Thank you very much, Mr. Chair.
Good afternoon everyone.
I'm honoured to be invited here. Being a retired person, I don't have a formal presentation, so I hope you will bear with me. There are some handouts, which are notes on which I based my remarks.
I've read the transcripts with great interest. You have a variety of opinions of some very expert people. I'm going to focus, in my short presentation, on areas in which I think I have more experience. I'm going to divide my remarks in a chronological fashion, that is, dealing with what's coming up, what is already extant, and what has already been suggested to you.
I'll start then with the future, the challenges for PIPEDA. You will not be surprised that I'm going to single out the effects of the general data protection regulation of the European Union. I have spent part of my retirement working with some other people on a scholarly article on the administration of the adequacy principle, so it's more recent than some other issues to my mind.
You will have already heard that there's a more rigorous test than the one that PIPEDA went through in the past: effectively equivalent. The problem is that there are no real specifics. The more serious problem is that in the European Union, in the study I made of all the adequacy decisions that had been made and the ones that had not been made for which analyses had been done, there is a very checkered history of evaluation of countries' personal information protection frameworks.
You should also realize that there's a huge amount of pressure within the European Union post-Snowden both from activists and political parties to be rigorous in imposing European standards on the rest of the world.
In looking at what PIPEDA may need for the future, I would say it's best to aim high and to remember that it also applies to the European standards, that is, the public sector use of personal information as well. There is an overlap to my mind in EU law between the right of erasure or correction, which is already in PIPEDA, and the right to be forgotten. Several of the people who have appeared here have said that they don't know whether the right to be forgotten exists in Canadian law.
It actually has existed in Quebec law, and as we are a bi-juridical country, it exists in Canadian law and has for quite a long time. I heard about the right to be forgotten when I was in law school, and I graduated in 1980 so that's a long time ago. There is jurisprudence on the right to be forgotten, and I encourage the committee to take notice of this.
I would encourage you to distinguish, as not all of your witnesses have, between the right to be forgotten, which has been interpreted so far in the European Union as the right to delink information in search engines, and an act of destruction of original information. I don't think anybody I've heard is talking about this, but it seems to be a bogeyman that comes out somewhere as soon as we talk about the right to be forgotten. That's not what is involved at all.
I would urge you too to remember, as all the witnesses in my opinion have not, that PIPEDA is a law that only governs federally regulated business. It does not govern individuals, and it does not govern a host of things that are in provincial jurisdiction.
Coming back to the right to be forgotten, interestingly in the recital—that's what they call it; we call it a preamble—to the general data protection regulation they talk about the reasons for it, including the right to take down postings that you may have made on the Internet in your youth and which you now regret. I would urge you to think about that as a reason for motivating some extended possibility of having things taken down and to think about it in the context of the human right to dignity, the right that, I think, we all have to be a person who evolves. What you do at 16 is not what you're going to do at 36 as you're contemplating running for office or something else. I think that's just taking into account human nature and a necessary respect for human dignity.
The committee has heard other ideas, such as special rules for children. Again I would encourage you to think about the division of powers, which is a reality in our Canadian constitution.
One thing you might look into is the possibility of putting within PIPEDA some kind of special mention for the Office of the Privacy Commissioner or for the commissioner to harmonize, to discuss with provincial counterparts, and to support the development of strong, compatible laws throughout Canada, given that so much personal information protection comes under provincial jurisdiction. This is because criminalizing behaviour, in my opinion, is not always the best way. That's the federal jurisdiction for personal behaviour. It's not the best way to deal with a lot of things.
I'll move on secondly, Mr. Chair, to what is trending now, and I'll refer to what are the current values of Canadians.
I think transparency is now a hallmark of democracies, post-Snowden. We've seen recent examples of demands for more transparency from public figures, and so on.
I would contrast this with the very opaque system by which PIPEDA is administered, devised some 20 years ago. No real thought was put into it at the time, because there wasn't a huge public preoccupation with what the public can see or what the public can understand about the application of personal information protection. It was a convenient ombudsman model. It had been adopted by the Canadian government in the late 1970s from Scandinavia, where at the time the countries were almost totally homogeneous, ethnically and socially, and where there was and still is a huge public trust in government.
I think also that the public should know more about complaints against commercial organizations. One reason is that many things don't seem to have improved over the years with the present system. I'll refer you to the recent posting of the Office of the Privacy Commissioner on March 15 about a complaint into the use of personal information by a Canadian bank. I think there would be more impact among the public if both this particular bank and the retailer involved in this incident were named.
Again on the same theme of transparency, I'll remind you of the need for business organizations themselves to be transparent in their use of personal information that they hand over to government agencies, the police, CSIS, etc.—hopefully always legally.
Secondly under the theme of transparency, I'll talk about individual empowerment. The Office of the Privacy Commissioner has an important budget, but it is not a budget that is commensurate with the challenge of protecting personal information in this century. I believe that investigating individual complaints is a time-consuming and not very productive way of trying to enforce privacy rights for Canadians. I think the system should be modified. The commissioner should be able to do as the U.S. Federal Trade Commission does: look at the complaints that are made as a bellwether of public opinion, pick and choose the complaints he or she wants to investigate, and then give individuals commensurately the right to take their own case forward to the Federal Court.
Finally under the theme of transparency, I think we have to allow the Office of the Privacy Commissioner to concentrate on areas in which there are new and serious threats in the changing context of new technology and new behaviour, and therefore, not investigate every complaint. We, therefore, also have to give the commissioner broad audit or self-initiated investigation powers. These are necessary, I think, to strengthen the accountability principle, which is coming forward as consent becomes, for such technological reasons as big data, ever more difficult. The need to stand ready to demonstrate that you are accountable becomes a key part of a modern enforcement scheme.
I'd also mention ethics, but I think ethics need to be placed within a more rigorous framework.
Finally, as for the previously determined missing elements, suggestions were made long ago regarding the review of PIPEDA. As you will recall, there was a report in 2013 outlining four points, and I made a recommendation a few years ago that political parties themselves be subject to PIPEDA.
In the wake of two decisions made by the Supreme Court of Canada, one of which was handed down barely a few months ago, I believe that a review of the act should include giving the commissioner clearer powers to conduct investigations, notwithstanding the protection conveyed by jurisprudence and the legislation regarding privileges. Counsel-client privilege has evolved enormously since the 19th century in our society. I believe that privilege no longer has any reason to exist with regard to complaints or allegations of inappropriate use of personal information, and should not prevent a commissioner from conducting an investigation in that regard. The act must thus contain clearer and stronger language.
I would conclude by pointing your attention to some recent work, which I think is the most contemporary work on smart regulation. It's out of the University of Oxford, by Professor Christopher Hodges. It talks about what successful regulation is.
Successful regulation is really about influencing behaviour, and influencing behaviour in a variety of ways, depending on the context, depending on the issue, and depending on what we used to call the “industry” but may be the “sector” or the “activity”. It could be information to consumers. It could be constant dialogue with the regulated entities. It could be creating peer pressure through action within that sector or that activity.
It's about making responses seem targeted, fair, and proportionate to what the problem is, not automatic or because the law says so: “We're going to investigate you, because I have to investigate every complaint; therefore, you're going to have to pay for a lawyer to see this through.” That's not necessarily, I think, fair or proportionate. It's about rewarding those who can demonstrate compliance and about sanctioning inappropriate behaviour.
I would encourage you in moving forward to give the Office of the Privacy Commissioner more flexibility to take on a wider range of regulatory approaches, given the changing needs over time.
Thank you very much for your attention.
Thank you for having me here again. My name is Tamir Israel, and I am a staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa's centre for law, technology, and society, which is at the faculty of law. CIPPIC is a legal clinic that works to advance the public interest in policy debates that arise at the intersection of law and technology.
I want to thank you for inviting us once again to contribute to the important work the committee undertakes, in this instance in relation to its review of PIPEDA.
We note at the outset that in our view the principled framework adopted by PIPEDA has largely withstood the test of time. Its general adaptability has allowed it to keep pace with often rapid and tectonic social and technological changes. That being said, some targeted clarifications and additions to PIPEDA's consent and transparency mechanisms are desirable, while PIPEDA's lack of effective enforceability continues to hinder the full realization of the important rights it grants Canadians.
As this committee has heard, the modern era has strained one of PIPEDA's core pillars: consent. This strain arises from the increasingly complex nature of modern data practices, which in turn leads to opaque data capabilities, powerful incentives that are often directly at odds with those of consumers, and inaccessible privacy policies that seek either to capture this complexity, or at the other extreme, to obscure it in order to maintain flexibility for future organizational practices.
In light of this complexity, it is neither practical nor desirable to expect every individual to gain the expertise needed to assess the data practices of every data service encountered on a daily basis. It would be equally undesirable, however, to jettison the concept of consent in favour of a risk-based accountability framework. Such a framework would effectively amount to open season on individual data. Moreover, it is likely to undermine the adoption and usage of services, as empirical research suggests that individuals' confidence in and adoption of services are greatly tied to the ability to exercise consent over data practices.
Too often, however, this confidence is misplaced. Frequently, individuals' expectations are simply not reflected in the unintuitive privacy policies and data practices to which they implicitly consent on a regular basis. In this regard, formalizing some elements of PIPEDA's existing principled framework could assist in realigning practices with expectations.
PIPEDA generally recognizes that more explicit forms of consent are required where such a disconnect occurs, and especially where sensitive data is involved. However, recognizing an explicit “privacy by default” approach will further underscore the need to obtain user input in relation to privacy practices, helping to narrow the gap between individual expectations and actual practice.
Formally empowering the Privacy Commissioner to impose context-specific restrictions may encourage greater use of PIPEDA's current power to designate certain practices as generally unacceptable, and create context-specific regulatory policies. Greater recourse to such tools would enhance certainty and consistency on the business side, while allowing for more frequent proactive policies from the Privacy Commissioner. A formal procedural mechanism for their development would in turn strengthen the quality and legitimacy of such policies.
Finally, some measures might be considered to address specific data protection challenges raised by data brokers. Such entities amass detailed profiles on individuals from disparate online and offline sources, typically without the knowledge or input of the affected individual, who is usually far removed from the collection process. Information held by data brokers is increasingly used by a range of secondary entities to make decisions that often have serious impacts on individuals. A 2014 report issued by the Federal Trade Commission recommended that data brokers be obligated to create readily accessible portals that would allow individuals to easily determine whether their data is being held by a particular broker and that data's initial source. This would then act as an avenue for the exercise of other rights, such as the rights of correction or erasure, that are already integral components of PIPEDA's existing data quality mechanisms.
This framework could be imposed by the Privacy Commissioner as a sector-specific regulatory policy under subsection 5(3) of PIPEDA, but legislating it may provide a stronger and clearer mechanism.
With respect to enforcement, PIPEDA's recommendation and de novo enforcement model is significantly out of touch with the realities of modern data protection. The individual stakes and counter-incentives under which many organizations operate require a serious and responsive regulatory regime. PIPEDA's enforcement mechanism is procedurally difficult, unnecessarily time-consuming, and lacking in deference to the expertise of the Privacy Commissioner.
Personal data is the commodity of the information age and requires a regulatory framework of commensurate formality. It is unsurprising that most jurisdictions with data protection regimes have included enforceability measures in recognition of this basic truth. Imbuing the Privacy Commissioner with order-making powers will assist the office in its interactions with large multinational organizations, enabling it to better carry out its mandate with the authority of a regulatory body.
Further, the prospect of incurring damages for PIPEDA violations currently remains distant, and the anticipated quantum of such damages is minimal. We have seen recent developments in tort law that have supplemented this gap to a certain degree and have led to a notable improvement in proactive compliance, with privacy implications being subject to class actions.
Class actions in tort are, however, limited in scope to certain types of privacy invasion, and there remains little incentive for robust and proactive compliance with other critical elements of PIPEDA. We would therefore encourage imbuing the Office of the Privacy Commissioner with the power to issue administrative monetary penalties comparable in character to those recently allotted to the Canadian Radio-television and Telecommunications Commission.
We would further recommend examining the development of an independent private right of action, which would allow for individuals and classes of litigants to advance their privacy claims directly. This could be supplemented with statutory damages covering some or all of PIPEDA. It could apply to specific principles and violations or to all of the act, and that would facilitate an analogous regime of private enforcement, further incentivizing compliance.
Finally, some transparency mechanisms would address specific and pressing problems under PIPEDA's current regime. It has become accepted practice in many industries, and particularly those industries engaging in facilitating electronic communications, to periodically report on the scope and nature of state agency requests for customer data. While such reporting is arguably required under PIPEDA's openness principle, we would recommend adopting a legislative mechanism that would explicitly empower the Privacy Commissioner to designate transparency reporting obligations on a sector-by-sector basis and also to impose detailed obligations as to the substance of the obligations. This would lead to more consistent and standardized transparency reporting in lieu of the current incomplete and ad hoc reporting.
A secondary transparency mechanism that would benefit from legislative adoption relates to algorithmic decision-making. Automated processes are responsible for a growing range of determinations that significantly affect individuals' lives. Academic and legal literature has demonstrated that algorithmic decision-making often operates as a proxy for decision-making that is discriminatory on religious, ethnic, racial, disability, gender-based, and other protected grounds. Algorithmic decision-making can also gloss over important individual distinctions in favour of broad generalizations, leading to incorrect outcomes for affected individuals. More generally, algorithmic decision-making often obscures the reasoning that animates a given output, making it impossible to determine precisely why a teacher was fired, a consumer was denied particular advantages, or an individual's credit request was rejected. It then becomes difficult to assess whether a decision is accurate, fair, or discriminatory.
Transparency in algorithmic decision-making intersects directly with core and long-standing data protection principles designed to ensure the quality of data used for decision-making. In PIPEDA this is encoded through the data accuracy principle and the right of individual access to personal information held by an organization. However, commercial secrecy is increasingly used as a means of obscuring the underlying logic of an algorithmically determined outcome. In addition, and in the absence of strong transparency obligations, more sophisticated algorithms are now evolving that wholly obscure underlying considerations even from the companies relying on them.
CIPPIC would therefore recommend the addition of a distinct right of access to the underlying logic of any automated decision-making process, and in particular in relation to automated decision-making with a substantial impact on individuals' lives, their access to economic opportunities, and their treatment on the basis of protected grounds.
The committee may further wish to consider the need to undertake a broader study of automated decision-making in both private and public sectors.
Those are my comments for today. I welcome any questions.
Thank you. I've been using this timer to keep us honest, because last time both Tamir and I went way over.
We spent the 30 minutes or so that we were waiting having quite a good debate here beforehand.
Thank you very much, and good afternoon, Mr. Chair, and honourable members of the committee. We appreciate your invitation and are very pleased to be here today on behalf of the national privacy and access law section and the Canadian Corporate Counsel Association, both sections of the Canadian Bar Association, to present our views on the Personal Information Protection and Electronic Documents Act, which as you all know is called PIPEDA.
The CBA is a national association of more than 36,000 lawyers, law students, notaries, and academics. An important aspect of the CBA's mandate is seeking improvement in the law and the administration of justice. It is that capacity and perspective that brings us before you here today.
Our members of both sections are lawyers with in-depth knowledge in the areas of privacy and access to information law from every part of the country. They are lawyers in private practice; they are in-house counsel working for public and private companies, Crown corporations, government and regulatory bodies, municipalities, hospitals. You name it, we have it covered.
My name is Suzanne Morin. I'm vice-chair of the national privacy and access law section, and I work for Sun Life.
The sections have made numerous submissions on PIPEDA since its enactment in 2001. We continue to support the existing consent and ombudsperson models in PIPEDA in the absence of a compelling need for legislative change, while carefully continuing to monitor Canada's European Union, or EU, adequacy status, as mentioned by Madam Stoddart.
Within these existing models, we suggest that targeted amendments are needed: one, to the concept of “publicly available information” to ensure that our PIPEDA framework remains technology-neutral; and two, to allow the Office of the Privacy Commissioner to issue non-binding advance opinions.
I will briefly address each of these issues.
Regarding consent, the CBA sections recommend maintaining the consent model in PIPEDA in the absence, we would argue, of a compelling need for legislative change, and the continuing use of a multi-faceted tool kit approach to privacy protection in Canada. Canadian privacy rights, obligations on business, and remedies available to individuals exist in an extensive legal framework in this country that encompasses federal and provincial, private and public sector privacy laws, criminal and human rights legislation, emerging common-law and civil actions, and civil liability regimes in Quebec.
PIPEDA speaks directly to the principle of consent, laying the foundation that businesses must seek meaningful and valid consent and cannot force individuals to consent to the use of personal information beyond legitimately identified purposes. PIPEDA's consent model comes with 10 fair information principles. As an umbrella, all treatment of personal information is subject to the “reasonable person” test, which limits the use of personal information to what is reasonable in the circumstances. This goes to the context that we heard just moments ago.
The PIPEDA consent model, supported by the broader legal framework, in our view continues to be both robust in its protection of the privacy of Canadians, including vulnerable groups, and flexible for business in the face of rapidly evolving technologies, business models, and evolving customer privacy expectations.
Regarding the ombudsperson model, the CBA sections recommend maintaining this model unless, once again, there is evidence that a change to the OPC's enforcement powers is actually needed. The OPC enforces privacy rights by leveraging the powers that exist in PIPEDA today: one, to investigate and issue formal findings, including the naming of names when doing so is in the public interest; two, to audit the practices of organizations when they have reason to believe that an organization is not complying with its obligations under PIPEDA; and three, to take organizations that fail to uphold their privacy obligations to court.
In turn, our Canadian courts have proven to be well placed to assess damages uncovered by OPC investigations, and they have recognized new civil actions or common law torts, adding to the Canadian privacy legal framework. Taken together, this tool kit approach has proven to be powerful, actually, in forcing domestic and foreign organizations of all sizes to revise their privacy practices through the great efforts of former commissioners such as Madam Stoddart.
It would be prudent to wait to see how the OPC's new power to issue and enforce binding compliance agreements through the courts is interpreted and used, and how the new breach reporting regime—which is still not yet in force—with the potential for fines unfolds over the next year.
Third, concerning non-binding advance opinions, the CBA sections recommend amending PIPEDA to clearly authorize the OPC to issue non-binding advance opinions to organizations proposing new programs, technologies, methodologies, or specific transactions. While the OPC currently offers general guidance, such as investigation summaries and interpretation bulletins, it chooses not to provide organization-specific guidance in the absence of an investigation or an audit.
Providing express authority would make it clear that the OPC is expected to perform this function, providing clear guidance for and confidence in the privacy compliance of some new initiative and, through the publication of anonymized opinions, adding to the body of guidance available to organizations.
Fourth, concerning publicly available information, the CBA sections recommend amending PIPEDA or its regulations to ensure that they are technology-neutral and able to accommodate both existing and evolving business models and customer expectations when it comes to the use of personal information that customers choose to make publicly available.
PIPEDA was indeed carefully drafted to be technology-neutral, and after more than 15 years I too agree that it continues to stand the test of time, allowing organizations to evolve their practices to reflect all of these changes. While PIPEDA is consent-based, it also offers specific exemptions to consent when obtaining consent is either not practical or not necessary, including exemptions for publicly available information.
However, unlike PIPEDA, the regulations that accompany PIPEDA miss the mark in certain respects and have created uncertainty about what level of consent is required to use personal information that individuals have chosen to make public. In our submission we've identified several options for you to consider.
Fifth, concerning EU adequacy, the CBA sections recommend carefully monitoring Canada's EU adequacy status. We caution, however, that amending PIPEDA to anticipate changes that may be required to maintain the status would be premature. Canada has enjoyed adequacy status under the EU's 1995 data protection directive since 2001. This status has enabled the convenient transfer of personal information from the EU to organizations in Canada.
Recent developments in the EU are indeed raising questions about whether Canada's adequacy status is at risk. It's unclear what the EU's new approach will be; we just don't know. However, when the time comes, they will examine, as Madam Stoddart identified, the entire Canadian legal framework, including public and private sector legislation, and including laws concerning public security, defence, and national security; our criminal law; and Canada's other international obligations or commitments.
PIPEDA is only one part of Canada's privacy legal framework and may not be the only or even the appropriate vehicle for addressing adequacy concerns that may arise. Adequacy is great, but not at all costs, and we caution on making amendments at this early stage.
Finally, we leave a word about the right to be forgotten. We have not made any recommendations on whether a specific right to be forgotten should be included in PIPEDA or introduced into our broader legal framework, but it is an issue that merits attention. The right to be forgotten as it has evolved in the EU is not addressed directly in PIPEDA; however, PIPEDA includes the right for an individual to withdraw consent or to delete certain information and the obligation upon organizations to use published personal information for consistent purposes and to delete information that they no longer require.
We need to be mindful that PIPEDA and other private sector laws are not the catch-all for issues that arise from the ongoing evolution of technology, and that beyond PIPEDA there are numerous other considerations, such as the right to freedom of expression, which is a critical piece of the democratic fabric found in the Charter.
The CBA sections, once again, appreciate the opportunity to share our views with you on PIPEDA.
It will be my pleasure to answer your questions.
Hopefully it won't muddy the water further.
We actually view it less as a right to be forgotten, as others have said, and more as related to PIPEDA's data accuracy component. What we hear from people who have issues of a “right to be forgotten” type is that it creates a skewed perception of their reputation by highlighting specific things that are not necessarily the definition of their reputation.
We prefer at the outset to even not really think of it. Their solution is not necessarily to make the information disappear but to obscure it, to some degree, so that it's not the first thing that people learn about them, in a way that skews their perception of their reputation.
That being said, reputation is a tricky thing. Many of us have things out there about us that we wouldn't want to define us but which should, for legitimate reasons, be part of our reputation. There's an objective component to it. That's where the struggle, in our view, comes. It's about how we formulate something that addresses what is a challenge for some people.
In relation to the EU right, we think that a Canadian right would probably be narrower in scope, in the sense that it would at the very least apply to a smaller subset of subject matter. It might not apply to every piece of information about me that's outdated, but maybe to the more sensitive types of information, information that is having a demonstrably negative impact—medical conditions, financial information that got out there in a way that wasn't necessarily within my control, or information like that. The scope would be narrower, I think, for a Canadian-formulated right, and we have some judicial decisions that have talked about what a privacy harm is in that context, which are relevant there.
There are also additional problems with respect to how this becomes implemented.
The EU relied on intermediary search engines to carry out the right. Those engines are responsible for removing or delisting. We've seen many problems with this intermediary model in many legal contexts. I've heard that, similar to a recent decision of the Federal Court, Globe24h, the Privacy Commissioner went instead after the host site and said it could keep the information up—so it's not forgotten, it's still there—but that it needed to shield certain things from certain types of search exposure.
Something like that, which looks at the primary site as opposed to the intermediary, might be more appropriate and might get at some of the concerns that arise in this context.
That's as far as we've gotten. I hope it helps a little.