Good afternoon, everyone.
Welcome to the 59th meeting of the Standing Committee on Access to Information, Privacy and Ethics.
Pursuant to Standing Order 108(3)(h)(vi), we are studying the Personal Information Protection and Electronic Documents Act, PIPEDA.
We are very pleased to have with us as witnesses today from the Department of Innovation, Science and Economic Development, Steve Joanisse, legal counsel, innovation, science and economic development legal services; Krista Campbell, director general, digital policy branch, spectrum, information technologies and telecommunications sector; and Charles Taillefer, director, digital policy branch, spectrum, information technologies and telecommunications sector.
From the Competition Bureau, we have Josephine Palumbo, deputy commissioner, deceptive marketing practices directorate; and Morgan Currie, associate deputy commissioner, deceptive marketing practices directorate.
From the CRTC, we have Steven Harroun, chief compliance and enforcement officer; and Daniel Roussy, general counsel and deputy executive director. Welcome, all.
We'll start with opening comments from the organizations in the order you were introduced. I believe that means, Madam Campbell, we'll start with you for up to 10 minutes, please.
Mr. Chair, members of the committee, it is my pleasure to be here today to discuss the Personal Information Protection and Electronic Documents Act.
We've introduced colleagues. I'm pleased to be here with counsel and my director responsible for this piece of legislation.
The responsibilities of my team include providing advice, guidance, and support to the minister for his role as the lead minister of PIPEDA.
I should note that we hold similar responsibilities for Canada's anti-spam legislation, also known as CASL. We operate the national coordinating body for CASL, which is responsible for the policy oversight and coordination of the anti-spam initiative.
It's a best practice to review marketplace rules on a regular basis, particularly in the case of legislation that is foundational to building trust in the digital economy. I commend the committee for undertaking this important work.
The Personal Information Protection and Electronic Documents Act is a key element of the Canadian legal framework to support development of the digital economy. It is the principal instrument for protecting personal information within the context of commercial activities. It is designed to balance privacy protection with the needs of organizations for information to conduct their business.
As stated by the Privacy Commissioner during his testimony, there is evidence that PIPEDA still provides a solid foundation, but that does not preclude refinements and adjustments to the act to ensure that it remains relevant.
Witnesses have proposed legislative changes in a number of areas. Innovation, Science and Economic Development Canada (ISED) looks forward to the committee's thoughts in each of these areas. The results of the study of consent currently being undertaken by the Office of the Privacy Commissioner will also greatly inform this discussion.
My objective for today is to highlight some of PIPEDA's unique and important features and the reason why the act is the responsibility of Innovation, Science and Economic Development, which is the microeconomic department for the Government of Canada.
First, we must consider the purpose of the act. When PIPEDA was introduced in 2000, the industry minister at the time stated that the act was created with a single policy goal: to build trust in electronic commerce, for the purpose of growing electronic commerce. PIPEDA creates trust by preventing organizations from doing things with personal information that the average person would think are not reasonable in the circumstances. At the same time, it allows information to flow so that businesses can provide the products and services that customers have come to agree to and expect.
This balancing of privacy and economic considerations has afforded PIPEDA much success, as you have heard from some previous witnesses. It has adapted to an evolving landscape and the unique circumstances faced by the wide range of organizations that are subject to this act.
The Office of the Privacy Commissioner has successfully conducted investigations into complaints under PIPEDA pertaining to technologies and business models that were unforeseen when the act was first implemented, including online behavioural profiling and social media applications.
PIPEDA is also mindful of other important public policy objectives, such as freedom of expression and public safety. For example, PIPEDA recognizes the right to freedom of expression by permitting information to be collected and used without consent for journalistic or artistic purposes. Any changes to PIPEDA should be made in consideration of these various objectives and must seek to balance those considerations.
Second, we must consider the scope of PIPEDA and the fact that it cannot be understated. It protects all personal information captured in the course of business. It applies to nearly all private sector organizations, with the exception of those governed by substantially similar provincial legislation. Therefore, we must ensure that the act remains flexible. Flexibility ensures that PIPEDA is scalable and that organizations can adapt the act's requirements to the size of their business, whether they're a small dry cleaner or a large multinational corporation. In fact, PIPEDA was designed specifically to apply to all economic sectors.
Finally, we must consider the need for harmonization with other privacy regimes. PIPEDA is based on 10 internationally recognized principles that protect individual privacy by giving individuals control over their personal information. These same principles are the basis for privacy laws around the world.
Harmonization with provincial privacy laws, and those of our international trading partners, provides a huge advantage to Canadian businesses that operate in multiple jurisdictions.
This harmonization also facilitates the free flow of data across borders, which is essential to the growth of electronic commerce, both domestically and internationally.
Related to this, you've heard from many witnesses on the importance of PIPEDA's adequacy status with the EU. This adequacy status relies on PIPEDA maintaining a similar level of protection and redress for EU citizens as afforded by the EU's own privacy regime. As others have remarked, our adequacy will be reviewed at some point in the future. We are working closely with colleagues at Justice Canada, Global Affairs, and Public Safety to engage the European Commission officials in discussions to understand what this review may entail—in particular, the timing and the scope of the next potential review.
I would also highlight that we are still in the process of implementing amendments that arose from the passage of the Digital Privacy Act in 2015. These changes included new enforcement tools for the commissioner, the aim of which was to provide the commissioner with greater leverage to encourage compliance with the act.
Another change implemented by the Digital Privacy Act is the enhancement of the consent requirements. This was implemented primarily in response to calls to strengthen privacy protection for children online. The approach to this amendment respects provincial jurisdiction over minors.
Recent changes also included new exceptions to the requirement to obtain consent for disclosure of personal information, both for public interest reasons, such as prevention of fraud, and to reduce red tape for businesses, such as for managing their employees. We will be closely following the adoption of these legislative changes and their impacts on the marketplace.
The most high-profile change, which has yet to be implemented, is a new requirement for organizations to report data security breaches that pose a risk of harm to individuals. These requirements will come into force when regulations related to the provisions are finalized. We are working with the Department of Justice in support of these regulations. These changes and others were designed to maintain the important balance in PIPEDA between privacy protection, economic development, and innovation, and other public policy goals.
As I mentioned earlier, we look very much forward to hearing the committee's views at the conclusion of this important study. In the meantime, my officials and I are at your disposal to answer questions about the act.
Thank you for your interest in this subject.
Thank you for the invitation to attend this committee meeting as well. I'm joined by my colleague from the bureau, Mr. Currie.
I understand the committee is looking into PIPEDA, and in that context has questions about the bureau's role with respect to Canada's anti-spam legislation, or CASL, as well as the bureau's experiences with administrative monetary penalties, or AMPs.
I'll begin by providing some context about the Competition Bureau and its mandate, and then move to your specific concerns. I will not be commenting on PIPEDA per se, as that is outside the bureau's purview.
The Competition Bureau, as an independent law enforcement agency, ensures that Canadian consumers and businesses prosper in a competitive and innovative marketplace. Headed by the Commissioner of Competition, the Bureau is responsible for the administration and enforcement of the Competition Act and three labelling statutes.
The Competition Act provides the commissioner with the authority to investigate anti-competitive behaviour. The act contains both civil and criminal provisions and covers conduct such as bid-rigging, false or misleading representations, price-fixing, and abusing a dominant market position, among other things. The act also grants the commissioner the authority to make representations before regulatory boards, commissions, or other tribunals to promote competition in various sectors.
As noted above, when conducting investigations, the bureau uses the Competition Act's relevant criminal and civil provisions. The introduction of CASL brought about specific amendments to the Competition Act that enabled the bureau to more effectively address false or misleading representations and deceptive marketing practices in the electronic marketplace, such as false or misleading sender or subject-matter information, electronic messages, and website content, such as a locator, meaning a website or an IP address. The changes provided technologically neutral language to allow us to better address competition offences in the digital economy. I would note that the bureau had these powers before CASL, but now the requirements of proof have been lessened.
For the most part, the bureau's investigations are commenced following a complaint. Such complaints may come from a number of sources, including consumers, businesses, industry associations, the media, or stakeholders.
As a law enforcement agency, the bureau conducts its activities, including investigations, in confidence, meaning that all non-public information gathered by the bureau in enforcement matters, whether obtained voluntarily or through the use of formal powers, is held on a confidential basis.
This is fundamental to the Bureau's ability to effectively continue to advance its investigations in the public interest.
The law requires that we not comment publicly on an investigation until the matter has been made public either by the party, or certain steps have been taken, such as the filing of an application with the Competition Tribunal, or the announcement of a settlement.
Even in those instances, we are required by law to keep confidential any information which is not public. This is done both to protect the integrity of the Bureau's investigations as well as to protect the parties and others.
That said, the Competition Act's “confidentiality” provision, section 29, does allow the bureau to share confidential information with other law enforcement agencies for the purpose of the administration and enforcement of our act.
Turning now to AMPs, the bureau may only seek them in a civil context, not criminal. Also, the bureau does not impose AMPs. They are either reached through a settlement with the target of an investigation, or they are imposed by the Competition Tribunal or a court after a finding of reviewable conduct under the Competition Act.
The goal of an administrative monetary penalty for civilly reviewable conduct is to promote compliance in a market and deter companies from misleading Canadian consumers, all of which is in the public interest.
Let me give you three recent examples where the bureau has obtained AMPs under the Competition Act. First, in June of 2016 the bureau announced its first settlement involving the new CASL provisions. The settlement with Avis and Budget resolved an investigation wherein the bureau had concluded there was false or misleading advertising for prices and discounts on car rentals and associated products.
Specifically, certain prices and discounts initially advertised by the two companies were not attainable because consumers were charged additional mandatory fees that were only disclosed later in the purchasing process when making a reservation. The prices were advertised on Avis' and Budget's websites, mobile applications, and emails, as well as through other channels. As part of the settlement in this case, Avis and Budget paid $3 million in an administrative monetary penalty to promote compliance with the law going forward.
Earlier this year, the bureau settled its case with Amazon where we again utilized an amended Competition Act provision introduced through CASL addressing false or misleading representations in all forms of electronic messages. In this instance, Amazon often compared its prices to a regular or list price, signalling attractive savings for Canadian consumers.
The bureau's investigation concluded that these claims created the general impression that prices for items offered on Amazon's website were lower than prevailing market prices. The bureau determined that Amazon relied on its suppliers to provide list prices without verifying those prices were accurate. In this case, the savings claims were advertising on Amazon.ca, in Amazon mobile applications, and in other online advertisements, as well as in emails sent to customers. The bureau negotiated a $1-million AMP in this instance.
Finally, on April 24, 2017, the bureau announced it had reached a negotiated consent agreement with Hertz Canada Limited and Dollar Thrifty Automotive Group Canada, Inc. where both companies will pay a total of $1.25 million in an administrative monetary penalty, ensure their advertising complies with the law, and implement new procedures aimed at preventing advertising issues in the future.
The consent agreement is the result of an investigation where the bureau concluded that Hertz and Dollar Thrifty were advertising enticing low prices to attract consumers. However, those low prices were unattainable because mandatory fees were systemically added to those prices. The bureau concluded that the companies' price representations on their websites and other channels were misleading, and it was not sufficient for the companies to provide an estimate of the total price before consumers completed their reservation.
It is important to understand that, when negotiating an AMP or advocating in favour of one before the Competition Tribunal or the courts in relation to false or misleading advertising, the bureau considers a number of aggravating or mitigating factors that are listed in the Competition Act. Those factors include the reach of conduct within the relevant geographic market, the frequency and duration of the conduct, the vulnerability of the class of persons likely to be adversely affected, the effect on competition in the relevant market, the gross revenue from the sales affected by the conduct, the financial position of the person against whom the order is made, the history of compliance with the Competition Act by the persons against whom the order is made, and any other relevant factor.
In the interests of time, I will end my comments here.
I would be happy to answer any questions you have.
I would like to thank the committee for the opportunity to appear here today.
Thank you, Mr. Chair, for inviting us to appear before your committee.
My name is Steven Harroun, and I'm the CRTC's chief compliance and enforcement officer. With me today is my colleague Daniel Roussy, general counsel and deputy executive director of the CRTC's legal sector.
We appreciate the valuable work that your members do to protect Canadians' privacy, a significant concern in today's digital age, and we recognize that the focus of your current work is on the Personal Information Protection and Electronic Documents Act. The CRTC follows the privacy legislation, as do all federal government departments and agencies, but has no direct experience as a regulatory body with this act.
However, we understand that the committee is interested in hearing about our experiences in enforcing Canada's anti-spam legislation. We believe there are aspects of our experience that may be useful to consider as part of your study, in particular, our ability to impose administrative monetary penalties.
Mr. Chair, let me begin with a brief overview of the legislation to provide context for our observations about the effectiveness of such penalties. In a nutshell, Canada's anti-spam legislation, known as CASL, is meant to provide Canadians with a secure online environment while ensuring that businesses can compete in the global marketplace. CASL gives the commission the authority to regulate certain forms of electronic contact, consisting of the sending of commercial electronic messages, the alteration of transmission data in electronic messages, and the installation of computer programs on another person's computer system in the course of commercial activity.
The fundamental underlying principle is that such activities can only be carried out with consent. The CRTC is responsible for CASL's administrative monetary penalty framework, which includes the imposition of penalties for violations. CASL is an opt-in regime, which means that consent must be obtained prior to the sending of commercial electronic messages to Canadians. CASL applies to the commercial electronic messages sent via email and through social media accounts, as well as text messages sent to cellphones.
Consent to receive these messages can either be express or implied, as stipulated in the act. Express consent means that the person has clearly and proactively agreed to receive the message, for example, someone voluntarily opts in by signing up at a website. Once express consent is obtained, commercial electronic messages can be sent, until the recipient notifies the sender that he or she no longer wants to receive them.
Consent can be implied, for example, through an existing business relationship with the consumer based on a previous commercial transaction. It also pertains to personal or family relationships, or in an existing non-business relationship, such as a membership in a club, association, or volunteer organization. In every case, CASL sets out that the burden of proof regarding consent rests with the person alleging consent.
In addition to consent, senders of commercial electronic messages must clearly identify themselves, and each message must also contain an unsubscribe mechanism, which is clearly and prominently set out, that allows consumers to readily unsubscribe if they no longer wish to receive messages.
Mr. Chair, Canada's anti-spam legislation was never intended to eliminate all spam. Its objective is to deter the most damaging and deceptive forms of spam and other electronic threats such as identity theft, phishing and the spread of spyware and malware.
When it is alleged that a violation has occurred, the Chief Compliance and Enforcement Officer has a number of tools at his disposal to ensure the act is complied with.
Our enforcement tools include a warning letter to bring to the attention of the business a minor violation requiring corrective action, and a notice of violation, which is issued for more serious offences. The enforcement measures may include monetary penalties. Notices are also published on our website. We warn Canadians of illegal online practices so that they are aware and can report any suspected violations.
An undertaking, which is similar to a negotiated settlement or agreement with the other party, is where the company or individual undertakes to come into compliance. For instance, the party might need to implement a corporate compliance program and report on its activities, or it may have to pay a specified amount, although this payment is not considered a monetary penalty as such.
The chief compliance enforcement officer uses his discretion in selecting and applying the most appropriate enforcement response. Our goal is to ensure compliance with the law and to prevent recidivism.
Underpinning these enforcement tools are the CRTC's outreach and education program efforts. Before the law came into force, CRTC delivered information sessions to interested parties across the country to explain the new requirements and encourage compliance. To this day, we continue to undertake an education outreach program and share lessons learned from enforcement actions taken.
It's important to understand that administrative monetary penalties are just one part of our toolbox. Penalties tend to be used as a last resort after all other efforts have failed. While we have issued warning letters, monetary penalties have been reserved for the most egregious cases.
Depending on the nature of the violation, the CRTC has the authority to impose up to $1 million per violation for individuals, and up to $10 million per violation for a corporation or group. There are factors laid out in the legislation that we must take into consideration when determining the appropriate penalty.
The tools provided to us in CASL to protect Canadians are not limited to monetary penalties, of course. The chief compliance and enforcement officer also has the authority to seek a judicial pre-authorized warrant in order to enter a residence or business to verify compliance with the act.
For example, along with national and international partners, the CRTC took down a command and control server disseminating spam and malicious malware located in Toronto in December 2015 as part of a coordinated international effort. This disrupted the Win32/Dorkbot, which was one of the most widely distributed malware families and which had infected more than a million personal computers in over 190 countries.
Of course, in today's interconnected world, spam and other electronic threats are not confined to Canada. One of the most important tools Parliament provided to the CRTC is the ability to share information and seek enforcement assistance of our international counterparts.
To date, the CRTC has entered into international agreements with the Federal Trade Commission and the Federal Communications Commission in the United States and the Department of Internal Affairs in New Zealand.
As well, to address the challenge of spam coming from outside our borders, we collaborate with our international partners through the Unsolicited Communications Enforcement Network, or UCENet. The purpose of this network is to promote international spam enforcement co-operation and address spam-related problems such as online fraud and deception, phishing, and dissemination of viruses.
The CRTC has also signed a memorandum of understanding with 11 enforcement agencies from eight different countries throughout UCENet. These countries include the United States, Australia, New Zealand, the Netherlands, the United Kingdom, Korea, and South Africa. We share our knowledge and expertise through training programs and staff exchanges and inform each other of developments in our respective countries' laws.
Working with our partners, we are better equipped to ensure that people who distribute commercial messages, local or foreign, comply with Canada's anti-spam legislation.
In conclusion, we are convinced that administrative monetary penalties, when used with other enforcement methods, are a deterrent to non-compliance. We believe that companies have changed their practices to avoid potential penalties. This observation is based on our experience with CASL to date, as well as our experience in enforcing telemarketing over the past decade.
If we have any advice to offer, Mr. Chair, it is that enforcement agencies need a broad range of tools in their arsenal that they can tailor to the circumstances of each case.
We welcome any questions you may have.
We've had a lot of success with PIPEDA and with the model that we have with the Office of the Privacy Commissioner. It was established as an ombudsman model and was very much an education-first, collaborative organization that worked with businesses and individuals that had concerns or complaints and tried to find collaborative ways to discuss and get to solutions.
As we watch technology change—and technology is specifically referenced in the purpose statement for PIPEDA—it's very clear that data is now regularly called the new oil. It is flowing internationally and is critically important. It is collected in ways that we didn't even foresee in 2000, when this was first enacted, and that creates pressures in terms of how an organization treats its data. It also creates real concern for individuals about how their data is handled and whether they even know what was collected and how it's being used.
When we look at the model we have for the Privacy Commissioner—and as you said, in 2015 we increased the tools that he had available to him with the introduction of compliance agreements—and as we move into any kind of thinking around the next review of the act, the question will really be around balancing whether we want an ombudsman model with the same types of powers, or whether we move to a different type of model.
The nature of the mandate could be very different. If you give order-making powers but still want to be able to have open conversations with business, saying, “Come in and talk to us early on and we'll work with you on how you go about designing new products and services,” then having greater order-making power in the same organization could cause some concerns about what the core mandate priorities are. A holistic review of the Office of the Privacy Commissioner and PIPEDA would need to be undertaken before we would decide to give new powers.
That being said, lots of organizations have stronger powers, and they are able to balance those stronger powers with a really effective regime of working with businesses and individuals. There is pressure to ensure that the Privacy Commissioner is seen to be a best practice, both domestically and internationally.
An administrative monetary penalty is one of a number of ways to ensure, or to try to ensure, that a company or an individual, who seems to have gone astray, gets back on the right track. The penalty is neither punitive nor criminal, as my colleague from the Competition Bureau mentioned earlier. The purpose of the penalty is to encourage someone or a company to return to the right path. We do not want to prohibit them from doing business, we want to encourage them to do it properly. This is the basic philosophy behind an administrative monetary penalty.
Furthermore, as we mentioned in our opening remarks, administrative monetary penalties are one part of a whole host of other tools, which allows them to be effective. In itself, the penalty would be ineffective if it were not combined with other things at the same time.
Let's now turn to the method. Generally, each law has its own details or its own recipe, if you will, for administrative monetary penalties. In this case, section 20 of Canada’s anti-spam legislation sets out the methods or procedures for assessing how to impose such a penalty. In addition, in recent years, the courts, particularly the Federal Court, have rendered many decisions that we can use to assess cases.
For example, if I take the English copy of the legislation I have before me, the nature and extent of the violation are part of the criteria for determining the amount of a penalty. Questions may come up. Is it a big or small violation? How many violations were there?
In our case, still under the legislation, the individual’s ability to pay is a determining factor. Other questions arise. Can the person pay a large or small penalty? Will the penalty for the violation allow or encourage the person to stop his or her actions that might be outside the scope of the act?
So a bunch of factors are put together. These factors are left to the discretion of the Chief Compliance and Enforcement Officer, who looks at them when a penalty is required.
I'll start and I'll let my legal counsel correct me.
The right for parties to have a recourse mechanism is extremely important. As the chief compliance and enforcement officer, I issue a notice of violation that determines the amount of the AMP that we deem is appropriate, given the circumstances. If there have been 100 violations or 100,000 violations, how participative the company has been...back to my “help negotiate with us.” In the particular Blackstone situation, we issued an AMP for a significant amount of money. The company at that time had not been very co-operative with our investigation. We issued a notice of violation for a significant amount of money.
Those in violation have 30 days to respond to the commission and say they would like to make a representation before the commission. They chose to activate that, and they said, “Okay, we have a whole bunch of additional information now and we're willing to provide some additional information to plead our case.” I think that recourse mechanism is important.
I think the Blackstone case is important in that it shows that the system works. I conduct my investigation, my team conducts their investigation with the information they have available to them, and I issue a judgment, if you will. If the party is not agreeable to that, they can choose to go to the commission and say, “Wait a minute, I don't think they included this information, I don't think they took this into consideration. Oh, we didn't have financial statements at the time but we have them now.” Whatever information they have, they can plead their case to the commission.
We've had cases where the commission has upheld the notice of violation and the amount that the CCO has issued, and there are cases like Blackstone, where they've reduced it. But it shows that the system works.