful of global and national considerations when we're contemplating amendments, to ensure that they don't weaken the legislation and that they are not out of step with global and national considerations. I think it's important to remember that although legislative requirements and regulations may sometimes seem to be burdensome, they also help to provide the public and businesses and their service partners with stability and reassurance, both of which are necessary to win customers and to facilitate business and information sharing.</ParaText><ParaText id="4781568">Going on to enforcement powers, I'm able to issue orders under all three of the acts for which I provide oversight: our public sector's Freedom of Information and Protection of Privacy Act and our health sector's Health Information Act, as well as PIPA. </ParaText><ParaText id="4781569">Order-making power does not preclude my office from resolving cases by an informal mediation process rather than going through the formal inquiry process. In fact, in most cases when we receive a request for review or a complaint, we investigate and attempt to mediate and resolve that matter informally. It's only when findings and recommendations are not accepted that the matter may proceed to inquiry. In 2015-16, approximately 80% of our cases under PIPA were resolved through that mediation process as opposed to inquiry, and since 2004 we have issued 134 PIPA orders.</ParaText>
							<Timestamp Hr="15" Mn="45">(1545)</Timestamp><ParaText id="4781570">In most cases organizations comply with orders. In the very odd case where an organization does not, I can file the order in the Court of Queen's Bench, at which time it becomes enforceable as a judgment of that court. I have had occasion to file orders twice in the last year. In one of those cases it was under the Health Information Act and not PIPA, and in the other case, it had to do with ensuring compliance with a breach notification decision I had issued under PIPA. In both cases, after filing with the court, the matters were resolved before the court heard the cases. In those examples, order-making power was extremely valuable in obtaining compliance.</ParaText><ParaText id="4781571">Moving on to meaningful consent, I will first note that in Alberta, we talk about PIPA as being consent-based legislation, and generally, I think it works well. Requiring organizations to obtain the consent of an individual before collecting personal information and to provide notice of the purpose for collection helps to ensure that individuals are able to make informed decisions and exert some measure of control over their personal information.</ParaText><ParaText id="4781572">However, I am aware of ongoing discussions in certain forums that suggest that a consent-based framework is not always adequate. I seldom hear that consent and notice should be done away with entirely, but there does seem to be concern that in this age of big data, predictive analytics, and complex information systems, consent and notice may not be adequate in all cases and may stifle innovation as well as initiatives that are in the public interest. </ParaText><ParaText id="4781573"> I've certainly participated in a number of these conversations where we've tried to define the problem, if there is a problem, and to identify and consider some proposed solutions. In those discussions, I often make reference to Alberta's Health Information Act, for example, which is not consent-based but based on a circle-of-care idea, the concept of legislated acceptable uses. We also make reference to the personal information code under Alberta's PIPA, which again recognizes that consent in an employer-employee relationship might not work, and so consent is not required for collecting certain information. We also look to the Health Information Act for the framework around research and research ethics boards. As Drew mentioned earlier, there are commissioners in the country who are interested in some of the projects, notably the Information Accountability Foundation, and a project on developing an ethical assessment framework for certain big data initiatives.</ParaText><ParaText id="4781574">In any event, I believe any solution to the problem, if there is a problem in this area, would involve a mix of legislative, regulatory, and voluntary options, and I certainly support discussion of these issues, including consultations such as the exercise the federal Privacy Commissioner recently undertook. </ParaText><ParaText id="4781575">Finally, I have a few words to say on privacy and reputation. This topic has seen a lot of attention in recent times, particularly around the idea of a right to be forgotten, and whether such a thing exists in Canada or not, and if it does, how it might be enforced in today's global world.</ParaText><ParaText id="4781576"> I mentioned this in the trends and issues section of my 2014-15 annual report and said that this was a topic we should be watching over the next couple of years. In particular, we've seen cases like the May 2014 case in the Court of Justice of the European Union; the recent case involving Globe24h at Canada's Federal Court involving information posted on a Romanian website; and a pending decision from the Supreme Court of Canada in Google v. Equustek Solutions. I think that brings home the fact that these are live issues.</ParaText><ParaText id="4781577"> Of note, these cases highlight questions of jurisdiction and legal boundaries and the ability to compel compliance; privacy versus freedom of expression; transparency for public figures such as politicians; and the technical challenges and costs for global companies. These are all complicated issues, but they have found their way to my office, as we have seen a recent uptick in the number of right-to-be-forgotten-type cases in the office. We had previously seen about half a dozen of them over the first seven or eight years of the legislation, but I think we have half a dozen in the office right now. They tend to be focused on such issues as websites publishing personal information collected from some source other than the individual whom the information is about. There are also sometimes complaints around decision-making bodies, including personal information, in their published decisions. </ParaText>
							<Timestamp Hr="15" Mn="50">(1550)</Timestamp><ParaText id="4781578">As there are a number of live matters in my office at the moment, I'm not going to get into too many specifics. We will be issuing decisions in some of these cases. It is worth noting that these discussions have made their way from other countries, contexts, and the courts to real complaints made by real individuals that are currently in my office. </ParaText><ParaText id="4781579">On that note, I will leave my comments there. I'd be happy to respond to any questions. </ParaText><ParaText id="4781580">Thank you.</ParaText></Content></Intervention>
					<Timestamp Hr="15" Mn="55">(1555)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392322"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781581">Thank you, Ms. Clayton. </ParaText><ParaText id="4781582">We now go to Ms. Chassigneux.</ParaText>
							<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><ParaText id="4781583">You have 10 minutes.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392327"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux (Administrative Judge, Surveillance, Commission d'accès à l'information du Québec)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781584">Mr. Chair and members of the committee, thank you for inviting the Commission d'accès à l'information du Québec to participate in the study on the Personal Information Protection and Electronic Documents Act.</ParaText><ParaText id="4781585">This invitation gives me the opportunity to briefly describe the legislation applicable to Quebec in terms of personal information protection in the private sector, as well as the role of the commission and its latest five-year report.</ParaText><ParaText id="4781586">Before examining the Act respecting the protection of personal information in the private sector, which came into force on January 1, 1994, I should point out that, by adopting this act, Quebec became the first Canadian province and the first government in North America to regulate personal information protection in both the private and public sectors. The public sector is subject to the Act respecting Access to documents held by public bodies and the Protection of personal information.</ParaText><ParaText id="4781587">With that clarification, I should mention that the Act respecting the protection of personal information in the private sector applies to all the businesses that, in Quebec, carry on an economic activity of a commercial nature. It regulates the collection, use, disclosure within and outside the province, and the security of the personal information a company has. To that end, it sets out a number of principles in relation to consent, prior information of the individuals in question or even the reason why the personal information is collected, used or disclosed.</ParaText><ParaText id="4781588">It also governs the right of a person to have access to or to correct their personal information held by a company. If rejected, the person in question may submit a request for the disagreement to be reviewed by the commission's adjudicative division. The Act respecting the protection of personal information in the private sector also sets out the duties and powers of the commission in audits and investigations carried out by its oversight division.</ParaText><ParaText id="4781589">Before I describe the commission's role, I should say that the Act respecting the protection of personal information in the private sector, just like the Act respecting Access to documents held by public bodies and the Protection of personal information, overrides any other piece of legislation applicable in Quebec.</ParaText><ParaText id="4781590">This demonstrates the legislator's intent to highlight the paramount importance of the rights given to the individuals in question and the obligations provided for both public bodies and private companies in terms of the protection of personal information.</ParaText><ParaText id="4781591">I will now say a few words about the commission, which was established in 1982.</ParaText><ParaText id="4781592">The commission has two divisions: an adjudicative division and an oversight division, of which I am a member.</ParaText><ParaText id="4781593">The commission's adjudicative division acts as an administrative tribunal and reviews requests filed by those whose access to or correction of their personal information has been denied. The members assigned to the adjudicative division generally sit in at hearings, during which the parties involved have the opportunity to make their case.</ParaText><ParaText id="4781594">After hearing from the parties, the commission may decide on any question of fact or of law and make any appropriate order to safeguard the rights of the parties. The decision rendered by the commission is public. The decision is binding 30 days after the parties have received it and it is subject to a right of appeal provided to the Court of Quebec on a question of law or jurisdiction only. When a decision becomes binding, it can be submitted to the Superior Court. It then has the same force and effect as if it were a ruling rendered by that court.</ParaText><ParaText id="4781595">Under its oversight functions, the commission is responsible for promoting access to the documents and the protection of personal information. It also ensures that the legislation is applied in those matters. To do so, it can carry out audits and investigations into potentially problematic situations brought to its attention, in order to ensure that public bodies and private enterprises comply with the legal provisions.</ParaText><ParaText id="4781596">The commission may make recommendations and compliance orders upon completion of its investigations, which are carried out in a non-adversarial way. The orders made by the commission may, under the Act respecting the protection of personal information in the private sector, be submitted to the Superior Court for registration. Furthermore, if an order is not complied with, the commission may, in the case of enterprises, release a notice to inform the public. It may also initiate criminal proceedings.</ParaText><ParaText id="4781597">Now, allow me to quickly go over some of the points raised in the commission's 2016 five-year report. In fact, the commission must report to the government every five years on the application of the act respecting access to documents held by public bodies and the protection of personal information and the Act respecting the protection of personal information in the private sector. In the report, it makes recommendations to improve the government's transparency and the protection of personal information in Quebec. The report, tabled in the National Assembly, may lead to legislative amendments.</ParaText><ParaText id="4781598">In its last report, just like in the previous one, the commission stressed the need to strengthen the protection of personal information in both the public and private sectors, especially since the Act respecting the protection of personal information in the private sector has not undergone any significant amendments since it was passed more than 20 years ago.</ParaText>
							<Timestamp Hr="16" Mn="00">(1600)</Timestamp><ParaText id="4781599">Among other things, it calls on the government to amend the Act respecting the protection of personal information in the private sector in order to include an obligation for corporate responsibility and to provide for the designation of a person responsible for access and the protection of personal information. This amendment would help to develop a corporate culture that protects personal information, to ensure more transparency and to increase public confidence.</ParaText><ParaText id="4781600">It also calls on the legislator to update the concepts inherent to the protection of personal information in the private sector. Actually, for a number of years, the commission has noted, particularly because of the proliferation of electronic platforms, that some of the concepts under the Act respecting the protection of personal information in the private sector no longer fit, or correspond with limited effectiveness, to the new business models that result.</ParaText><ParaText id="4781601">A number of those models, whether free or paid, are fed by information gathered here and there, from users or without their knowledge. Because of the emergence of those new business models, we often hear that personal information has become the petroleum of the 21st century, that it is worth a fortune, or that it is the lungs of the digital economy.</ParaText><ParaText id="4781602">So, in order for the Act respecting the protection of personal information in the private sector to be fully applied to those new business models and to restore user confidence, in its five-year report, the commission calls on the legislator to revisit some of the concepts set out in the act. For instance, these include the concepts of a file, of the disclosure of information or of consent.</ParaText><ParaText id="4781603">In terms of the concept of a file, I should first specify that a number of the obligations under the Act respecting the protection of personal information in the private sector are related to that notion. Right now, the legislation imposes obligations on businesses that create or keep a file for an individual. However, the fact is that more and more companies gather images, identification, use and location data, creating profiles to analyze the behaviours of users in order to improve the goods and services provided online or to attract their attention with targeted advertising.</ParaText><ParaText id="4781604">Those companies gather information likely to identify an individual often without their knowledge and without necessarily establishing a contractual relationship. Although those companies hold personal information, they don't always keep it in a “file” with the person's name on it. So, although the concept of a file is sufficiently comprehensive to be interpreted broadly and to apply to electronic environments, the examples described above have prompted the commission to propose that the term “file” be replaced with the “purpose of the collection”, a principle underlying a number of personal information protection systems. As a result, corporate obligations would be linked to the initial reason for the collection of personal information.</ParaText><ParaText id="4781605">As for the obligation of disclosure to the person in question when personal information is collected, the commission notes that it is one of the obligations that are met the least in the Act respecting the protection of personal information in the private sector. However, the protection of personal information is a shared responsibility. How can people assess how their personal information is protected by businesses and determine whether they are trustworthy, if they are not even informed, at a minimum, of the nature of the information the enterprise has and the subsequent use?</ParaText><ParaText id="4781606">That is why, just like in the previous report, the commission has called on the legislator to amend the Act respecting the protection of personal information in the private sector, in order to specify when the information must be given to the person in question, to include the obligation to disclose the personal information collected and how it was collected. The commission also stresses the importance of the information being clear, intelligible and accessible, regardless of the platform used to collect the personal information.</ParaText><ParaText id="4781607">In terms of consent, it must be noted that consent is the driving force behind the protection of personal information. In principle, it allows users to control what companies can and cannot do with their personal information. That's only in principle, because the notion of consent is increasingly criticized and considered inadequate in some contexts.</ParaText><ParaText id="4781608">This raises the question of how to give consent its true meaning back. How can it be ensured that it truly means that individuals have agreed to a company managing and using their personal information, giving them real choice in the matter, rather than an opaque legal text created to limit the responsibility of companies to obtain an all-encompassing and irreversible “I agree”?</ParaText>
							<Timestamp Hr="16" Mn="05">(1605)</Timestamp><ParaText id="4781609">Therefore, although the Act respecting the protection of personal information in the private sector states that the consent must be manifest, free, and enlightened, and given for specific purposes and that it is valid only for the length of time needed to achieve the purposes for which it was requested, the commission notes that the scope of the criteria for consent is not well understood by enterprises. It therefore feels that clarifications about the obligations of enterprises under each of the criteria for consent should be included in the Act respecting the protection of personal information in the private sector. It also believes that the legislator should indicate that consent may be withdrawn at any time subject to restrictions under the act.</ParaText><ParaText id="4781610">In closing, I must clarify that the commission does not claim to think those amendments will provide a solution to all the current consent-related issues. It believes that discussions must continue and that other avenues must be explored. To that end, in its five-year report, the commission stresses the importance of considering the amendments made to European legislation on the protection of personal information.</ParaText><ParaText id="4781611">Mr. Chair, thank you. I will be pleased to answer any questions you and the other members of the committee may have.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392507"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781612">Thank you, Ms. Chassigneux.</ParaText>
							<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><ParaText id="4781613"> We will now proceed to our first round of questioning. </ParaText><ParaText id="4781614">We'll start with Mr. Bratina, please, for seven minutes.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392510"><PersonSpeaking><Affiliation DbId="216083" Type="47">Mr. Bob Bratina (Hamilton East—Stoney Creek, Lib.)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781615">Thank you very much.</ParaText><ParaText id="4781616">Thanks, everyone, for really continuing to confuse me over this very complicated situation.</ParaText><ParaText id="4781617">First, to Mr. McArthur, what's the use of provincial or territorial boundaries in describing PIPEDA? We're seeing that Europe seems to have a more robust set of regulations and penalties, and we're not able to come up to their standards—so far, although maybe we will through these discussions. On the question of equivalency, should these kinds of regulations be made by a larger body rather than by many territorial or provincial bodies in order for it to really work properly in the world that we live in?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392530"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781618"> Well, first, while I agree that information flows and really knows, often, no boundaries, it's the information of citizens in particular jurisdictions that is of interest to those citizens, whether it's federal or provincial, as is the case in Canada, or whether it's country by country or the European Union, in Europe. I think those decisions are best left to the legislators in those countries and in those particular territories.</ParaText><ParaText id="4781619">To us in Canada, I don't think it has been complicated. It's well understood that B.C. citizens are protected by our private sector act, and we have the opportunity to focus on their particular concerns when addressing their complaints.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392541"><PersonSpeaking><Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking><Content><ParaText id="4781620">Go ahead, Mr. McEvoy.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392545"><PersonSpeaking><Affiliation DbId="230007" Type="28">Mr. Michael McEvoy</Affiliation>: </PersonSpeaking><Content><ParaText id="4781621">There's a recognition as well in this country, on the part of our offices that have jurisdiction over the private sector, that we work together. For example, when you have breaches that happen in companies that operate across the country, the B.C., Alberta, Quebec, and the federal offices work together in a coordinated way. It's important to our citizens to do that, but it also provides a unified face, if I can put it that way, to the private sector companies that they're not having to deal with the offices individually.</ParaText><ParaText id="4781622">We also extend that, frankly, to the international sector, where we increasingly co-operate with data protection authorities around the world on data breaches. You may be familiar with the recent Ashley Madison breach, where the Canadian office worked with authorities in the United States and Australia and other places. We were also involved in that. There's an increasing level of co-operation between data protection commissioner offices around Canada and around the world. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392562"><PersonSpeaking><Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking><Content><ParaText id="4781623">Mr. McArthur, you brought up the question of mediation. I'd be very interested in hearing an example of a mediation, without your giving any specifics of it. Could you give me a general idea of how mediation would work?</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="10">(1610)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392569"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781624">Essentially all of the private sector complaints that come into our office go through a process of mediation, where the interests of the parties are examined and investigated, and the rights of the individual are balanced with the obligations of the organizations. We say it's a process of mediation in addressing a complaint and determining an outcome in which both parties' interests are given consideration. Organizations, understanding that we do have order-making powers, are certainly more compelled to work creatively or effectively with us through that process. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392575"><PersonSpeaking><Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking><Content><ParaText id="4781625"> Could I ask Ms. Clayton in Alberta about the 750 breach reports? It sounds like a big number. Is that a manageable number for your office?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392579"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781626">Well, it continues to increase; every year we receive more reports under PIPA. We have managed so far. I will say I have some concerns. There is some expectation that we'll be seeing mandatory breach reporting in the health sector in Alberta sometime in the fairly near future. That will probably tax the resources of my office.</ParaText><ParaText id="4781627">I will perhaps just say a bit about the structure of breach reporting notification requirements in Alberta, because they are fairly unique— certainly in Canada. While there are some similarities to what's proposed for PIPEDA through the Digital Privacy Act, they're not exactly the same. </ParaText><ParaText id="4781628">In Alberta, the threshold for reporting a matter to my office is where there is a real risk of significant harm. This is the same threshold as for PIPEDA. However, the framework in Alberta gives me the ability to require an organization to notify affected individuals. The act in Alberta does not require the private sector organization immediately to notify. It instead requires them to tell me. If there is a real risk of significant harm, if a reasonable person would think that threshold had been met, then it's an offence for an organization not to report it to me. </ParaText><ParaText id="4781629">When those reports come in, out of the 750 reports that we've received in almost six years, I have an active role in reviewing them. I review the assessment of harm and the likelihood that harm will result from the incident, and I issue a decision for each one. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392604"><PersonSpeaking><Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking><Content><ParaText id="4781630">Should we harmonize our regulations with Europe? It seems that the standard is there.</ParaText><ParaText id="4781631">Ms. Clayton, would you comment on that?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392606"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781632">I think it's very important to be aware of what is happening in Europe. As I mentioned in my comments, one of the things I said to the committee in Alberta that was reviewing our Personal Information Protection Act was that—at least with respect to mandatory breach reporting and notification—I'm feeling pretty good about that. It looks like that's going to be a requirement under the GDPR when it comes into force, and I think we're ahead of the curve as far as that goes.</ParaText><ParaText id="4781633">So yes, I think that's something we all need to be aware of. We certainly need to be thinking about how to strengthen our legislation. Mr. McArthur said that information knows no boundaries, that it's flowing globally. It doesn't work to have a patchwork. You're only as good as your weakest link or your lowest water level. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392640"><PersonSpeaking><Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking><Content><ParaText id="4781634">Thanks very much. </ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392642"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781635">Thank you very much, Mr. Bratina.</ParaText><ParaText id="4781636">We now move to Mr. Jeneroux, please. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392644"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux (Edmonton Riverbend, CPC)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781637">Thank you, everybody, for being here virtually.</ParaText><ParaText id="4781638">Ms. Clayton, it's nice to see you in the staff again. Let's start with you because you're from my favourite city, Edmonton. </ParaText><ParaText id="4781639">You spoke a little about the right to be forgotten. Could you maybe touch on, first of all, why you've seen the increase just recently, and also how you will find that balance? It's fascinating to me how somebody's opinion of what's right to be forgotten and somebody else's opinion are probably quite different. I guess if you could help with some of that opinion.... </ParaText><ParaText id="4781640">Again, Ms. Clayton, I'll start with you and then go around the room if you don't mind. </ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392650"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781641"> I certainly think some of the reasons there is interest in this issue have to do with the explosion or proliferation of technology and social media. You can't pick up the papers without hearing about sexting, cyber-bullying, or information that has been posted that you can never get rid of, but is out there. I think some of that contributes to public awareness: the Internet generally, social media sites, and the amount of information that is out there. </ParaText><ParaText id="4781642">Of course, what has gone along with that is the rise of some of websites in particular. In the office we've seen examples of websites where ex-girlfriends or ex-boyfriends can post information about somebody, and it doesn't necessarily have to be accurate, but it's out there, and they're concerned that it's out there. They're concerned that it will be out there forever and that they will never be able to get rid of it. They're concerned that it will affect their ability to hold a job or get a job, so I think there can be real ramifications.</ParaText><ParaText id="4781643">What is the balance? I mentioned in my opening comments some of the concerns around privacy and freedom of expression. We had a matter under Alberta's PIPA that went to the Supreme Court that was balancing just that. The court found in favour of freedom of expression with respect some political information that a union might post. I think all of these issues in this conversation, this technology, and use of social media sites are pushing discussion about it. So I think we will have to be talking about and dealing with them. Court decisions are also furthering that conversation.</ParaText><ParaText id="4781644">As for finding the balance, I think there is a really important role that regulators have to play, that I, as a regulator, have to play, and that the rest of us who are appearing before you today have to play, as information and privacy commissioners, in being able to balance that. Frequently, under freedom of information legislation—which is access to information and protection of privacy legislation—we are trying to balance privacy with the public interest and the right to access information.</ParaText><ParaText id="4781645"> There is often a tension that needs to be resolved. I think we have some experience in that as information and privacy regulators. I often don't hear that as part of the conversation around the right to be forgotten. It's often more of a question of whether there are charter issues and how the courts will resolve this, but I do think that there's potentially a role for information and privacy commissioners.</ParaText><ParaText id="4781646">Does that answer your question?</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="15">(1615)</Timestamp><Intervention Type="" ToC="No" ToCText="" id="9392691"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781647">Yes, that's good. </ParaText><ParaText id="4781648">Maybe just quickly before we move on from Ms. Clayton, do you agree that the privacy commissioner should have enforcement powers?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392693"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781649">Absolutely. Enforcement powers [<I>Technical difficulty—Editor</I>] infrequently. As I mentioned, close to 90% of the cases that come into our office are resolved informally. We make recommendations, the organization agrees to implement those recommendations, and the matter is resolved. The complainant is happy, and that's the end of it. A small percentage of cases go to inquiry and result in a binding order. It's a very, very small percentage. I think that only once in 10 years have we actually gone to court, filed an order in court—and even that ended up being resolved before the court heard the matter. It's a helpful tool in the tool box, but it's a last resort.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392701"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781650">Mr. McArthur, I didn't hear you really touch on the right to be forgotten. Do you have an opinion on how you find that right balance, if you don't mind?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392704"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781651">Yes, thank you.</ParaText><ParaText id="4781652">There are a couple of points to be made on the right to be forgotten. Today, with the Google v. Spain decision, the right to be forgotten is one of delisting, whereby the results of a search do not display the information, but the source of the information is still available. In the general data protection regulation in Europe, the right to erasure is broader than just delisting or limiting the results of a search. These two differences, where in one case the personal data of a subject can be erased versus where it is just prohibited from being displayed by search engines, are not subtle differences between some people's interpretations of the right to be forgotten, and it needs to be carefully considered when dealing with legislation.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392719"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781653">Cynthia?</ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9392720"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781654">In Quebec, another piece of legislation about the private sector provides for the possibility of correcting or deleting information that is inaccurate, incomplete or equivocal. In fact, a request for rectification from an individual has been filed with the Commission d’accès à l'information. This request was considered by the adjudicative division, but not by my division, namely the oversight division. So it was not a complaint.</ParaText><ParaText id="4781655">This person requested that their personal information be deleted from the site of the company for which they had worked. The company said that the information had been deleted after the dismissal of the person. The person found that this had not been done and that it was still possible to find their information if they did a search through a search engine. The evidence showed that the information about the person came from a website called Wayback Machine, which allows people to take screen shots of a site at a given time. So the company was not responsible. The company had deleted all the information it had on that person from its database.</ParaText><ParaText id="4781656">It was determined that, and I quote: “the right of a person to have incorrect, incomplete or equivocal information corrected in a file about himself or herself is not the 'right to be forgotten', which aims to erase information from public spaces.”</ParaText><ParaText id="4781657">Yes, a decision has been rendered by the adjudicative division, but to my knowledge, no complaint has yet been made to the commission’s oversight division. We follow this closely, taking into account what has happened in Europe and the various decisions that may have been made, in order to see how Europe's regulations could be tied in with Quebec's.</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="20">(1620)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392748"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781658">Thank you very much.</ParaText>
							<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><ParaText id="4781659"> We now move to Madam Trudel, for seven minutes, please. </ParaText><ParaText id="4781660">Welcome to the committee.</ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9392750"><PersonSpeaking><Affiliation DbId="230113" Type="49">Ms. Karine Trudel (Jonquière, NDP)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781661">Thank you, Mr. Chair.</ParaText><ParaText id="4781662">Thank you very much for your presentations.</ParaText><ParaText id="4781663">As my colleague Mr. Bratina said, this is a very complex issue. Since I am new on this committee, you will forgive me if don't use the proper terms.</ParaText><ParaText id="4781664">My questions are for you, Ms. Chassigneux. I am from Quebec and I am pleased to speak to you about Ottawa.</ParaText><ParaText id="4781665">When you talked about consent and the phrase “I agree”, images popped up in my head. Yesterday, I was actually surfing a site and I had no way of accessing it without agreeing to give my consent. I’m going to ask you about that, but beforehand, I'd like to hear your opinion on another issue.</ParaText><ParaText id="4781666">In your presentation, you said that European legislation has explored other avenues and you left it at that. Could you elaborate on those other avenues? What should we do to make our lives easier and to bring Canadian legislation more in line with the European legislation?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392761"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781667">In my presentation, when I spoke of other avenues, I was also referring to the consent document of the federal commissioner's office and the document submitted to committee members. These documents show the different possible avenues.</ParaText><ParaText id="4781668"> Last fall, the federal commissioner's office conducted a consultation. The other avenues considered related to the issue of whether we should move toward no-go zones where it wouldn't be possible to collect personal information and whether we should have much more detailed privacy policies. Also, in its 2011 five-year report, the Commission d'accès à l'information had already recommended that legislators establish detailed privacy policies.</ParaText><ParaText id="4781669">In other words, there would be a fairly detailed general policy and a simplified policy. It's what we call multi-layered policies. These simplified policies can be adapted to each communication tool, such as a cellphone, tablet or computer. There could be even icons or pictograms showing that the required consent concerns people under the age of 13 or parents. It would be something very visual. </ParaText><ParaText id="4781670">As you said, we can't access certain sites without clicking everywhere or filling in all the boxes. To provide a simple email address, does the person's location need to be known and does all sorts of information need to be collected? It happened to me this past weekend. I won't name the site, but we can't register for it without filling in an entire page that contains at least 10 questions.</ParaText><ParaText id="4781671">In this type of case, is our consent truly free and informed? We must ask ourselves these questions. The answer lies in the question.</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="25">(1625)</Timestamp><Intervention Type="" ToC="No" ToCText="" id="9392789"><PersonSpeaking><Affiliation DbId="230113" Type="49">Ms. Karine Trudel</Affiliation>: </PersonSpeaking><Content><ParaText id="4781672">Thank you. I appreciate what you're saying. We may not have consulted the same site, but the same thing happened to me.</ParaText><ParaText id="4781673">I think the consent issue should be better regulated. We aren't free to either access these sites or refuse to disclose our personal information.</ParaText><ParaText id="4781674">I'll go back to the consent model, since I have problems with this aspect in particular on both a personal level and in the study.</ParaText><ParaText id="4781675">What can we do?</ParaText><ParaText id="4781676"> You spoke earlier about a person and the right to be forgotten. Another site had captured the images of this person. For me and no doubt for many others, the Internet is a vast territory. It goes on for miles and miles.</ParaText><ParaText id="4781677">My question is really limited, but I want to know what can be done to prevent these incidents from happening after a person has provided personal information and agreed to its disclosure.</ParaText><ParaText id="4781678"> Could we implement stricter processes to prevent this type of situation, including the one you mentioned earlier?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392800"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781679">Some people think the sites should be required to set preference parameters. When we enter a site, we can agree that our information may be shared for a particular purpose. However, sometimes the site then changes its business model or approach. As a result, our preference settings may be changed. However, in these types of situations, the site should notify us that the privacy policy or preferences have been changed. When a site changes its business model, the preferences indicated by people on the site should be maintained. The businesses are responsible for doing this. That's a fact.</ParaText><ParaText id="4781680">However, as I said earlier, consent is a shared responsibility. One person shouldn't be carrying the entire burden. That person is not responsible for making sure the privacy policies are suitable. A Quebec resident or business can read the policy. However, we all know that, in general, we don't necessarily have enough time and energy to read the privacy policies. Studies have even determined how much time would be needed to read all the privacy policies of the sites we visit each day.</ParaText><ParaText id="4781681">Our preferences must be maintained if a site changes its business model. It would then be our job to check from time to time whether our preferences are still the same. It's a shared responsibility and a matter of finding a balance. That's one solution. I can't think of any others for the moment. If you want, I could provide more information to the committee later on the subject.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392826"><PersonSpeaking><Affiliation DbId="230113" Type="49">Ms. Karine Trudel</Affiliation>: </PersonSpeaking><Content><ParaText id="4781682">Thank you.</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9392827"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781683"> Thank you very much.</ParaText><ParaText id="4781684">We'll now move to the last of the seven-minute rounds.</ParaText><ParaText id="4781685">Mr. Saini, the floor is yours for seven minutes. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392829"><PersonSpeaking><Affiliation DbId="216078" Type="47">Mr. Raj Saini (Kitchener Centre, Lib.)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781686">Thank you all very much for being here. </ParaText><ParaText id="4781687">I wanted to touch on Mr. Bratina's point because I wanted some clarity.</ParaText><ParaText id="4781688">We know that in May of 2018, the GDPR is going to come into effect. Having just recently signed CETA, we know that for our business people, we have to come in compliance with that data protection regulation. We also know that if the United States wants to do business with Europe, it will have to come under that regime also. </ParaText><ParaText id="4781689">Am I assuming correctly?</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="30">(1630)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392837"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781690">Are you addressing that question to—</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" id="9392839" ToCText=""><PersonSpeaking><Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking><Content><ParaText id="4781691">Yes. Just the line of questioning.... </ParaText><ParaText id="4781692">If we have to come to the standard of the GDPR, I would assume that the United States would also have to come to the standard of the GDPR. </ParaText><ParaText id="4781693">Now, when I look at the privacy regimes in Canada, I see there are actually four. There is PIPEDA, and then there's what they determined in Alberta, B.C., and Quebec to be substantially similar privacy information protection acts. If you look domestically, if we're looking at reducing internal trade barriers and also looking at the fact that business people in provinces across Canada will have to raise their level to the European standard, would it not be...? Even right now there are differences between Alberta and B.C. Alberta and B.C. have three types of consent. Alberta has a privacy breach provision; B.C. and Quebec don't have a privacy breach provision. Ultimately, if we're going to rise to the GDPR level to make sure that we trade, eventually the whole country will have to have something that's much more substantially similar than what we have now—and also if the United States rises to that level, would it not be better to create one regime across the whole country? </ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392852"><PersonSpeaking><Affiliation DbId="230007" Type="28">Mr. Michael McEvoy</Affiliation>: </PersonSpeaking><Content><ParaText id="4781694">May I just make a comment about the U.S. regime?</ParaText><ParaText id="4781695">I think they have some significant challenges. They have used a mechanism described initially, I think, as a “safe harbour”, which is almost a self-certification system for U.S. companies doing business in Europe. That was challenged in court in Europe and in fact went down; it was ruled contrary to European law. They then developed a privacy shield, and I gather that there are challenges to that.</ParaText><ParaText id="4781696">The United States has a very patchwork approach to privacy, and it's often sectoral. There might be a law for child protection; there might be a law through the Federal Trade Commission for unfair trade practices. They don't have a uniform, standard approach to these things. </ParaText><ParaText id="4781697">Frankly, this may actually be a Canadian competitive advantage in dealing with our European colleagues. </ParaText><ParaText id="4781698">I wouldn't overstate the differences among our Canadian jurisdictions. There's some similarity in the consent provisions. I think we would agree that on the mandatory breach notification, everybody is going to have to come up to that standard. Nonetheless, said, there is some degree of uniformity across the country, in addition to the fact, which we mentioned earlier, that there is cooperation among our offices across the country. </ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392871"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781699">I would like to add to that, to back up what Michael has said.</ParaText><ParaText id="4781700"> Remember that Alberta's legislation and B.C.'s legislation, for example, were drafted at almost the exact same time using almost exactly the same language, so they're very similar. Both have been deemed, along with Quebec's legislation, to be substantially similar to the federal PIPEDA. </ParaText><ParaText id="4781701">Yes, it has been the case that certain provinces have gone ahead with.... We talk about “made in Alberta” legislation. That's the way the legislature wanted to act back in the early 2000s. The idea was that made in Alberta legislation could better address the issues of small and medium-sized businesses, and there was a lot of support for local enforcement, frankly, with a commissioner who has order-making power.</ParaText><ParaText id="4781702">Having said that, we have seen efforts to bring all jurisdictions to the same level. Even though reviews have happened provincially and at a federal level, I think we're all going in the same direction, getting there at slightly different times, perhaps.</ParaText><ParaText id="4781703"> I would also like to go back to the comment that I think Michael made earlier, that we cooperate across the country in the private sector jurisdiction. We meet and discuss as regulators and make an effort and devote a lot of energy to making sure that we are regulating in a consistent and harmonious way, to not introduce challenges where there don't need to be challenges. There are differences in the legislation, but generally the acts are quite similar.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392887"><PersonSpeaking><Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking><Content><ParaText id="4781704">I want to go back to a point you raised about children and their privacy. In the United States, the FTC handles the privacy of children under the age of 13, and with the GDPR regulations coming out, the age will be 16. I don't know whether in PIPEDA we have defined in law the age of a child who is considered a minor, but we know that many websites in the United States, especially children's websites, are more highly tracked than adult websites. </ParaText><ParaText id="4781705">Should certain children's websites be no-go zones from which no information can be collected or processed? Under the FTC right now, any child under the age of 13 on certain websites needs parental permission, and for anything over that, the permissions can be circumvented by a child. Should there be a no-go zone in certain children's websites to make sure that their information is not tracked or their privacy breached in any way?</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="35">(1635)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392895"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781706">I'll take a first shot at answering that. </ParaText><ParaText id="4781707">PIPEDA does not recognize age as an issue for the collection, use, or disclosure of personal information. Citizens of all ages are protected under PIPEDA. </ParaText><ParaText id="4781708">In the B.C. act, a minor who is capable of exercising his or her rights may legally do so under the act, and if the child is not capable, someone acting in the best interest of the individual may act in their capacity. Children, then, are protected already under the B.C. act, and personal information of any citizen, regardless of age, is currently protected under PIPEDA.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392898"><PersonSpeaking><Affiliation DbId="229706" Type="40">The Vice-Chair (Mr. Nathaniel Erskine-Smith (Beaches—East York, Lib.))</Affiliation>: </PersonSpeaking><Content><ParaText id="4781709">That takes us to the end of the seven-minute round.</ParaText><ParaText id="4781710">We begin the five-minute round with Mr. Kelly.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392901"><PersonSpeaking><Affiliation DbId="218278" Type="47">Mr. Pat Kelly (Calgary Rocky Ridge, CPC)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781711">Thank you, Mr. Chair.</ParaText><ParaText id="4781712"> Commissioner Clayton, in your opening remarks, you talked about discussing our exercise of identifying areas for improvement or shortcomings, if any, in the subject matter we're looking at. What shortcomings have you identified in PIPEDA, or for that matter in PIPA, your own act?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392910"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781713"> I'm happy to answer that. If I can clarify, when I was talking about areas for improvement, that might have been specifically in some comments I was making about consent. Is your question specifically about limitations of the consent model?</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392914"><PersonSpeaking><Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking><Content><ParaText id="4781714">No, it's not.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392916"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781715">Or is it just about general limitations in the legislation?</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392918"><PersonSpeaking><Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking><Content><ParaText id="4781716">It's limitations in the legislation.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" id="9392920" ToCText=""><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781717"> I'll start with my own legislation. I did make a submission recently on Alberta's second legislated review of its PIPA. That concluded at the end of last year. My submission to the review committee included 10 recommendations for strengthening the legislation. I said I thought that PIPA worked quite well. I think it's strong legislation. Again, the made in Alberta solution was supposed to be legislation that would make sense to smaller organizations. The feedback I've had from small and medium-sized businesses is that it works quite well from an enforcement point of view as well.</ParaText><ParaText id="4781718">We've had very few recommendations, and some of them are not applicable in the federal context. For example, I had asked to extend the scope of Alberta's legislation to include all non-profit organizations, which is the case in British Columbia, but is not the case in Alberta. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392930"><PersonSpeaking><Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking><Content><ParaText id="4781719">There's no glaring shortcoming that's crying out for immediate action?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392931"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781720">I think there is. That's my concern.</ParaText><ParaText id="4781721">One of the things we did talk about, and a recommendation I made to amend our provincial legislation, was to require that organizations have a privacy management program in place. This does speak to some of what we're expecting to see when the GDPR comes into force. Alberta, B.C., and the federal office all came together in 2012 and came up with a published joint guidance document called, “Getting Accountability Right with a Privacy Management Program”. That document sets out the basic foundational building blocks of a privacy management framework and says, before you can do privacy compliance, you need to have these basic things in place. We all agreed on that, across the country.</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="40">(1640)</Timestamp><Intervention Type="" ToC="No" ToCText="" id="9392934"><PersonSpeaking><Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking><Content><ParaText id="4781722">If I think of some of the very smallest enterprises, particularly organizations or enterprises that may not conduct business on the Internet, is that recommendation a bit onerous? Does the local curling club need a privacy officer, a written privacy policy, and a privacy management framework to have people curl at their club, for example?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392936"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781723">I think somebody should be responsible for privacy, and that's already in our legislation. They do need to have policies, but they don't need to be written, according to Alberta's PIPA. I can't speak for PIPEDA or B.C.'s PIPA. I think any legislation of a requirement to have a privacy management program does require that some mindfulness be given to scaling such a program to the organization. I'm not sure that these small organizations shouldn't be concerned about privacy, because it could be a very small organization with only two employees collecting, say, credit card information. As a consumer, I would want to know that if I'm giving my credit card information to this very small organization, they have an obligation to safeguard that information. I do think it's scalable.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392938"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781724"> Thank you very much, Mr. Kelly. We're at five minutes.</ParaText><ParaText id="4781725">Mr. Erskine-Smith, you now have five minutes.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392939"><PersonSpeaking><Affiliation DbId="229706" Type="40">Mr. Nathaniel Erskine-Smith (Beaches—East York, Lib.)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781726">Thanks very much.</ParaText><ParaText id="4781727">I wanted to start by asking about enforcement powers. One model is order making. Another model is fining powers, administrative monetary penalties, and/or a combination of the two. </ParaText><ParaText id="4781728">We heard testimony the other day that in the EU there are significant fining powers. I think it's up to 4% of company revenue.</ParaText><ParaText id="4781729">What are your comments on whether we should empower the Office of the Privacy Commissioner with such administrative monetary penalty powers? Would that be a good idea?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392944"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781730">In the B.C. act, there are fines, but they've never been imposed. </ParaText><ParaText id="4781731">In terms of the adequacy of compliance or alignment with the GDPR, I think both Canada and the provinces are going to have to examine the amount of their fines, and to bring them more in line with what the GDPR is looking at in order to be considered adequate.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392947"><PersonSpeaking><Affiliation DbId="216082" Type="40">Mr. Nathaniel Erskine-Smith</Affiliation>: </PersonSpeaking><Content><ParaText id="4781732">With respect to transparency, the previous privacy commissioner suggested that there be public reporting requirements. Under PIPEDA, law enforcement agencies and institutions can obtain personal information from companies without consent or a warrant for a relatively wide range of purposes. The previous commissioner recommended ensuring that the public be made aware of how often this occurs. Do you think that's fair? </ParaText><ParaText id="4781733">Does anyone have objections to that idea? Maybe that's a better way of phrasing it. </ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392948"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781734">I think it's important that the public be made aware of when or how often law enforcement agencies are approaching certain organizations. We're now seeing organizations taking the opportunity to voluntarily publish transparency reports that indicate how many times they've been approached. </ParaText><ParaText id="4781735">There may be times when an organization may be prohibited from doing so, and the laws currently recognize that. The organization may be prohibited from disclosing the fact that they've been approached, either by a national security organization or a law enforcement agency, but for the most part, I think it's important that Canadians be made aware of how many times their personal information is being requested under lawful access.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392950"><PersonSpeaking><Affiliation DbId="216082" Type="40">Mr. Nathaniel Erskine-Smith</Affiliation>: </PersonSpeaking><Content><ParaText id="4781736">So you favour openness by default, subject to national security or other overriding public interest concerns?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392951"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781737">Correct.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392952"><PersonSpeaking><Affiliation DbId="216082" Type="40">Mr. Nathaniel Erskine-Smith</Affiliation>: </PersonSpeaking><Content><ParaText id="4781738">With respect to a further question on accountability, the previous privacy commissioner spoke of enforceable agreements. Where there has been an audit per se, and the OPC has issued recommendations for compliance to organizations that there would be enforceable agreements that would be entered into. He further recommended that the accountability-related principals in the act, from schedule 1, section 4.1, be reviewable by a federal court.</ParaText><ParaText id="4781739">I don't know if there's a view from your three offices on that. Would there be any opposition to those recommendations?</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="45">(1645)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392957"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781740">I wouldn't have any objection to that, but I think you would want to look at it within the entire toolbox of enforcement powers. For example, I did not go to the committee that was reviewing PIPA, to talk about the need for enforceable agreements, because I have order-making power.</ParaText><ParaText id="4781741">If you're looking at something like order-making power, you might not be in a position where enforceable agreements—</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392960"><PersonSpeaking><Affiliation DbId="216082" Type="40">Mr. Nathaniel Erskine-Smith</Affiliation>: </PersonSpeaking><Content><ParaText id="4781742">That makes sense.</ParaText><ParaText id="4781743">We had the commissioner before us the other day, and he talked about the potential need for alternatives to a consent model under PIPEDA. That struck me as odd, in part because I understand the consent model under PIPEDA to be quite flexible and that it can grow over time with different technologies. Should we be looking at alternatives to consent?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392962"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781744">In the case of the B.C. act, I've indicated already that we haven't seen challenges, but where technology is taking us in the analysis of big data, there is a large amount of discussion around the analytics that can be unleashed upon information that was not originally collected for a purpose that might become apparent upon the running of those analytics. </ParaText><ParaText id="4781745">The challenge that exists now is the ability of organizations to innovate with the data that they have within the context of consent when they don't necessarily understand what might be unveiled at the end of the analytic process.</ParaText><ParaText id="4781746">We see technology now allowing for greater possibilities. At the end of the day, we believe there needs to be protection. People should be aware that their information is going to be analyzed. If it's going to be de-identified, there need to be protections built in so that it's not re-identified.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392970"><PersonSpeaking><Affiliation DbId="216082" Type="40">Mr. Nathaniel Erskine-Smith</Affiliation>: </PersonSpeaking><Content><ParaText id="4781747"> I've run out of time, but if your offices have different models or alternatives to consent that you think this committee should consider, I would appreciate it if you would submit those ideas in writing.</ParaText><ParaText id="4781748">Thanks very much.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392974"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781749">Thank you very much.</ParaText><ParaText id="4781750">We now go to Mr. Jeneroux for five more minutes, please.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392976"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781751">Great. Thanks again, Mr. Chair.</ParaText><ParaText id="4781752">Your offices deal with businesses and in the context of people's relationships with businesses. I'm curious to know if you have any performance indicators, satisfaction metrics, or public consultation information you've done, which you can point to, that support or don't support some of your comments.</ParaText><ParaText id="4781753">We'll start again with Ms. Clayton.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392981"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781754">It depends on which topics you might be looking for performance metrics. We did a general population survey back in 2015 to get a sense of how individuals feel about privacy. We asked if they think it's important, if they feel their information is protected, if they are aware of our office, and if they think this is an important issue. That's on our website.</ParaText><ParaText id="4781755">We also did a survey of the stakeholders that we regulate in all three sectors, and asked them questions about their privacy management programs. Do they do training? Do they have written policies? Do they have incident reporting mechanisms? Do they do privacy impact assessments? We asked a whole lot of questions around those sorts of issues, as well as our own processes and things like that. </ParaText><ParaText id="4781756">Those documents and reports are both available on our website. The plan is to have a five-year interval, so probably it will be next year that we'll do it again and see whether or not there's been any movement.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392987"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781757">Okay.</ParaText><ParaText id="4781758">Mr. McArthur, go ahead.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9392988"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781759">First of all, we publish—as do other commissioners—annual reports on how our legislation is being enforced and our enforcement activities. We've just undertaken our first public awareness survey to assess people's awareness of the functions of our office and their privacy rights, whether in relation to the public or private sector.</ParaText><ParaText id="4781760">We do not have any information to add to the mix that says whether or not people are comfortable or happy with how businesses are performing under that.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392989"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781761">Sorry, I just want it to be clear: is that also in the context of the businesses, and not just the individuals? You do go out and ask, as Ms. Clayton said, the usual suspects, for lack of a better term....</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="50">(1650)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9392992"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781762">Our public awareness survey surveyed about 1,000 citizens. It was more about their awareness of the functions of our office and their rights. It was not related to specific businesses, or whether or not they were comfortable with business practices.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9392993"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781763">Okay.</ParaText><ParaText id="4781764">Ms. Chassigneux.</ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9392994"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781765"> It's the same thing in Quebec. We also publish annual reports on the number of files, the number of complaints submitted to the Commission d'accès à l'information and the resolved complaints.</ParaText><ParaText id="4781766">I don't think a satisfaction survey has been conducted recently. There may have been one already, but I would need to check. I have been at the Commission d'accès à l'information for six years, and I don't remember any satisfaction survey being conducted with individuals, businesses or public agencies. I know that awareness campaigns are conducted to inform individuals, businesses and public agencies of the commission's existence and role.</ParaText><ParaText id="4781767">At the moment, I can't answer this question. However, I could check and send the information to the committee.</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9392997"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781768">That would be great.</ParaText><ParaText id="4781769">There's nothing on your end, Ms. Chassigneux, that would indicate that businesses are pleased, then, or that it's burdensome?</ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9392999"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781770">Government directions were provided in late 2015 or early 2016. A parliamentary commission was held and people presented briefs. The only figures that come to mind don't necessarily concern time frames. The complaints may focus more on the processing times for the commission's files, both for jurisdictional matters and for the oversight of research authorizations. We've heard a lot more about this in the press, but I don't have any figures on hand. As I said, I could check with the general secretariat.</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9393008"><PersonSpeaking><Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781771"> Thank you.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9393010"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781772">We will now move to Mr. Dubourg for five minutes, please.</ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9393013"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg (Bourassa, Lib.)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781773"> Thank you, Mr. Chair.</ParaText><ParaText id="4781774">It's my turn to acknowledge the witnesses who presented their briefs. I want to thank them.</ParaText><ParaText id="4781775"> We're indeed always saying the subject is complicated. My first questions are for Mr. McArthur. </ParaText><ParaText id="4781776">In your presentation, you spoke of mediation. You said that you resolve the cases submitted to you mostly through mediation. You also said that fines in Canada pale in comparison with the fines in Europe.</ParaText><ParaText id="4781777">Given that you don't seem to impose penalties, do you agree that PIPEDA should establish penalties that are as heavy as or that are similar to the penalties in Europe?</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9393024"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781778">Yes, we are in favour, and have recommended to our parliamentary review committee, that the fining be increased in the public sector, and also in the private sector acts, to have more of a deterrent effect. We are not seeing cases so much in the private sector, but are in the public sector. Information there is being accessed inappropriately, and individuals, even though they are aware of their obligations not to access that information, are still doing so. We believe that we need greater deterrence in the form of larger fines.</ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9393034"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking><Content><ParaText id="4781779">Thank you.</ParaText><ParaText id="4781780">I have one final question for you.</ParaText><ParaText id="4781781">You must certainly know Vincent Gogolek, from the BC Freedom of Information and Privacy Association. He appeared before this committee. He told us, among other things, that the federal political parties should also be subject to PIPEDA.</ParaText><ParaText id="4781782">What do you think?</ParaText></Content></Intervention>
					<Timestamp Hr="16" Mn="55">(1655)</Timestamp><FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9393038"><PersonSpeaking><Affiliation DbId="225902" Type="28">Mr. Drew McArthur</Affiliation>: </PersonSpeaking><Content><ParaText id="4781783">I agree with Mr. Gogolek that Canadians' personal information should be protected, no matter which organization is collecting that information. As I noted in my earlier remarks, in B.C. the political parties fall under the ambit of our act. If a federal political party were collecting the information of a B.C. citizen, we might argue that we would want the ability to investigate that, and we would undertake that.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9393041"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking><Content><ParaText id="4781784">Thank you very much.</ParaText>
							<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><ParaText id="4781785">Ms. Chassigneux, in the few minutes I have left, I also want to ask you a few questions.</ParaText><ParaText id="4781786">In your presentation, you said that consent is provided in principle only, and that the term isn't well understood by businesses. Under this legislation, consent is very important, if not crucial.</ParaText><ParaText id="4781787">How can the concept of consent be explained to SMEs and to all businesses?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9393044"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781788">First, I hope that I didn't say consent was just a principle.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9393046"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking><Content><ParaText id="4781789">You said “in principle.”</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9393047"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781790">Consent is provided in principle only, but consent is not only a principle. It's a key aspect of privacy. I just wanted to make that clear.</ParaText><ParaText id="4781791">The Act respecting the protection of personal information in the private sector clearly states that consent must be obtained from the person concerned as regularly as possible, and not necessarily without the person's knowledge or from a third party. If consent must be obtained from the third party, it can be done with the consent of the person concerned, or, under some circumstances, without the person's knowledge.</ParaText><ParaText id="4781792">In its recent five-year report, the Commission d'accès à l'information also asked that consent be modified with regard to a person entering a public space or a store with surveillance cameras, for example. The people concerned must be informed about this collection of information and they must know they're in a monitored location. This type of collection of information without a person's knowledge must be shared with the person so that they know they'll be filmed when they enter that location. It's a form of implied or express consent.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9393061"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking><Content><ParaText id="4781793"> I understand.</ParaText><ParaText id="4781794">Very quickly, Mr. Chair.</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9393063"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781795"> Go ahead, Monsieur Dubourg, very quickly, please. </ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9393064"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking><Content><ParaText id="4781796">I want to ask Ms. Chassigneux whether she has any information to give us. She brought up a point that I also find very important. She spoke of files and personal information found in the files. She now wants us to look at the purpose of the collection.</ParaText><ParaText id="4781797">Ms. Chassigneux, since I don't have any more time, I would appreciate it if you could send us the information.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9393066"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781798">No problem.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9393067"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking><Content><ParaText id="4781799">Thank you.</ParaText></Content></Intervention>
					<Intervention Type="Debate" ToC="No" ToCText="" id="9394048"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781800">We talked about this in our recent five-year report, but I would be happy to send you the information.</ParaText></Content></Intervention>
					<Intervention Type="Debate" ToC="No" ToCText="" id="9394056"><PersonSpeaking><Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking><Content><ParaText id="4781801">Thank you.</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9393069"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781802">Thank you, Mr. Dubourg. I appreciate that. </ParaText><ParaText id="4781803">We have our last official time allocation of three minutes for Ms. Trudel, from the New Democratic Party. </ParaText><ParaText id="4781804">But colleagues, we do have a little bit of time. If any of the rest of you have questions, especially those who haven't asked questions yet—I see Mr. Long indicating that he does—we'll have a little bit of time to ask some questions at the end before we break.</ParaText><ParaText id="4781805">Then, colleagues, we do have a little bit of committee business that we need to take care of afterwards in regard to a budget for this committee, so we'll consider that as well. </ParaText><ParaText id="4781806">Ms. Trudel, the floor is yours. </ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9393072"><PersonSpeaking><Affiliation DbId="230113" Type="49">Ms. Karine Trudel</Affiliation>: </PersonSpeaking><Content><ParaText id="4781807">Thank you, Mr. Chair.</ParaText><ParaText id="4781808"> I'll continue to ask Ms. Chassigneux questions.</ParaText><ParaText id="4781809">Earlier, we concluded with a discussion on the changing settings of certain websites. Are there related applications that help find information, for example, in a website and transfer it to another website?</ParaText><ParaText id="4781810">Is platform interconnectivity part of the issue of free consent with regard to personal information?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9393080"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781811">Normally, when information is collected on a site and can be transferred to another site, the people responsible for the first site should inform the people providing the information that the information could be transferred to the second site.</ParaText><ParaText id="4781812">If you have a cellphone, you have mobile applications. You also have the possibility of knowing whether the mobile applications can collect the information in your cellphone. When information is transferred from one site to another, it must be done transparently. People must be able to know how their information is getting around.</ParaText><ParaText id="4781813">Does the information remain on the first site? Does it go from the first site to the second site? Where is the information? Where is it retained? Is it retained in Quebec, if we use Quebec as an example? Is it retained outside Quebec?</ParaText><ParaText id="4781814">This must all be transparent, and the businesses must be transparent. We're saying that businesses must establish a culture of privacy. I'm not saying that businesses don't currently have this type of culture. That's not what I mean. I don't remember which of the two commissioners talked about it, but I think it was Ms. Clayton. I'm referring to assessments of the impact of a program's implementation. We need to know what's true, how things are done, who things are done for and why things are done. It's important for the person and Internet user or for anyone who has information that will be collected and shared. </ParaText><ParaText id="4781815">I don't know whether I answered your question.</ParaText></Content></Intervention>
					<Timestamp Hr="17" Mn="00">(1700)</Timestamp><Intervention Type="" ToC="No" ToCText="" id="9393108"><PersonSpeaking><Affiliation DbId="230113" Type="49">Ms. Karine Trudel</Affiliation>: </PersonSpeaking><Content><ParaText id="4781816">Yes, you did. Thank you.</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9393110"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781817">Thank you very much.</ParaText><ParaText id="4781818">Mr. Long, go ahead please. </ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9393112"><PersonSpeaking><Affiliation DbId="216080" Type="47">Mr. Wayne Long (Saint John—Rothesay, Lib.)</Affiliation>: </PersonSpeaking><Content><ParaText id="4781819">Thank you, Chair. </ParaText><ParaText id="4781820">It's great to be back on the committee again after a week away. You did miss me. </ParaText><ParaText id="4781821">I have a question. I want to continue Mr. Saini's questioning with respect to children and ask Ms. Clayton and Ms. Chassigneux their opinions on meaningful consent.</ParaText><ParaText id="4781822">How do you control and manage that? As Mr. Saini said, there are sites for children in the U.S. that have much more tracking software than sites for adults. I have some friends who have kids who are 10, 11, and 12 years old who are on the Internet all the time, and it's a major concern for the parents to know exactly what sites they're going to, what things they're clicking on as well, and what information they are giving away.</ParaText><ParaText id="4781823">Maybe I'll start with Ms. Chassigneux for your opinion whether PIPEDA actually protects children enough, or on what changes you would make to it.</ParaText></Content></Intervention>
					<FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage><Intervention Type="Interjection" ToC="No" ToCText="" id="9393125"><PersonSpeaking><Affiliation DbId="230009" Type="28">Ms. Cynthia Chassigneux</Affiliation>: </PersonSpeaking><Content><ParaText id="4781824"> I wouldn't dare comment on the federal legislation. However, one thing is certain. As mentioned earlier, in Quebec and British Columbia, the discussions about personal information and privacy concern everyone, regardless of age.</ParaText><ParaText id="4781825"> In its 2011 five-year report, Quebec did recommend that the protection of minors be taken into consideration. Minors are visiting websites more and more often, or, as you said, spending the entire day surfing on the Internet and on mobile applications. This issue is a concern in Quebec. There have even been awareness campaigns.</ParaText><ParaText id="4781826">Recently, the minister responsible for access to information and the reform of democratic institutions launched an information campaign. In 2011-12, the Commission d'accès à l'information du Québec also conducted an awareness campaign in schools for students. It's important. We're continuing to recommend this in our report. I think the federal legislation should take this into consideration. If we're taking this into consideration, it should also be taken into consideration at the federal level.</ParaText></Content></Intervention>
					<FloorLanguage language="EN">[<I>English</I>]</FloorLanguage><Intervention Type="" ToC="No" ToCText="" id="9393129"><PersonSpeaking><Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking><Content><ParaText id="4781827"> Thank you.</ParaText><ParaText id="4781828">Ms. Clayton, can you weigh in on that, please?</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9393131"><PersonSpeaking><Affiliation DbId="220425" Type="28">Ms. Jill Clayton</Affiliation>: </PersonSpeaking><Content><ParaText id="4781829">In Alberta, I think we have essentially the same situation as was described in B.C. and Quebec. The legislation protects everybody's personal information, regardless of age. We do have the idea of a mature minor who is able to thoughtfully exercise his or her rights under the legislation, who can make access requests, for example, and make a complaint with our office. We had that recently—a matter that resulted in an order in our public sector. It had to do with a transgender student who made a complaint to our office.</ParaText><ParaText id="4781830">The legislation in Alberta does not specifically address this issue of children. Are they particularly vulnerable? That's a matter I would address. Sometimes a self-reported breach comes in, and in terms of notifying individuals, that is a factor that I take into consideration. Whose information was breached? Do we have a vulnerable population? Are there seniors, dependants, adults, children? There are lots of potentially vulnerable populations. </ParaText><ParaText id="4781831">I will say that a couple of years ago, we participated, along with my co-panellists, in the Global Privacy Enforcement Network sweep of Internet sites and apps, specifically those that were targeting children, and we found some disturbing results. A lot of these websites and apps are collecting information of children. They're not particularly transparent about what they're collecting, nor are they necessarily collecting only the information that is necessary for their purpose, for example, the service that the app is producing. That doesn't necessarily require anything special, or amendments to the existing legislation, because I'm not sure that some of those apps and websites are complying with existing legislation. I think you can get at some of those issues through existing legislation.</ParaText></Content></Intervention>
					<Timestamp Hr="17" Mn="05">(1705)</Timestamp><Intervention Type="Interjection" ToC="No" ToCText="" id="9393147"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781832">Mr. Long.</ParaText></Content></Intervention>
					<Intervention Type="" ToC="No" ToCText="" id="9393149"><PersonSpeaking><Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking><Content><ParaText id="4781833">Very good.</ParaText></Content></Intervention>
					<Intervention Type="Interjection" ToC="No" ToCText="" id="9393150"><PersonSpeaking><Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking><Content><ParaText id="4781834">Does anybody else have any questions they would like to ask?</ParaText><ParaText id="4781835">No?</ParaText><ParaText id="4781836">Colleagues, I'm going to thank our witnesses on behalf of everyone here. Thank you very much for taking the time out of your very busy schedules to join us here as we deliberate on and review the federal legislation when it comes to private sector protection of information.</ParaText><ParaText id="4781837">Colleagues, I'm going to suspend the meeting right now. We're going to go in camera and have a discussion about a few things. </ParaText><ParaText id="4781838">I would like to thank our witnesses. We know we can call upon you again if we need to. For those of you who have committed to sending us some follow-up information, we look forward to that.</ParaText><ParaText id="4781839">Thank you very much. Have a good day.</ParaText><ParaText id="4781840">[<I>Proceedings continue in camera</I>]</ParaText></Content></Intervention>
				</SubjectOfBusinessContent></SubjectOfBusiness></OrderOfBusiness></HansardBody></Hansard>
