Thank you very much, Mr. Chair and committee members, for this opportunity to provide the perspective of the Canadian Wireless Telecommunications Association, to which I will refer as the CWTA, on the Personal Information Protection and Electronic Documents Act.
This is new to me, so bear with me. I sat on these committees for 12 years, but I was in your seats. Now this is a bit of a different perspective for me. I'll do my best.
CWTA represents member companies from every part of the wireless sector, including wireless carriers, equipment manufacturers, and other businesses that provide services and products to the industry. Over the past 30 years, Canada's wireless carriers have made more than $42 billion in capital investments in wireless infrastructure, and they continue to invest at the rate of more than $2.5 billion per year. These investments are paying off. Today, 99.3% of Canadians have access to Canada's world-class networks.
With 5G technology at our door, the entire wireless communications sector is working to maintain its role as a driver of innovation.
Maintaining the flexibility of the Personal Information Protection and Electronic Documents Act and applying it fairly to all sectors will also help foster innovation.
In his testimony, the Privacy Commissioner highlighted the main strengths of the act: it is technologically neutral, and it is based on general application principles.
The commissioner suggested four issues to guide your study: consent, reputation, enforcement powers, and the adequacy of the Canadian regime compared with the new European regulation.
My comments will focus on the impact of those four issues on the ability of the wireless sector to serve its clients, as well as on its ability to compete and innovate in the digital economy.
On the issue of consent, the commissioner suggested that relying on consent alone may no longer be reasonable in every possible circumstance, given the impact of technology. To that I would first paraphrase a comment submitted by one of our members at the Privacy Commissioner's consultations on consent, that as technology evolves, so do customers' appreciation and understanding of it.
The care that our member companies take in being transparent with their customers about how they are processing personal information—for instance, through clearer privacy policies—is a key part of their trust relationship with their customers. The most important asset for doing business in the 21st century is trustworthiness, and our members are well aware of it.
As for the application of the consent principle, the fair and equitable application of this across industry sectors is essential to our members' ability to compete in the digital marketplace and to preserving consumer trust in the digital economy. What we refer to as the wireless sector is roughly 30 years old, which is younger than a good portion of the companies we represent, yet today Canada's dynamic wireless sector is responsible for close to 139,000 full-time jobs and $13.3 billion in direct GDP contribution. To continue to grow, innovate, and compete with larger global entities, our members must be confident that the rules will apply the same way to Canadian companies as they do to non-Canadian players. This symmetry in the application of the rules also benefits consumers, who would be right to expect their personal information to be treated similarly in similar contexts.
We would suggest that expanding the definition of what is acceptable use for legitimate business interests could provide more clarity in that regard. For instance, in the European Union, personal information can be used for purposes that support the data controller's legitimate interests so long as these purposes are not incompatible with the original purpose for which the information was collected and so long as it does not violate the fundamental rights and freedoms of the data subject. Such a model would allow our members to innovate and compete on the global stage in a way that respects people's fundamental rights and the business relationship that already exists between companies and their customers.
On the issue of reputation, several witnesses have suggested that Canada may want to follow Europe's lead and include an explicit right to be forgotten into its legislative framework. In practical terms, the European right to be forgotten requires that commercial entities receive complaints directly from individuals, that they evaluate the merit of these complaints, and that they alter their systems as required. I am not one to advise the committee on whether a European-style right to be forgotten strikes the right balance between privacy and freedom of expression for Canadians. However, I do urge the committee to be mindful of the potential burden such measures could place on the operations of Canadian businesses involved in the digital economy.
On the issue of enforcement powers, the Privacy Commissioner suggested that stronger enforcement powers would foster greater compliance with PIPEDA. CWTA believes the current ombudsman model is best suited to the current principles-based framework. A collaborative relationship between industry and the regulator is more efficient, and results in better outcomes for consumers. By investing the commissioner with the power to issue fines and impose orders, Canadian businesses would find themselves in an adversarial relationship that would discourage the informal and expedient resolution of complaints, which would be to the detriment of consumers.
As it stands, the commissioner is already naming companies that are deemed to be in violation of PIPEDA. The potential reputational damage from a finding of non-compliance by the commissioner is a sufficient deterrent, given the importance of consumer trust in the digital economy. We would argue that fines would be no stronger a deterrent than the damage to business reputation.
In the specific case of breaches, we are anticipating the coming into force of mandatory reporting and record-keeping requirements, which were added to PIPEDA through the passage of the Digital Privacy Act in 2015. These provisions will be supported by fines of up to $100,000. Breaches themselves are already subject to class action. We submit that the principles-based structure of PIPEDA does not call for enforcement powers. It would be better served by regular guidance from the Privacy Commissioner. Proactive guidance from the commissioner could explain how PIPEDA's general principles should be applied to new business models. It is ultimately not fair to consumers that the companies they do business with should have to wait for complaints to arise in order to develop policies on personal information management for new business lines.
One specific example is the Privacy Commissioner's upcoming guidance on connected cars. The connected car—and in a few years from now, the automated car—is one example of the many social benefits that will come from 5G wireless networks. As such, CWTA shares the Privacy Commissioner's concern with getting privacy right early on in the process. We hope to have the opportunity to share our industry's perspective on this with the commissioner and future guidance documents.
On the issue of preserving Canada's adequacy status with the European Union, I will say that our members recognize the importance of maintaining Canadian businesses' ability to operate on other continents, just as foreign Internet companies compete with us on our own turf. We would urge the committee to take into account the operational repercussions for Canadian companies of any legislative changes made to the Canadian regime.
In closing, I would once again say that we are determined to maintain our strong record in terms of complying with the act and our good relationship with the commissioner. The current model supports a collaborative approach with the commissioner. That has enabled us to emphasize positive results for our clients.
Thank you very much for your time today. I will be looking forward to questions after.
Thank you very much, Mr. Chair, and good afternoon.
My name is Linda Routledge, and I'm the director of consumer affairs with the Canadian Bankers Association. With me today is Charles Docherty, our senior counsel. We are pleased to be here today to discuss the Personal Information Protection and Electronic Documents Act.
The CBA works on behalf of 62 domestic banks, foreign bank subsidiaries, and foreign bank branches operating in Canada and their 280,000 employees. The privacy and protection of clients' personal information is and always has been a cornerstone of banking. Given the nature of the services that banks provide to millions of Canadians, banks are trusted custodians of significant amounts of personal information. Banks take very seriously their responsibility to protect customers' information. They are committed to meeting not only the requirements of privacy laws but also the expectations of their customers. A former assistant privacy commissioner once acknowledged that privacy is in the banks' DNA.
The banks were among the first group of organizations subject to PIPEDA in 2001. We believe that PIPEDA has worked well to date to balance the protection of individuals' personal information with the legitimate use of personal information by organizations. PIPEDA is principles-based and technologically neutral, providing the necessary framework for innovation as well as new technologies and business models. It's generally well positioned to continue that mandate going forward. The banks would, however, like to suggest a few changes that we believe might enhance and clarify PIPEDA to make it more effective. These suggestions are related to three broad subject areas—meaningful consent, financial crimes, and access rights.
On meaningful consent, banks collect the personal information that is necessary to provide clients with the products and services they want. This information is collected according to the requirements of PIPEDA, and banks take steps to ensure that their clients understand the nature of the consent being provided. All banks have privacy policies in place and privacy officers who oversee compliance with these policies. Banks have a strong incentive to enhance their customers' ability to provide meaningful consent, because building their customers' trust is and always has been a top priority.
The committee heard from several other witnesses who questioned whether the consent that individuals provide is meaningful, given the complexity of terms and conditions when signing up for any product or service. We suggest that one way to address this concern may be to streamline privacy notices so that consent is not required for uses that the individual would expect and consider reasonable. In particular, we support the concept that express consent should not be required for legitimate business purposes. Some examples of such purposes might include the purposes for which personal information was collected, fulfilling a service, understanding or delivering products or services to customers to meet their needs, and customer service training.
Removing the requirement for express consent for legitimate business purposes would simplify privacy notices, thereby facilitating a more informed consent process where consumers can focus on the information that is most important to them and on which they can take action.
Second, the banking industry suggests that the current narrow definition of publicly available information is out of date. The current regulations reference the dominant technologies of the early 2000s, when the regulations were promulgated. We suggest that the committee should look at updating the definition with a view to modernizing it.
With regard to financial crimes, protecting the security and safety of its employees, customers, and the Canadian financial system is a priority for Canada's banks. Banks are constantly upgrading their security systems and work hard to prevent billions of dollars of financial crime each year. Banks work closely with law enforcement agencies and authorities across the country to help them with their investigations and the prosecution of suspected criminals.
Currently provisions in PIPEDA allow the sharing of information between organizations only where it is reasonable for the purposes of detecting, suppressing, or preventing fraud. This does not include other types of criminal activity such as theft of data or personal information, money laundering, terrorist financing, cybercrime, and even bank robbing.
To enhance the banking industry's ability to prevent this broader criminal activity, we recommend that the provisions in PIPEDA relating to disclosures without consent should use the term “financial crime” instead of “fraud” to capture the broader range of criminal activities that Canada's financial institutions deal with on a daily basis.
Further, we suggest that financial crime be defined to include first, fraud; second, criminal activity and any predicate offence related to money laundering and the financing of terrorism; third, other criminal offences committed against financial institutions, their customers, and their employees; and fourth, contravention of laws of foreign jurisdictions including those relating to money laundering and terrorist financing.
Financial crime negatively affects banks, consumers, and the economic integrity of the financial system. Banks understand the important role they have to play and have highly sophisticated security systems and teams of experts in place to protect Canadians from financial crime. We believe this amendment to PIPEDA would give banks greater ability to perform their role in this important endeavour.
Finally, on access rights, there are times when organizations create documents containing personal information related to anticipated litigation. Consistent with guidance issued by the Privacy Commissioner and provisions in the privacy laws of both Alberta and Quebec, this information should not have to be provided in response to an access request. We would ask that PIPEDA be amended to provide a specific exemption for these types of documents based on litigation privilege.
In conclusion, PIPEDA has served Canadians well over the last 17 years, encouraging organizations to protect the personal information they have about individuals and also encouraging individuals to be more aware of their rights and responsibilities to protect their own personal information. Nevertheless, as with any legislation operating in an environment that is continually evolving, there are some areas where slight adjustments and improvements would be desirable.
We hope that our commentary assists the committee with its review of the act.
We look forward to your questions.
Thank you very much.
Thank you to the committee for the invitation to appear before you today to present CMA's views on your study of the Personal Information Protection and Electronic Documents Act, also well known as PIPEDA.
CMA is the largest marketing association in Canada. It represents communications and marketing agencies as well as major brands in retail, financial services, technology, and other sectors. Our advocacy efforts aim to promote an environment in which ethical marketing prevails in both communicating with and serving customers.
CMA has provided a written submission to the committee in advance, but today I would like to focus my remarks on three issues—namely, is PIPEDA in need of amendments, does the consent model still work, and is OPC enforcement effective?
First, on amending PIPEDA, some argue that PIPEDA is broken or inadequate and needs to be fixed. However, our view is that PIPEDA has in fact withstood the test of time in addressing the new challenges of our fast-changing digital world. By deliberate design, PIPEDA was structured on core principles rather than prescriptive rules precisely in order to create a law that would be able to adapt to new technologies, practices, and expectations. The PIPEDA model promotes a more collaborative approach in developing guidance to organizations operating in a very wide range of different contexts. The OPC is in a position to provide further interpretive guidelines as social, technological, and business developments require. This framework has served and continues to serve Canadians very well.
It's also important to recognize that the recent amendments to the law, introduced in 2015 by the Digital Privacy Act, provide additional protections for individuals. These include an increased responsibility for organizations to obtain valid consent, especially for children and other vulnerable parties; mandatory breach notification requirements; and new powers for the Privacy Commissioner to enter compliance agreements with organizations and coordinate enforcement with international counterparts.
While some may argue that further amendments to the law are necessary, CMA strongly cautions against this approach. Our recommendation is to allow the amendments passed in 2015 to take full effect and then assess the impact and effectiveness of those changes before contemplating further changes to the law. For example, the new breach notification provisions that were enacted nearly two years ago have yet to come into force. We are still waiting for the publication of the related regulations that will allow those to take effect. Once the regulations are finalized, organizations will then need to train their personnel, update their processes, and basically get ready for that set of changes to PIPEDA and meet the new requirements.
The second issue I want to address is consent. CMA believes that the right mix of individual choice and a robust accountability framework will strengthen privacy and consent. With business models becoming increasingly focused on innovation, and greater customization of products and services, which is all in response to consumer expectations, the strains on a consent-based regime must be recognized. Privacy policies that are rarely read, smaller screens, and other device restrictions are realities that pose challenges to obtaining meaningful consent.
While consumer consent must still be regarded as an important element in privacy law, shifting more to a risk assessment-based model, where organizations are given more freedom but also more responsibilities over consumer data, would modernize the Canadian privacy framework to the benefit of businesses and consumers alike. In such a model, the types of notices provided and consent obtained are linked with the sensitivity or risk of harm of a given data-handling activity. This is what we see in the breach provisions that were passed several years ago. This is consistent also with schedule 1 of PIPEDA.
CMA believes that strengthening the accountability framework through self-regulatory codes of practice and other creative tools, such as data anonymization, offers the best approach to enhancing privacy protections for individuals. An excellent example of a self-regulatory initiative is the AdChoices program for interest-based advertising, developed by the Digital Advertising Alliance of Canada, the DAAC.
CMA is among the founding marketing and advertising organizations that launched the DAAC in 2013 in order to give consumers real-time notice and choice over whether their browsing data would be used for interest-based advertising. An enhanced accountability model necessarily comes with more responsibilities for organizations. For example, CMA's code of ethics and standards of practice imposes strict limitations on the collection and use of personal information of children under the age of 13.
My third and last point relates to the Privacy Commissioner's enforcement powers. We do not agree that the commissioner requires additional powers. In fact, the commissioner currently has the power to issue findings, audit organizations, make recommendations, and now enter into compliance agreements. The brand reputation damage, as has been noted already, that can result from an adverse commissioner finding can be significant. The impact of such negative publicity is an enforcement tool that cannot be overstated. In addition, if voluntary co-operation is not forthcoming, the commissioner has the power to summon witnesses, administer oaths, compel the production of evidence, and take matters to the Federal Court to rectify situations that remain unresolved.
CMA believes that the ombudsman model under which PIPEDA operates has been highly effective and has resulted in a high level of voluntary compliance from Canadian businesses. Consider the number of PIPEDA-related complaints brought forth to the OPC. Between January 1, 2015, and March 31, 2016, the OPC received 351 complaints. Only 52 of those cases, or just under 15%, were considered well founded by the commissioner. Of those 52 cases, 46, or upwards of 90%, were either completely or conditionally resolved.
The current ombudsman model of oversight permits the OPC to protect and promote privacy rights of individuals through positive and proactive engagement with industry associations and organizations seeking guidance on compliance and emerging privacy issues. Providing the OPC with more direct enforcement powers would undermine that open and co-operative relationship that has developed between the OPC and Canadian industry.
In conclusion, we would point to the OPC's extensive casework and published findings over the past 17 years and the great many improved privacy practices adopted by businesses over the years as a result. This is valuable evidence that PIPEDA works well in its current form.
We would also caution against positioning PIPEDA as a default, catch-all solution for issues arising from the rapid evolution of technology and data uses. In many instances, there are other laws and regulations that may be better suited to address specific sectoral concerns or other issues that arise. PIPEDA must be effective in protecting Canadians' privacy rights while also encouraging organizations to innovate new products and services for their consumers and customers. This often involves the responsible use of data, including personal information. CMA believes that the existing PIPEDA framework has demonstrated the right measures of flexibility and effectiveness in achieving these goals.
Thank you, Mr. Chairman. We welcome the committee's questions.
Thank you very much for your presentation.
I sympathize with my colleague. I would have made the same decision about the teddy bears. You made the right decision.
With social and peer pressure, I have unfortunately had to adapt to the digital era, to tablets and games, since I am a mother of two young boys.
I have done research on consent. I have noticed that parents put photos of their children on social networks and talk about their activities. I educate my young boys a lot about the importance of not posting just anything on those networks. There is a lot of educating to be done in that area, and it is our responsibility as parents. Unfortunately, we may miss some things.
I read that businesses may be forced to remove personal information posted on the Internet. It was said earlier that the processing of complaints would be a burden for businesses. If I have understood correctly, forcing businesses to remove personal information has to do with the right to be forgotten.
I don't know whether you are aware of this, but California passed a law on that issue, and I would like us to discuss it further. The law is titled Privacy Rights for California Minors in the Digital World, and it requires companies, websites and application designers to give children under the age of 18 an opportunity to delete information they themselves have posted. However, that piece of legislation does not pertain to information others have posted about minors.
What do you think about that? Could we apply the same principles here, in Canada?
I can understand where you're coming from. I have a four-, six-, and eight-year-old, and they are on their smart tablets, all the time. They're better at it than I am. We use it for teaching as well as fun.
As I said, when I was growing up, if I was going to get disciplined I'd probably get the wooden spoon. You're not allowed to do that now. We threaten to take away their smart phone and it's devastating for them. It's a good way to get them to listen to us.
Voices: Oh, oh!
Mr. Robert Ghiz: I'm not sure about the California law, but I'd be willing to get my association to look into it. I think there's also the component today of education. I know that the commissioner does fund such organizations as MediaSmarts, and there are other literacy things we need to do to make sure our kids today are ready for the realities of the world they're coming into. It's different from when we grew up. There is a responsibility to make sure that we educate kids that this is the new reality of the world.
For our members, there are rules and data management tools. The carriers have privacy settings on their phones. Parents need to be educated too, to help educate their kids, but I think we can start with young kids, telling them that these are the new realities of the world, and if they're going to be involved, there are associated consequences.
At any rate, I'd be willing to check out the California law. I understand where you're coming from, but I think there is a literacy and educational component to it as well.
The point we're making is that you can retain consent at the core of your privacy framework and at the same time provide greater responsibility and accountability for organizations to utilize personal information where there is maybe a reasonable expectation on the part of the consumer that the information may be used for an additional purpose—in other words, an expanded use of implied consent, if you will. I think the CRTC was here a few days ago talking to you about the anti-spam law. A very robust aspect of that law is built on implied consent as well as express consent. There's a strong element of implied consent where there's an existing customer relationship.
Charles was talking about the fact that organizations may have a legitimate need to use the information for a new purpose that will not put the consumer at risk. It may indeed benefit the customer. In those kinds of instances, going back to consent, is that where we want to be in the environment in which we're operating today, the digital environment? We would suggest that it isn't, and that in different contexts, different industries, you may have different codes and different frameworks that will be established to allow organizations to move forward in the way that I've suggested. Those would be self-regulatory codes, and we think they have a place in what we're describing—that is, a consent-based regime still, but one that imposes great accountability on organizations.
That's an open-ended question.
I would like to see the status quo, from our perspective, with the CWTA, but again, you see a new law in California that relates to things and you see other jurisdictions moving in directions.... I would say, first of all, that we don't believe there should be any changes, but for anything that would happen, I would like to see a consultative process.
We want to avoid a couple of things. One is the regulatory burden it could have on companies and businesses in Canada, which could perhaps slow down innovation. We also want to make sure that for any changes that come into effect, you will see level playing fields between Canadian companies and companies that are not Canadian and operate within our market.
Thank you very much, Mr. Hill.
That concludes our formal question round. We do obviously have some time left on the clock if other members have questions.
Is it all right if I ask...? I have three questions, and I'll be quick.
My first question is this, Mr. Elder. Jennifer Stoddart was the Privacy Commissioner for 10 years. On the first review of the act, she did not recommend new powers for the Privacy Commissioner, but on the second review of the act, in her 10th year, she did. I'd also mention that she's a member of the Order of Canada. She said in 2013:
“We have made use of the existing tools under the Act, and in some cases, we have been successful in prompting change—but often after we have invested significant resources and almost always after the fact. We have seen some organizations ignore our recommendations until the matter goes to Court; others, in the name of consultation with the Office, pay lip service to our concerns but ultimately ignore our advice. There is nothing in the law that provides enough incentive for organizations to invest in privacy in significant ways given that they can always renege on their agreement to change their practices and decide not to follow through with the Commissioner’s recommendations after the investigation or audit.
“The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise.”
Then she goes on to note that several provincial commissioners and international commissioners not only have order-making powers but fine-making powers, including in the U.K., Spain, New Zealand, and of course a number of provinces within our own country.
To put it more specifically, or more directly, why is Ms. Stoddart wrong?