Appearance before the Standing Senate Committee on Official Languages on the study to examine Canadians’ views about modernizing the Official Languages Act

March 18, 2019
Ottawa, Ontario

Opening Statement by Brent Homan
Deputy Commissioner, Compliance Sector

(Check against delivery)

---

Good afternoon Senators. 

With me today from my office is Regan Morris, Legal Counsel.

I would like to thank the Committee for the invitation to speak about compliance agreements in the context of your study on Modernizing the Official Languages Act.

The OPC is mandated to conduct independent and impartial investigations into complaints about the management of personal information involving businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and government bodies subject to the Privacy Act.

The Privacy Commissioner has no direct enforcement powers. He may seek resolution of a complaint through negotiation, persuasion and mediation and may make recommendations to help prevent issues from recurring. He cannot make orders or impose fines.

Should a private sector organization fail to comply with our recommendations under PIPEDA the Commissioner can apply to the Federal Court to seek an order requiring the respondent to take action to correct its practices. The court may also award damages to a complainant.

The OPC can also enter into a voluntary compliance agreement with a private sector organization to help ensure that the organization follows through on commitments it has made to the OPC to rectify its practices. There is currently no equivalent mechanism under the public sector Privacy Act.

The OPC has had the authority to enter into compliance agreements with private sector organizations since 2015, when PIPEDA was amended. To date, we have entered into four Compliance Agreements.

Our experience with Compliance Agreements has generally been positive, but it is clear that there is still room to increase their effectiveness.

On one hand, they allow us to be flexible. We can include any terms in a Compliance Agreement that we consider necessary to ensure compliance. We may use a Compliance Agreement to underscore issues of great scope or concern to our Office and the public. To date, Compliance Agreements have resulted in positive privacy outcomes. For example, our monitoring of the Ashley Madison Compliance Agreement allowed us to ensure fulsome implementation of a variety of remedial actions, including the implementation of a comprehensive privacy and security framework.

On the other hand, the commitments, terms and timelines in a Compliance Agreement must be negotiated with the organization. We do not have the authority to impose specific terms on an organization.

As is the case with our investigations or audits, in the absence of sufficient cooperation, we must file an application with the Federal Court to enforce the terms of a Compliance Agreement. However, Compliance Agreements have the advantage of being court-enforceable based on their terms, while absent a Compliance Agreement, a Federal Court application for an investigation would represent a de novo proceeding.

Compliance agreements are an arrow in the quiver to support the OPC’s regulatory role. But they are not a substitute for enforcement powers and the ability to levy fines.

Our principles-based law is quite permissive and gives companies wide latitude to use personal information for their own benefit. Under PIPEDA, organizations have a legal obligation to be transparent and accountable, but Canadians cannot rely exclusively on companies to manage their information responsibly.

Commissioner Therrien has called for legislative reform to give Canadians better privacy protection through modern, rights-based legislation that can be effectively enforced.

In particular, he has asked for the power to make orders, issue fines and conduct inspections to promote compliance. These powers would bring the OPC in line with many of our international regulatory counterparts in the privacy world.

It is not enough to simply ask or negotiate with organizations to live up to their responsibilities. Canadians need laws that will protect them when organizations fail to do so. Respect for those laws must be enforced by a regulator, independent from industry and the government, with sufficient powers to ensure compliance.

Thank you and I welcome your questions.