Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the Study of the Personal Information Protection and Electronic Documents Act (PIPEDA)

February 16, 2017
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Mr. Chair, members of the Committee,

Thank you for inviting me here for your study of the Personal Information Protection and Electronic Documents Act (PIPEDA). Accompanying me today are Patricia Kosseim, Senior General Counsel and Brent Homan, Director-General of PIPEDA Investigations.

Introduction

As you know, PIPEDA is technology-neutral and based on principles of general application, two qualities that should remain as these are strengths that make this law a flexible tool. However, the constant and accelerating pace of technological change since the turn of the 21st century, when PIPEDA came into force, is challenging the law’s effectiveness and sustainability as an instrument for protecting the privacy of Canadians.

These technological changes bring important benefits to individuals. They greatly facilitate communications, they make available a wealth of information of all sorts and they bring products and services from all areas of the world. But these technologies also create important risks. Internet users want to share their views and search sensitive issues like health without fear that these activities will be tracked and shared with others with adverse interests. In fact, it is an essential aspect of the right to privacy that individuals have control over with whom they share their personal information.

New technologies also hold the promise of important benefits for society. Future economic growth will come in large part from growth in the digital economy. For instance, Canada is well placed to become a world leader in artificial intelligence, which depends on the collection and use of massive amounts of data. The 2016 OECD Ministerial Declaration on the Digital Economy commits, among other things, to an international effort to protect privacy, recognizing its importance for economic and social prosperity.  Indeed, the protection of privacy is critical for building consumer trust and enabling a vibrant, robust and competitive digital economy.

Yet, the vast majority of Canadians are worried that they are losing control of their personal information, with 92% of Canadians expressing concern, and 57% being very concerned, about a loss of privacy in our most recent public opinion poll. Without significant improvements to the ways in which their privacy is protected, Canadians will not have the trust required for the digital economy to flourish, they will not reap all the benefits made possible through innovation and, ultimately, their rights will not be adequately respected.

Consent

Consent has always been considered a foundational element of PIPEDA. Legally, organizations must obtain consent to collect, use and disclose an individual’s personal information, subject to a list of specific exceptions.

But obtaining meaningful consent has become increasingly challenging in the age of big data, the Internet of Things, artificial intelligence and robotics.

When PIPEDA was adopted, the interactions with businesses were generally predictable, transparent and bidirectional. Consumers understood why the company that they were dealing with needed certain personal information. It is no longer entirely clear who is processing our data and for what purposes.

As such, the practicability of the current consent model has been called into question.

To be clear, I think there remains an important role for consent in protecting the right to privacy, where it can be meaningfully given with better information. There may also be situations in which consent is maybe simply impracticable, and under appropriate conditions, it is worth exploring whether alternatives to consent can otherwise protect the privacy of Canadians. Some of these may require legislative amendments.

Through written submissions and in-person consultations with stakeholders across Canada, we’ve heard a broad range of suggestions.  

For instance, individuals could be empowered to make decisions through simplified privacy notices that draw users’ attention to practices which differ from a defined norm, or highlight information of greatest interest to individuals (such as, what data is collected, how is it used, and to whom it is disclosed).

Organizations, on the other hand, could enhance their trustworthiness through the use of privacy by design, demonstrable accountability, or the adoption of industry codes of practice.

We heard that some wanted us to provide further guidance for organizations or promoting compliance through more proactive means such as audits. Others wanted us to have greater enforcement powers, a point to which I will return. We also heard consistently that public education is essential and that, while efforts have been made in that area, more needs to be done.

These solutions, and many others, will be discussed in our consolidated findings on the matter, which we would be happy to share with the Committee once completed in mid-2017.

Reputation

Another priority area for our Office is Reputation and Privacy.  Our ultimate goal here is to help create an environment where individuals may use the Internet to explore their interests and develop as persons without fear that their digital trace will lead to unfair treatment. Similar to the consent project, we started our work by issuing a discussion paper and invited submissions.

Many of the submissions received commented on the “right to be forgotten” – the concept, arising out of the EU, that individuals can request certain links be removed from search results associated with their name. While acknowledging the potential harms that can come from a ‘net that never forgets’, some submissions raised significant concern about what a formally recognized right to be forgotten would mean for freedom of expression. 

Others questioned whether PIPEDA even applies to a number of aspects of online reputation, or to search engines who are important players in that debate, calling for other solutions instead.  These ranged from greater use of targeted legislation to prevent specific harms (as we have seen in the cases of cyberbullying and revenge porn), improved education on safe and appropriate use of the Internet (especially for vulnerable populations), and improved practices for websites and online services such as social networks.

We would be pleased to inform the Committee of our views once our policy position has been fully shaped.

Enforcement Powers

Let me now return to the question of enforcement powers. Enforcement is key to securing trust in the digital ecosystem. Our recent poll found that 7-in-10 Canadians would be more likely to do business with companies if they were subject to financial penalties for misusing their information.

Currently, my Office cannot make orders or impose fines, and is in many respects weaker than some of our provincial and international counterparts. Industry worries that should enforcement powers be granted to my Office, organizations would be less willing to collaborate with us and negotiate towards solution.  Yet my colleagues elsewhere have not had this experience.  Perhaps it is time, then, to bring my Office’s powers in line with that of others around the world.

This being said, I also believe there is an important role for proactive compliance. Organizations are using data in innovative ways to derive value and Canadians expect this activity to be regulated. A proactive approach to overseeing compliance at the front end, before complaints happen, would bring certainty to the market, and further reassure Canadians that their concerns are being addressed.

Adequacy

In 2018, the General Data Protection Regulation (GDPR) will come into force in the EU.  As the GDPR requires reviews of adequacy decisions every four years, Canada’s adequacy status (which, since 2001, has allowed data to flow freely from the EU to Canada) will have to be revisited.

A January 2017 Communication from the European Commission notes that Canada’s adequacy status is “partial” in that it only covers PIPEDA, and that all future adequacy decisions will involve a comprehensive assessment of the country’s privacy regime, including access to personal data by public authorities for law enforcement, national security and other public interest purposes.

Given the far-reaching impacts of our country’s adequacy status on trade, as well as the differences between the GDPR and PIPEDA, it will be important to keep this consideration in mind as the Committee moves forward with its study.

Conclusion

In conclusion - Professor Klaus Schwab, founder of the World Economic Forum, states that we stand on the brink of the 4^th Industrial Revolution. Characterized by a blurring of lines between the physical, digital and biological spheres, this transformation, he argues, will be unlike anything humankind has experienced before.

PIPEDA was good legislation when it came into force in 2001, and it continues to provide a sound foundation upon which to build. However, in light of this new revolution– and more importantly, to meet the privacy expectations of Canadians – I believe PIPEDA must be modernized.