Good afternoon, colleagues.
I notice that while not everyone is at the table, everyone appears to be in the room. We'll get going, because I have a couple of public service announcements before we hear from our witnesses.
Colleagues, I'm sure you're aware of this, but in case you're not, I'll do a friendly reminder. Karen Shepherd, the outgoing Lobbying Commissioner, is having a farewell reception today. If you get an opportunity, it's at the Mill Street Brew Pub on Wellington Street, just down by the bridge, if I remember correctly. It goes from 3:30 until 7 tonight. I'll do my best to make my way over there on behalf of the committee, but if other committee members wish to go, I think that would be more than appropriate.
Colleagues, we have a very distinguished panel of witnesses today, all appearing by video conference. From the Office of the Information and Privacy Commissioner for British Columbia, we have Mr. Drew McArthur, the acting commissioner. We welcome you. Also from that office, we have Michael McEvoy, the deputy commissioner. From the Office of the Information and Privacy Commissioner of Alberta, we have again, Jill Clayton, who has appeared before the committee several times. She has some assistance there, as well. Finally, from the Commission d'accès à l'information du Québec, we have Cynthia Chassigneux, the administrative judge, who is appearing by video conference as well.
We'll have 10 minutes of opening remarks by each group. That will take up about the first 30 minutes. Then we'll proceed to our questioning.
Keep in mind, colleagues, that with PIPEDA, this is about the private sector. If we can focus on that in our questioning, we'll have a great discussion.
Who's going first, Mr. McArthur or Mr. McEvoy?
Thank you very much, Mr. Chair, for inviting us here to review the Personal Information Protection and Electronic Documents Act, or PIPEDA.
British Columbia's private sector privacy law is the Personal Information Protection Act, which I will call the “B.C. act”. As acting commissioner, I oversee how it is applied to over 380,000 private sector organizations, including businesses, charities, associations, trade unions, and political parties. The B.C. act is substantially similar to PIPEDA.
I will address in turn the items raised in the federal Privacy Commissioner's letter to this committee.
First, meaningful consent is a key aspect of PIPEDA and in privacy laws around the world, including the B.C. act. Although these acts were designed to be neutral with respect to technology, we are now seeing challenges to that neutrality with big data. There are concerns that some organizations are somewhat vague in their description of the purposes for which they use personal information.
To provide consumers with a better understanding of how their personal information is being used, organizations need to include clarity of purpose in the use of personal information for data analytics in their notifications to consumers. We believe this can be done within the existing consent-based model. Still, big data analytics represent a potential for both positive and negative outcomes to individuals.
Many of Canada's privacy commissioners and a group of Canadian organizations have been working with the International Accountability Foundation to examine the use of ethical frameworks in addition to existing privacy frameworks in the processing of personal data. These can be very complex and challenging issues. In practice, my office has not seen a situation where consent could not be obtained to enable a valid use of information. Granted, organizations could improve on how they describe their data processing activities in their privacy policies and use cases. Some suggest that organizations should be explicitly authorized to de-identify data so that they may then conduct data analysis without needing to obtain the consent of the individual. This approach would authorize data analytics on information that was already collected but not collected for that purpose.
My concern with this approach is that it is becoming easier and easier to reidentify data, using increasingly sophisticated algorithms. It may be that in a number of years, these reidentification techniques will be so effective that any previously de-identified information will be able to be reidentified.
Some jurisdictions are addressing this problem through legislation that allows processing of de-identified personal information while mitigating against the risk of misuse. Australia is now considering a bill that would make reidentification an offence, with intentional reidentification subject to a criminal offence with up to two years of imprisonment or a fine.
Recent amendments to Japan's Act on the Protection of Personal Information contain requirements for secure processing of de-identified information, including that reidentified information must be processed in a manner such that it cannot be reidentified and it must be handled securely, even though the information is de-identified.
Turning now to privacy and reputation, today personal information that is online or stored in databases has a permanence and availability that did not exist prior to the emergence of digital technologies. The ready availability of this information can, at times, have significant impact on people's lives, for better or for worse.
There are limited tools available to have personal information removed or corrected in the B.C. act, as in PIPEDA. An individual has a right to withdraw consent, but this is subject to exceptions, such as where withdrawing consent would frustrate a legal obligation. An individual also has a right to request correction of their personal information. However, these are not comprehensive tools if someone wants to eliminate their digital footprint, in whole or in part.
While the B.C. act and PIPEDA can provide some redress where incorrect personal information is being disclosed online, there is also the potential for the disclosure of truthful information to cause harm. This is where the right to be forgotten, the right to erasure that exists in Europe, is useful to individuals who have experienced damaging effects to their reputation owing to information that is online.
While I can see the potential benefit of creating such a right in Canada, as others have observed, it remains to be seen how a right to be forgotten could exist within our legal system alongside the right to freedom of expression. We are seeing many unanticipated consequences of the implementation of the right to be forgotten, so it is a concept that must be approached carefully.
One of these issues is the ability of governments to undertake censorship, and another is that the right to be forgotten is being administered currently by private sector organizations.
On enforcement powers, personal information has become integral to the business model of a number of companies. In this context, order-making power is essential to any privacy commissioner. I believe order-making powers need to be used effectively and judiciously. Allow me to describe how they are used in my office.
Relationships with organizations and public bodies are critical to providing effective oversight over B.C. privacy laws, and order-making powers may, indeed, encourage organizations to work with my office. More than 90% of the complaints to my office are resolved at mediation. My investigators have expert knowledge on B.C.'s privacy laws and work to help parties understand their respective rights and responsibilities. At mediation the parties are aware that, if a resolution is not reached, the matter may go to adjudication, resulting in an order. This encourages the parties to work with us at mediation to find a resolution. Orders from my office require that organizations bring themselves into compliance with B.C.'s private sector privacy law.
The act sets out the kinds of things I may do; for example, to require that a duty be performed under the B.C. act, and I have the authority to specify any terms and conditions for fulfilling that duty.
On the matter of adequacy, now that Europe's general data protection regulation has passed, ensuring that Canada's privacy laws also provide an adequate level of protection will assist businesses that rely upon personal information flows from Europe to Canada. The GDPR says that an adequacy determination can be made where a country or territory offers levels of protection that are essentially equivalent to those within the European Union. Note that an adequacy finding can be made for a territory; so interestingly, a provincial privacy law could be found to be adequate for transfers, even if PIPEDA is not. Essential equivalency is the bar, so there is some work to be done if adequacy is to be maintained.
I've already mentioned the right to erasure. Here are two other areas for consideration.
Parliament has already addressed breach notification under PIPEDA. In B.C., my office recommended mandatory breach notification for both the private and public sectors in the recent legislative review of B.C.'s privacy laws, and the provincial government has committed to doing so.
In Europe, failure to notify can be subject to administrative fines of up to 10 million euros, or 2% of a company's total worldwide annual turnover, whichever is higher. In other areas, fines may be as high as up to 20 million euros, or 4% of annual turnover, whichever is higher. In B.C. and Canada, our fines do not keep up with these standards.
Before I wrap up, I want to comment on one additional area. In response to the Spencer decision by the Supreme Court, law enforcement agencies have indicated that they want warrantless access to online subscriber information. A change like this in PIPEDA would not be consistent with the reasonable expectations of Canadians. Warrants are already available for circumstances that require them, and judicial oversight is critical to public confidence in how personal information is released or disclosed.
Thank you very much, and I'd be happy to respond to questions at the appropriate time.
Thank you, Mr. Chair and committee members, for the invitation to speak to you today as you review the Personal Information Protection and Electronic Documents Act. Here in Alberta, we call it “PIPEEDA” as opposed to “PIPEDA”, as Drew just referred to it. With me are Sharon Ashmore, who is general counsel with my office, and Kim Kreutzer Work, who is the director of knowledge management.
I thought I would start my comments today by speaking briefly about Alberta's Personal Information Protection Act, or PIPA, and then in a very similar way to Drew's presentation, I will provide some brief comments on the four topics that I understand you're interested in. I'll speak about PIPEDA's adequacy vis-à-vis the European Union enforcement powers, and in particular my ability to order compliance, as well as meaningful consent and privacy and reputation. Then, of course, I would be happy to address any questions you might have.
To begin, Alberta's Personal Information Protection Act, or PIPA, came into force on January 1, 2004. The act balances the privacy interest of Albertans with the need of organizations to collect, use, and disclose personal information of their customers, clients, employees, and volunteers for reasonable purposes. PIPA has been declared substantially similar to PIPEDA, which means that in Alberta it is PIPA, and not PIPEDA, that generally covers provincially regulated private sector organizations and businesses.
My role is to provide oversight for the act. I have a number of powers and responsibilities under the legislation to ensure that its purposes are achieved. So far, PIPA has undergone two reviews by all-party committees of the Alberta legislature. This in fact is built into the legislation and is a statutory requirement.
The first review took place in 2006-07 and led to several amendments, most notably, mandatory breach reporting and notification requirements, which came into effect in May of 2010. Alberta became the first private sector jurisdiction in Canada to have mandatory breach reporting and notification, and we have since become the model for many other jurisdictions that are contemplating similar amendments.
I think I'll mention that since 2010 we have seen close to 750 breach reports under PIPA and have issued close to 600 notification decisions. So far, we've found that in approximately 56% of those cases there was a real risk of significant harm, in which case I required the organization to notify affected individuals.
The second review of PIPA was more recent and concluded at the end of 2016. During one of my appearances before that review committee, I spoke about the importance of global considerations when considering amendments to Alberta's legislation. I believe those comments are relevant here again in regard to PIPEDA's adequacy status vis-à-vis the European Union.
When it comes into force, the European Union's general data protection regulation, or GDPR, will make privacy law across Europe stricter and will enhance the protection for Europeans' personal information in such areas as consent, accountability, privacy management frameworks, breach notification, and privacy impact assessments. In a global economy where Canadian and Alberta businesses are participants, and where private sector privacy law needs to be adequate and substantially similar, the effect of the GDPR must be considered in any discussion about amendments to our legislation governing the collection, use, and disclosure of personal information.
I'm not necessarily suggesting that PIPEDA or, by extension, PIPA will be deemed to be inadequate, but I am suggesting that there's a need to be mindful of global and national considerations when we're contemplating amendments, to ensure that they don't weaken the legislation and that they are not out of step with global and national considerations. I think it's important to remember that although legislative requirements and regulations may sometimes seem to be burdensome, they also help to provide the public and businesses and their service partners with stability and reassurance, both of which are necessary to win customers and to facilitate business and information sharing.
Going on to enforcement powers, I'm able to issue orders under all three of the acts for which I provide oversight: our public sector's Freedom of Information and Protection of Privacy Act and our health sector's Health Information Act, as well as PIPA.
Order-making power does not preclude my office from resolving cases by an informal mediation process rather than going through the formal inquiry process. In fact, in most cases when we receive a request for review or a complaint, we investigate and attempt to mediate and resolve that matter informally. It's only when findings and recommendations are not accepted that the matter may proceed to inquiry. In 2015-16, approximately 80% of our cases under PIPA were resolved through that mediation process as opposed to inquiry, and since 2004 we have issued 134 PIPA orders.
In most cases organizations comply with orders. In the very odd case where an organization does not, I can file the order in the Court of Queen's Bench, at which time it becomes enforceable as a judgment of that court. I have had occasion to file orders twice in the last year. In one of those cases it was under the Health Information Act and not PIPA, and in the other case, it had to do with ensuring compliance with a breach notification decision I had issued under PIPA. In both cases, after filing with the court, the matters were resolved before the court heard the cases. In those examples, order-making power was extremely valuable in obtaining compliance.
Moving on to meaningful consent, I will first note that in Alberta, we talk about PIPA as being consent-based legislation, and generally, I think it works well. Requiring organizations to obtain the consent of an individual before collecting personal information and to provide notice of the purpose for collection helps to ensure that individuals are able to make informed decisions and exert some measure of control over their personal information.
However, I am aware of ongoing discussions in certain forums that suggest that a consent-based framework is not always adequate. I seldom hear that consent and notice should be done away with entirely, but there does seem to be concern that in this age of big data, predictive analytics, and complex information systems, consent and notice may not be adequate in all cases and may stifle innovation as well as initiatives that are in the public interest.
I've certainly participated in a number of these conversations where we've tried to define the problem, if there is a problem, and to identify and consider some proposed solutions. In those discussions, I often make reference to Alberta's Health Information Act, for example, which is not consent-based but based on a circle-of-care idea, the concept of legislated acceptable uses. We also make reference to the personal information code under Alberta's PIPA, which again recognizes that consent in an employer-employee relationship might not work, and so consent is not required for collecting certain information. We also look to the Health Information Act for the framework around research and research ethics boards. As Drew mentioned earlier, there are commissioners in the country who are interested in some of the projects, notably the Information Accountability Foundation, and a project on developing an ethical assessment framework for certain big data initiatives.
In any event, I believe any solution to the problem, if there is a problem in this area, would involve a mix of legislative, regulatory, and voluntary options, and I certainly support discussion of these issues, including consultations such as the exercise the federal Privacy Commissioner recently undertook.
Finally, I have a few words to say on privacy and reputation. This topic has seen a lot of attention in recent times, particularly around the idea of a right to be forgotten, and whether such a thing exists in Canada or not, and if it does, how it might be enforced in today's global world.
I mentioned this in the trends and issues section of my 2014-15 annual report and said that this was a topic we should be watching over the next couple of years. In particular, we've seen cases like the May 2014 case in the Court of Justice of the European Union; the recent case involving Globe24h at Canada's Federal Court involving information posted on a Romanian website; and a pending decision from the Supreme Court of Canada in Google v. Equustek Solutions. I think that brings home the fact that these are live issues.
Of note, these cases highlight questions of jurisdiction and legal boundaries and the ability to compel compliance; privacy versus freedom of expression; transparency for public figures such as politicians; and the technical challenges and costs for global companies. These are all complicated issues, but they have found their way to my office, as we have seen a recent uptick in the number of right-to-be-forgotten-type cases in the office. We had previously seen about half a dozen of them over the first seven or eight years of the legislation, but I think we have half a dozen in the office right now. They tend to be focused on such issues as websites publishing personal information collected from some source other than the individual whom the information is about. There are also sometimes complaints around decision-making bodies, including personal information, in their published decisions.
As there are a number of live matters in my office at the moment, I'm not going to get into too many specifics. We will be issuing decisions in some of these cases. It is worth noting that these discussions have made their way from other countries, contexts, and the courts to real complaints made by real individuals that are currently in my office.
On that note, I will leave my comments there. I'd be happy to respond to any questions.
Mr. Chair and members of the committee, thank you for inviting the Commission d'accès à l'information du Québec to participate in the study on the Personal Information Protection and Electronic Documents Act.
This invitation gives me the opportunity to briefly describe the legislation applicable to Quebec in terms of personal information protection in the private sector, as well as the role of the commission and its latest five-year report.
Before examining the Act respecting the protection of personal information in the private sector, which came into force on January 1, 1994, I should point out that, by adopting this act, Quebec became the first Canadian province and the first government in North America to regulate personal information protection in both the private and public sectors. The public sector is subject to the Act respecting Access to documents held by public bodies and the Protection of personal information.
With that clarification, I should mention that the Act respecting the protection of personal information in the private sector applies to all the businesses that, in Quebec, carry on an economic activity of a commercial nature. It regulates the collection, use, disclosure within and outside the province, and the security of the personal information a company has. To that end, it sets out a number of principles in relation to consent, prior information of the individuals in question or even the reason why the personal information is collected, used or disclosed.
It also governs the right of a person to have access to or to correct their personal information held by a company. If rejected, the person in question may submit a request for the disagreement to be reviewed by the commission's adjudicative division. The Act respecting the protection of personal information in the private sector also sets out the duties and powers of the commission in audits and investigations carried out by its oversight division.
Before I describe the commission's role, I should say that the Act respecting the protection of personal information in the private sector, just like the Act respecting Access to documents held by public bodies and the Protection of personal information, overrides any other piece of legislation applicable in Quebec.
This demonstrates the legislator's intent to highlight the paramount importance of the rights given to the individuals in question and the obligations provided for both public bodies and private companies in terms of the protection of personal information.
I will now say a few words about the commission, which was established in 1982.
The commission has two divisions: an adjudicative division and an oversight division, of which I am a member.
The commission's adjudicative division acts as an administrative tribunal and reviews requests filed by those whose access to or correction of their personal information has been denied. The members assigned to the adjudicative division generally sit in at hearings, during which the parties involved have the opportunity to make their case.
After hearing from the parties, the commission may decide on any question of fact or of law and make any appropriate order to safeguard the rights of the parties. The decision rendered by the commission is public. The decision is binding 30 days after the parties have received it and it is subject to a right of appeal provided to the Court of Quebec on a question of law or jurisdiction only. When a decision becomes binding, it can be submitted to the Superior Court. It then has the same force and effect as if it were a ruling rendered by that court.
Under its oversight functions, the commission is responsible for promoting access to the documents and the protection of personal information. It also ensures that the legislation is applied in those matters. To do so, it can carry out audits and investigations into potentially problematic situations brought to its attention, in order to ensure that public bodies and private enterprises comply with the legal provisions.
The commission may make recommendations and compliance orders upon completion of its investigations, which are carried out in a non-adversarial way. The orders made by the commission may, under the Act respecting the protection of personal information in the private sector, be submitted to the Superior Court for registration. Furthermore, if an order is not complied with, the commission may, in the case of enterprises, release a notice to inform the public. It may also initiate criminal proceedings.
Now, allow me to quickly go over some of the points raised in the commission's 2016 five-year report. In fact, the commission must report to the government every five years on the application of the act respecting access to documents held by public bodies and the protection of personal information and the Act respecting the protection of personal information in the private sector. In the report, it makes recommendations to improve the government's transparency and the protection of personal information in Quebec. The report, tabled in the National Assembly, may lead to legislative amendments.
In its last report, just like in the previous one, the commission stressed the need to strengthen the protection of personal information in both the public and private sectors, especially since the Act respecting the protection of personal information in the private sector has not undergone any significant amendments since it was passed more than 20 years ago.
Among other things, it calls on the government to amend the Act respecting the protection of personal information in the private sector in order to include an obligation for corporate responsibility and to provide for the designation of a person responsible for access and the protection of personal information. This amendment would help to develop a corporate culture that protects personal information, to ensure more transparency and to increase public confidence.
It also calls on the legislator to update the concepts inherent to the protection of personal information in the private sector. Actually, for a number of years, the commission has noted, particularly because of the proliferation of electronic platforms, that some of the concepts under the Act respecting the protection of personal information in the private sector no longer fit, or correspond with limited effectiveness, to the new business models that result.
A number of those models, whether free or paid, are fed by information gathered here and there, from users or without their knowledge. Because of the emergence of those new business models, we often hear that personal information has become the petroleum of the 21st century, that it is worth a fortune, or that it is the lungs of the digital economy.
So, in order for the Act respecting the protection of personal information in the private sector to be fully applied to those new business models and to restore user confidence, in its five-year report, the commission calls on the legislator to revisit some of the concepts set out in the act. For instance, these include the concepts of a file, of the disclosure of information or of consent.
In terms of the concept of a file, I should first specify that a number of the obligations under the Act respecting the protection of personal information in the private sector are related to that notion. Right now, the legislation imposes obligations on businesses that create or keep a file for an individual. However, the fact is that more and more companies gather images, identification, use and location data, creating profiles to analyze the behaviours of users in order to improve the goods and services provided online or to attract their attention with targeted advertising.
Those companies gather information likely to identify an individual often without their knowledge and without necessarily establishing a contractual relationship. Although those companies hold personal information, they don't always keep it in a “file” with the person's name on it. So, although the concept of a file is sufficiently comprehensive to be interpreted broadly and to apply to electronic environments, the examples described above have prompted the commission to propose that the term “file” be replaced with the “purpose of the collection”, a principle underlying a number of personal information protection systems. As a result, corporate obligations would be linked to the initial reason for the collection of personal information.
As for the obligation of disclosure to the person in question when personal information is collected, the commission notes that it is one of the obligations that are met the least in the Act respecting the protection of personal information in the private sector. However, the protection of personal information is a shared responsibility. How can people assess how their personal information is protected by businesses and determine whether they are trustworthy, if they are not even informed, at a minimum, of the nature of the information the enterprise has and the subsequent use?
That is why, just like in the previous report, the commission has called on the legislator to amend the Act respecting the protection of personal information in the private sector, in order to specify when the information must be given to the person in question, to include the obligation to disclose the personal information collected and how it was collected. The commission also stresses the importance of the information being clear, intelligible and accessible, regardless of the platform used to collect the personal information.
In terms of consent, it must be noted that consent is the driving force behind the protection of personal information. In principle, it allows users to control what companies can and cannot do with their personal information. That's only in principle, because the notion of consent is increasingly criticized and considered inadequate in some contexts.
This raises the question of how to give consent its true meaning back. How can it be ensured that it truly means that individuals have agreed to a company managing and using their personal information, giving them real choice in the matter, rather than an opaque legal text created to limit the responsibility of companies to obtain an all-encompassing and irreversible “I agree”?
Therefore, although the Act respecting the protection of personal information in the private sector states that the consent must be manifest, free, and enlightened, and given for specific purposes and that it is valid only for the length of time needed to achieve the purposes for which it was requested, the commission notes that the scope of the criteria for consent is not well understood by enterprises. It therefore feels that clarifications about the obligations of enterprises under each of the criteria for consent should be included in the Act respecting the protection of personal information in the private sector. It also believes that the legislator should indicate that consent may be withdrawn at any time subject to restrictions under the act.
In closing, I must clarify that the commission does not claim to think those amendments will provide a solution to all the current consent-related issues. It believes that discussions must continue and that other avenues must be explored. To that end, in its five-year report, the commission stresses the importance of considering the amendments made to European legislation on the protection of personal information.
Mr. Chair, thank you. I will be pleased to answer any questions you and the other members of the committee may have.
I certainly think some of the reasons there is interest in this issue have to do with the explosion or proliferation of technology and social media. You can't pick up the papers without hearing about sexting, cyber-bullying, or information that has been posted that you can never get rid of, but is out there. I think some of that contributes to public awareness: the Internet generally, social media sites, and the amount of information that is out there.
Of course, what has gone along with that is the rise of some of websites in particular. In the office we've seen examples of websites where ex-girlfriends or ex-boyfriends can post information about somebody, and it doesn't necessarily have to be accurate, but it's out there, and they're concerned that it's out there. They're concerned that it will be out there forever and that they will never be able to get rid of it. They're concerned that it will affect their ability to hold a job or get a job, so I think there can be real ramifications.
What is the balance? I mentioned in my opening comments some of the concerns around privacy and freedom of expression. We had a matter under Alberta's PIPA that went to the Supreme Court that was balancing just that. The court found in favour of freedom of expression with respect some political information that a union might post. I think all of these issues in this conversation, this technology, and use of social media sites are pushing discussion about it. So I think we will have to be talking about and dealing with them. Court decisions are also furthering that conversation.
As for finding the balance, I think there is a really important role that regulators have to play, that I, as a regulator, have to play, and that the rest of us who are appearing before you today have to play, as information and privacy commissioners, in being able to balance that. Frequently, under freedom of information legislation—which is access to information and protection of privacy legislation—we are trying to balance privacy with the public interest and the right to access information.
There is often a tension that needs to be resolved. I think we have some experience in that as information and privacy regulators. I often don't hear that as part of the conversation around the right to be forgotten. It's often more of a question of whether there are charter issues and how the courts will resolve this, but I do think that there's potentially a role for information and privacy commissioners.
Does that answer your question?