﻿<?xml version="1.0" encoding="UTF-8"?>
<Hansard xml:lang="EN" id="9402254">
  <StartPageNumber>1</StartPageNumber>
  <DocumentTitle>
    <DocumentName>EVIDENCE</DocumentName>
  </DocumentTitle>
  <ExtractedInformation>
    <ExtractedItem Name="InstitutionDebate">Standing Committee on Access to Information, Privacy and Ethics</ExtractedItem>
    <ExtractedItem Name="Number">NUMBER 049</ExtractedItem>
    <ExtractedItem Name="Session">1st SESSION</ExtractedItem>
    <ExtractedItem Name="Parliament">42nd PARLIAMENT</ExtractedItem>
    <ExtractedItem Name="Date">Thursday, February 23, 2017</ExtractedItem>
    <ExtractedItem Name="DateOtherLang">Le jeudi 23 février 2017</ExtractedItem>
    <ExtractedItem Name="Institution">Standing Committee on Access to Information, Privacy and Ethics</ExtractedItem>
    <ExtractedItem Name="Country">CANADA</ExtractedItem>
    <ExtractedItem Name="RecordingNote">[Recorded by Electronic Apparatus]</ExtractedItem>
    <ExtractedItem Name="HeaderTitle">EVIDENCE</ExtractedItem>
    <ExtractedItem Name="HeaderDate">February 23, 2017</ExtractedItem>
    <ExtractedItem Name="MetaDocumentCategory">Committee</ExtractedItem>
    <ExtractedItem Name="MetaTitle">Edited Evidence * Table of Contents * Number 049 (Official Version)</ExtractedItem>
    <ExtractedItem Name="MetaTitleEn">Official Report * Table of Contents * Number 049 (Official Version)</ExtractedItem>
    <ExtractedItem Name="MetaTitleFr">Témoignages * Table des matières * Numéro 049 (Version officielle)</ExtractedItem>
    <ExtractedItem Name="MetaNumberNumber">49</ExtractedItem>
    <ExtractedItem Name="MetaDateNumDay">23</ExtractedItem>
    <ExtractedItem Name="MetaDateNumMonth">02</ExtractedItem>
    <ExtractedItem Name="MetaDateNumYear">2017</ExtractedItem>
    <ExtractedItem Name="MetaCreationTime">2017/02/23 15:30:00</ExtractedItem>
    <ExtractedItem Name="MetaInstitution">House of Commons</ExtractedItem>
    <ExtractedItem Name="InstitutionDebateFr">Comité permanent de l'accès à l'information, de la protection des renseignements personnels et de l'éthique</ExtractedItem>
    <ExtractedItem Name="InstitutionDebateEn">Standing Committee on Access to Information, Privacy and Ethics</ExtractedItem>
    <ExtractedItem Name="Acronyme">ETHI</ExtractedItem>
    <ExtractedItem Name="SpeakerTitle">Chair</ExtractedItem>
    <ExtractedItem Name="SpeakerName">Mr. Blaine Calkins</ExtractedItem>
    <ExtractedItem Name="ParliamentNumber">42</ExtractedItem>
    <ExtractedItem Name="SessionNumber">1</ExtractedItem>
    <ExtractedItem Name="InCameraNote">PUBLIC PART ONLY - PARTIE PUBLIQUE SEULEMENT</ExtractedItem>
  </ExtractedInformation>
  <HansardBody>
    <OrderOfBusiness>
      <CatchLine />
      <SubjectOfBusiness>
        <SubjectOfBusinessContent>
          <Timestamp Hr="15" Mn="30">(1530)</Timestamp>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402260">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair (Mr. Blaine Calkins (Red Deer—Lacombe, CPC))</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786790"> Good afternoon, colleagues.</ParaText>
              <ParaText id="4786791">I know that many of us are anxious, as this is the last week of four before we go home for a constituency break week, but we have with us some very distinguished panellists to help us in the deliberations on our current study, which is on the Personal Information Protection and Electronic Documents Act, more affectionately known by Canadians on a daily basis as PIPEDA.</ParaText>
              <ParaText id="4786792">From the Centre for Law and Democracy, we are joined once again by Mr. Michael Karanicolas, a senior legal officer, by video conference.</ParaText>
              <ParaText id="4786793"> It's good to see you again, Mr. Karanicolas.</ParaText>
              <ParaText id="4786794">As an individual, we again have joining us Teresa Scassa, a full professor at the University of Ottawa. </ParaText>
              <ParaText id="4786795">Thanks, Teresa, for joining us again. It's always a pleasure to have you here.</ParaText>
              <ParaText id="4786796">For the first time ever appearing before the committee, in his debut game—I mean, debut “appearance”—we have Florian Martin-Bariteau, assistant professor with the common law section of the Faculty of Law and the director of the Centre for Law, Technology and Society at the University of Ottawa.</ParaText>
              <ParaText id="4786797">As we normally do in this committee, we'll have a 10-minute opening statement from each of you. We'll simply go in the order in which I introduced you. I think everybody here is familiar with how this happens.</ParaText>
              <ParaText id="4786798">We'll start with you, Mr. Karanicolas. You have up to 10 minutes, please.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402280">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas (Senior Legal Officer, Centre for Law and Democracy)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786799">Thanks to the committee for your invitation to appear again.</ParaText>
              <ParaText id="4786800">I'd like to start by offering my congratulations to the standing committee for their recommendations to reform the Privacy Act, which were published late last year and which I thought were excellent.</ParaText>
              <ParaText id="4786801">It is, I believe, fairly clear that the current consent-based model of privacy protection is broken. The core dynamic that underlies this model and that drives much of the digital economy is that users may choose to trade their personal information for services. There are undeniable benefits to this model, which has assisted in the rapid spread of the Internet by lowering costs of entry. However, this dynamic relies on meaningful consent, which in turn requires at least a nominal understanding by the contracting party of what they're signing on to. In fact, virtually nobody reads their terms of service agreements, a state of affairs that significantly undermines the legitimacy of the consent obtained.</ParaText>
              <ParaText id="4786802">The OPC report points in part to the length of these agreements and the frequency with which they're presented to users as a cause of this lack of understanding, but it's also worth noting that these agreements are often drafted in a highly convoluted, confusing, and even self-contradictory manner that even technically and legally trained people struggle to understand. There's a vicious cycle at work. The fact that very few users read these agreements or use their substance as a basis for accepting or declining a service gives companies licence, and indeed an incentive, to draft them incredibly broadly. This drafting style and the lack of accessibility further depresses engagement with the agreements by their signatories and so on.</ParaText>
              <ParaText id="4786803">It's also worth noting that the company that presents the agreement and offers a service may often be distinct from the ones that actually collect and process the information. Third party data brokers play an increasingly common role in the Internet's ecosystem. A 2014 study showed that of the 950,000 most popular websites, 88% of them automatically shared visitor information with third parties, an average of 9.5 different third parties per website. The vast majority of this tracking is carried out surreptitiously, with only 2% of third parties including a visible prompt alerting users to their presence.</ParaText>
              <ParaText id="4786804">There's a clear problem here. However, it's important to try to look for solutions that will not derail the current digital economy. Although there are pros and cons to a system where personal information is used as a major currency by which online services are procured, potential avenues forward should be crafted with an eye to maintaining the tremendous benefits that Internet access provides.</ParaText>
              <ParaText id="4786805">One solution, which we strongly support, is to boost the quality of consent by improving the information available to users. A better practice here may include publishing a summary or explanatory guide of the terms of service alongside the full legal version, ensuring that the agreement is easily available for review, and clearly notifying users when a substantial change to the change of service has been made.</ParaText>
              <ParaText id="4786806">The OPC has an important role to play here: to promote better practice in terms of clarity and accessibility of terms of service agreements, and to audit existing agreements for their clarity and accessibility, as well as their accuracy against how information is actually collected and processed. In addition to these steps, the proposal to shift to opt-in consent as a default to the required approach is one that we support. </ParaText>
              <ParaText id="4786807">The move to expand transparency is another important factor to boosting the quality of consent, allowing people to look under the hood of the services and platforms they use. This may include, for example, a right to request an explanation of how their personal information has been used to customize their online experience, or what factors went into a particular decision by the company that they were subject to. However, while there is substantial room by which the quality of user engagement and of consent may be improved, these improvements alone are not sufficient to safeguard the privacy rights of Canadians. The CLD supports the creation of clearly defined no-go zones, as well as proceed-with-caution zones, as mentioned in the OPC report. One important area to consider here is the need for greater clarity on how information can be transferred out to third parties or resold, and what rules should govern these external uses. Broader investigative powers by the OPC are also needed to promote good practice in terms of information management and security.</ParaText>
              <ParaText id="4786808">In terms of the de-identification or anonymization of information, while I think it should certainly be encouraged, it is not a panacea for the current privacy concerns. I would add to the commentary contained in the OPC's report by noting that as anonymization gets stronger, the commercial value of information can often decline, giving businesses an incentive to pursue incomplete solutions. Moreover, the fact that information has been, quote-unquote, anonymized may create a false sense of security, prompting companies to be less vigilant in safeguarding it and consumers to assume that threats to privacy have been nullified.</ParaText>
              <ParaText id="4786809">I also want to speak briefly about reputation and privacy and the right to be forgotten.</ParaText>
              <Timestamp Hr="15" Mn="35">(1535)</Timestamp>
              <ParaText id="4786810"> The Internet's transformative impact on our social functions has made a person's online footprint a vital aspect of his or her identity. However, the permanence and increased accessibility of online information has led to concerns from some about the Internet's impact on privacy and reputation. </ParaText>
              <ParaText id="4786811">There are benefits to making people's pasts more accessible. A Holocaust museum, for example, has a legitimate interest in knowing if a person it is considering for a job has a history of making racist comments. However, we are also a society that believes in giving people second chances. There can be problems with how the digital records present themselves, such as where a decision by a prosecutor to drop charges may not generate as much coverage as the initial arrest, or where an erroneous and sensational media report may attract more attention than a later retraction.</ParaText>
              <ParaText id="4786812">However, experiences in Europe with the right to be forgotten should be viewed as a cautionary tale about what not to do. Namely, any move to develop a right to be forgotten should be grounded in clear and limited definitions of how it applies, strong transparency, and robust due process. I will address each of these in turn.</ParaText>
              <ParaText id="4786813">First, the application of a right to be forgotten requires a careful balancing of freedom of expression, privacy, and the right to information. Any such balancing will have to be based on a clear test to determine where the public interest lies. People have never had a right to control or curate their reputations. Any move to create a right to be forgotten should be aimed only at the novel aspects of reputation that have come about as a result of the Internet and should be reserved for significant and demonstrably unfair circumstances, such as when a person has been wrongly arrested.</ParaText>
              <ParaText id="4786814">Second, transparency is a key ingredient, including making available detailed information about how decision-making processes work and how they have been applied. There should be as much information as can be provided, short of undermining the efficacy of the processes themselves.</ParaText>
              <ParaText id="4786815">Third, as with any restriction on freedom of expression, due process is critically important. Search engines are simply not equipped to engage in this careful balancing of rights, and unfortunately have an incentive under the current European system to err on the side of removing the information without providing the careful due process such a tricky issue should warrant. Any order to remove material or to reduce its accessibility should be left in the hands of a court or a quasi-judicial authority, including careful due process considerations.</ParaText>
              <ParaText id="4786816">I want to emphasize that none of the above should be interpreted as an endorsement of the right to be forgotten. Indeed, there is a strong argument to be made that the present reputational challenges will sort themselves out over time, as people will gradually become inured to the preponderance of embarrassing or unpleasant information out there and will learn to take such information with a pinch of salt. However, insofar as the right to be forgotten is being considered, it is important that we not repeat the widely criticized mistakes of the Court of Justice of the European Union in how it handled the matter.</ParaText>
              <ParaText id="4786817">I look forward to your questions in the discussion.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="15" Mn="40">(1540)</Timestamp>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402329">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786818">Thank you very much, Mr. Karanicolas.</ParaText>
              <ParaText id="4786819">We now go to Ms. Scassa, please, for up to 10 minutes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402331">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa (Full Professor, University of Ottawa, Canada Research Chair in Information Law, As an Individual)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786820">Thank you for the invitation to meet with you today and to contribute to your discussion on PIPEDA. I'm a professor at the University of Ottawa in the Faculty of Law, where I hold the Canada research chair in information law. I'm appearing in my personal capacity.</ParaText>
              <ParaText id="4786821">We're facing what might be considered a crisis of legitimacy when it comes to personal data protection in Canada. Every day we hear new stories in the news about data hacks and breaches, and about the surreptitious collection of personal information by the devices in our homes and on our persons that are linked to the Internet of things. There are stories about how big data profiling impacts the ability of individuals to get health insurance, obtain credit, or find employment. There are also concerns about the extent to which state authorities access our personal information that is in the hands of private sector companies. PIPEDA, as it currently stands, is inadequate to meet these challenges. </ParaText>
              <ParaText id="4786822">My comments are organized around the theme of transparency. Transparency is fundamentally important to data protection and has always played an important role under PIPEDA. At a basic level, transparency means openness and accessibility. In the data protection context, it means requiring organizations to be transparent about the collection, use, and disclosure of personal information, and it means that the commissioner also must be transparent in his oversight functions under the act.</ParaText>
              <ParaText id="4786823">I'm going to also argue that it means that state actors, including law enforcement and national security organizations, must be more transparent about their access to and use of the vast stores of personal information in the hands of private sector organizations. </ParaText>
              <ParaText id="4786824">Under PIPEDA, transparency is at the heart of the consent-based data protection scheme. It's central to the requirement for companies to make their privacy policies available to consumers and to obtain consumer consent to the collection, use, or disclosure of personal information, yet this type of transparency has come under significant pressure and has been substantially undermined by technological change on the one hand, and by piecemeal legislative amendment on the other.</ParaText>
              <ParaText id="4786825">The volume of information that's collected through our digital, mobile, and online interactions is enormous, and its actual and potential uses are limitless. The Internet of things means that more and more of the devices that we have on our person and in our homes are collecting and transmitting information. They may even do so without our awareness, and they often do so on a continuous basis. The result is that there are fewer clear and well-defined points or moments at which data collection takes place, making it difficult to say that notice was provided and that consent was obtained in any meaningful way.</ParaText>
              <ParaText id="4786826">In addition, the number of daily interactions and activities that involve data collection have multiplied beyond the point at which we are capable of reading and assessing each individual privacy policy. Even if we did have the time, privacy policies, as was just mentioned, are often so long, complex, and vague that reading them does not provide much of an idea of what's being collected and shared, with or by whom, or for what purposes.</ParaText>
              <ParaText id="4786827">In this context, consent has become a bit of a joke, although unfortunately the joke is largely on consumers. The only parties capable of saying that our current consent-based model still works are those that benefit from consumer resignation in the face of this ubiquitous data harvesting.</ParaText>
              <ParaText id="4786828">The Privacy Commissioner's recent consultation process on consent identifies a number of possible strategies to address the failures of the current system. There is no quick or easy fix, no slight changing of wording that will address the problems around consent. This means that on the one hand there need to be major changes in how organizations achieve meaningful transparency about their data collection, use, and disclosure practices, and there must also be a new approach to compliance that gives considerably more oversight and enforcement powers to the commissioner. The two changes are inextricably linked.</ParaText>
              <ParaText id="4786829"> The broader public protection mandate of the commissioner requires that he have necessary powers to take action in the public interest. The technological context in which we now find ourselves is so profoundly different from what it was when this legislation was enacted in 2001 that to talk of only minor adjustments to the legislation ignores the transformative impacts of big data and the Internet of things. </ParaText>
              <ParaText id="4786830">A major reworking of PIPEDA may be well overdue, in any event, and it might have important benefits that go beyond addressing the problems of consent. I note that if one were asked to draft a statute as a performance art piece that evokes the problem with incomprehensible, convoluted, and contorted privacy policies and their effective lack of transparency, then PIPEDA would be that statute. As unpopular as it might seem to suggest that it's time to redraft the legislation so that it no longer reads like the worst of all privacy policies, this is one thing this committee should consider.</ParaText>
              <ParaText id="4786831">I make this recommendation in a context in which all of those who collect, use, or disclose personal information in the course of commercial activity, including a vast number of small and medium-sized businesses with limited access to experienced legal counsel, are expected to comply with the legislation. In addition, the public ideally should have a fighting chance of reading the statute and understanding what it means in terms of the protection of their personal information and their rights of recourse. As it's currently drafted, PIPEDA is a convoluted mishmash in which the normative principles are not found in the law itself, but rather are tacked on in a schedule.</ParaText>
              <Timestamp Hr="15" Mn="45">(1545)</Timestamp>
              <ParaText id="4786832"> To make matters worse, the meaning of some of the words in the schedule, as well as the principles contained therein, are modified by the statute, so that it's not possible to fully understand rules and exceptions without engaging in a complex connect-the-dots exercise. After a series of piecemeal amendments, PIPEDA now consists in large part of a growing list of exceptions to the rules around collection, use, or disclosure with consent. While the OPC has worked hard to make the legal principles in PIPEDA accessible to businesses and to individuals, the law itself is not accessible.</ParaText>
              <ParaText id="4786833">In a recent PIPEDA application involving an unrepresented applicant—and most of them who appear before the Federal Court are unrepresented, which I think is another issue with PIPEDA—Justice Roy of the Federal Court expressed the opinion that for a party to “misunderstand the scope of the Act is hardly surprising”.</ParaText>
              <ParaText id="4786834">I've already mentioned the piecemeal amendments to PIPEDA over the years, as well as concerns about transparency. In this respect, it's important to note that the statute has been amended so as to increase the number of exceptions to consent that would otherwise be required for the collection, use, or disclosure of personal information.</ParaText>
              <ParaText id="4786835"> For example, paragraphs 7(3)(d.1) and (d.2) were added in 2015. They permit organizations to share personal information between themselves for the purposes of investigating breaches of an agreement or actual or anticipated contraventions of the laws of Canada or a province, or to detect or suppress fraud. While these are important objectives, I note that no transparency requirements were created in relation to these rather significant powers to share personal information without knowledge or consent. In particular, there's no requirement to notify the commissioner of such sharing. The scope of these exceptions creates a significant transparency gap that undermines personal information protection. This should be fixed.</ParaText>
              <ParaText id="4786836">PIPEDA also contains exceptions that allow organizations to share personal information with government actors for law enforcement or national security purposes without the notice or consent of the individual. These exceptions also lack transparency safeguards. Given the huge volume of highly detailed personal information, including location information, which is now collected by private sector organizations, the lack of mandatory transparency requirements is a glaring privacy problem.</ParaText>
              <ParaText id="4786837">The Department of Innovation, Science and Economic Development has created a set of voluntary transparency guidelines for organizations that choose to disclose the number of requests they receive and how they deal with them. It's time for there to be mandatory transparency obligations around such disclosures, whether it be public reporting or reporting to the commissioner, or a combination of both. Also, that reporting should be by both private and public sector actors.</ParaText>
              <ParaText id="4786838">Another major change that is needed to enable PIPEDA to meet the contemporary data protection challenges relates to the powers of the commissioner. When PIPEDA was enacted in 2001, it represented a fundamental change in how companies were to go about collecting, using, and disclosing personal information. This major change was made with great delicacy. PIPEDA reflects an “ombuds” model that allows for a light touch with an emphasis on facilitating and cajoling compliance, rather than imposing and enforcing it. Sixteen years later, and with exabytes of personal data under the proverbial bridge, it's past time for the commissioner to be given a set of new tools to ensure an adequate level of protection for personal information in Canada.</ParaText>
              <ParaText id="4786839">First, the commissioner should have the authority to impose fines on organizations in circumstances where there has been substantial or systemic non-compliance with privacy obligations. Properly calibrated, such fines can have an important deterrent effect that is currently absent from PIPEDA. They also represent transparent moments of accountability that are important in maintaining public confidence in the data protection regime.</ParaText>
              <ParaText id="4786840">The tool box should also include the power for the commissioner to issue binding orders. I'm sure you're well aware that the commissioners in Quebec, Alberta, and British Columbia already have such powers. As it stands, the only route under PIPEDA to a binding order runs through the Federal Court, and then only after a complaint has passed through the commissioner's internal process. This is an overly long and complex route to an enforceable order, and it requires an investment of time and resources that places an unfair burden on individual complainants.</ParaText>
              <ParaText id="4786841">I note as well that PIPEDA currently does not provide any guidance as to damage awards. The Federal Court has been extremely conservative in damage awards for breaches of PIPEDA, and the amounts awarded are unlikely to have any deterrent effect other than to deter individuals who struggle to defend their personal privacy. Some attention should be paid to establishing parameters for non-pecuniary damages under PIPEDA. At the very least, these will assist unrepresented litigants in understanding the limits of any recourse that's available to them.</ParaText>
              <ParaText id="4786842">Thank you. I welcome any questions.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402408">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786843">Thank you very much, Ms. Scassa.</ParaText>
              <ParaText id="4786844">We now go to Mr. Martin-Bariteau, please, for up to 10 minutes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402412">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau (Assistant Professor, Common Law Section, Faculty of Law, and Director, Centre for Law, Technology and Society, University of Ottawa, As an Individual)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786845"> Thank you, Mr. Chair.</ParaText>
              <Timestamp Hr="15" Mn="50">(1550)</Timestamp>
              <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
              <ParaText id="4786846">I would like to thank you for this opportunity to contribute to your work on the review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and thus offer me the chance to share my thoughts with you about an issue of importance to Canadians.</ParaText>
              <ParaText id="4786847">I am an Assistant Professor of Law and Technology at the Common Law Section, Faculty of Law of the University of Ottawa, where I teach Digital Economy Law, and am the Director of the Centre for Law, Technology and Society. Nonetheless, I appear before you today in my personal capacity.</ParaText>
              <ParaText id="4786848">My comments will be built upon the letter sent to you by the Commissioner last December 2. I will focus on the issues of enforcement powers and reputation. I will then move to the scope of the act, before concluding with some reflections as to its accessibility and readability.</ParaText>
              <ParaText id="4786849"> Throughout my presentation, I will draw references to new European Union's General Data Protection Regulation, GDPR, particularly due to the adequacy issues raised by the Commissioner.</ParaText>
              <ParaText id="4786850">As to the enforcement powers, I believe it is essential to strengthen the Commissioner's powers in order to ensure the effectiveness of the act, in particular by granting the Commissioner order-making powers and the authority to impose administrative monetary penalties. The ability to impose fines appears to be the most effective way to ensure protection.</ParaText>
              <ParaText id="4786851">As with everything, the protection of personal information is subject to a cost-benefit analysis. It is now a matter of either investing in a protection by design or choosing the possibility of a slap on the wrist. With the risk of monetary penalties, the cost-benefit analysis will favour a protection by design approach. Obviously, the amount of the fine will be a critical parameter for its effectiveness—a prohibitive amount is required. For example, if a $500,000 fine may seem significant—and it will be for small and medium-sized businesses—it will be an insignificant amount for companies like Amazon, Facebook or Google. In that respect, it was by imposing a $22.5-million fine that the U.S. Federal Trade Commission succeeded in getting Google to modify its DoubleClick advertising program.</ParaText>
              <ParaText id="4786852">In order to prove effective against big players, we need the maximum fine to be specified based on a percentage of worldwide turnover—for example, 1%. To ensure that the fine is not ludicrous for small and medium-sized enterprises, a second limit should be provided—for example, $500,000; with the greater limit to be retained. Incidentally, the GDPR is based on such a mixed approach.</ParaText>
              <ParaText id="4786853">In my view, this does not threaten the collaborative relationship between operators and the Commissioner. On the contrary, I am of the opinion that strengthened powers will encourage a greater co-operation within actors, before any damage. Besides, such powers seem necessary to obtain an adequate decision of the GDPR.</ParaText>
              <ParaText id="4786854">In order to avoid the appearance of conflicts of interest, fines should be made payable to the Receiver General. So as to protect small businesses and not slow down innovation, we could provide a procedure for a preliminary conformity assessment. In the event of damages, sanctions would only be imposed after an issued recommendation has not been acted upon within a reasonable time.</ParaText>
              <ParaText id="4786855">Finally, I am of the view that none of the Commissioner's powers, including those of order and sanction, should be limited to the receipt of a formal complaint—the totality of these powers evidently remaining subject to possible judicial review.</ParaText>
              <ParaText id="4786856">As to the rights of individuals and online reputation, many favour the creation of a “right to be forgotten”. In the way it is imagined and requested by some, I find this proposition dangerous. The Internet is the archives and the libraries of tomorrow, the new collective memory. Archives have never previously been erased because they were disturbing—at least, not legally in a democracy. This is dangerous ground, and similarly, it is dangerous to want to delegate censorship powers to private actors or to give the power to decide what should be accessible or not to a select few. In the same vein, the right to de-index seems illogical to me, in that it would entail the removal of the index entry, but not the content itself.</ParaText>
              <ParaText id="4786857">Legislation protecting personal information should not be used as a reputation management tool to remove what is embarrassing, but only to remove anything that is unjustified or inaccurate. Otherwise, I am not sure that such a mechanism would satisfy the charter test.</ParaText>
              <ParaText id="4786858">The actual problem with Canadian law is that PIPEDA recommends, but does not require, the erasure of inaccurate or unnecessary data. Certainly, in its recent and already famous Globe24h decision, the Federal Court circumvented this deficiency through the illegitimate and unauthorized nature of the disclosure.</ParaText>
              <ParaText id="4786859">Nevertheless, the erasure of data should be compulsory—and not simply recommended—once it is no longer necessary or accurate through stricter controls of the retention of data over time. One could also provide for an actionable right of erasure of outdated and inaccurate information. I should point out that this need does not only relate to the Internet, but to all databases, computerized or not.</ParaText>
              <ParaText id="4786860">It seems to me that these amendments are necessary—but sufficient—to the GDPR adequacy.</ParaText>
              <ParaText id="4786861">As to the scope, Canadians should be ensured that any harmful collection, use or disclosure of data be subject to strict standards of protection.</ParaText>
              <ParaText id="4786862">The definition of the scopes of the two federal statutes does not meet the citizens' expectation of protection in a global and interconnected world, including protected data and in particular with respect to the subjected organizations.</ParaText>
              <ParaText id="4786863">A solution for organizations would be to redefine the scope of PIPEDA in such a way that would render it applicable to all organizations operating under federal jurisdiction and that are not covered by the public sector act or any other federal law. Evidently, and analogously to our partners, the law shall retain exemptions for personal or journalistic use.</ParaText>
              <ParaText id="4786864">As to the issue of access to law, if it is undeniable that the law requires modifications in view of new realities, the legislator must seize the opportunity of this reform by performing a complete overhaul of the law, instead of making simple amendments.</ParaText>
              <ParaText id="4786865">Indeed, PIPEDA belongs, undoubtedly, in the hall of fame for the worst drafted federal laws—and we know that there is, in that matter, some competition there. The cornerstone of PIPEDA lies in an appendix copy-and-pasted from a document drafted by a private standardization organization. The act only supplements this document and other appendices by making constant references to them.</ParaText>
              <ParaText id="4786866">This poses a problem in terms of the public's access to law. A rewrite of the law, clearly explaining the right and obligations of each, would therefore be welcome—especially to make mandatory all that is presently recommended.</ParaText>
              <ParaText id="4786867">In terms of drafting, the act should remain conceived according to the principle of technological independence and be principles-based. Such an approach is essential to enable the Canadian legal framework to adapt to future social and technological changes, including the development of robotics, of the Internet of objects and artificial intelligence.</ParaText>
              <ParaText id="4786868">In terms of readability, the limitation of the legislation to the protection of personal information would be welcomed. Functional equivalence rules for electronic documents are irrelevant and should be transferred elsewhere.</ParaText>
              <ParaText id="4786869">Conversely, it would be desirable for a single act to contain the entire framework for the protection of personal information, that is, for both the private and public sectors. The concomitant reconsideration of these two acts by this committee offers this opportunity. This would also allow for the creation of a coherent framework for both the protection of personal information and the role of the Commissioner—even if it means providing several sections if it was considered necessary to maintain a public sector exemption regime.</ParaText>
              <ParaText id="4786870">As a final thought, I would like to draw your attention to the need of providing statutory rights of actions and damages. Equally, I would like to underline that it is necessary to update our law in order to satisfy the GDPR's suitability test, but that we must nevertheless consider two important factors: first, that the test does not require a carbon copy of the GDPR and secondly that this applies to all protection frameworks, and not just PIPEDA.</ParaText>
              <ParaText id="4786871">I hope that these few thoughts and recommendations will be useful to the committee. Sadly, I wasn't able to finalize on time a short bilingual brief with examples and recommendations. However, I could send it to you afterwards.</ParaText>
              <ParaText id="4786872">Thank you. I'll be happy to answer any questions that you may have.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="15" Mn="55">(1555)</Timestamp>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402504">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786873"> Thank you very much. </ParaText>
              <ParaText id="4786874">Colleagues, we'll now proceed to the seven-minute round.</ParaText>
              <ParaText id="4786875">Our opening time allotment goes to Mr. Bratina, please.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402508">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina (Hamilton East—Stoney Creek, Lib.)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786876">Thank you very much.</ParaText>
              <ParaText id="4786877"> Thank you to all. </ParaText>
              <ParaText id="4786878">Ms. Scassa, I loved your phrasing that it was a “convoluted mishmash”, a “piecemeal” document. Is it because of the dynamic nature of law-making, where the technology has been evolving and they've been adding things on that makes the whole thing unworkable, in the end?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402516">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786879"> I think it's really due to the legislative history of the statute. It arose at a time when there was a need to put legislation in place quickly. Europe had just passed its first data protection directive, and there were concerns about cross-border flows of data. We're in a similar situation again. </ParaText>
              <ParaText id="4786880">It was clear that we needed legislation. There wasn't a lot of comfort with legislation. It was decided that if it were built around the CSA model code, there would be a greater acceptance of it, both here and south of the border, in terms of the obligations it imposed on businesses. </ParaText>
              <ParaText id="4786881">The normative core is the CSA model code, which is in the schedule. In the legislation itself, all the exceptions and modifications are found, as are the enforcement powers and so on. For an ordinary individual who is trying to work his or her way through the statute, it's not intuitive. It's not easy to find. As amendments get made, the interaction between the two documents becomes even more complicated. </ParaText>
              <ParaText id="4786882">I think it's in large part due to that history that we have the legislation we have. I think we're mature enough now in our evolution in terms of our data protection that we can walk away from that and fix the statute.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="00">(1600)</Timestamp>
          <Intervention Type="" ToC="No" ToCText="" id="9402531">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786883"> We've heard in testimony about the European Union's general data protection regulation. Relatively, PIPEDA falls short on the right to be forgotten. I'm going to ask Mr. Karanicolas about this, because he made a comment, but I'll ask you first.</ParaText>
              <ParaText id="4786884">Did you review the European Union's general data protection regulation, and how do you feel about that compared to what we have?</ParaText>
              <ParaText id="4786885">Ms. Scassa, I'll ask you first.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402543">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786886">On the right to be forgotten, I would draw a distinction between the right to be forgotten, which is talked about a great deal in the context of a particular court decision in the European Union, and the right to erasure, which I think is more what is present in the data protection directive. I think those are very different things.</ParaText>
              <ParaText id="4786887">The right to be forgotten, in a sense, goes so far as to talk about what search engines have to delist, so it affects how you search and how you find information on the Internet. That is very different from the right of people who no longer want a company they perhaps dealt with in the past and which collected their personal information to have their personal information, because they no longer wish to deal with that company. They're asking to have that personal information removed and no longer dealt with. </ParaText>
              <ParaText id="4786888">The right to be forgotten and the right to erasure are very different things. The right to erasure seems to me to fall within the scope of PIPEDA, whereas the right to be forgotten goes beyond it, and I think, as my colleague pointed out, it implicates freedom of expression rights.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402565">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786889">Mr. Karanicolas, is it possible to track how data moves around? I made this comment another day about the offshore havens of money. Can there be offshore havens of data, where things can be slipped over to other servers and hidden away and used at the pleasure of those people? With the current technology, can you follow that data as it travels around?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402579">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786890">If I understand you correctly, it's possible to impose data localization rules. Different governments have experimented in different ways with those kinds of requirements.</ParaText>
              <ParaText id="4786891">That's not necessarily something I would recommend for Canada, but it is possible to control how information is routed. Those kinds of controls tend to raise significant concerns about the functionality and operability of the Internet as a whole, which is designed to allow information to flow by the most efficient route.</ParaText>
              <ParaText id="4786892">I'm not sure if I'm answering your question, or if you're—</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402587">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786893">To me, as technology evolves so rapidly, we're trying to set in stone wording for legislation that may miss the next feature of technology, which would allow it to side-swipe that, if you will.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402590">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786894">Okay.</ParaText>
              <ParaText id="4786895">Technological neutrality is an admirable goal to aim for. I think what the drafters of PIPEDA were originally aiming for was to try to keep it as neutral as possible, as far as I understand it. Whether they succeeded is different. I think there have been some fair points brought up by my colleagues, particularly about how the Internet of things has so dramatically changed the way information is being collected. It has opened up all these new avenues that are vastly beyond what was conceived at the time PIPEDA was drafted.</ParaText>
              <ParaText id="4786896">As a general rule, I think that technological neutrality in legislation is a good thing to aim for. In crafting a new law or in revising a law, one should aim to avoid falling into that kind of pitfall as far as possible.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402597">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786897">Can I ask you about the comments you made with regard to the European Union's right to be forgotten, etc.? You didn't seem to be too supportive of its approach. We've heard the opposite testimony.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402598">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786898">The right to be forgotten is not something I strongly oppose. I'm sort of undecided on that issue specifically. I see arguments either way as to whether some sort of right is potentially a good idea, because I do see a problem and I do see a change in the way information is recorded, which the Internet has wrought.</ParaText>
              <ParaText id="4786899">That being said, there are huge problems with the way it's been rolled out in Europe, partly because the decision, when the European Court of Justice first handed it down, didn't provide a huge amount of clarity on how it should be applied. It provided vastly broad categories for what could be susceptible to the right to be forgotten, which led to a huge amount of confusion. I think the last I saw, something like 150,000 or 170,000 websites had been taken down as a result of that. Huge numbers of applications have been made.</ParaText>
              <ParaText id="4786900">I see problems with the way it has been rolled out in terms of a lack of clarity. I also question the wisdom of bundling it with the search engines themselves. As private sector actors, they're not well equipped to engage in that kind of balancing. When you impose this kind of potential for liability on them, without their necessarily having the proper processes in place to respect the freedom of expression interests that are engaged, what you end up with is a tendency to remove information whenever there's a complaint. That's a problematic approach.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="05">(1605)</Timestamp>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402607">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786901"> Thank you very much.</ParaText>
              <ParaText id="4786902">We now move to Mr. Jeneroux, please, for seven minutes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402608">
            <PersonSpeaking>
              <Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux (Edmonton Riverbend, CPC)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786903"> Thanks to all three of you, two of you for coming back, and to you, Mr. Martin-Bariteau, in your first time here, welcome.</ParaText>
              <ParaText id="4786904">My first question was going to be about what all of you think of PIPEDA, but it's pretty clear. Nobody here in the room is too pleased with it, so I'll move on to my second question.</ParaText>
              <ParaText id="4786905"> In terms of order-making powers, Ms. Scassa, you made your thoughts clear in the last answer, but could we get the other two gentlemen on the record in terms of their thoughts on providing the Privacy Commissioner order-making powers?</ParaText>
              <ParaText id="4786906">You're first, Mr. Martin-Bariteau.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402610">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786907">I'm not sure I understand....</ParaText>
              <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
              <ParaText id="4786908">Like my colleague Teresa Scassa, I am fully in favour of the idea of granting the Commissioner order-making powers.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9402611">
            <PersonSpeaking>
              <Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786909">Mr. Karanicolas.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402612">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786910">I'm not entirely convinced of the need for order-making powers. It's not something that I necessarily oppose, but I do think it raises some issues in terms of the procedural fairness of investigations, which the OPC itself has mentioned.</ParaText>
              <ParaText id="4786911"> To me, the bottom line is necessity. I think the reason I'm not completely sold on the order-making power is that we've previously heard from the Privacy Commissioner that most of their recommendations are ultimately complied with. If that's the case, and if you have a system in which the recommendations are already being complied with, I'm not sure why you need a strengthening of the powers.</ParaText>
              <ParaText id="4786912"> It was mentioned that recommendations are often very slow in being implemented, which is a significant problem. Some people have suggested a hybrid model, whereby the companies would need to apply to the court for permission to not comply within a particular time period. I'm not sure why a specific order-making power would solve the problem more than a hybrid model, which is I think why I'm not necessarily opposed to it but not fully convinced of the need for an order-making power either.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402621">
            <PersonSpeaking>
              <Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786913">We're going to try to pin you down on some answers here, Mr. Karanicolas. I'll skip to the right to be forgotten, where it sounds like you're equally on the fence. It sounds like the Privacy Commissioner is also struggling with the same focus as to what type of law he should put in place, if any. I find it personally fascinating. I think that somebody's right to be forgotten is somebody else's argument that, no, they should be remembered.</ParaText>
              <ParaText id="4786914"> You gave a bit of an on-the-fence argument. I'll start with you and go around the table to see if there's any guidance or support you can provide us. The Privacy Commissioner is coming out with a position paper on this, but unfortunately not until after our study is done. We're looking for some advice or support in terms of our recommendations to the Privacy Commissioner.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402632">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786915">At the moment, I wouldn't make a recommendation in favour of the right to be forgotten.</ParaText>
              <ParaText id="4786916"> The reason I'm a bit couched in that is that I do see some potential problems that could be addressed, but if you want a recommendation on whether or not to legislate that, I would be against it. I think there's a huge amount of potential to do harm, and a huge amount of potential to craft it in a way that has the negative impact on freedom of expression.</ParaText>
              <ParaText id="4786917"> I do see the problem there, but there are a lot of ways that the legislation could be done badly, which is why I would be concerned.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="10">(1610)</Timestamp>
          <Intervention Type="" ToC="No" ToCText="" id="9402640">
            <PersonSpeaking>
              <Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786918">That's a little better.</ParaText>
              <ParaText id="4786919">Ms. Scassa.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402641">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786920">I'll make clearer the distinction I'm making between the right to be forgotten and data erasure.</ParaText>
              <ParaText id="4786921"> Let's say you've joined a social networking site, and you've created a profile, you have photographs, and you have information on your profile, or let's say it's a dating site and you've created a profile for that. You have that up for a couple of years and you decide you no longer want to be part of that site. You don't want to do business with it—this happens all the time—and you say to the company, “Remove my account and get rid of my personal information, because I'm done.” That's the right to erasure. That's different from the right to be forgotten.</ParaText>
              <ParaText id="4786922">You're not saying that there are newspaper stories about you out there that you don't want anyone reading anymore and you want them de-indexed. You're saying that you've had this relationship with a private sector company that you're terminating and you want the data that you have provided as part of that relationship to be removed. In many circumstances that has been very difficult for people to achieve. That's the right to erasure.</ParaText>
              <ParaText id="4786923"> I think that's very important. If we can strengthen the right for people to be able to take those kinds of measures with the private sector organizations that have been collecting and using their personal information, I think that's important.</ParaText>
              <ParaText id="4786924">The other aspect of the right to be forgotten, I have substantial misgivings about.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402651">
            <PersonSpeaking>
              <Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786925"> Fair enough. </ParaText>
              <ParaText id="4786926">If I could jump in here, and I hope to bring Mr. Martin-Bariteau into this as well, let's say a 16-year-old posts something on a Facebook account. Fast-forward 20 years and they decide to, I don't know, do an honourable profession and run to be a member of Parliament perhaps. Even though they've entered into that contract, what's not to say that somebody hasn't gone and screen-captured that particular story, with a news story perhaps written about it? I guess that's where I'm struggling with the right to be forgotten piece. It's not necessarily the contract you've entered into with that organization, it's the fallout, the public fallout, I guess, after that.</ParaText>
              <ParaText id="4786927">I used the example of a member of Parliament only because I know that there are people around the room here who would agree with me that it's prevalent.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402662">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786928">I think that's a serious issue as well. I'm not sure it's a PIPEDA issue. In some circumstances, issues like that have been dealt with through the tort system. Where it's been done maliciously, they've been dealt with through other mechanisms, because I think they raise issues that go beyond simply data protection. </ParaText>
              <ParaText id="4786929">While I agree that it's an important issue, I'm not entirely convinced it's as much a PIPEDA issue as it is a problem that maybe requires multiple different solutions, depending on the circumstances. I mean, revenge porn falls into that category. That's clearly a tort and also perhaps criminal activity and so on.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402669">
            <PersonSpeaking>
              <Affiliation DbId="218277" Type="47">Mr. Matt Jeneroux</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786930">I think I'm out of time.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402671">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786931">You certainly are, buddy.</ParaText>
              <ParaText id="4786932">
                <B>Voices:</B> Oh, oh!</ParaText>
              <ParaText id="4786933">
                <B>The Chair:</B> Mr. Blaikie, you have up to seven minutes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402673">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie (Elmwood—Transcona, NDP)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786934">Thank you very much.</ParaText>
              <ParaText id="4786935">Mr. Karanicolas, I want to start with a couple of questions about the right to be forgotten. You mentioned that the rollout of that in Europe has not gone very well. I was just wondering if, for the benefit of our record and testimony, you could provide a couple of the best examples of what didn't go well, what didn't work, in the European context. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402676">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786936">I'll start by endorsing the distinction that Professor Scassa made between data protection and a right to deletion and a right to be forgotten, because that is a key distinction.</ParaText>
              <ParaText id="4786937">The way it was handed down was the first problem we saw. There was a decision by the European Court of Justice that didn't even really mention freedom of expression, and included statements that, for example, the right to privacy generally trumps people's right to obtain information. There was a lack of proper consideration of the rights that were being infringed. That would be the first one. With that decision, which was relatively bare, providing the only guidance at the outset at least that Google was going to have in implementing that, it was hugely problematic, because you create this enormous new responsibility without a huge amount of guidance on how it's supposed to be implemented.</ParaText>
              <ParaText id="4786938">As I mentioned briefly before, putting this on the private sector is hugely problematic, because this is a very tricky decision. It involves balancing different rights against one another, and it involves considering the overall public interest. Google is absolutely not equipped to do that. Even for a company of their size, this is something that you need judicial or quasi-judicial decision-makers to take on. Saddling it onto the private sector was also a significant mistake. I think you saw that the floodgates sort of came open. I looked it up in the interim, and I saw 348,000 requests to remove links by Google.</ParaText>
              <ParaText id="4786939">When I say that I have a certain amount of sympathy with regard to a few limited cases of where the right to be forgotten could be applied, I think it's a challenging thing to implement in terms of just applying it to those extreme cases. I think the European example shows that once the right is implemented, the floodgates kind of come open, and you have a huge amount of legitimate or accurate information, or perfectly relevant information, that people would request deletion for. </ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="15">(1615)</Timestamp>
          <Intervention Type="" ToC="No" ToCText="" id="9402694">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786940">This comes from a decision of the European Court of Justice. Without a great background on this subject, is there anything in the general data protection regulation about the right to forget?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402695">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786941">My understanding of the way in which it's applied is based on the initial rollout of the ECJ decision. I believe the data protection regulation does address that, but I haven't reviewed that specific aspect.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402697">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786942">For me, the next question, and perhaps some of our other witnesses have an idea on this, is that when we talk about worrying about whether our privacy laws are adequate under the European test so as not to disrupt the commercial data flows, is having some aspect of a right to forget a necessary component of meeting the adequacy test for Europe?</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" id="9402698">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786943">No. Absolutely not.</ParaText>
              <ParaText id="4786944">Even in the new GDPR, which addresses the issue of the right to be forgotten, it is in quotation marks. In that context, it is called “the right to erasure”. The Regulation makes the distinction that Professor Scassa mentioned. In fact, the right to erasure provided for in the GDPR is somewhat in line with the one already in the 1995 directive, which was in force in most European Union countries.</ParaText>
              <ParaText id="4786945">It is possible to request that data be deleted, but only for the data whose collection, communication or disclosure violates the Regulation. However, the Regulation sets out exceptions for freedom of expression, freedom of the press, the right to information and so on.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402705">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786946">The right to erasure already exists in Canada. I wonder whether it fits in with the European model or whether the option should be there.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402706">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786947">Like Professor Scassa, I think PIPEDA should clearly provide for the right to erase inaccurate and erroneous data so that it is not just a recommendation.</ParaText>
              <ParaText id="4786948">I would also like to point out that the second paragraph of article 45, which talks about adequacy, does not mean just doing a cut-and-paste; it means considering effective and enforceable rights. Direct rights would therefore be appropriate. In terms of data protection, it does not directly relate to any right to erasure, but indicates that the country’s rules on human rights and fundamental freedoms will be taken into account. In this case, we are talking about the Canadian Charter of Rights and Freedoms.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9402712">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786949"> Thank you.</ParaText>
              <ParaText id="4786950">On the issue of consent, I'm just looking for some practical advice. I think it's pretty clear that the current consent model really doesn't work very well. Anyone who has signed up for software over the Internet and been confronted with user agreements has a pretty good sense that these are opaque and long and technical. Even when you do start to read them, they tend to be overly broad and you feel like you're signing up for just about anything when you click “I agree”. </ParaText>
              <ParaText id="4786951">How do you have a model that isn't overly prescriptive but nevertheless offers something that ordinary Canadians who don't have a background in that particular kind of law can digest so they can feel comfortable that they know what they're signing on to? Do you have template agreements, or is that overly prescriptive and you would then have agreements that wouldn't fit the kinds of services being offered? How do you write something into law that actually accomplishes a viable consent model?</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="20">(1620)</Timestamp>
          <Intervention Type="Interjection" ToC="No" id="9402743">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786952">That's a very good question. </ParaText>
              <ParaText id="4786953">It's challenging. I think there are small fixes in terms of tools, direction, and guidance in drafting better privacy policies and more condensed or short-form privacy policy templates, as you suggest. </ParaText>
              <ParaText id="4786954">In terms of ubiquitous and continuous collection, people have suggested that there should be pop-ups from time to time to remind people that their information is being collected by the toaster, for example, and that they might want to think about whether they still want that to be happening. There are those types of things. Some of those could be mandated in legislation. Some could be done through guidance from the Privacy Commissioner. </ParaText>
              <ParaText id="4786955">There are others who suggest, as you know, broader fixes, such as moving all sorts of data collection and considering it fairly routine, and consent wouldn't be required. What worries me about that, of course, is the threshold that there be no risk or no harm. I think that in the big data environment, we're still trying to figure out exactly what the risks and the harms are. It's not always obvious at the outset what the implications of the collection of certain types of data are going to be, depending on what is then subsequently collected by someone else and put together.</ParaText>
              <ParaText id="4786956">I think there are some very serious challenges there, and I wish I could say, “Here are the three things that need to be done”, but I'm still struggling with it myself. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402761">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786957">We are out of time for Mr. Blaikie's allotted time, but I know that if there are others who want to get in on this, there will be an opportunity, I'm sure. </ParaText>
              <ParaText id="4786958">We'll now move to Mr. Saini, for the last of our seven-minute rounds. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402765">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini (Kitchener Centre, Lib.)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786959">Thank you very much.</ParaText>
              <ParaText id="4786960">I want to start off with one point. Canada, having recently signed CETA, is going to be under some pressure to rise to the level of the GDPR, general data protection regulation, that will come into effect in May 2018 in Europe. There are stark differences between what we currently have and what has been indicated in the GDPR. One is data erasure and privacy by design and by default. </ParaText>
              <ParaText id="4786961">Could you give a broad outline to the committee as to what significant or important areas we should focus on? I guess ultimately we'll have to rise to that level to do business with Europe. Are there any key indicators you feel we should focus on?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402774">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786962"> Maybe I'll pass the floor to our resident European. </ParaText>
              <ParaText id="4786963">
                <B>Voices:</B> Oh, oh!</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402778">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786964">I have a lot of questions. I can ask another question.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" id="9402780">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786965"> In my view, PIPEDA should clarify the issue of the retention of data over time, provide for an obligation for organizations, and also provide a direct right to litigants. The direct rights of litigants are one of the conditions for adequacy. As with the enforceable orders and fines, paragraph 45(2)(b) of the Regulation tells us to look at whether the supervisory authority is truly independent and has adequate enforcement powers. </ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9402786">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786966">Ms. Scassa, do you have anything to add?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402788">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786967">Yes. I would agree with that. I certainly think the biggest weakness in PIPEDA in terms of conformity with European norms is on the enforcement side. There are simply not enough powers for the commissioner.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402792">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786968">Mr. Martin-Bariteau, you mentioned a structure for fines within Europe under the GDPR right now. The fine structure is either 4% of annual turnover or 29 million euros, whichever is the higher number. Do you think we should follow some sort of mechanism? Right now, as you've very aptly said, there is no fine procedure. The Office of the Privacy Commissioner cannot fine.</ParaText>
              <ParaText id="4786969"> Ms. Scassa, in your writings, you've mentioned Globe24h. In that Romanian case specifically, the fine imposed was only $5,000, and there was no way to collect on that or to even prevent Romania from stopping the indexing of files on the CanLII website.</ParaText>
              <ParaText id="4786970">Do you think the fine procedure should be there, and at what levels?</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" id="9402804">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786971">I think the GDPR's mixed approach is the good one, regardless of the percentage, because even at 4%, I think it's still calculated based on the number of citizens affected by potential breaches of confidentiality and depending on the area.</ParaText>
              <ParaText id="4786972">We know that there are fewer citizens in Canada than in the European Union. On the other hand, it is important not to have a simple percentage, because 4% of a small structure, for example a start-up company, is not much. The company might want to take the risk with its investors and tell them to go ahead. If anything were to happen, at most, it could be about 4% of $500,000. That’s peanuts. That’s why it has to be doubled.</ParaText>
              <ParaText id="4786973">For example, in France, until 2016, the maximum amount was $150,000 for the first fine and $300,000 afterwards. It did not work. France has just raised this to a single amount of $3 million. This was adopted almost at the same time as the Regulation, which in my view also reflects the number of citizens concerned within the boundaries of a certain territory.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="25">(1625)</Timestamp>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9402825">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786974">Ms. Scassa, in your opening preamble, you mentioned business. Right now, the difference between the GDPR and Canada is that we don't have a privacy-by-design or privacy-by-default mechanism. Do you think that's important, or is that a first step to making sure not only that businesses are somewhat concurrent with GDPR but that the relevancy is there?</ParaText>
              <ParaText id="4786975">You also mentioned SMEs. Do you think that, by process, there should be some sort of privacy document or privacy agreement that would be standardized across the Internet, to the extent that we can do it, whereby privacy trust marks could also be used? In this way, we would be helping consumers when they interact with certain businesses to have the confidence that the company has a privacy-by-design or privacy-by-default mechanism and, more important, that it has been authorized by some sort of body so that they would have confidence and there would be a privacy trust mark there. Would that be something that you think would be viable?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402839">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786976">I know that in the very early days of PIPEDA there was a lot of talk about trust marks and trust seals and so on. People tried them. They haven't really gone very far. I think there have been concerns about the counterfeiting or faking of trust seals and trust marks as well. I'm not sure how viable that is as a solution.</ParaText>
              <ParaText id="4786977">There are interesting technological developments as well. People are working on codes and apps, for example, that will scan and rate privacy policies, so I would be hesitant to go with a trust mark solution when there may be other technological tools that would be more useful and more effective in terms of helping consumers understand what the privacy policies are.</ParaText>
              <ParaText id="4786978">That said, I know that for some time we've been talking about privacy by design and privacy by default. Those are important principles. It may take amendments or changes to the law to get people's attention on them. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402849">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786979"> Okay.</ParaText>
              <ParaText id="4786980">Mr. Karanicolas, you mentioned that Google had 350,000 or 340,000 requests for the right to be forgotten. In those cases, 42% were removed. You mentioned the case in Europe, so I'm thinking you probably meant the Google v. Spain case. Is that what you were talking about?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402854">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786981">That was the original case at the ECJ, yes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402855">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786982">Do you think the Google v. Spain case, and the judgment from that case, should be used in a way? The judgment was clear on the right to be forgotten and the right to erasure. Do you think that was the right judgment, and is that something we should use, or not at all?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402859">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786983">No. I think the judgment of that specific case was terrible. That's a lot of what I was speaking to in terms of the lack of clarity and in terms of the solution that was proposed.</ParaText>
              <ParaText id="4786984">As well, specific to that case, I don't think it's a very good test case in terms of the right to be forgotten. In my opinion, the specific information that's at issue in that case, which is a person's bankruptcy or some sort of financial difficulty that they were in 15 or 20 years ago, is absolutely relevant. That information should certainly still be available. I think what they—</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402865">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786985">But—</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402867">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786986">But we're out of time, Mr. Saini.</ParaText>
              <ParaText id="4786987">
                <B>Voices:</B> Oh, oh!</ParaText>
              <ParaText id="4786988">
                <B>The Chair:</B> Mr. Kelly, you have up to five minutes, please.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402869">
            <PersonSpeaking>
              <Affiliation DbId="218278" Type="47">Mr. Pat Kelly (Calgary Rocky Ridge, CPC)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786989">Thank you.</ParaText>
              <ParaText id="4786990">In listening to the witnesses we've had so far, including today's witnesses, I'm struck by the sheer number of different kinds of organizations that this law applies to, and how many different contexts or different anecdotes and examples are discussed that fall under the same law, and yet it would seem virtually meaningless, perhaps, to the different types of businesses and organizations that this law is subject to. You have professional services like law firms, financial services, accounting firms, and my own business from before I became a parliamentarian, the mortgage brokerage business. These are businesses that have long, long understood the need to keep client information private. They do not try to share information publicly or to profit from doing so. It would be completely counter to all the principles which the many different professions that must collect information work under, and yet the same law is also for a social network, for whom the product is the information that is shared.</ParaText>
              <ParaText id="4786991">Do we need to have two different laws? We have personal information and privacy, which seems like one thing. Electronic data, or the deliberate sharing or communication of electronic information, strikes me as something quite different. </ParaText>
              <ParaText id="4786992">I'd like any of you to comment on whether or not, with so many different things going on and the different types of activity that this law tries to regulate, this needs to be split up. </ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="30">(1630)</Timestamp>
          <Intervention Type="Interjection" ToC="No" id="9402888">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786993">I could jump in on that. </ParaText>
              <ParaText id="4786994">I think there would be dangers in splitting it up. Increasingly over time the commissioner's approach has been to try to create guidance that is specific to particular sectors or particular contexts so that you have one law that applies to all, but how it applies in particular contexts may be different. The commissioner's office has given attention to mobile apps, and has given attention to fitness devices, and has looked at various specific things with guidance to small businesses and guidance to businesses in particular sectors. </ParaText>
              <ParaText id="4786995">The code of practice model is one that I think is also getting more attention now. This is the idea that perhaps some sectors could work together to develop codes of practice around certain types of information collection use and disclosure within the context of their particular operations, and that this could somehow be developed in consultation with the OPC and approved by the OPC. You would start to shape norms and guidance around particular sectors under the umbrella of one law and one commissioner. It seems to me that this would be a preferable approach to dividing it up and having separate laws.</ParaText>
              <ParaText id="4786996">The other thing, of course, is that some companies start out being brick and mortar companies, then go online, and then they develop apps. Businesses are constantly changing in terms of their information practices and needs. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402899">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4786997">I have nothing to add. </ParaText>
              <ParaText id="4786998">
                <B>Mr. Pat Kelly:</B> Okay.</ParaText>
              <ParaText id="4786999">Mr. Karanicolas. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402901">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787000"> [<I>Inaudible—Editor</I>] against relying on market incentives or thinking that companies that have a direct interest in keeping their users' information secret or following better practices will necessarily do that. Ashley Madison is a great example of a company that had a direct interest in having strong security and strong privacy protections, had nothing good in place, and didn't follow any industry best practices to safeguard user information or protect users' privacy.</ParaText>
              <ParaText id="4787001">I do think that the idea of building a degree of flexibility into how—</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402904">
            <PersonSpeaking>
              <Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787002">If I may, I'll stop you on that example. I'm not familiar with exactly how that breach happened. Was that a failure of legislation or just a failure of that particular company?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402908">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787003">Certainly, it was a failure of that company, but I think you could say that the fact the company was allowed to operate the way it did, with such shoddy security practices, was potentially a failure of legislation or a failure of enforcement, in the sense that there were basic security mistakes being made that weren't necessarily being monitored or followed up on.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402912">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787004">Thank you very much, Mr. Kelly.</ParaText>
              <ParaText id="4787005">We now move to Mr. Long, please, for five minutes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402914">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long (Saint John—Rothesay, Lib.)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787006">Thank you, Chair.</ParaText>
              <ParaText id="4787007"> Welcome back to some of our guests, and welcome for the first time to Mr. Martin-Bariteau.</ParaText>
              <ParaText id="4787008">Mr. Karanicolas, I want to start with you with respect to meaningful consent and how that relates to children.</ParaText>
              <ParaText id="4787009"> I talked about this at our last committee meeting, too. I have friends with younger children. We were at their place last weekend. The children were on their computer going through things and clicking on this and clicking on that. What protection does PIPEDA need to ensure that our children are being protected?</ParaText>
              <ParaText id="4787010"> I'll start with you, Mr. Karanicolas, and go to Ms. Scassa after that.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="35">(1635)</Timestamp>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402917">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787011">It's well established to have different rules in place for protecting children in terms of gathering their information and tracking their information. I think there's a huge challenge online in implementing that, because it's quite difficult, I think, in terms of people who navigate to a particular website to know how old the users are. You can require them to enter their birthdate, but again, that's not a particularly difficult hurdle to overcome—</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402922">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787012">I'm going to jump in there, if you don't mind. </ParaText>
              <ParaText id="4787013">One of the articles I read recently stated that a lot of U.S. websites have more tracking software on them for children than they have on sites for adults—the clickbait. Again, what can we do to ensure that our children are being protected?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402924">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787014">Because you can't necessarily know how old the person is who's on the website, I think the best option is to look at those websites that are directly targeting children, or that have a target audience geared towards younger web users, and to maybe expect a stronger standard to be imposed on them.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402931">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787015">Thank you.</ParaText>
              <ParaText id="4787016">Ms. Scassa.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402938">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787017">The American approach has been to have legislation specifically addressing children's privacy. The Canadian approach has been to deal with it under PIPEDA and to recognize that children may be a special case, so as a matter of interpretation, we take into account the fact that a website might be targeting children.</ParaText>
              <ParaText id="4787018"> I guess the issue is, do we want to have something very specific in the legislation that makes it clear that when you're dealing with children, the rules are different or the rules are stricter? I see some merit in that: in being very explicit and up front that the rules for consent may be expressly different when you're dealing with children.</ParaText>
              <ParaText id="4787019">In that a lot of websites that target children are based in the United States, where they actually have to comply with the American laws, we've benefited to some extent. In Canada, we're simply not clear and explicit about the steps that have to be taken to protect children's privacy.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402970">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787020">Mr. Martin-Bariteau.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" id="9402972">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787021">I would say the same. American legislation already exists but there is a problem with enforcing it. It does not work. We know full well that, normally, under the age of 13, additional rules apply. Children under 13 are on all social networks in America, as in the rest of the world.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9402975">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787022">Thank you.</ParaText>
              <ParaText id="4787023">Mr. Karanicolas, I want to get your feedback and opinion on Globe24h and that ruling. I'll be honest. I don't know a lot about it, but my spin on it is that it does pave the way for a Canadian version of the right to be forgotten. Can you elaborate for the committee on Globe24h and the impacts and ramifications of that ruling?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402977">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787024"> I haven't examined the case. I haven't read the case. I've read only second-hand accounts of it. </ParaText>
              <ParaText id="4787025">What I will say is that one of the things that struck me was that it demonstrates some of the challenges in jurisdiction you have in these kinds of cases. This is not specific to the right to be forgotten. It impacts a lot of online speech, where there are going to be challenges in enforcement and also challenges in imposing a particular Canadian standard on websites that might be operating elsewhere but targeted at Canadians.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402986">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787026">Ms. Scassa, could you comment on that?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402988">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787027">Yes. I would hesitate to say that it really creates a Canadian right to be forgotten. The very particular context of the case is that it was dealing with court decisions that had been made publicly available by the courts under specific restrictions that weren't being respected, and—</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402990">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787028">Those decisions were accessible, but they just weren't linked to Google. Was that it?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402991">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787029">That's right. They were accessible but not indexed, and the courts made them available on the basis that they would not be indexed.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9402993">
            <PersonSpeaking>
              <Affiliation DbId="216080" Type="47">Mr. Wayne Long</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787030">Okay. Fair enough.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9402995">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787031">They were scraped and then indexed by this other site. I would hesitate to say that it's really a right-to-be-forgotten case.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9402998">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787032">Thank you very much. </ParaText>
              <ParaText id="4787033">We'll go back to Mr. Kelly for five minutes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403000">
            <PersonSpeaking>
              <Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787034">Thank you.</ParaText>
              <ParaText id="4787035"> In the discussions around the right to be forgotten, that version of being forgotten—being de-indexed by a search engine—sounds more like a right to be lost than a right to be forgotten. It's certainly not erasure. I'm glad that we're finally getting to some distinctions between these different things.</ParaText>
              <ParaText id="4787036">Ms. Scassa, I was pleased to hear in your testimony and get into the record the acknowledgement of PIPEDA being onerous for small businesses and certainly unloved, probably misunderstood and, I would say, probably feared by many. Small business owners I've talked to are certainly not conversant with privacy law. They know there is a privacy law out there. In many cases, they're probably at a loss as to how to comply and, yes, it's beyond the reach of many businesses to have expert advice on how to comply, as you mentioned in your testimony.</ParaText>
              <ParaText id="4787037">In your opening remarks, though, you characterized the consent model as a joke. If so, what's the answer?</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="40">(1640)</Timestamp>
          <Intervention Type="Interjection" ToC="No" id="9403018">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787038">Yes, well, I don't know, but I certainly know there's a huge volume of personal information about me that is out there now and is being collected and transmitted probably right now by my phone, information that I don't want to share. I don't even know what it is or how it got there. For me, that makes consent a joke, in that even somebody who's educated in law, has law degrees, and who works in the field of privacy can't get a handle on what's happening to their personal information. To me, that says the system is broken.</ParaText>
              <ParaText id="4787039"> How do you fix it? I think the commissioner's consultation produced some interesting suggestions, ideas, and possibilities. I think it's a question of trying to find the right combination. I don't know. I'm sorry. I really wish I could say, “This is what's going to do it.”</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403033">
            <PersonSpeaking>
              <Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787040">Consent surely has to be the basis on which consumers and businesses interact with each other.</ParaText>
              <ParaText id="4787041"> For anything from going to the local bowling alley, to applying for a mortgage, to signing up for a cellular phone, to choosing to post pictures on Facebook, yes, the vendors of these services must recognize and be aware of privacy expectations on behalf of their customers. Customers have to be able to consent, or not, to these services. I don't know how we get around this idea that consent must end up being the principal basis of these commercial relationships. </ParaText>
              <ParaText id="4787042">Go ahead, Mr. Karanicolas.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403045">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787043">I think consent is certainly a prerequisite, and I think you must have some form of consent within any system, but in a lot of the examples that you mention, consent is not the only thing that comes into play. There are also regulations and rules that govern these relationships.</ParaText>
              <ParaText id="4787044"> I think there are ways to boost the current model of consent through greater transparency—that's a big one—on what exactly is being done and also through presenting what's being done to users in a way that promotes engagement and accessibility. Again, that's the opposite of the way things are being done now, with terms of service that are overly legalistic and complicated. I also think there's room for centralized rules to be put in place about what can or can't be done, or particular models that should be followed.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403050">
            <PersonSpeaking>
              <Affiliation DbId="218278" Type="47">Mr. Pat Kelly</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787045"> Go ahead, Mr. Martin-Bariteau.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" id="9403052">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787046">I don’t think that we have a magic solution in the case of consent. Of course, it must remain at the base, but people also have to know what they are consenting to. There was a problem on the consumers' side and we know that the provinces have legislated in the matter.</ParaText>
              <ParaText id="4787047">Perhaps it would be wise for consumers to know that they are consenting to something to do with protecting and managing their personal information. This is because confidentiality notices actually go in the opposite direction, in the sense that they deal with all the ways in which confidentiality is lost.</ParaText>
              <ParaText id="4787048">In addition, clearer legislation would perhaps help small companies to manage this. Principles could be set, with policies then established to reflect them. For each principle in the legislation, there could be an explanation of how to comply with and adhere to it.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="45">(1645)</Timestamp>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403061">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787049">Thank you very much.</ParaText>
              <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
              <ParaText id="4787050">Mr. Dubourg, you have the floor for five minutes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403064">
            <PersonSpeaking>
              <Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg (Bourassa, Lib.)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787051">Thank you, Mr. Chair.</ParaText>
              <ParaText id="4787052">My thanks to the witnesses for joining us this afternoon.</ParaText>
              <ParaText id="4787053">Mr. Martin-Bariteau, my questions go to you.</ParaText>
              <ParaText id="4787054">In your brief you say this: “In terms of drafting, the act should remain conceived according to the principle of technological independence and be principles-based.”</ParaText>
              <ParaText id="4787055">The Privacy Commissioner has said that the act should be technologically neutral and based on principles. Given those comments, it looks like we are on the same wavelength.</ParaText>
              <ParaText id="4787056">However, you say that, compared to other federal legislation, there is no doubt that this act is one of the worst drafted, because it has, to an extent, been copied. That being the case, what do you suggest? How can we go about reworking it, rather than improving what we have now?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403075">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787057">In reality, it's only a small doctrinal debate. It means practically the same thing.</ParaText>
              <ParaText id="4787058">The idea that the legislation is based on principles is meant to allow greater flexibility, to set limits and, as Professor Scassa said earlier, to allow small and large companies, the mobile and health world to adapt.</ParaText>
              <ParaText id="4787059">The current act evokes great principles in some way, but not at the same time. To understand a principle, you need to read the text of the act in three different places. As with some laws, perhaps the idea would be to gut everything. It is a matter of trying to agree on what the main principles and the number should be. Then, after the mandatory sections in which the title is defined, the first principle can be described, then the second, the third and so on. Then it can be made very clear what the limits are and what the recourse of the users and the powers of the commissioner are.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403082">
            <PersonSpeaking>
              <Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787060">Is that how it's done in Europe?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403085">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787061">I would say yes, even though I don't have the regulations or the old directive in front of me. The suite of sections includes those on collection, communication and so on. It is also a question of this famous right to deletion—and not to be forgotten—which is something that may need to be clarified.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403089">
            <PersonSpeaking>
              <Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787062">Like Ms. Scassa, you agree to giving the commissioner more power. In terms of enforcement, you talked a lot about fines that should be imposed. However, you are also telling us that to avoid the appearance of a conflict of interest, fines should be payable to the Receiver General.</ParaText>
              <ParaText id="4787063">Could you expand on that?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403093">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787064">It is simply a matter of avoiding possible attacks by the private sector, which could claim that the commissioner would leave his role as an ombudsman to become a “sanctioner”. To increase his budget and his powers, he would apply greater sanctions.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403094">
            <PersonSpeaking>
              <Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787065">However, you agree that the commissioner would be the one to determine and enforce the penalties, but the budget would not be determined on that basis.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403095">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787066">Exactly.</ParaText>
              <ParaText id="4787067">His budget would be totally independent of the sanctions he would impose or not, and it would come back to the taxpayers, therefore to Canadians.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403101">
            <PersonSpeaking>
              <Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787068">Right.</ParaText>
              <ParaText id="4787069"> However, other organizations or other departments, even if they raise money, do not necessarily keep it. Take, for example, the Canada Revenue Agency.</ParaText>
              <ParaText id="4787070">Lastly, we are talking about the right to be forgotten. You said that it should not be used to manage the reputation of people. Earlier, you heard our colleagues talking about young people, for example, who post messages on Facebook or on other social media. In terms of reputation management, what are you telling us about that?</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="50">(1650)</Timestamp>
          <Intervention Type="Interjection" ToC="No" id="9403105">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787071">I think my way out would be to say that I do not think it would be PIPEDA that would deal with that, but that it's more about private relationships. Some provinces have established remedies. We have the Criminal Code, which provides for a criminal remedy. However, if it was put online and it was in the public interest—</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403108">
            <PersonSpeaking>
              <Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787072">On the other hand, we know that these organizations have algorithms, that they will take this information, that they will use it, and that they will then offer services. They want to sell products. That is the point raised. Do you not think that PIPEDA should continue to regulate all of this?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403112">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787073">Yes, in that case, but in the case of someone who is going to get a photograph and put it elsewhere, then I don't think that person is subject to PIPEDA anymore. There is more talk about the right to the image and civil liability, which is generally a matter of provincial jurisdiction.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403115">
            <PersonSpeaking>
              <Affiliation DbId="229567" Type="47">Mr. Emmanuel Dubourg</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787074">Okay. There's Ms. Scassa—</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403117">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787075"> We're actually well past the time, Mr. Dubourg.</ParaText>
              <ParaText id="4787076">Mr. Blaikie, for the last of the scheduled time here, please go ahead.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9403118">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787077">Thank you, Mr. Chair.</ParaText>
              <ParaText id="4787078">My next question is for Mr. Martin-Bariteau.</ParaText>
              <ParaText id="4787079">Obviously, there is an important economic link between Canada and the United States, and there is a real sharing of information. It may involve a transfer of information between Canadian companies and American companies. This is done even when we record data with a Canadian company, because the infrastructure we use then is in the United States. We know that American law does not give much protection to citizens of other countries.</ParaText>
              <ParaText id="4787080">Does our relationship as such, let alone the other deals with the United States, threaten our relationship with Europe and the judgment Europeans might pass on the protection of their personal data?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403127">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787081">That is an excellent question. I must admit that I haven't thought about it.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403129">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787082">Could you? Maybe not today, but I invite you to think about it a bit and give us your opinion at some point.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403131">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787083">It would be a pleasure.</ParaText>
              <ParaText id="4787084">Certainly the problem at the moment is that recent decisions of the new government have made this is an issue for Canadians. I can look at how this would affect an adequacy decision.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403136">
            <PersonSpeaking>
              <Affiliation DbId="219013" Type="40">Mr. Daniel Blaikie</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787085">Okay. Thank you very much.</ParaText>
              <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
              <ParaText id="4787086">I'd like to come back to the question of consent. I know we've tried this a couple of times. </ParaText>
              <ParaText id="4787087">One of the things I find as a layperson with respect to consent is that it would be nice to be able to divorce my consent for the use of my personal information from being able to use the service. You know, people can't decide to just not use computers anymore because they don't want to have that personal information shared, or they can't decide not to use a Microsoft product if they're in a work environment where often they're exchanging documents or whatever. In order to get into what have become essential tools for doing your job or even conducting your personal affairs, you can't read those terms of use and say you don't like those terms of use, so you're just not going to use that software, because then you can't actually accomplish the things you need to be able to accomplish, either in your personal life or in your professional life.</ParaText>
              <ParaText id="4787088">I could be wrong about this, but I think consenting to the extent of collection and then third party use of my personal data is often not really relevant to my using the service. Is there a legal way to try and divorce consent to the kind of widespread use of my personal information from what they would really need?</ParaText>
              <ParaText id="4787089">If you have an app like Foursquare, for instance, which uses your location, which is about where you are and about sharing that with other people, obviously collecting my location at that time, and doing that through my phone, is part of the app. With other software, however, you're often consenting to a broad statement about using your personal information that really has nothing to do with the use of that software. It's not integral to the operation of whatever service it is I'm trying to access.</ParaText>
              <ParaText id="4787090">Is there a way to try to carve that up that doesn't become overly cumbersome?</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="16" Mn="55">(1655)</Timestamp>
          <Intervention Type="Interjection" ToC="No" id="9403160">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787091"> The overly cumbersome part is the tricky thing. One of the challenges, of course, is that there are a lot of so-called free apps and free social media platforms and free services that are not free. The currency that you pay is your personal information. In that context, it does make it harder to draw a line between what is reasonably necessary, since they're the ones who are deciding what they need in order to make their business model stay afloat. I think that's another challenge as well. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403169">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787092">Thank you very much.</ParaText>
              <ParaText id="4787093">Colleagues, we're at the end of the official rounds of questioning. I know that some colleagues want to follow up with some questions. </ParaText>
              <ParaText id="4787094">Mr. Massé, I know that you would like to ask some questions, so I'll go to you right now.</ParaText>
              <ParaText id="4787095">If any of our witnesses have some things that they wished they'd said or that have come to mind, there will be an opportunity at the end to express those thoughts. </ParaText>
              <ParaText id="4787096">Mr. Massé.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9403173">
            <PersonSpeaking>
              <Affiliation DbId="216079" Type="47">Mr. Rémi Massé (Avignon—La Mitis—Matane—Matapédia, Lib.)</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787097">Thank you, Mr. Chair.</ParaText>
              <ParaText id="4787098">I would like to thank the witnesses for appearing before the committee and for taking part in its work. I know that you must have done a lot of work in order to meet with us. It's greatly appreciated.</ParaText>
              <ParaText id="4787099">Mr. Martin-Bariteau, earlier you referred to the term “technological independence”. I just want to make sure I properly understand the term. Is “technological independence” the same for you as “technological neutrality”? To you, it's the same concept. Is that correct?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403178">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787100">Yes, it's the same concept. It's just that, in my doctorate dissertation, I have just defended that we should instead speak of “independence” rather than “neutrality” because the word “neutrality” has two meanings.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403181">
            <PersonSpeaking>
              <Affiliation DbId="216079" Type="47">Mr. Rémi Massé</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787101">That's a good point.</ParaText>
              <ParaText id="4787102">In this context, what recommendations would you make to ensure that the Personal Information Protection and Electronics Documents Act, commonly referred to as PIPEDA, provides this technological independence?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403183">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787103">I think that on this point, aside from writing, this is currently the case. There are no rules specific to paper or the Internet.</ParaText>
              <ParaText id="4787104">You are going to propose amendments to the bill and Parliament will pass it. In the time it'll take for the legislation to come into force, technology will have advanced. If we think of artificial intelligence and robotics, for example, we don't know what tomorrow will bring. We only know the situation today. So it's preferable to always keep to this idea of principle. This will allow the law, once it's been properly drafted and not as it is currently worded, to be in force for many years and to adapt to all technological developments that we can't even imagine yet.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403192">
            <PersonSpeaking>
              <Affiliation DbId="216079" Type="47">Mr. Rémi Massé</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787105">Okay. Thank you.</ParaText>
              <ParaText id="4787106">On another point, the comments of all the witnesses obviously caught my attention.</ParaText>
              <ParaText id="4787107">Mr. Martin-Bariteau, in your remarks, you mentioned the right to be forgotten. You find that the proposition dreamed up and demanded by some is dangerous.</ParaText>
              <ParaText id="4787108">Could you tell us more about what led you to make such comments? You said that in a democracy, the archives have never been erased simply because they were disturbing, at least not legally. In your opinion, this is very dangerous ground. I'd like to hear more about that.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403202">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787109">This comes back to the idea of reputation management. For many people, when they propose a right to be forgotten, they want the right to be able to erase information that concerns them. For example, it can be disturbing press articles that talk about some things they have done in the past. An article might have appeared in the press last year and, later, they went to a job interview. They would like to be able to erase the information that is recorded.</ParaText>
              <ParaText id="4787110"> It's true that we are in a world today where it is increasingly difficult to forget. The Internet doesn't forget, nor does it forgive. People have never been allowed to go to <I>La Presse </I> or the daily newspaper <I>Le Devoir </I> to ask that articles be deleted. A person might say that, since an article is no longer agreeable, we will remove it from the archives and erase it from all the libraries. </ParaText>
              <ParaText id="4787111">I don't see why today, because it's facilitated by technology, we would allow actions like that, which would erase the memory.</ParaText>
              <ParaText id="4787112">However, as someone said earlier, there are a number of other cases of information gathering, which is the case in Globe24h.com. One of my colleagues insisted that this is perhaps the beginning of the right to forgot. When I read the court ruling, which is on pages 70 to 76 of the judgment, I think that the problem is that the collection of information is in violation of the act and is being used for illegal purposes. In this case, it was to extort people by telling them that we would delete data in exchange for money. This is not reputation management. These are just attempts at fraud.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="17" Mn="00">(1700)</Timestamp>
          <Intervention Type="" ToC="No" ToCText="" id="9403223">
            <PersonSpeaking>
              <Affiliation DbId="216079" Type="47">Mr. Rémi Massé</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787113"> Thank you.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403229">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787114">Mr. Dubourg, did you want to follow up? No.</ParaText>
              <ParaText id="4787115">Go ahead, Mr. Saini.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403232">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787116">I have a very quick question for Ms. Scassa. </ParaText>
              <ParaText id="4787117">My good friend Wayne Long asked a question about kids when it comes to privacy. I just wanted to ask your advice on one issue. In the United States a minor is determined to be the age of 13. That regime is undertaken by the FTC. Under the new GDPR regulations that have come out, the age will be 16. In Canada we don't have an age parameter. Apparently the Privacy Act covers all ages. </ParaText>
              <ParaText id="4787118">I'm wondering if you think that's important for two reasons: one, to have a benchmark where websites can have some control in terms of who they're dealing with; and two, when it comes to the right to be forgotten, to make it easier for people under that age as compared to an adult. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403236">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787119">As a parent of teenagers, I'm all in favour of the higher level of 16, simply because I think there's an educational function to be played there as well. It's not simply a question of strictly consent. It's a question of ensuring that kids under that age are given more opportunities to reflect on what they're doing, what they're consenting to, and what they understand about information collection. There really is an educational role to be played there.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403239">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787120">So it's 16, then?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403240">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787121">As a parent of teenagers, I'd kind of go with 25—</ParaText>
              <ParaText id="4787122">
                <B>Voices:</B> Oh, oh!</ParaText>
              <ParaText id="4787123">
                <B>Prof. Teresa Scassa:</B> —but 16 I could live with, yes. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403241">
            <PersonSpeaking>
              <Affiliation DbId="216078" Type="47">Mr. Raj Saini</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787124">Thank you.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403242">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787125">Mr. Massé, and then we'll have a quick question from Mr. Bratina.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="" ToC="No" ToCText="" id="9403243">
            <PersonSpeaking>
              <Affiliation DbId="216079" Type="47">Mr. Rémi Massé</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787126">Thank you, Mr. Chair.</ParaText>
              <ParaText id="4787127">I forgot to ask you something earlier, Mr. Martin-Bariteau.</ParaText>
              <ParaText id="4787128">In your conclusion, you referred to a short bilingual document containing examples and recommendations, and you didn't have time to finish your remarks. We would be very interested in having you send us this document and your recommendations.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403984">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787129">I would be pleased to.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403245">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787130">Thank you very much.</ParaText>
              <ParaText id="4787131">Mr. Bratina.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403246">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787132">Thank you.</ParaText>
              <ParaText id="4787133">Mr. Karanicolas, you focus in your work on digital rights and freedom of expression online. With regard to journalism and personal information protection as it relates to journalists and fake news—we hear all about that right now—much of that is just distributed electronically. What responsibility do you think news outlets should have in receiving, publishing, or broadcasting information that is received through, let's say, digital means? </ParaText>
              <ParaText id="4787134">I guess the only way I can focus this on our conversation is to ask whether the public should have a right to access the sources used by the news media to publish or to put their news on air.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403248">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787135">Journalists' source protection is a very important principle of freedom of expression and needs to be protected. We're moving away from PIPEDA here, but I think the law is not as strong in Canada as it should be. It's a cardinal rule that needs to be safeguarded that journalists don't need to divulge their sources.</ParaText>
              <ParaText id="4787136">On the issue of fake news, as soon as the issue started to come out, I think a lot of freedom of expression people were unhappy because they saw the direction in which this conversation was going to go. There's a strong need for initiatives to promote savvy readership and to promote responsible journalism, but the term “fake news” is very often abused by governments around the world to try to prohibit opinions that they don't agree with. As soon as the door to that conversation started, I think a lot of people were very upset, and I think that's the direction that the conversation globally is unfortunately heading in. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403255">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787137">Thanks. I just wanted to hear your opinion on that. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403257">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787138">I'm not terribly sure about the germaneness to the study, but it's important. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="" ToC="No" ToCText="" id="9403258">
            <PersonSpeaking>
              <Affiliation DbId="216083" Type="47">Mr. Bob Bratina</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787139">I'll get to it, if you give me another hour. </ParaText>
              <ParaText id="4787140">
                <B>Voices:</B> Oh, oh!</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403259">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787141">Colleagues, if you'll just indulge me for a quick second, I have a question for the witnesses.</ParaText>
              <ParaText id="4787142"> Notwithstanding the fact that the data garnered by malware, spyware, bots, and so on is covered under different Canadian legislation, that information can sometimes be melded and merged with information that's legitimately garnered through something like the people who follow PIPEDA. Given the fluidity of data, the World Wide Web, and the fact that it's uncertain exactly where the data is actually stored—we have distributed storage around the world, distributed processing around the world, and so on—how important is the harmonious nature of our legislative and regulatory environment when it comes to the protection of information in order to ensure that we get the right balance between protecting people's personal information and not chasing away tech companies in Canada that might be investing, researching, and doing innovative things with the use of data? How do we make sure we get that balance right? </ParaText>
              <ParaText id="4787143">I'll just leave that out there for whoever wants to go first. </ParaText>
              <ParaText id="4787144">Seeing none, I'll pick Mr. Karanicolas.</ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="17" Mn="05">(1705)</Timestamp>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403264">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787145"> In terms of harmonizing rules and considering how rules are done in different places, it's tremendously important but also tremendously difficult. Ideas about privacy and the appropriate limits of the private sphere, as well as how your personal information should be handled, vary tremendously from place to place, so it's very difficult to come up with a common standard on issues like privacy or data protection. </ParaText>
              <ParaText id="4787146">I do think, though, that you hit on something that I absolutely agree with, which is that the opacity of these data flows is a huge problem. Rather than focusing on the location where information is specifically being stored, to me it's the identity of the players that is a bigger concern and the fact that you can make an agreement with Google or Facebook and you can read their terms of service—difficult to understand as they are, at least you have it in front of you—and then Google or Facebook can pass your information on to a third party data broker and from there it's just a black box. </ParaText>
              <ParaText id="4787147">There is a huge need for transparency on where this information is going after it's been collected by the person you're contracting it with, and generally more information about how information is being processed behind the scenes.</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403271">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787148">I agree with that. Transparency at that level is going to be an enormous issue.</ParaText>
              <ParaText id="4787149">I do think that data protection is becoming interdisciplinary as well. Just to use the example of the data portability right, which is something in the new European directive, we were discussing this earlier today and my view is that it is competition law, not really data protection law. It doesn't really matter, necessarily, in terms of the overall regulation of the environment but I do think we are in a context in which there is a lot of overlap now. I see some big data issues as human rights issues or anti-discrimination issues, and then some of them are consumer protection issues. </ParaText>
              <ParaText id="4787150">We currently have traditionally dealt with different issues under different statutes in different departments of government. There is increasing convergence in terms of the relevance of those provisions to data protection, or perhaps data protection to the relevance of those sorts of issues as well. So I think this is a challenge, too. I definitely would agree with that. </ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="FR">[<I>Translation</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" id="9403282">
            <PersonSpeaking>
              <Affiliation DbId="229983" Type="28">Prof. Florian Martin-Bariteau</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787151">I agree with what was said.</ParaText>
            </Content>
          </Intervention>
          <FloorLanguage language="EN">[<I>English</I>]</FloorLanguage>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403283">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787152">Okay.</ParaText>
              <ParaText id="4787153">Subsequent to that, in previous experiences on this committee and in my previous role as a database administrator, my issues with data are a bit technical, but there is a whole debate around deletion and deactivation, which are different things completely. We haven't had a very good discussion about deletion versus deactivation.</ParaText>
              <ParaText id="4787154">The other thing I think we need to flesh out a little bit more on the committee is the language, the simplicity of the language and the layman's use of the language when it comes to agreements or terms of agreement when we sign on for something, because the currency, as you say, in most cases is actually the data that's provided and the personal information that's provided when we log on and use a free app, for example, or even a paid app. </ParaText>
              <ParaText id="4787155">I know there are a lot of questions. Nobody that I know of, and I'm a computer geek of sorts, reads the end user licence agreements that are 65 pages long and full of legalese. I'm wondering if you have any recommendations for this committee in terms of simplifying that for the consumer. </ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" id="9403288">
            <PersonSpeaking>
              <Affiliation DbId="223968" Type="28">Prof. Teresa Scassa</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787156">Michael, do you want to start?</ParaText>
            </Content>
          </Intervention>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403289">
            <PersonSpeaking>
              <Affiliation DbId="226632" Type="28">Mr. Michael Karanicolas</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787157">In terms of the rights of the consumer in terms of deletion and understanding, again, transparency plays an important role at the outset. Users should be able to understand what information about them companies are holding, and then requesting that the deletion is of that information, or the removal of that information when they leave the service, or the correction of that information, are important aspects to pursue.</ParaText>
              <ParaText id="4787158">In terms of simplifying terms of service, there is a fundamental challenge, which is that these terms need to be legally binding. They're drafted by lawyers, and they need to be specific and they need to be written in a particular kind of language. The avenue that we support is generally providing simplified terms of service that go alongside the actual legal terms of service in order to explain things. I think that can be done. There are initiatives that have explored ways to explain what's being done in clear English that have had significant success. </ParaText>
              <ParaText id="4787159">There is a role for the OPC in terms of promoting model terms of service, which I think can be done. You can draft a standardized agreement that can be adapted to different contexts and I think that's an issue that should be pursued. </ParaText>
            </Content>
          </Intervention>
          <Timestamp Hr="17" Mn="10">(1710)</Timestamp>
          <Intervention Type="Interjection" ToC="No" ToCText="" id="9403300">
            <PersonSpeaking>
              <Affiliation DbId="219011" Type="35">The Chair</Affiliation>: </PersonSpeaking>
            <Content>
              <ParaText id="4787160">Thank you very much. </ParaText>
              <ParaText id="4787161">Thank you to my colleagues. I'm not going to adjourn the meeting right now. I'm going to suspend the meeting and go in camera because we have a small matter we need to discuss. </ParaText>
              <ParaText id="4787162">At this point in time I'll excuse our witnesses. Thank you very much for your assistance as we continue our deliberations on PIPEDA. We know we can count on your expertise again in the future should the committee need it. </ParaText>
              <ParaText id="4787163">Colleagues, we're going to suspend for a few moments and we'll come back in camera. </ParaText>
              <ParaText id="4787164">[<I>Proceedings continue in camera</I>]</ParaText>
            </Content>
          </Intervention>
        </SubjectOfBusinessContent>
      </SubjectOfBusiness>
    </OrderOfBusiness>
  </HansardBody>
</Hansard>