THE STANDING SENATE COMMITTEE ON TRANSPORT AND COMMUNICATIONS
OTTAWA, Tuesday, October 16, 2018
The Standing Senate Committee on Transport and Communications met this day at 9:30 a.m. to examine how the three federal communications statutes (the Telecommunications Act, the Broadcasting Act, and the Radiocommunication Act) can be modernized to account for the evolution of the broadcasting and telecommunications sectors in the last decades.
Senator David Tkachuk (Chair) in the chair.
The Chair: Welcome. Just a quick note for senators. Please remain after the meeting for a few minutes to approve the witness list and give some direction on the witnesses. We don’t have a steering committee right now until we get notification from the ISG as to who their member will be, so we can’t operate a steering. We will have to operate as a committee to do this. That is where we are right now. We will do that today. It shouldn’t take more than 10 or 15 minutes. It will give us some direction and we will go from there.
Last June, the Senate authorized the committee to examine and report on how the three federal communications statutes — the Telecommunications Act, the Broadcasting Act and the Radiocommunication Act — can be modernized.
This morning we continue our study. I would like to welcome our witnesses. From the Office of the Privacy Commissioner of Canada, we have Daniel Therrien, Privacy Commissioner; Gregory Smolynec, Deputy Commissioner, Policy and Promotion Sector; and Brent Homan, Deputy Commissioner, Compliance Sector. Thank you for attending our meeting.
You are not related to the curler, are you?
Mr. Homan: Yes, I am. She is my niece.
The Chair: She is very good.
Mr. Homan: Yes, she is.
The Chair: Good for you. Canada is a small country; everyone is related somehow.
With that, will you start, Mr. Therrien? Do you have a presentation? Please go ahead.
Daniel Therrien, Privacy Commissioner, Office of the Privacy Commissioner of Canada: Mr. Chair and honourable senators, thank you for inviting me to participate in your study on the modernization of Canadian communications legislation. My office oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), that is to say the federal act dealing with privacy in the private sector. The act applies to the collection, use and disclosure of personal information in the course of commercial activity, including telecommunications companies. In matters of privacy, therefore, communications companies are subject mostly to PIPEDA.
The office also shares responsibilities for enforcing Canada’s anti-spam law with the Canadian Radio-television and Telecommunications Commission (CRTC) and the Competition Bureau Canada.
Canadians entrust vast amounts of their sensitive personal information to telecommunications service providers in order to gain access to the Internet and wireless communications.
The Chair: Excuse me one second. Is everyone getting clear translation? Are you getting translation, Senator Manning? I am not. I think it is important I actually hear what you say.
Mr. Therrien: Mr. Chair, briefly, I was explaining that telecommunications companies are governed with respect to privacy primarily — not exclusively — by PIPEDA, the private-sector privacy law in Canada and, of course, the OPC is responsible for the oversight of PIPEDA. We also share responsibility with the CRTC and the Competition Bureau for oversight of CASL, the anti-spam legislation.
The Chair: I will ask the translator to speak to me. Give me a couple of seconds, maybe the great score from the Ottawa hockey game yesterday? That’s too bad. That’s pretty good, though. At least I don’t have interference. Ottawa won, by the way; they were very good yesterday.
Mr. Therrien: I was explaining that Canadians entrust vast amounts of their sensitive personal information to telecommunications service providers in order to gain access to the Internet, and to mobile, telephone and television communications in Canada. This is important for your study on privacy, though it was not the case when the telecommunications acts were adopted.
Not only does personal information hold vast commercial value, but it is also of considerable interest to law enforcement, intelligence and security agencies. Canadians’ right to privacy must remain top of mind in this context.
The Supreme Court decision in R v. Spencer, three or four years ago, was an important step forward in privacy protection. In its unanimous decision, the Supreme Court held that there is a reasonable expectation of privacy in basic telecom subscriber information. The Supreme Court agreed that this information could reveal Internet usage data and that, absent exigent circumstances, essentially an emergency, or a reasonable law, law enforcement officials need prior judicial authorization, meaning a warrant, to obtain such data from telecommunications companies.
The evolution of telecommunication technologies holds serious implications for privacy protection. Take the example of the set-top box, the device that turns a standard television into a smart TV, enabling users to access a wide range of video content found online.
The information from set-top boxes can contain granular information about individual viewing habits. Depending on the scale and scope of the information collected, this can reveal detailed portraits of individuals and can include sensitive information.
My office has provided advice to the CRTC on a program to measure audience viewing habits to ensure that set-top box data is sufficiently anonymized.
Again, a reality of the modern age is that telecommunication companies and broadcasters do not only emit signals, but they collect, use and share a lot of information, including personal information. That is a fundamental reality of your study, in my view.
Other jurisdictions have also been grappling with the regulatory and legal complexities of telco technologies.
The EU is currently in the process of finalizing the text of the new ePrivacy regulation which will supplement the GDPR, the general privacy regulation that came into force in May, by addressing in detail the confidentiality of electronic communication and the tracking and profiling of Internet users.
South of the border, a recent decision by the U.S. Supreme Court emphasized the importance of protecting privacy as technology advances.
In Carpenter v. United States, the Supreme Court held that the Fourth Amendment, which affirms the right to be secure from unreasonable search and seizure, protects location records generated by mobile phones. The Supreme Court found that individuals have a legitimate privacy interest in their physical location and movements, even if the records were generated for commercial purposes and held by a third party, as “a person does not surrender all Fourth Amendment protection by venturing into the public sphere.”
Carpenter is somewhat akin to Spencer and the decision of our Supreme Court.
Beyond that issue, in the U.S. the regulatory role of the U.S. Federal Communications Commission, roughly the equivalent of the CRTC, in protecting consumer privacy on communications networks is continuing to evolve.
The FCC, the Federal Communications Commission, shares a privacy regulation role with the Federal Trade Commission, the FTC — more or less the equivalent of our office — and the FTC is the privacy and consumer protection agency in the U.S.
Under Canada’s anti-spam law, CASL, the OPC was given a new role in helping to fight spam and addressing certain online threats such as spyware propagated through our domestic telecommunications carriers.
We have made progress on this front and we collaborate actively with the CRTC and the Competition Bureau on public education and investigation. However, I would point out that inter-agency information sharing is limited to very specific circumstances where all the regulatory agencies are governed by confidentiality provisions. When we investigate, we must independently protect the confidentiality of the information we receive and cannot, unless specifically authorized, share what we receive and are therefore limited in our co-operation with sister regulatory agencies. That is a problem, and it has been a problem in certain investigations where we have been limited in our ability to share and therefore cooperate with the CRTC and the Competition Bureau.
Your study is broader than this issue, therefore I welcome your questions on any matter you find relevant to your study. Thank you.
The Chair: Thank you for that. I think this is an important part of the study. We continue to hear information over the news media about questions of privacy and people use of telephones. They follow you wherever you are.
How do you prevent this intrusion into our personal lives, while at the same time allow people to make use of the technology? The technology is overwhelming. People need it to do business, but at the same time the gathering of information by these organizations, by these companies, is definitely threatening our privacy.
Mr. Therrien: To start with geolocation, certainly telecommunication companies that provide you with phone service need to know where you are; otherwise, the phone would not function.
One of the important principles in privacy law under PIPEDA is that companies or organizations are permitted to obtain, use and share information when it is directly relevant to the service offered. The phone company needs to know where you are, otherwise they won’t reach you and you won’t be able to use your phone. The challenge is, beyond information that is required to deliver a service, there is quite a bit of information sharing and disclosure to others and use for other purposes. That is where the consent principle comes in under PIPEDA.
You don’t have the right to abstain from giving consent if the company truly needs the information to offer the service. Beyond that, we are in the world of consent under the current privacy law in Canada and a challenge, obviously, is whether consent is obtained meaningfully or not, and whether it should be implied or expressed.
Telecommunication companies, among others — there are many other companies in this situation — collect sensitive information about your daily habits, where you go, how often you go into a certain building which may house a medical practitioner, a psychologist, a place of worship, and so on. Sensitive information is obtained by companies.
The principle under federal privacy law is that if information is of a sensitive nature, as I have just described, consent should be explicit, it should be expressed. However, that leaves a lot of room for implied consent where the data is less sensitive and that is a big part of the challenge in front of us.
I will stop there.
The Chair: Consent to use and storage are two different things. I can consent so that my phone will work, but they don’t have to keep that information. After a certain time period they can delete it all, but they don’t. They keep it. That is a problem.
Mr. Therrien: PIPEDA has a principle that companies should only retain information as long as is necessary for their legitimate corporate purposes. That’s the general rule. How long that period is depends on the circumstances.
The Chair: Does it follow you when you shut it off? If I shut the phone off, do they still get information?
Mr. Therrien: It depends on the device. It varies.
The Chair: The regular iPhone?
Mr. Therrien: Have we looked at this? I don’t know for sure. Normally, if you shut it off it should no longer collect information. However, we have seen instances of companies that continue to collect even though the service is not being obtained. That would be a violation of the law, unless it was consented to. There is a lot of room for companies to do a lot of things under consent.
The Chair: Yes, and consent is not usually just one line.
Mr. Therrien: Indeed.
Senator Cormier: In your annual report to Parliament, 2017-2018, on the Personal Information Protection and Electronic Documents Act, you mentioned the Facebook and Cambridge Analytica crisis and said in your introduction that: “These issues also underscore deficiencies in Canada’s privacy laws.” Can you tell us about some of these deficiencies as they specifically affect telecommunications companies and companies subject to the Broadcasting Act?
In modernizing Canadian legislation on telecommunications, should Canada build certain provisions of the Privacy Act, or certain of your recommendations directly into the text of the Telecommunications Act?
Mr. Therrien: Can you repeat your second question?
Senator Cormier: Should we build certain provisions of the Privacy Act into the text of the Telecommunications Act?
Mr. Therrien: I will start there. The most recent version of the laws on telecommunications, if I am not mistaken, were passed somewhere around the 1990s. Very few technological services were available at that time. It was a completely different world. In the Telecommunications Act, but not the Broadcasting Act, the CRTC has the objective and the mandate to take measures to protect privacy. At that time, there was no general legislation protecting privacy in the private sector, no PIPEDA. That is how things were in the 1990s.
PIPEDA, the general legislation, was passed in 2000, and has become the generally applied legislation on privacy protection in the private sector, wherever commercial operations, activities, take place, including the communications and telecommunications sector. PIPEDA is the general legislation, and one of its virtues is that it is neutral. The act is based on principles, it is not prescriptive and, above all, it is neutral in terms of technologies. The general principles apply to all technologies. We consider this a virtue because there are great advantages to all companies using different technologies being subject to the same privacy rules, whatever the sector of activity and whatever the technology.
Now, the general legislation has been in effect since 2000 and the provisions of the Telecommunications Act from the 1990s continue to apply. Is it working well? I am getting to your question about building things in. In practice, it works well. There is a general act, and the CRTC, by virtue of its mandate to protect privacy under the Telecommunications Act, has taken steps to protect privacy, having consulted us generally, if not always. Those measures increase the level of protection in the sector to which telecommunications companies are subject.
The fact remains that, because of the sequence in which things happened, one act applies generally and another is peculiar to one sector. I have no problem with the standards in telecommunications being a little higher, which is the effect of the two current acts, I feel that it would be helpful for you to ask yourselves that. Let me answer your question directly: is it right and proper, is it desirable, for telecommunications companies to be subject to a slightly different system? They are subject to the same general system, but they are also subject to a system of their own. Is that what we want? Is it fair that companies—and let me be very specific—like Bell and Telus are subject to a system that, in theory, is a little more stringent than are Facebook and Google as they carry out similar activities?
I do not have the answer. You are starting this study. The government has given CRTC a mandate to conduct a study too. I have no answer for you, but I do feel that it is a matter you should be looking into.
In practice, that works well. We get along well with the CRTC. The rules adopted by the CRTC and those in PIPEDA do not conflict. But I feel that you should ask yourselves this question: what is the fairest situation between companies that may be competitors, but are not really subject to quite the same system?
Senator Cormier: Thank you.
The Chair: So I am clear, you are saying should privacy laws apply to —
Mr. Therrien: Currently, they do.
The Chair: But do they apply to Google? Do they apply to PIPEDA?
Mr. Therrien: PIPEDA applies to Google, Facebook, et cetera, but not the Telecommunications Act.
Netflix is an interesting company for this question of which law should apply to Netflix. PIPEDA applies to Netflix. Should the Telecommunications Act apply to Netflix?
I know that privacy is only one of the issues that are in front of you, so my comments are strictly on privacy. However, I am conscious of the fact that you are looking at what should be the better law for Canadian content and all kinds of other issues. However, with respect to privacy, I think that is an issue before you, namely, should everything be governed by the law of general application, being PIPEDA, regardless of the sector, or do you continue the current regime where telecommunications companies are covered by PIPEDA but are also covered by CRTC measures with respect to privacy?
The Chair: Thank you very much.
Senator Manning: Thank you to our witnesses.
My first question deals with a couple of questions that you have dealt with in your remarks. Is there anything that you have seen or found in other jurisdictions on the regulations that could be applied to Canada to enhance our system?
Second, when you ask about sharing information with the CRTC and Competition Bureau Canada, what type of information are you talking about with respect to sharing with those other groups?
Mr. Therrien: I will start with the second question, if you don’t mind.
Currently, we have at least three regulatory agencies that, in part, cover the same territory: CRTC, Competition Bureau and the Office of the Privacy Commissioner of Canada. Any of the three could investigate a given issue and, in the context of the investigation, collect information that may be commercial secrets, personal information, whatnot. Under the current laws, all regulatory agencies are prohibited from sharing information with others, including our sister regulatory agencies, which somewhat impedes the completeness of the studies that we make. We can have discussions at the broad policy level with the CRTC and the Competition Bureau, but when we investigate specific complaints we cannot share with them — although it would be very productive — the product of our investigations because we are legally prohibited. So the information for which I would like more flexibility — and I think the sister agencies are in agreement with that — would be information that we collect in the course of our work.
Concerning your first question: Is there anything from the laws or regimes in place elsewhere that we could usefully import in Canada? This touches a bit on what Senator Cormier was asking, which I did not answer, that is, do we have an optimum regime for privacy protection in Canada?
My answer would be what is found in our annual report for 2017-18, which is that one of the realities of modern technology is that collection of information and business models are opaque. Ordinary consumers do not understand how their information is obtained, used and shared. Privacy policies or documents that are presented in front of us, sometimes on the screen to give consent or not, are theoretically meant to inform consumers of how their information will be used, but we all know that doesn’t work. These are very long, complicated, legalistic and impossible to understand.
The opaqueness of technologies and business models is what leads us to say that because consumers are not well placed to identify problems in terms of what is happening to their information, one of the crucial elements in the law that should change would be to give us — because we have some technological knowledge and business models in this sphere — the authority to audit or inspect what is happening under the hood of technology used by companies so that we can ensure that what is happening is consistent with privacy law.
Currently, we can only intervene when there are reasonable grounds to believe there has been a violation, but no one really knows if there has been a violation. It would be at least helpful and, I would argue, necessary, for us to be able to inspect without grounds to believe that a violation has occurred.
It may be a poor analogy or good one, I’ll let you judge, but in the food quality inspection regime, for instance, you have people going into meat factories not because they think a violation has occurred, but because health and the quality of food is obviously an important consideration and these inspections reassure the public that the activities of these companies comply with the law.
Similarly, we think it would be helpful, if not necessary, for us to be able to go beyond the opaqueness of practices and verify that the law is actually being complied with.
The Chair: So an example would be that because a search engine like Google accumulates information on all of us as to what bank we go to, where we have our savings and all of this sort of information, we don’t know exactly what they do with it, right? In other words, bad people would like this information, obviously, because it makes their job easier.
You’re saying that the Privacy Commissioner, or your organization, would be able to go to the company unannounced and find out if they are maybe selling this information?
Mr. Therrien: Or if they are using it in a way that is not consistent with privacy law; for instance, the consent principle. A company’s first argument for using or sharing information with others is usually consent, and it’s usually implied consent. What kind of information is shared? Is it sensitive? Is it not sensitive? Was consent properly obtained? Should it have been explicit consent? So we would verify whether the law was actually being respected.
Senator Gagné: Thank you for your presentation. You really have provided a lot of information and answered a number of questions. You have talked about the challenges for the Office of the Privacy Commissioner of Canada. You said that one of the challenges is not having the authority you need to contact checks and audits, to become involved and to keep track of things. Do you have to face any other challenges?
Mr. Therrien: Our lack of power to make orders is often discussed. Currently, we have the power, the obligation, to conduct investigations when there are complaints from consumers. The final result of those investigations, when it is found that the act has not been complied with, is simply to issue a recommendation to the company in question. We cannot issue orders, neither can we impose fines to make sure that the act will be complied with. My primary goal is not to issue orders or to impose fines but to ensure compliance with the act.
We communicate with the companies a lot. We have a statutory role in public education, including with companies, to make sure that their practices comply with the act. The preferred way to ensure compliance with the act is to have discussions with the companies. But we must not be naïve; some companies are not going to make the effort to comply with the act just because the commissioner recommends that they do so. A number of factors are in play. The companies make a huge amount of money collecting and using personal information. Sometimes, it can be necessary just to downright order the companies to comply with the act and, in certain cases, to impose fines to make sure that they do.
Senator Gagné: Thank you for that information. Currently, the telephone, the television, all the various platforms are quite integrated. Does that lead to other challenges? How can we be assured that the privacy of consumers is protected when all the systems ebb and flow together, as is the case now?
Mr. Therrien: That is quite a problem, quite a challenge. Under the current legislation, the answer should be whether the consent given by consumers is informed or not. Consumers are dealing with companies with integrated services. There is nothing illegal as such in wanting to integrate services in order to provide better services and make profits. That is part of the market economy in which we operate. However, the provisions of PIPEDA require that it be done with the people’s informed consent. That is the crux of the issue.
I will ask my colleague Brent Homan to give some specific examples of this kind of integration. They are from an investigation that we conducted two or three years ago on Bell Canada, which had launched a publicity campaign specifically based on integrating the information that the company had collected from different sources.
Brent Homan, Deputy Commissioner, Compliance Sector, Office of the Privacy Commissioner of Canada: This example of the Bell relevant advertising program investigation covers a couple of points that were put out here. One is the opacity in terms of the information that had been collected and that was available to Bell, including demographic information, service information, surfing habits and perhaps viewing habits across the horizontally integrated suite of services they provide from mobile to home phone, to TV, to Internet.
When Bell came out with the relevant advertising program and announced it, it had quite a reaction in Canada. In fact, we received the greatest number of complaints that we had ever received on a complaint and on an issue, and the issue was that Bell was looking to use all of that information to target relevant advertising.
The key here is that with this horizontal integration of these services, all of this information taken as a whole — and Bell being in a unique position to have access to that information because of the delivery of service — would provide a rich multidimensional profile of an individual and a consumer. Not unsurprisingly, that caused alarm.
What we said in our conclusion was that if you are going to go down this path, then it has to be on an opt-in basis and with expressed consent. Canadians need to opt in to the use of this information. As well, there were certain types of information that were no-go zones, like the use of credit scores.
That is a trend you’ll see, because of telecoms and ISPs and the integration of both. Because of the position they are in, they have the ability to make use of more information than other organizations might have available to them.
The Chair: Do you oversee government organizations and Crown corporations?
Mr. Therrien: Yes.
The Chair: Would you like the same kind of powers to check out CRA to see what they are doing, or maybe the CBC?
Mr. Therrien: There is a different law for the government, per se. Some Crown corporations are somewhere in the middle between PIPEDA and the Privacy Act, but for government institutions like the Canada Revenue Agency, they are squarely within the Privacy Act, as opposed to PIPEDA. We can investigate based on complaints, but yes, to the question of whether we would like similar powers, the answer is yes.
Senator McIntyre: Thank you for your presentation, Mr. Therrien. As a general rule, do free trade agreements provide sufficient protection for private data? In other words, are they good ways to protect people’s privacy?
Mr. Therrien: That is an excellent question, and a very difficult one. It is very difficult to say. The recent agreement indicates that the signatory countries can, or actually must, have legislation on privacy protection. That is a very good starting point. Then, the agreements generally specify that countries cannot require data to be processed on their territory. That is a good thing, because people ultimately receive better services if data can cross borders and if consumers have access to better experts as their data is processed. However, under a number of circumstances, for example with police or security forces having access to the data of Canadians, we have to wonder whether the agreements provide good protection in that respect. The agreements, including the one that was recently reached, contain quite general provisions in that respect.
That leads me to say that it is quite difficult to understand the ultimate result, which is to ban a requirement that data be processed on one’s own territory as a principle, with the exception of public interest data. If Canada wanted to pass legislation to require certain types of data to be processed locally, because they are particularly sensitive, because they affect Canada’s national security, for example, it could in theory be done under the public interest criterion. But we do not know. These agreements have never been applied in a way that allows us to know how the provisions will be interpreted. The dispute resolution mechanism in these agreements has been the subject of major discussions between Canada, the United States and Mexico and, to my knowledge, the dispute resolution mechanisms do not require subject matter experts, particularly experts in privacy issues.
Potentially, the provisions can give Canada protection over the personal information of Canadians. But that depends on the interpretation that will be given to those provisions; they are written very broadly and applied using a dispute resolution mechanism that still has to be determined.
Senator McIntyre: Has your office been in communication with the panel conducting the broadcasting and telecommunications legislative review? As you know, it has recently launched its consultation process.
Mr. Therrien: Are you talking about the expert panel or the people from the CRTC?
Senator McIntyre: Yes.
Mr. Therrien: The expert panel? I don’t know. I don’t think so. We have certainly had discussions on the subject with the CRTC and with the Department of Innovation, Science and Economic Development. The process is basically just getting under way. We are here to try and give you some areas of information that we hope will be useful. We most certainly intend to communicate with the government authorities responsible for that review.
Senator McIntyre: I understand the review panel has to submit its report to the government by January 31, 2020. So you have enough time.
Mr. Therrien: We have a little time, yes.
Senator McIntyre: Thank you, Mr. Therrien.
The Chair: They get paid by the day, Senator McIntyre. That will take a long time. We will be all done before they get started.
Senator Miville-Dechêne: Mr. Therrien, I would like to take a little step backwards and I apologize if this is a basic question. You said that PIPEDA applies to communications companies, but, if I understand correctly, Canadian companies like Bell and Telus are subject to other legislation as well, because they have to comply with the Telecommunications Act. I am talking about privacy. That is what I understood.
Mr. Therrien: Yes.
Senator Miville-Dechêne: As commissioner, what can you do with companies like Bell and Telus that you cannot do with companies like Google and Facebook?
Mr. Therrien: I have the same powers vis-à-vis telecommunications companies as I have vis-à-vis other companies like Google and Facebook. I have the power to investigate complaints filed by consumers. Those investigations leads to recommendations and not to orders. I have exactly the same powers vis-à-vis telecommunications companies as for other companies.
Senator Miville-Dechêne: So when you talk about increasing your powers, it is for all companies?
Mr. Therrien: It is for all companies.
Senator Miville-Dechêne: You talked about the possibility of investigating even without a complaint, and about the possibility of imposing fines or imposing a decision. Is there anything else that you might need in our current situation in order to be effective? For example, are there principles that have been adopted in Europe that seem important to you and that, without copying them, we could use as a model as we come up with recommendations on the changes to be made?
Mr. Therrien: There are perhaps two issues: the right to dereferencing, which is often known as the right to forget, and the transfer of data.
Senator Miville-Dechêne: I wanted to talk about the right to forget, a subject that is of particular interest to me.
Mr. Therrien: There is a technical term that escapes me at the moment, but I will talk about these two issues: the right to dereferencing, or the right to forget, and the right of consumers to transfer their data. Let’s start with the second one. European law, the General Data Protection Regulation (GDPR), which was adopted in May, provides, among other things, for the right of individuals, mainly consumers, to transfer their data from one service provider to another, the principle being of course that the data does not belong to the companies, but to the individual. I think that would be a useful principle that you should consider.
Senator Miville-Dechêne: It doesn’t exist?
Mr. Therrien: It does not exist here as such and would, I believe, support an important feature of privacy rights, namely control. It is up to people to control their data, including requiring companies with which they do business to transfer it to another service provider if they wish to do so as consumers.
With regard to the right to dereferencing or the right to forget, the European Court of Human Rights, the equivalent of the Supreme Court in Canada, rendered a judgment in 2014 in Europe in a case involving a Spanish citizen who recognized a right to dereferencing, that is, companies that do business in Europe — Canadian companies included — have an obligation to derefer, that is, to make it more difficult for a company to access documents or information that may be held by a company when the information is incorrect, inaccurate or outdated, in other words, information that no longer reflects who the person is as we speak.
Senator Miville-Dechêne: When legal issues in particular are being considered.
Mr. Therrien: Among other things, legal issues, pardons, for example. This right was recognised in Europe in 2014. In early 2018, my office published a draft position indicating that when you read PIPEDA, you get the same results as in Europe. Canadian companies have an obligation to process only information that is accurate and up-to-date, and companies also have an obligation to provide consumers with procedures to ensure that the information that companies process is indeed up-to-date and accurate.
Senator Miville-Dechêne: If you are saying it exists, have you ever used it?
Mr. Therrien: It’s a project. We have received a few complaints from consumers, but there are several companies, including Google and other search engines, and also press companies, which disagree with this position because they believe that this position jeopardizes freedom of the press and freedom of expression. These are important rights that, in my opinion, must be weighed against the right to reputation and privacy. I do not deny in any way that there are concerns about freedom of expression and freedom of the press, and several companies disagree.
Noting this fact, a few days ago, the office decided to refer the matter to the Federal Court for a ruling on some preliminary questions such as this: Are search engines like Google subject to PIPEDA?
There is an exception in PIPEDA that if a company processes information for journalistic purposes, the company is not subject to PIPEDA. This obviously clearly applies to media companies, but Google is invoking this exception. One of the questions that is being asked in the Federal Court is: Is Google entitled to this exception to PIPEDA? Does it carry out journalistic or other activities?
So, a preliminary position was issued in January. The objections were found without investigation and without absolute certainty as to whether our position is well founded in law. Instead of creating expectations among people, the commissioner will investigate and derefer the information.
I thought it would be more prudent to put the questions to the court and put everything on hold until the court decides. The preliminary position I have taken is pending, as are the ongoing investigations pending the court’s decision. Once it has made its decision, we will act accordingly.
Senator Miville-Dechêne: It’s very exciting. Keep us posted.
The Chair: Mr. Homan, on the Bell recommendation, did the government act on the recommendation?
Mr. Homan: What we asked Bell to do is commit to engaging in that program only on an opt-in basis, and they agreed with our recommendations and complied.
The Chair: Do you have fining powers?
Mr. Therrien: We should. We do not.
The Chair: I think you should, too. So, if you do an investigation and you fine them, they can seek recourse through the courts or whatever. That is interesting.
Mr. Therrien: There is a private member’s bill on that point, actually, by Mr. Erskine-Smith, a member of the ETHI Committee in the House of Commons. Currently, there is a private member’s bill on that very point before Parliament.
The Chair: That may be something that the government could look at as well. We will definitely look at that. That is interesting.
Senator Cormier: Relating to the relationship between the Office and the CRTC, you mentioned a certain relationship, in the context of the modernization of telecommunications and broadcasting laws. What don’t you do together that you should do together?
Mr. Therrien: We should share more information on investigations so that they have a stronger factual basis when our investigations are conducted independently. However, interaction between regulatory agencies is a secondary issue. I would say that the fundamental question you should be looking at is this: Should all companies be subject to a single law of general application? Or, is it useful and desirable to continue the current regime where telecommunications companies are subject to CRTC measures that may go beyond measures of general application? As Privacy Commissioner, I have no problem with some companies being subject to a higher standard. It’s good for privacy.
However, if I put myself in the shoes of companies that have competitors swimming in the same waters, including Facebook, Google and others, who are extremely important players in terms of competition and the balance of applicable legal regimes, I think there is an issue to consider. Is it a good thing that, in terms of privacy, telecommunications companies are subject to a slightly elevated regime?
Senator Cormier: If I understand what you’re saying, it’s that companies like Google and Facebook, since they only fall under PIPEDA, pose a challenge to privacy infringement, because there is less requirement for privacy protection.
Mr. Therrien: Yes, but I would say it differently. I think there is a law of general application that we think needs to be improved, that is not perfect, but the Minister of Innovation, Mr. Bains has already indicated that the government is looking at improvements to PIPEDA. So, if we assume that the law of general application will be improved in this possible scenario, is it still necessary to have specific telecommunications provisions with respect to privacy?
There are clearly issues, such as Canadian content and other issues raised in your study, that are exclusively the responsibility of the CRTC and a telecommunications act. It has nothing to do with privacy. The CRTC has a role to play. I am not saying that we could not reach an agreement with the CRTC once the laws are amended, mine and theirs. We could agree, but the first issue you should consider is the balance of justice between the areas of operation with respect to privacy issues. Then either you will judge that telecommunications companies should only be subject to the law of general application and that there is no problem of collaboration with the CRTC, or you will judge that it is always useful and that we should do business with the CRTC, collaborate with it and be able to share information.
Let’s go to the American side. If there are two regulatory agencies with partially overlapping mandates, as in the United States between the Federal Communications Commission and the Federal Trade Commission, in the worst case scenario, it can lead to different conflicts and decisions. This was the case in the United States. Recently, the two organizations reached an agreement and entered into a collaboration agreement in which they share certain areas of intervention. So they solved the problem of potential conflict. However, if there are two regulatory agencies, questions will have to be asked about how the two agencies will work together. Does one of them have a predominant role in privacy protection over the other? All these questions are being raised.
Senator Cormier: Thank you.
The Chair: To follow up, Senator Manning asked a question earlier about other jurisdictions and what we could learn from them. Do other jurisdictions in similar bodies like yours have the disciplinary powers that we talked about earlier? Maybe you can give us an example if they do.
Mr. Therrien: Disciplinary as in orders and fines?
The Chair: As in maybe a fine?
Mr. Therrien: Yes. That is the general rule. The Federal Trade Commission in the United States can impose fines. They are called settlement agreements, but they are fines and they are often in the millions of dollars. That is the situation south of the border.
In Europe, in the GDPR, the general privacy regulation adopted in May, my equivalents in Europe can impose fines that are extremely hefty, representing four per cent of the business volume or the value of a business transaction of a given company. For Google and Facebook, for example, the fine can be extremely hefty.
I think the OPC should have the power to set and impose fines. We have not called for an exact amount. To take an example in Canada, the Competition Bureau can impose fines in the neighbourhood of $15 million Canadian. The amount should be enough to create an incentive for companies to comply so that the companies do not treat paying the fine as a cost of doing business. I don’t have a view on exactly what the amount should be.
The Chair: I know what you are saying, though. What about government organizations? How would you deal with that? Fine them personally?
Mr. Therrien: We have not looked at this closely with respect to the private sector. What I will say is preliminary.
I am not sure that the situation is exactly the same for the private sector. A regulator imposes a fine to the Canada Revenue Agency, so you have money transferring from one government envelope to another government envelope. Does that really achieve the purpose? I’m not sure that the situation is exactly the same, but we haven’t reached any conclusion on that point.
The Chair: That would be interesting to look at.
Senator Miville-Dechêne: I just want to be sure, because I’m a little confused between the answer you gave me and the one you gave Senator Cormier to the following question: Should we harmonize the plans and ensure that only one law applies, whether it’s Bell—
Mr. Therrien: No matter the sector.
Senator Miville-Dechêne: You said that, as Commissioner, you have no problem with that, because you have about the same powers over Facebook as you do over Bell. However, if you have the same powers in the status quo, why do you feel the need to say that everyone should face the same rules? Are there any additional important rules that Bell and Telus have to respect that Facebook and Google do not? Important rules that, even if they have no influence on your own action…. Can you give me some concrete examples so that I can understand why there is a need to harmonize or have the same laws for everyone?
Mr. Therrien: As things stand, the CRTC’s objective is to protect privacy. This is a mandate it received before the law of general application was adopted. To give you some examples of actions taken by the CRTC, we are talking about nuances in relation to the rules that apply under PIPEDA. The CRTC has in the past issued decisions that require telecommunications companies to inform consumers about their privacy practices. The CRTC has imposed as an advertising requirement that telecommunications service providers obtain the express consent of consumers before using their data for advertising purposes. In the PIPEDA, the rule is broader, and for example, consumer consent is mandatory. Consent must be express if the data collected is sensitive or the consumer has a reasonable expectation that his or her information will not be used without his or her express consent. So the rule is more general in application. The CRTC added a clarification by determining that, in the case of telecommunications companies, if the company wants to use information for advertising purposes, express consent is required. So we are talking about the same principles with a slightly more precise application according to some CRTC decisions.
Senator Miville-Dechêne: Thank you.
Senator McIntyre: My question is along the same lines as that of Senator Manning and Senator Tkachuk with regard to the global situation. In your brief, you refer to the general regulation on data of the European Union. In your opinion, should this data be applicable to all levels of the ecology of communication media focused on Internet applications and services?
Mr. Therrien: You’re asking if the content of the European regulation should apply to Canadian companies.
Senator McIntyre: Yes.
Mr. Therrien: There are several good things in the European General Regulation adopted in May. It is up to Canada to determine the best regime that should apply to Canadian companies and Canadian consumers. We are dealing with the United States, which does not have a general privacy law, although there are discussions right now to develop such a law. Europe has a regime that some say is very prescriptive. In Canada, there is one law, the PIPEDA, that is based on flexible principles. It needs to be improved, but it is not a bad starting point. So I do not think we should try to imitate the European regulation in all its aspects. There are several good things in the European regulation, and you should look at its content. However, the goal should not be to copy it in each of these aspects.
Senator McIntyre: Thank you.
The Chair: Thank you very much, witnesses. Much appreciated.
We will suspend for a couple of minutes to go in camera and we will be able to further thank the witnesses after we do that.