The committee met at 1:03 p.m.

[M. Elmore in the chair.]

M. Elmore (Chair): Good afternoon. I’d like to welcome everyone participating and listening today to our public hearing. My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

I’m pleased to be joining you from the traditional territory of the Musqueam, Squamish and Tsleil-Waututh Nations.

We are an all-parliamentary committee of the Legislative Assembly, with a mandate to review the Personal Information Protection Act. In support of this, the committee is holding public hearings to gather input from British Columbians.

In addition to the public hearings, the committee is also inviting British Columbians to send us their thoughts in writing before July 30. All the information we receive will be carefully considered as we prepare our report to the Legislative Assembly, which will be released in December this year. I encourage anyone who’s interested in the consultation or wants to learn more about the work of the committee to visit our website at www.leg.bc.ca/cmt/pipa.

On behalf of committee members, we’re looking forward to hearing from a number of presenters today.

[1:05 p.m.]

I’ll now ask the members of the committee to introduce themselves. I’ll hand it off to our capable vice-Chair, Dan Ashton.

Go ahead, Dan.

D. Ashton (Deputy Chair): Thanks, Mable.

Good afternoon and welcome. I’m Dan Ashton. I have the pleasure of representing the folks from Penticton to Peachland.

I’ll pass you over to my peer.

A. Wilkinson: Hello. I’m Andrew Wilkinson from Vancouver-Quilchena.

K. Greene: Hi. I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you from the traditional territory of the Musqueam Nation.

G. Begg: Hi, everyone. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m proud to be joining you today from the traditional territories of the Coast Salish peoples, including the Kwantlen, the Semiahmoo and the Katzie First Nations.

R. Glumac: I’m Rick Glumac, MLA for Port Moody–​Coquitlam.

I’m on the traditional territory of the Coast Salish peoples.

M. Elmore (Chair): Thank you, Members.

Assisting the committee today are Susan Sourial, Lisa Hill and Mai Nguyen, from the Parliamentary Committees Office. Amanda Heffelfinger, from Hansard Services, is also here to record the proceedings.

Now, our first presenters are from the Canadian Life and Health Insurance Association. Joining us are Stephen Frank, who is the president and CEO, and Anny Duval, who is the association’s senior counsel.

You have up to 15 minutes for your presentation. Hansard Services has provided a timer, which will be visible on your screen, if you use the gallery view. We’ll have some questions and answers following that. Please begin when you are ready.

Presentations on
Personal Information Protection Act

CANADIAN LIFE AND HEALTH
INSURANCE ASSOCIATION

S. Frank: First off, thank you so much for the opportunity to speak with you on this very important matter. We won’t be speaking for 15 minutes. We’ll have some brief introductory remarks. Hopefully, we can get into more of a dialogue with you after that fact. I look forward to any questions you may have.

I’ll just introduce myself. I am the president and CEO of the Canadian Life and Health Insurance Association. Anny Duval is our senior counsel and my resident expert in privacy matters. I’ll look forward to, like I said, your discussions. We can speak at a conceptual level and then in some detail, depending on the interests of the group today.

Just a quick overview of who we are. The CLHIA represents all of the life and health insurance companies across Canada. We have about 67 members and represent effectively all of the industry. We say 99 percent. There may be a company out there we’re not aware of, but effectively we’re able to speak for everybody.

Within British Columbia, we have a very important role. As you can see here…. I won’t read through all of these, but we make roughly $12 billion of payments annually to British Columbians. The vast majority of those go to living policy holders. Those would be for things like prescription drug coverage, pension payments and annuity payments, maybe disability coverage that people may have through an employer plan, and then your standard life insurance — so your term life insurance or universal and whole-life, etc.

We’re also a very, very significant investor in the economy, with well over $100 billion invested locally in British Columbia. The majority of those are for quite long-term projects, because that’s a good match for our business.

A little bit of who we are. We do a lot more than just traditional life, but that is sort of our core traditional type of product.

Just a little bit on our interest in this area about protection of personal information. I want to remind the committee that, by law, when individuals are applying for insurance, they are required to provide all relevant information to the underwriting of that risk. In other words, if there is information that is relevant to an insurer and you go to assess the premium that should be charged and whether or not to provide coverage, we have the ability to ask for that information. It’s critical in the up-front phase that we collect a lot of that data, and we also use it on the back end to determine when and how to pay claims.

The flow of data and the use of data is something that’s right at the core of insurance and has been for hundreds of years. It really is sort of at its core. We are a data-driven business.

[1:10 p.m.]

As an industry, we’ve always treated and viewed the protection of that information as absolutely critical. We know very well that if consumers lose faith in the insurance industry, if they don’t trust that we’re going to be there for them when they need us, they’re not going to be open to purchasing insurance from us.

We’ve always had an extremely high standard on how we collect information, how we protect it, when we use it and how it’s divulged to third parties. We view ourselves as being well aligned with the kinds of issues that this committee is exploring because we, too, really see the value in having a robust and appropriate privacy legislation that provides confidence to consumers and, also, confidence to the industry in our ability to continue to conduct business in the province.

We see an appropriate regulatory framework as one that balances two things. Clearly, we need to ensure that people’s information is protected, they have confidence in what’s being collected and how it’s going to be used and they have confidence in how that data is being protected once we have it.

We also need to get the balance right, though, to ensure that we can continue as an industry to do innovative products, provide innovative services and develop new tools and solutions for Canadians, going forward. As I said, at its core, insurance is a data-driven business. We want to make sure that we strike that appropriate balance.

On to the substance of PIPA. Our view is that, up to this point, PIPA has generally worked very well to protect B.C. individuals, and overall, we’re pleased with the regime in B.C. That being said, there are two areas in particular that we think there could be some enhancements that would be helpful. The first involves people’s ability to access their medical information. This would be an individual, for whatever reason, contacting an insurer and saying: “I want you to share this information with someone.” We would do that through a medical practitioner. We want to be able to make that information available.

That can be a very challenging process, even if it’s initiated by the consumer or the individual. It can be challenging for us to make that happen. We think there are some opportunities to smooth that process out so individuals have the ability to move that information.

Then almost on the flip side, the other area we’ve noted over time is on the opposite end of the extreme. We do think there’s room for providing a bit more protection for organizations not to provide information when it may be prejudicial to an ongoing judicial process.

On occasion, we may receive requests that are part of some kind of legal proceeding and where we feel it’s not appropriate or it may prejudice that proceeding. Again, it’s almost the flip side, providing a bit more opportunity to protect that information and the flow of that. We’d be happy to get into some more details on that with you all, if that would be helpful. Anny can certainly speak to that in some more detail.

This would be, I think, broadly, very pleased with how the regime’s working in B.C. Those would be the two areas, from our perspective, where there could be some potential for some improvement if the committee is open to that.

At its core, this is an issue that we’re very cognizant of and we watch very carefully in all jurisdictions, globally, when it comes to data protection. This is true with respect to the federal legislation, it’s true with respect to B.C., and it’s true when we are dealing with regulators internationally.

It’s really important for us to be able to move data across provincial borders. It’s absolutely essential that we’re able to do that for an efficient and modern delivery of service to Canadians. That could be to facilitate many of the back office functions, like underwriting our client services or claims payments.

For example, if someone is injured in an accident and they want to claim some of their disability coverage, the decision on whether or not to pay may be taken in B.C. It may be taken at a call centre somewhere else. Those folks adjudicating those claims need to be able to access that information. So it’s critical on a back office. Much of the underwriting and upfront work is now being increasingly consolidated, too, for questions of scale.

The ability to flow data in and out of B.C., of course with the appropriate protections, is really important for our industry. We fully support the strong protection of that information, and we fully support ensuring it’s protected wherever it’s being used. But we want to make sure that we continue to have the ability to do that across Canada.

[1:15 p.m.]

We do think the current section 34 provides the right balance there from our perspective. We wouldn’t want to see any major changes there. We do think it hits the right balance.

The other area that we are always cognizant of — certainly, for industries like ours that operate on a national and, in fact, a global basis — is we want to ensure that we have a privacy protection regime in Canada that is as aligned as possible across the various provinces. Coordinating B.C. with other provincial privacy regimes and, indeed, at the federal level is important from our perspective.

We believe PIPA should remain substantially similar to the PIPEDA, which is the federal act in place currently. You are all aware, I’m sure, that Bill C-11 will be updating that. That’s been put off due to the rising of the House federally, but in due course, there will be a replacement for PIPEDA. We would certainly urge the committee to ensure that the B.C. approach remains as aligned as possible with the federal rules, which allow us to standardize our approach right across Canada.

Equally, the Europeans have their GDPR model, which has, to some extent, set some standards globally, and we want to make sure that the Canadian regimes remain aligned with GDPR so we can continue to do business in Europe. Many of our member companies are very active on continental Europe.

I guess our ask of the committee is that, as you consider any changes to the legislation in B.C., we try to align the timelines and we try to align any changes as much as possible with what we’re expecting to come in PIPEDA and Bill C-11.

I’ll just comment very briefly on C-11 as my final comment. Then I’m happy to take any questions you many have. Generally, we are very supportive of the changes that are proposed in C-11. We like the fact that it’s a principles-based model and it’s technology-neutral. We think those are important elements.

We think it achieves some important advances in some key areas such as with the individual rights, the right to have automated decision-making and the role for voluntary codes and certification. We think those are important elements that are in Bill C-11. It maintains a focus on consent, which we think is absolutely appropriate. We think it gets the balance about right there on what consent can mean and how to operationalize that in a business.

Again, importantly, it continues to ensure that Canada is interoperable with other jurisdictions, particularly throughout Europe and into the U.S. Broadly, we are pretty supportive of the direction that Bill C-11 is taking.

Just in conclusion, I think the regime in B.C. has worked well to date. There are a couple of areas where we think there could be some improvements. Certainly, we’d love to work with this committee and the province on some of those. While we would support some of those improvements, it’s important that, to the extent possible, B.C. remain aligned with the federal approach which, in turn, keeps us well aligned with what is the common practice internationally.

Those are my intro remarks. I’m happy to pause there and take any questions you may have. I would also welcome Anny.

If you want to jump in with any thoughts as we do the Q and A, you’re welcome to do that as well.

I’ll pass it back to the Chair. I look forward to our discussion.

M. Elmore (Chair): Thank you, Stephen. Thank you for your presentation.

I’ll open up to committee members for questions. If there are any, I’ll allow folks to jump in. I do have a question. I can get things rolling here.

Stephen, can you talk a little bit more…? I know you had two specific recommendations with respect to improvements. Can you just go into it a little more and talk about your second recommendation — access rights used for litigation purposes? Tell me more about that.

S. Frank: Maybe I’ll get Anny to do that. I don’t want to get too into that and say the wrong thing.

Anny, why don’t you maybe provide a little more colour on that?

[1:20 p.m.]

A. Duval: I will jump in.

Often what happens — and we’ve been seeing it more and more — is the plaintiff bar is jumping in and asking the individual that they are representing and foreseeing representing to use an access request to get the information ahead of time sort of as a fishing expedition or ahead of any discoveries to see what they would find, if there is a reason to sue. So they’re circumventing the judicial process altogether. It’s not efficient for anyone.

The judicial process works well, so there’s no reason to use the access right in that way — in a way it was never contemplated to be used. There is an exclusion in Quebec to avoid that if it would impact processing, and it works well, so we were recommending that you adopt a similar exclusion.

M. Elmore (Chair): Thanks, Anny. Now, excuse me if I didn’t see it, but is that explicit recommendation included in your presentation with reference to the Quebec example?

A. Duval: I believe it is. I’m not sure the reference to Quebec is there, but we’re preparing a supplemental document for you, and it will certainly be.

M. Elmore (Chair): Okay. Great. Thank you.

A. Duval: You’re welcome.

M. Elmore (Chair): Any other questions from committee members?

A. Wilkinson: Mable, I’ll jump in, if that’s okay.

M. Elmore (Chair): Yeah. Go for it, Andrew.

A. Wilkinson: Having practised litigation for 25 years, the access request involving medical information…. That’s pretty much routine that someone goes to see a lawyer and says, “I’m not sure if I’ve got a case,” and they request all of the available records. In that 1992 Supreme Court of Canada decision, the medical information is held in trust by government or doctors or you, for that matter, and has to be disclosed to the patient.

I’m a little confused about your request, and the second request I don’t understand at all.

A. Duval: You mean the request to get medical information directly to the health care professional?

A. Wilkinson: Yeah.

A. Duval: The issue that we have is that the process we have right now….

If you look at section 5 of the regulation, there’s almost like a four-step process. If there’s an access request where there is medical information that we believe may be…. The test is: “…reasonably be expected to cause grave and immediate harm….” Well, first of all, if there’s an access request to an insurance company that includes medical information, this is a test that should be lowered. It shouldn’t be that grave when we could be allowed, if possible, to have that information transferred via medical practitioner.

The reason is this. If there’s information in there and the person already has a pre-existing condition that could cause them harm, even if it’s not great harm, they don’t want to hear it from us. It would be much, much safer if they heard it from a medical practitioner who has been trained to deliver, sometimes, information that might be more difficult and who could also do a follow-up as to if the individual has a very bad result out of a test and that person suffers from anxiety or something like that.

Maybe it would be better if this individual hears it from their doctor. If there’s discovery of a cancer or something, they can explain exactly what the ins and outs are, what the next steps are and what the consequences are, as opposed to saying: “Well, here’s what we have in your file. You deal with it.” It’s difficult.

The regulation, section 5 that I was referring to, has four subsections that would require the insurer to go ask for a medical or health care professional and say: “Can you assess this information? First of all, we need to get you to sign a confidentiality agreement before we send you that information so you can assess it.”

Logically, that medical professional is probably going to send it to their account. So it’s going to get reviewed. It’s going to come back to us. Okay. We can get it. I can take the information. I’m comfortable with the confidentiality agreement. Then they receive all the information. They assess if it meets the test, and then they have to return everything afterwards. They are asked not to use the information for anything else but their assessment, which makes sense.

[1:25 p.m.]

One would think that it’s not required to have such a bulky process when, really, what we could do is pick up the phone, call the individual’s doctor and say: “There’s been an access request. There’s information that even sometimes will come from you, now. Can you disclose it to the individual so you can have full control about the next steps and how it’s delivered as a message?”

S. Frank: I think the key message is that we’d like to work through the individual’s physician and let the physician position and control some of the sharing of that information versus us having to do it. We’re not sure…. Even for us to do it, there’s quite a robust set of hurdles we need to jump through. We don’t think it’s in the patient’s interest to necessarily keep that rigid a system. Some flexibility there, I think, is really what we’re looking for on that second request.

A. Wilkinson: The concern or counterpoint is that about a quarter of our population doesn’t have a doctor to go to. That’s an ongoing issue across Canada. The second one is that the courts have provided that that it’s permissible to have it filtered or reviewed en route to the patient in the case of dire psychiatric threats. But most health care is provided through publicly funded systems now, certainly in Canada.

If the MRI results or the biopsy results are not going to be coming to you, they’re going to a publicly funded health care system. I guess what I’d say is I’m skeptical that this is a big enough source of mischief that it warrants legislative intervention.

A. Duval: Well, you already have section 5 — the regulation. Why would you have that process altogether, if it wasn’t something that gets to be used? We’re just saying this process is way too complicated. In the rare cases where it happens, it’s just too burdensome.

A. Wilkinson: Burdensome to whom? As we said, in 1992, the Supreme Court of Canada decided that health information is the property of the patient. It’s only held in trust by you or me as a doctor or a hospital. So we might have to query whether they were wrong.

S. Frank: I think what we’re saying is we’d like to share that information more easily and with less hoops. I think, Andrew, that we’re speaking on the same side here. If a patient asks us to disclose that information, we would like to do it. We’d like to do it in a quicker, easier way then we’re able to today, and we’d like to have a physician be the one controlling how that’s communicated.

I guess our point is that the current hoops we jump through today make that a very cumbersome process to actually do that on behalf of a patient. We’re looking to open things up, not to restrict them, in this instance.

A. Wilkinson: But it also transfers costs from you to the patient, because I’m going to find a practitioner who’s prepared to do this.

A. Duval: Well no, it would be an option. If the individual doesn’t have a practitioner, then obviously, that’s the only way we have. But if they do have a practitioner, then we would certainly feel it’s easier for everyone, including the patient, if their own doctor can deliver the information.

S. Frank: Yeah, we would never….

A. Wilkinson: But it should be the patient’s choice, shouldn’t it?

S. Frank: Well, of course. But I think we would suggest that if you’re going to get some difficult information about test results, or something that’s revealing something about your health status, it should be communicated to you most appropriately by your physician. We would like to make that available in an easier fashion.

If someone doesn’t have a physician, I can’t imagine our process would ever be, “Well, we can’t. Too bad. Go get yourself a GP,” before we would disclose it. That would never be our model. We would always look to accommodate that.

For the majority who have a physician, we think it’s a better experience. We think it’s better for them to have it explained appropriately. We’d like to make that available a little more easily than today. It’s a question of opening up the ability to do that for British Columbians. That’s what we’re referring to here.

A. Wilkinson: Just lastly, what kinds of test results are you referring to that wouldn’t be done through the public system?

S. Frank: When people are applying for life coverage, as you know…. I don’t know when you last did that. You’ll have a nurse visit your house. They’ll be collecting information, potentially blood work, as part of that application. If you are on a very high-cost, rare-disease drug that’s not covered by B.C. PharmaCare…. The majority of British Columbians have private coverage that may cover that. There may be some tests that are required before access is given to those medications.

There could be a whole variety of things that are done outside of the public health system that would be in your file with us that your physician may not have.

M. Elmore (Chair): We’re at time here. Thank you for the excellent conversation. I want to appreciate Stephen and Anny. Thank you very much for joining us and taking the time to submit your presentation to us and to also join us in our committee today.

[1:30 p.m.]

S. Frank: Very good. Thank you for the opportunity. Very important work. We’ll look forward to working closely with you on this, going forward.

Have a good afternoon, everyone.

M. Elmore (Chair): Bye now. Take care.

Our next presenter is Dr. Colin Bennett, who is a professor of political science at the University of Victoria whose research has focused on the social implications of new information technologies and on the development and implementation of privacy protection policies.

Welcome, Dr. Bennett. You have up to 25 minutes for your presentation. Hansard Services has provided a timer which will be visible on your screen, if you’re using gallery view. Before you begin, I’ll ask the members to introduce themselves.

I’ll start with myself. I’m Mable Elmore, MLA for Vancouver-Kensington. I’m the Chair of the Special Committee to Review the Personal Information Protection Act.

I’m joining you from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

I’ll hand it off to the vice-Chair, Dan.

D. Ashton (Deputy Chair): Good afternoon. I’m Dan Ashton. I represent the area from Penticton to Peachland. Welcome.

I’ll pass you on to my associate.

A. Wilkinson: Hello. I’m Andrew Wilkinson. I represent Vancouver-Quilchena.

K. Greene: Hi. I’m Kelly Greene. I’m the MLA for Richmond-Steveston.

I’m coming to you from the traditional, unceded territory of the Musqueam people.

G. Begg: I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m proud to be joining today from the traditional territories of the Coast Salish peoples, including the Kwantlen, the Semiahmoo and the Katzie First Nations.

R. Glumac: I’m Rick Glumac, MLA for Port Moody–​Coquitlam.

I’m on the traditional territory of the Coast Salish peoples.

I will have to duck out at some point before two o’clock. I have to leave for another meeting.

M. Elmore (Chair): Thank you, Members.

Please begin when you’re ready, Dr. Bennett.

COLIN BENNETT

C. Bennett: Thank you very much.

Good afternoon, everybody. I did upload a submission a couple of weeks ago, which I hope you’ve had access to. I did it before I went on vacation, and that’s what I want to speak to. I don’t want to read it. I want to keep it casual and informal and just engage in discussion with you.

As you mentioned, I’ve been studying privacy protection for a long time now, for about 30 years, both in Canada and internationally. So I think I’ve got some insight into what works and what doesn’t.

I understood from your call here that you’re quite interested in the GDPR and in C-11 and in the relationship between international, national and provincial privacy protection. That’s what I’d like to talk to you about. I’ve got some more specific requests for amendment to PIPA, but I thought it would be more useful to perhaps begin with the broader context.

I should also say that since I wrote the paper you have in front of you, the Ontario government has produced its white paper, and I actually think that white paper is really good. So I would encourage you to take a close look at it, because I think it really does engage with the critical issues for provinces in modernizing privacy protection law.

Firstly, let me say a little bit about the European General Data Protection Regulation and why it matters for B.C. There’s a lot written about this, and I think you’ll hear some commentators saying that it’s overly prescriptive and overly bureaucratic and top-down and European and not kind of fit for purpose for the Canadian context.

I think it’s important to recognize that the GDPR really represents a mix of different tools which can be used by organizations and by nations in the ways that they see is best to protect the privacy of their citizens.

[1:35 p.m.]

Through the adequacy mechanism, which is the principle that European data should not flow out of Europe to other countries unless there’s an adequate level of protection, but also just because of market mechanisms and the flow of these rules through the international digital economy, the GDPR has had a global influence — in Canada, in B.C. — and not only with respect to our relations with Europe but also with respect to our relations with Asia. Some important economists in Asia, including Japan and Korea, have updated their data protection legislation to be GDPR consistent.

I think it’s very important, whatever we do, to make sure that it reaches that adequacy threshold. That is not only for Canadian citizens and consumers but also for Canadian businesses. You heard from the CLHIA just now about the importance of the interoperability of different rules. Like it or not, the GDPR is producing the global standard for privacy and data protection. That’s not to say there aren’t things that are wrong with it. There are things that are wrong with every privacy law. But it’s something that we really have to take into account.

I’ve written also about C-11, and I’ve been quite critical of C-11. I listened to the Privacy Commissioner’s testimony to you last week. I generally agree with him that C-11 does need some significant amendment. I personally have been talking to ISED about the sorts of things that I would like to see. But I think there have been some opportunities missed with C-11 in modernizing privacy protection. I go through, in my paper, areas where I think the bill does not match up to the contemporary global standard. Therefore, I’m hoping that they do fix those deficiencies.

Whether or not, whenever the federal government acts on these issues, we’re going to need to do something in B.C. I think what I want to suggest now are the various things that I think we can do to PIPA which can be done in advance or coterminously with whatever the federal government is doing. In the last part of the paper, I just sort of review where I would like to see B.C. going here.

I think it’s important to put this in context. This law is 20 years old. It is dated. The concepts it uses are dated. For example, it’s based on a very anachronistic distinction between the collection, the use and the disclosure of personal data. That’s the structure of PIPA. I don’t know what those distinctions mean these days in the context of artificial intelligence and automated processing of personal data. The GDPR just uses the term “data processing,” as does C-11. Those distinctions are broken down.

I think there are several things that we need to do. I’ll just go through my list, if I may. I don’t think we should wait for a federal bill to be passed before we act. I don’t see that there’s real reason to do that. Yes, whatever we do has to be substantially similar to the federal legislation, but I really don’t see any danger in our not being substantially similar if we can produce a piece of legislation which is largely consistent with the international standards.

I also think that it’s important to note that provincial statutes in B.C., in Quebec and in Ontario, hopefully, are going to do the heavy lifting with respect to protecting the direct relationship between the consumer and the organization as well as the employee and his or her organization. I think there’s a lot that we can do in order to drive the agenda. I think you’re seeing that in Ontario. You’re seeing it in Quebec. There’s no reason, I think, to sort of wait for the federal government to get its act together and figure out what to do before moving forward.

The second point I want to make is that I don’t think quick fixes will really cut it. I see that there are some real problems with the very structure of PIPA. I’ve already mentioned one, the distinction between collection, use and disclosure. I also would draw your attention to the fact that PIPA relies on what I would call a consent with exceptions model. The basic legitimacy for processing data is consent, and there are then exceptions.

[1:40 p.m.]

The problem with that model is that consent then becomes less a process of an individual transaction — me dealing with my business, me dealing with my auto manufacturer and so on — and more a process of collective licence where a business can say, “We got consent for that,” particularly if it’s implied consent as is allowed for in PIPA. Therefore, that allows all kinds of processing that the consumer never agreed to and is largely unaware of.

Modern privacy legislation, I think, shifts the onus away from the responsibility of the individual to control his or her information to that of the organization and to that of the regulator. That’s what I’d really like to see here.

Yes, consent has to be there. But if consent is there, it has to be real consent. It has to be proper consent. It has to be transparent. It has to be: “I know what I’m consenting to.” But in so many circumstances, we do not know how our data is being processed. The complexities of the network economy are such that an individual cannot control all that information.

What does that mean? It means that you cannot rely on consent, even though it’s important. What it means is that there needs to be far stronger accountability mechanisms in the legislation to say that you, as an organization, can do X, Y and Z for these legitimate purposes, but you have to be accountable for that. You have to be transparent, and you have to use all of the tools in the toolbox in order to demonstrate that you are accountable.

What that means is that an organization will say: “Yeah, we want to use the personal information in this way. We have done a risk assessment. We have understood the sensitivity of the data. We’ve done privacy impact assessments where necessary, and we stand ready to demonstrate to the individual or, more directly, to the regulator that we are accountable for the personal data that we process.” Using all of the contemporary privacy tools, policy tools, in the toolbox, I think, is critical not only for the individual but also for the business and for the regulator.

In this regard, there’s a couple I’d just like to mention to you very briefly. I mentioned privacy impact assessments. These are very useful tools. It says to an organization that if you think you’re processing personal data which is going to be of risk to the individual, perhaps where highly sensitive data is being used, you’ve got to do an assessment, and you’ve got to demonstrate that you’ve understood and you’ve thought through the privacy implications. You may not need to publish that. You may not need to even make it available, but it should be there if the regulator comes knocking.

That’s not necessary for necessarily small and medium enterprises, but where there’s a key risk to the individual where sensitive data is being used, it should be something that is part of good business practices. It’s something that businesses do anyway, even if they’re not required. I’d like to see that put in the law.

The second thing that is very, very important, which you see in the GDPR, is what is called privacy by design. What this essentially says is that it imposes an obligation on the controllers of organizations to implement appropriate technical and organizational measures so that privacy is the default. It’s the design. If you don’t need to use personal data to deliver your service or deliver your business, then you have an obligation to not do so. It makes the default option the non-collection of personal data.

There are all kinds of variations of that, but I’ll just read to you what Quebec’s Bill 64 says. It requires the highest level of confidentiality by default, without any intervention by the person concerned.

A regulator can come along and say: “Look, why do you actually need that personal data in the first place?” If you can perform your service, if you can deliver your goods and services without capturing large amounts of personal data, then you have an obligation to do so. But so often, in the contemporary economy, the default is the collection, the capture, of data rather than non-capture of data.

[1:45 p.m.]

A few other things. Then I’ll conclude. I’m very much in agreement with the commissioner on mandatory breach notification. I think that’s a no-brainer. There’ll be discussions about the threshold, but that is a standard tool in the contemporary toolbox. Data breaches can have massive consequences for corporations, for share prices, for reputations, etc. They should be obliged to notify the commissioner when they have suffered a significant breach. I think that is, as I say, a no-brainer.

I do support the commissioner’s call for enhanced investigative powers and his ability to administer penalties and fines. I think that, too, is all part of the toolbox, where it’s necessary. I also think that there need to be stronger protections throughout the data-processing chain — so obligations for service providers.

PIPA should be amended to protect personal data that’s transferred to service providers, whether it’s in B.C. or in Canada or elsewhere. There should be an obligation on the organization that’s capturing that data to ensure that privacy protection throws throughout the data-processing chain, and not just by contract.

I think consumers are also going to want to know where their data’s actually been processed. If an organization is processing personal data in a jurisdiction which does not have a respect for human rights, does not have strong privacy legislation, then the organization, in my view, should be obliged to do a risk assessment to ensure that the data is being processed appropriately.

One final thing I’ll mention. One of the key points about the GDPR is it makes a critical distinction between sensitive forms of data and non-sensitive forms of data. We do that sort of implicitly in PIPA, but contemporary privacy law has stronger forms of protection for data which is defined as sensitive, and in some legislative schemes, those are laid out — health data, biometrics, data on political opinions, data on genetics, and so on.

That needs to be looked at, and as part of that also — and this is where I will conclude — we need stronger protections for the processing of personal data on children. Most contemporary data protection laws have special protections for the protection of children. That’s a failing of C-11, in my judgment. It’s simply not okay to track kids. It’s simply not okay to do that. I think most parents would agree with that and that most politicians would agree with it, but it’s something that is not currently in PIPA.

Just to conclude here, I’ve gone through a lot, I know, and there’s a lot more I could say. I’ve got the submission in front of you, and I’ll supplement it as necessary.

Good privacy protection enhances consumer trust. That is in the interest of business. I don’t think you or anybody should really see that enhanced regulation, modernized regulation, giving the tools to both business and to the commissioner to get this right and to produce a modern statute that’s fit for purpose in this digital age is necessarily going to impose compliance costs on business. There are already compliance costs. There are compliance costs through the loss of privacy, through data breaches, and so on.

It’s a matter of producing a statute — I don’t think a quick fix is going to do it — that is fit for purpose, certainly which is substantially similar and which is also consistent with modern trends in terms of the protection of privacy in the global economy.

Thank you very much. I’ll leave it there. I’m seven minutes short. I hope that gives plenty of time for Q and A. I stand ready to assist you going forward. This is an area of, as you can imagine, my research on which I’ve written a lot. Thank you so much for your attention.

[1:50 p.m.]

M. Elmore (Chair): Thank you very much, Dr. Bennett, for your proposal that you submitted and also for your presentation.

I’ll open it up for questions to committee members.

K. Greene: Thank you, Dr. Bennett. That was very comprehensive and helpful information for us to have.

I have a question about the GDPR, which was referenced a number of times, and the notion of adequacy. Would you be able to speak to that — about how C-11 fits into that? Most often we compare within Canada. Having a comparison outside of that, whether that adequacy would be met, if we were looking at C-11 as a newer baseline.

C. Bennett: Yeah. Well, from the European points of view, what they’re looking for is…. This is their law, right? They have to ensure that when data flows out of the European Union, it has an equivalent level of protection — that it goes to places where there are laws which are “essentially equivalent.” What does that mean?

Well, there’s a bit of vagueness there. But what it essentially means is the basic privacy principles — the sort of thing that you see in PIPEDA, which impose obligations on businesses and give rights to individuals — a good level of enforcement and independent oversight and investigation.

Now, that sounds fairly straightforward and fairly basic, but the thing is that when the Europeans have actually been looking at laws elsewhere, they got a lot, lot deeper. They’ve used their market power to leverage changes to legislation in different parts of the world which you may or may not think is appropriate, but which nevertheless produces higher levels of protection.

It’s very unlikely that B.C. as a jurisdiction will apply to the European Union for adequacy. The way this has worked is that PIPEDA was deemed adequate back in 1992 and then it was assumed that substantially similar legislation in the provinces would also be adequate as well.

Although when Quebec went to the European Union and said, “Can we have an adequacy designation for our former law?” the European Union said no. That’s an interesting dimension here.

I think the wisest course is to look at the GDPR as a set of solutions. You can’t copy it. We shouldn’t copy it. It’s a different legal regime, different administrative law, different constitutional law, but it produces a set of tools which we can import into our province. If that is done, as well as having the basic principles in place — access and so on — then I think we would really be meeting that adequacy standard and, therefore, also be meeting a substantial similarity standard.

Is that clear? Does that make some sense?

K. Greene: Yes, thank you. That was great.

C. Bennett: Okay. Good.

M. Elmore (Chair): Do we have questions from other…?

Andrew.

A. Wilkinson: Yeah, Mable.

I agree. This is very helpful. Thank you.

I guess it’s the practicalities of this that in our ideal world we would say C-11 or its successor or whatever federal regime falls into place, along with GDPR. Sure, it would be nice to dovetail with them and be on the same playing field so we can get equivalency and we get the federal pat on the head to say that we have the jurisdiction, rather than the federal act applying. Then individuals, businesses, whoever is involved says: “Great. British Columbia is on the path. It’s GDPR and C-11 and British Columbia-compatible. Off we go.”

Given that C-11 is in limbo…. As you said, GDPR is designed for a complex civil law regime that doesn’t apply in Canada. Chicken and the egg problem. Maybe two chickens and three eggs.

C. Bennett: It may be less of a problem than it actually seems, though, Mr. Wilkinson. Yet you’re dead right. Ideally, the feds would have acted before now.

[1:55 p.m.]

They would have got an adequacy stamp of approval, and we could say: “Okay, yeah, those are the standards which we in B.C. and the other provinces need to meet.”

There are two or three problems there. One is that getting the adequacy determination is a lengthy process, and there are other countries in line which have not had adequacy before. So that’s going to take some time.

Secondly, harmonization of statutes is never going to happen in Canada because of our constitutional system, but that does not mean to say that the statutes cannot be interoperable. That is the distinction I would make there. This is the way it’s sort of worked over the last 20 years — that businesses have worked out the ways that they can operate across the provinces. Yeah, there are differences between our provincial and federal regimes, but they’re not significant differences.

If you take something like mandatory breach notification, for example, there are ways, on a regulatory level, that those provisions can be made interoperable so that a business knows that if it is complying with the federal government’s standard on mandatory breach notification, it’s going to meet the standard in Quebec and B.C. as well.

Or privacy impact assessments. A business does a privacy impact assessment. Take an example such as Clearview AI scraping data from Twitter and giving it to law enforcement. Not a good thing, right? Illegal. Had it done a PIA, it would have found out that that there are some real human rights issues. So if it does a PIA under the federal standard, it should know that, well, that’s going to meet the test in B.C. and Quebec as well.

You don’t need to have the laws absolutely in alignment for them to be interoperable, so that businesses such as the life insurance people you’ve just heard from don’t say that they’ve got to comply with several different laws. That’s not the way it has worked in practice, and I don’t necessarily see that it’s a significant problem, going forward.

Does that answer your question, Mr. Wilkinson?

A. Wilkinson: Conceptually, yes. Practically, it makes me worry even more. That raises the prospect of saying to the legislative drafters in British Columbia: “If you were present in the room, and Wilkinson suggested, ’Couldn’t we take C-11 and basically take the guts of it, assume it’s going to be the same, and whatever happens after a federal election…?’ We can add on what we want as sidecars, and that’ll be our moving ahead plan.”

Is that viable, or is C-11 going to be changed substantially so that we can’t predict what the C-11 replacement will actually have in it?

C. Bennett: Well, I think that could work in terms of the basic principles of privacy protection — the basic, fair information privacy principles which are consistent across Canada and, indeed, consistent internationally. So I don’t see that that’s necessarily….

The problem with C-11 is that there are too many exemptions to consent. There are too many business exemptions. There’s not enough guardrails. The accountability in the bill is not strict enough that it really gives the sort of assurances that I think consumers need.

Without getting into it in great detail, there are also some very difficult issues concerning the de-identification of data and what that means. That’s something that the legislators here are going to have to grapple with.

It’s a two-way street. I think that’s what I’d say. The federal legislators should also be learning from the provinces, as they are. They’re taking little bits from Quebec and the Ontario white paper.

I think that would work, but C-11 is not only the only model that B.C. needs to look to. I guess that would be my response there.

M. Elmore (Chair): All right. Any further questions from other committee members? It’s been an excellent conversation.

Seeing no one else further, Dr. Bennett, I want to thank you for taking the time and sharing your expertise with us, your area of research. Your paper that you’ve provided is very helpful to the committee. Thank you for your time. I hope you enjoy the rest of your day.

C. Bennett: Thank you very much indeed. Good luck.

D. Ashton (Deputy Chair): Thank you, Doctor.

M. Elmore (Chair): Okay, thank you.

All right, Members. We have a little bit of time before our next presenters, so we’ll reconvene at 2:20. Everybody just stay online, and we’ll see you back just before 2:20. Thanks.

The committee recessed from 2 p.m. to 2:20 p.m.

[M. Elmore in the chair.]

M. Elmore (Chair): Hello, everybody. Our next presenter this afternoon is Dr. Teresa Scassa, who is the Canada Research Chair in Information Law and Policy and a professor in the faculty of law at the University of Ottawa.

Thank you for joining us today, Dr. Scassa. You’ll have up to 25 minutes for your presentation. Hansard Services has provided a timer, which will be visible on your screen, if you are using gallery view.

Before you begin, I’ll ask the members to introduce themselves. My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

D. Ashton (Deputy Chair): Good afternoon and welcome. I’m Dan Ashton. I represent the people from Penticton to Peachland. Welcome.

A. Wilkinson: Hello. I’m Andrew Wilkinson. I represent Vancouver-Quilchena.

K. Greene: Hi. I’m Kelly Greene, MLA for Richmond-Steveston.

I’m on the traditional, unceded territory of the Mus­queam Nation today.

G. Begg: Hi, Dr. Scassa. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I am proud today to be on the traditional territories of the Coast Salish peoples, including the Kwantlen, Katzie and Semiahmoo First Nations.

M. Elmore (Chair): Thank you very much, Members.

Dr. Scassa, I’m joining today from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

Please begin when you’re ready.

TERESA SCASSA

T. Scassa: Thank you very much, and thank you, also, for the opportunity to address this committee on such an important topic. I am a law professor at the University of Ottawa, where I also hold the Canada Research Chair in Information Law and Policy. The comments I make today are on my own behalf.

The reform of B.C.’s Personal Information Protection Act has never been more important. Both the EU’s General Data Protection Regulation and the federal Bill C-11 are, no doubt, motivators for reforming B.C.’s law, but they are themselves responses to a rapidly altered data privacy context, which should be the main driver for change in B.C. First-generation private sector data protection laws in Canada — PIPEDA and the provincial statutes in B.C., Alberta and Quebec — were enacted to address the growing vulnerability of digital data to misuse or misappropriation and the need to build trust among the population in e-commerce, in the interests of economic growth.

The context in which we find ourselves today is fundamentally and substantially different from that of the early 2000s. We’re now in the era of big data and artificial intelligence. Personal data are no longer just part of the relationship between business and consumer. They are increasingly a commodity in their own right. They can be mined, processed, analyzed, shared, sold and exploited in a myriad of new ways, quite independently of their human source.

Personal data are collected ubiquitously and continuously, and increasingly relate to every facet of our lives. Data may be collected about every step we take, about our heart rates, our sleep patterns, our moods, our shopping, reading and viewing preferences. An increasing volume and variety of data will be collected from our cars, including location data; driving patterns and habits; and even entertainment choices. Through social media, companies whose existence may not even be known to us are profiling our networks, connections, preferences, interests, likes and dislikes.

Our homes are increasingly harvesting our data — from what we share with digital data assistants, to the contents of our refrigerators, our usage of various appliances and our daily activity patterns. Our sensitive biometric data is increasingly collected and analyzed. Companies such as Clearview AI are scraping social media platforms to create massive facial recognition databases. Our voice prints, face prints, keyboard stroke patterns — all of these are reduced to data by various organizations. We may even have shared our DNA profiles with companies like Ancestry.com or 23andMe.

Some of the services that harvest our data are ones that we adopt ourselves. Others are built into the digital tools we use in our daily lives, and we may not even be aware of them. Still others are imposed on us. Workplace surveillance technologies, for example, can collect vast quantities of data for employee performance metrics and evaluations.

[2:25 p.m.]

Our data may also be shared without our knowledge. Photos of us are posted on social media by others. Our voices are captured by the digital assistants of family and friends. Our images are recorded by motion-activated doorbell cameras as we walk down the street. I could go on. This data is not just collected. It’s used in a variety of new and different ways. It increasingly fuels artificial intelligence technologies, which in turn are used to profile and to make decisions about us.

I provide these examples to illustrate how crucial it is to regulate how personal data is collected, used and shared, now more than ever. I accept that personal data can fuel economically beneficial innovation, and much of this innovation may be of interest and value to individuals and groups. Data protection law is not about stopping or stifling innovation, but it is about ensuring that that innovation does not come at an unacceptable cost to human dignity and well-being.

The first generation of data protection laws are no longer fit for purpose, and action is required. Now, I know that you heard earlier today from professor Colin Bennett on the importance of the GDPR and the broader international context. My focus will be on the issue of the substantial similarity of B.C. law with any reformed federal law that’s enacted, whether it’s Bill C-11 or some new version that comes out in the fall.

I’m aware of the importance of harmonization within our federal system to enhance certainty and reduce the compliance burden on businesses that increasingly operate across provincial and national borders. Nevertheless, I will emphasize the need for B.C. to set its own course and to look beyond substantial similarity with Bill C-11 in some key areas.

Private sector data protection law in Canada straddles an uneasy constitutional fence. PIPEDA is grounded in the federal government’s general trade and commerce power. Sensitive to the limits of this jurisdiction, PIPEDA has a substantial-similarity formula that provides that, where provincial private sector data protection law is substantially similar to PIPEDA, it will be the provincial law that applies exclusively to intraprovincial matters. PIPEDA will continue to apply to interprovincial and international data flows.

Within this framework, those provinces with substantially similar private sector data protection laws — Alberta, Quebec and B.C. — have begun to assert their own jurisdiction over data protection issues that affect their residents, regardless of whether the flow of data crosses domestic or international borders. This exercise of concurrent jurisdiction is seen in a growing number of joint investigations carried out by provincial commissioners and the federal Office of the Privacy Commissioner. This kind of cooperation is valuable and can lead to harmonization of interpretation approaches.

However, the B.C. commissioner is significantly hampered in these activities by the wording of PIPA. Section 3(2)(c) of PIPA provides that where PIPEDA applies, PIPA does not. In essence, that’s what it states. This limits concurrent jurisdiction in B.C. in a way that the laws of Alberta and Quebec do not.

There are good reasons why B.C. should not surrender jurisdiction over interprovincial and international data flows that affect B.C. residents. The nature of digital commerce is such that some of the most important commercial relationships that consumers have are ones that cross provincial and/or national borders. B.C. residents can be profoundly affected by data breaches that take place in Ontario or in California. They can be seriously impacted by the improper sharing of personal information by social media giants and by the scraping of data from social media platforms.

The interests of British Columbians are best served by having a commissioner with jurisdiction over such incidents and one who can join forces with provincial and federal commissioners to investigate and to make orders with respect to these breaches. As Commissioner McEvoy notes, it’s not just about being able to be part of the collective process that’s important. It’s also the power to act if the federal commissioner chooses not to act, lacks the resources to investigate, or perhaps even reaches a decision that’s different from what would be reached in British Columbia. As a first step, therefore, B.C.’s PIPA should be amended to remove this limit on its application.

Substantial similarity with PIPEDA — or with Bill C-11 or whatever may be coming next — is essentially a baseline requirement designed to ensure that PIPEDA does not cede jurisdiction to a law that offers lesser protection than it does. But the requirement of substantial similarity doesn’t mean that B.C. cannot go further to protect its residents.

The changing data landscape means that the federal legislation may be ill-suited to address all of the data protection challenges that we face. Bill C-11 already shows signs of reticence in certain areas where there may be division-of-powers issues. In these areas, if B.C. residents are to receive adequate protection, it will likely have to come from PIPA and not the federal statute.

[2:30 p.m.]

I’m going to deal with four issues here where I think the division of powers has limited what the federal government has chosen to do in Bill C-11 and where I think it’s particularly important for B.C. to act. These are the overall legislative approach, the dominance of the consent regime and approaches to data mobility and to automated decision-making.

To start with the legislative approach, the federal Privacy Commissioner has argued for a human rights–based approach to data protection, but the federal government has demurred. Its hesitance seems motivated by division-of-powers concerns. Given the shift to a data-driven economy, the dramatic changes in how personal data are harvested and used and the significant risks that this can pose to individuals and groups, a human rights–based approach seems warranted. Such an approach is reflected in the GDPR, which anchors its provisions in EU human rights instruments that guarantee both privacy and data protection rights.

While the Canadian Charter of Rights and Freedoms is relatively limited when it comes to privacy rights and is silent as to data protection, the Supreme Court of Canada has found that data protection laws are quasi-constitutional in nature. The Charter also clearly affirms equality rights. Further, as Quebec has demonstrated, a province is entirely free to establish its own human rights framework. There’s nothing to stop British Columbia from bringing a human rights–based approach to its data protection law.

A human rights–based approach establishes a framework for the appropriate use of personal data in commercial and other contexts that is grounded in the respect for privacy, human rights and fundamental freedoms. Such an approach could be set out in a preamble to the law or in a purpose section. For example, a purpose section is used in B.C.’s human rights code. I note that in its white paper on private sector data protection law, Ontario is proposing the use of a preamble to reinforce a human rights–based approach to privacy.

Since Canadian data protection laws are already recognized by the Supreme Court of Canada as addressing the quasi-constitutional right to privacy, you may wonder why it’s necessary to adopt a human rights–based approach. The privacy paradigm focuses on the individual and his or her right to control their personal information and their identity. This is an important value.

However, the personal data being collected and used in our contemporary, data-driven economy increasingly affects not just the person from whom it’s collected but many others as well. Personal data from thousands or even millions of people are used to train artificial intelligence applications that will assist in profiling us or in making decisions about us. Our personal characteristics will be processed by AI in potentially non-transparent ways, leading to outcomes that affect us without us necessarily being aware of how or why.

The potential for discrimination is well documented. Some profiling may be used to limit the ideas or information to which we are exposed, implicating freedom-of-expression values. We already see that in the social media context. A human rights–based approach to data protection widens the lens for how we understand, interpret and apply those provisions that are designed to protect individuals from exploitation and abuse in a data-driven society.

Moving on to the consent regime, Bill C-11, like PIPEDA before it, puts the consent regime at its normative heart. Although consent reinforces the idea of individual autonomy, it’s frequently reduced to theatre when it comes to data protection.

Digital data collection is now ubiquitous and often continuous. Individuals are bombarded with privacy policies they have no time to read and that, in any event, are not written with easy comprehension as a goal. In many cases, individuals have no choice but to use certain platforms or services. This has been very clear during the pandemic, for example, where individuals have had to consent to the terms of use of video communications platforms in order to attend classes or carry out their work.

With consent at the heart of Bill C-11, the federal government has also created new exceptions to consent, allowing businesses to collect and use personal information without knowledge or consent in an expansive range of circumstances. In my view, this strong focus on consent in C-11 is in part due to concerns over the constitutional division of powers. There’s a very transactional element to consent which ties in comfortably with the general trade and commerce power.

In theory, a consumer is presented with a product or service and is asked to both pay for that product or service and to consent to the terms and conditions of its sale or use. Consent to these terms becomes part of the contract and the transaction. Focusing on a transactional approach reinforces the fit of the legislation within the general trade and commerce power. Using other contemporary tools for data protection may look too much like the broader regulation of business activities within provincial jurisdiction.

[2:35 p.m.]

Privacy advocates have argued that consent alone can no longer, if it ever did, adequately protect individuals in a context in which it is simply unreasonable to expect people to be able to manage the myriad daily instances in which they are asked to consent to the collection, use and disclosure of their personal information, and for increasingly remote and complex purposes.

There need to be additional protections for individuals. These can include requirements of privacy by default and by design, and I know Prof. Colin Bennett has spoken and written about these; requirements to carry out privacy impact assessments in some circumstances; special rules for the protection of children’s privacy; a definition of sensitive personal information, along with special limits on the collection, use and disclosure of such information; and proactive oversight and enforcement powers. I note that Commissioner McEvoy has made a number of recommendations in this regard.

All of these are examples of how individuals can and should be protected independently of the consent regime within a data protection law. Recognizing that consent is not a sufficient basis for adequate data protection and that Bill C-11 may be pulling its punches in this regard because of constitutional concerns, amendments to B.C.’s PIPA should include a variety of measures that enhance the protection of its residents.

A third issue that I want to discuss is data mobility or data portability. The GDPR introduced a data portability right, something that has attracted considerable interest in Canada and elsewhere. On the one hand, data portability has a data protection dimension because it enhances individual control over personal data. It allows individuals to choose to port their data from one service provider to another. However, its largest impact is likely with respect to enhancing competition and providing some degree of consumer protection in a data-driven marketplace.

The GDPR’s data portability right is cast in broad terms, basically making it a right to port data in a “structured, commonly used and machine-readable format.” Because data portability impacts how business is carried out, this may raise division-of-powers issues in Canada. As a result, instead of creating a broad, open-ended portability right of the kind seen in the GDPR, the federal government, in Bill C-11, has limited data mobility to those contexts in which a mobility scheme has been created by regulation. We can expect that the regulatory frameworks will relate only to federally regulated sectors.

Open banking will likely be the data portability test case. Open telecom data may follow. But provinces should not expect data mobility frameworks in provincially regulated sectors of the economy unless they legislate themselves in this regard. This committee should therefore seriously consider what type of data portability right it wishes to create.

Quebec has opted for a broad, GDPR-style portability right. In its recent white paper, Ontario suggests that it may adopt the more cautious federal approach, requiring a regulatory framework to be in place before the data portability right is activated.

There are arguments that could support either approach. A broad portability right of the kind seen in the GDPR could be a burden on businesses without much benefit if the data cannot easily be used by businesses that receive it. It’s also a risk to consumers if appropriate security safeguards are not in place and the information is of a more sensitive kind. On the other hand, a broad portability right could be a catalyst within industries and sectors. A regulation-driven approach may be more secure for consumers but may also be slow to develop.

I think there is lots to think about there. Essentially, if there is to be data portability in the provincial private sector, it will have to come from B.C.

A fourth issue is automated decision-making. The dramatic rise of the use of artificial intelligence systems to profile, predict, recommend and make decisions affecting individuals has led to a need for some form of governance and regulation. The GDPR led the way by incorporating a right to object to profiling and restrictions on automated decision-making where it has important impacts on the individual.

Quebec’s Bill 64 creates notice requirements for automated decision-making, a right to an explanation of the decision, a right to correction of the information used to make the decision and a right to submit observations to someone who can review the decision.

Ontario’s proposal for a private sector data protection law contemplates going even further, with a series of potential rights regarding automated decision-making. Ontario is contemplating a prohibition on the use of automated decision systems in some situations, for example where the decision would have a substantial impact on the individual, with careful exceptions crafted for that, so something along the lines of what is in the GDPR.

[2:40 p.m.]

Providing rights with respect to the personal information used to make the decision is also part of the Ontario plan, including a right to correct that information, a right to an explanation and rights to comment on and contest the decision and to have it reviewed by an individual within the organization. All of these rights go well beyond what you see in Bill C-11.

In my view, the federal government sees its jurisdiction in this area as being limited to those automated decision-making rights that are most closely tied to personal data in the commercial context. Thus Bill C-11 contains a right to an explanation of an automated decision as well as an explanation of how the personal information that was used to make the prediction, recommendation or decision was obtained. So it’s really focusing in on the personal information dimension.

It does not contain a right to contest the decision, since this might be considered to stray unduly into matters of provincial jurisdiction. Nothing, however, prevents the B.C. Legislature from using this opportunity to provide British Columbians with important new rights with respect to automated decision-making, particularly as this form of decision-making is becoming increasingly widespread and may have significant impacts.

It’s also important to note that PIPA applies in contexts where PIPEDA does not — for example, in the employment context within the provincial private sector. AI and automated decision systems are increasingly being deployed in these contexts. They’re used in hiring and in the monitoring and performance evaluation of employees.

Some of the monitoring and evaluation technologies are quite intrusive. Provisions crafted to address AI and automated decision systems can and should apply in the employment context, as protections for employees will be necessary. The employment context should be kept specifically in mind in developing rights regarding AI and ADS.

I have quickly highlighted four areas where division of powers concerns may have limited the ambitions of Bill C-11. I don’t think it’s any coincidence that these areas either arise from the new data context in which we find ourselves or have been significantly affected by that context.

The concerns that place limits on what the federal government does in Bill C-11 should not limit the rights and interests of British Columbians. It’s increasingly problematic to rely upon the federal government’s limited jurisdiction in order to govern the use of personal data in a data-driven society and economy and in an AI environment. I would encourage this committee to think beyond substantial similarity in considering how a reformed Personal Information Protection Act can best protect British Columbians.

I think I’ll end there and open it up to you to see what questions you may have and where you want to go with those questions. I’m open to any questions.

M. Elmore (Chair): Terrific. Thank you very much, Dr. Scassa, for your fascinating and comprehensive presentation. We really appreciate it.

Now I’d like to open it up to questions or comments from committee members. Does anybody have…?

Garry, go ahead.

G. Begg: Thanks to you, Dr. Scassa, for a fascinating presentation. I like the level at which you made your observations from. I think, many times, this could either be a utopian or a dystopian view of things, depending upon your point of view.

There are, sort of unconsciously, things that we’re exposed to each day that impinge upon our privacy. You talk about doorbells, cell phones, all kinds of various modes of surveillance, some of which, around the world, have been surreptitiously used and broadcast. I just like the manner with which you presented it and the obvious research that you’ve done. It reinforces for us the importance of carefully crafted legislation that puts us in a position where we want to be. Thank you very much.

T. Scassa: Well, thank you.

M. Elmore (Chair): Any other committee members?

[2:45 p.m.]

Dr. Scassa, I want to thank you for making a strong case in terms of encouraging us to be proactive with respect to ensuring that the much-needed updates to the current reality of…. You really lay it out, in your presentation, that we’re awash in an economy and a society of data and data collection, really, in all aspects of our lives, down to our genetic data. The challenge, in ensuring that privacy is protected, evolves every day, and certainly, in terms of our review of PIPA, it’s much needed.

I want to thank you for really highlighting and laying out your four recommendations with respect to ensuring that our committee updates PIPA with respect to a consideration of concerns to protect British Columbians. I want to convey to you and give you the assurance that we hear that message. We are responsive to the regulations of C-11 and the provisions within C-11, but certainly, we take your message and our responsibility to ensure that we meet the standard and expectations for British Columbians here with respect to protection of their data. I appreciate your four recommendations laying that out.

We’ve heard from other presenters with respect to ensuring that there’s a human rights framework. In my mind, that would seem to be a good common ground, not only provincially but nationally and internationally, in terms of ensuring that the protection of privacy is built on that foundation of a human rights framework. I take your point, as well, with respect to ensuring that data mobility and portability within various jurisdictions, that we’re not going to leave that up to C-11 or the federal regulators. That, certainly, is our responsibility — and just the challenges that you have laid out with respect to automated decision-making and the rise of AI. Certainly, that’s very challenging.

Maybe if you could comment just a little bit…. I’m very interested…. We’ve had some conversation and discussion about consent, the model of consent and ensuring…. I know you laid out some practical components in terms of looking at how we layer that consent — we have the previous presentations as well — and build in privacy by default and design, special rules to protect children’s privacy and increased oversight for the commissioner. Those are some recommendations that we had also from Dr. Colin Bennett.

Can you say a little bit more on the consent model and what that means in our current data-driven economy, in terms of being proactive around ensuring that we put in place measures that will be able to respond to just those challenges? If you could comment on that.

T. Scassa: Thank you for that. I think consent is one of those really big, challenging issues.

In principle, consent has always been a part of how we approach data protection, and it is very much linked to the individual and to individual choice — this idea that we can go out in the world and we can decide who we want to share our personal data with and for what purposes and that that’s our choice. Consent is linked to the dignity and autonomy ideas that underlie privacy, but at the same time, I think all of us know just how unrealistic consent has become.

There aren’t enough hours in the day to read all of the privacy policies that we’re confronted with. We’re also dealing…. It’s not just that there are particular moments where consent has to be given. There certainly are some of those, but increasingly, the data is being collected constantly through our phones, web browsers, driving the car, smart appliances and so on. It’s constantly going on in the background, and we forget that it’s taking place.

[2:50 p.m.]

There are all of these challenges and barriers to consent, and as I mentioned before, there are certain circumstances where consent isn’t even realistic because we simply have to use a tool or a technology. It’s not as if we’re negotiating with Facebook or negotiating with any of these companies over what can and can’t happen with our personal data. It’s almost always: “Take it or leave it.” Consent is very challenging in that context.

There are still hopes for consent, in the sense of individuals being able to better control their data. Data portability or data mobility is one of those where there is this concept that individuals will have the right to move their data from one provider to another. I think there’s a lot that’s quite interesting in that. It’s not as if we want to throw out consent. The right to erasure, for example — the right to go to a company and say, “I’m done with you, and I want you to erase all of my data” — is very much tied to that consent and control.

There’s still value and merit to consent and to giving individuals some choices and some autonomy. There may be future ways in which that can become very useful. So you don’t want to completely get rid of it, but at the same time, it isn’t enough. It’s not going to do the job.

It would be much better for individuals if we knew — in spite of the fact that we’re constantly exchanging personal data with various organizations — that there is a set of rules in the background that limit what those companies can do with that data and how they can collect it, that place certain restrictions and that are enforced with proactive powers on the part of the commissioner so that it’s not just when something goes wrong that you can bring a complaint and have an investigation but that there are ongoing, proactive compliance measures that are in place.

It’s those additional mechanisms, I think, that become really valuable in this context to assist in protecting individuals in contexts where simply we cannot carry this burden on our own.

Of course, the other issue with consent is that it’s not necessarily just about us anymore, as individuals. This data is being collected and being used and processed in ways that affect not just us but other people too.

If you are very careful about your data and what you share and so on, then maybe the profiles that get developed about you are actually really poor and inaccurate and based on the data of other people who are of the same age and sociodemographic background and income as you. So then you’re getting treated like all of those people who have shared their data, and this becomes the data that is used to make decisions about you or to profile you. So it’s everybody’s data that is impacting all of us in a variety of different ways.

Individual consent, again, in that context is not the full answer. We need broader accountability and broader controls in order to protect individuals.

M. Elmore (Chair): Terrific. Thank you very much, Dr. Scassa. It’s fascinating.

Committee members, any last remarks or comments?

I want to thank you, Dr. Scassa, certainly for your insight. I know you’re keeping busy as the Canada Research Chair in Information Law and Policy. Certainly, a lot ahead as well. So thank you very much for taking the time and sharing your thoughts and recommendations with the committee today. We really appreciate it and appreciate the conversation. Thank you on behalf of the committee. I hope you enjoy the rest of your day.

T. Scassa: Thank you very much. Thank you, everybody, for your attention. Good luck. You’ve got your work cut out for you, I think.

M. Elmore (Chair): Challenge ahead. Thank you.

All right. Okay. Now, Susan, do we have our next presenter available?

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): No, Madam Chair. Not for another five minutes.

M. Elmore (Chair): Okay. So a five-minute break, everybody. See you back in five.

The committee recessed from 2:54 p.m. to 3:06 p.m.

[M. Elmore in the chair.]

M. Elmore (Chair): Our next presenter this afternoon is Vincy Wing-Sze Yung.

Thank you for joining us this afternoon. You will have up to 15 minutes for your presentation. Hansard Services has provided a timer, which will be visible on your screen, if you’re using gallery view. Before you begin, I’ll ask members to introduce themselves.

My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

I’ll pass it off to our vice-Chair, Dan.

D. Ashton (Deputy Chair): Thanks, Mable.

Hi, Vincy. Welcome. I represent the people from Penticton to Peachland.

I’ll pass you over to Andrew.

A. Wilkinson: Hello. I’m Andrew Wilkinson, from Vancouver-Quilchena.

K. Greene: Hi. I’m Kelly Greene, MLA for Richmond-Steveston.

I’m on the traditional territory of the Musqueam people.

G. Begg: Hi, Vincy. I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m proud today to be joining you from the traditional territories of the Coast Salish peoples, including the Kwantlen, Katzie and Semiahmoo First Nations.

M. Elmore (Chair): Vincy, I’m joining from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

Thank you, Members.

Ms. Yung, please begin when you’re ready.

VINCY WING-SZE YUNG

V. Yung: Greetings to all. Thank you for the opportunity to allow me to present my personal experience in relation to data breaches.

As noted, my email address was paused, to say the least, in multiple breaches, and my account was accessed numerous times during the past few years. Every time there’s a breach, whether it’s Adobe, Office, or even Facebook, I see my email address on there, but I am never notified by any of the corporations.

What makes it a little bit peculiar this year is that when Facebook announced a breach in April, I saw that my account was accessed in December. This person is an unnamed individual — anonymous. I can only see the IP address from Facebook logins. From that IP address, I was able to track down the location. However, I just feel very unsafe for my photos, my private conversations with my family and friends to be exposed.

I am from Hong Kong, so I do have some connections related to my classmates and family members in Hong Kong. Currently the situation there is quite unstable. For that reason, I stopped communicating with them since the breach. That is the first scenario in all the privacy breaches that I’ve been through.

The second scenario is related to a banking situation. I was contacted by one of my relatives in April 2018. They were having some issues in applying for mortgages, and they saw my name appear in their mortgage application. They checked in with me to see if I used their name in applying for a line of credit for education.

[3:10 p.m.]

Of course, I didn’t. I checked in with my bank, and I found out that TransUnion just merged all the people within the family together, despite…. We are all adults. The banking information was reported to multiple credit bureau agencies. I was told that this is mandatory reporting, but I wasn’t able to correct that information myself and I had to follow through for a few months to ensure that all the information is reported accurately and that my relatives can submit their credit applications or whatever they want.

That’s the second scenario. I also, at the time, requested the bank to report to the OIPC, but I did not obtain a confirmation or a letter indicating that they have done so.

That brings me to the third scenario, which is related to my workplace. What happened is, since COVID, we were allowed to work from home. We use Citrix as an online platform to do our work from home and use our network.

Originally, my personal computer only had three access log-ins. Ever since then, I searched and found out there are a lot of log-ins in my computer, which I never created. I attempted to delete the log-in information from my computer — I’m sorry; this is probably a little bit boring — but it resulted in a hard drive burn-down. So I am unable to access any of my information.

There is a cost related to this. When organizations are allowed to just keep their records for one year, there is no way to know who actually accessed that information. Currently Facebook and a lot of social media accounts only contain log-in records for up to 28 days, which is not really compliant with the current legislation. I just want to ensure that the committee is aware, for them to take positions in the future, in terms of the retention policy for log-ins, especially when it comes to giant media corporations.

That’s all I have for today. Thank you so much.

M. Elmore (Chair): Thank you for sharing your experiences. I’m sorry to hear about those multiple negative experiences and challenges and difficulties you’ve had.

Does anyone on the committee have a question or comment?

I just want to say thank you very much for sharing your experiences. That really gives us a concrete example of some of these issues that we are deliberating. The four scenarios that you’ve laid out really fall under a number of the headings that we’re looking at updating to ensure that privacy and personal data are adequately protected in British Columbia, particularly around mandatory breach notification and ensuring that there is accountability and protection of personal data right across different sectors. I know you mentioned corporations, social media and others.

Your experiences that you’ve shared really bring to light some of the challenges that we face in making our deliberations and also really updating our privacy laws. Thank you very much for taking the time. I hope you enjoy the rest of your day.

V. Yung: Thank you very much.

M. Elmore (Chair): Okay. We have one more presenter, Susan — Kevin Gooden. Is Kevin on board?

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): Not here yet, no. Perhaps if we could recess….

M. Elmore (Chair): When is he due up?

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): At 3:25.

M. Elmore (Chair): So 3:25, okay. That’s 15 minutes, then. Just before 3:25, if you want to check back, everybody. If you get back a little bit sooner and if he’s on board, then we can get rolling.

The committee recessed from 3:14 p.m. to 3:24 p.m.

[M. Elmore in the chair.]

M. Elmore (Chair): Our final presenter this afternoon is Kevin Gooden.

Thank you for joining us. Kevin, you’ll have up to 15 minutes for your presentation. Hansard Services has provided a timer, which will be visible on your screen, if you’re using gallery view. Before you begin, I’ll ask the members to introduce themselves.

[3:25 p.m.]

My name is Mable Elmore. I’m the MLA for Vancouver-Kensington and the Chair of the Special Committee to Review the Personal Information Protection Act.

I’m joining you from the traditional territories of the Musqueam, Squamish and Tsleil-Waututh Nations.

I’ll hand it off to the vice-Chair, Dan.

D. Ashton (Deputy Chair): Welcome, Mr. Gooden. I represent the people from Penticton to Peachland, and I’m Dan Ashton.

A. Wilkinson: Hello. I’m Andrew Wilkinson from Vancouver-Quilchena.

K. Greene: Hi. I’m Kelly Greene, MLA for Richmond-Steveston.

I’m coming to you today from the unceded territory of the Musqueam First Nation.

G. Begg: I’m Garry Begg. I’m the MLA for Surrey-Guildford.

I’m coming to you today from the traditional territories of the Coast Salish peoples, including the Katzie, the Kwantlen and the Semiahmoo First Nations.

M. Elmore (Chair): Thank you, Members.

Kevin, please begin when you’re ready.

KEVIN GOODEN

K. Gooden: I appreciate the opportunity to speak to everyone today. I’m not sure if, in the technology here, I’ll have an opportunity to share a PowerPoint presentation that I’ve created or not. I got mixed feedback on that when I was talking to somebody about setting this up.

S. Sourial (Clerk Assistant, Committees and Interparliamentary Relations): If you have it ready, sharing is enabled.

K. Gooden: Okay, great.

I am speaking to you from Salmon Arm. This is the traditional, unceded territory of the Secwepemc people. That is very difficult for me to say, because we didn’t use that term when I grew up here. It’s a very common term now, which I’m quite happy to see.

In my presentation, I’m going to describe a situation that happened with my wife and I that gives an example of a privacy situation which might be applicable to what you’re working on.

Hopefully you can read this. I’m not quite sure. Because this was a real situation, in my presentation, I will actually name a couple of companies. I’m not alleging that anybody in these companies did anything wrong, unethical or illegal. It’s just a real-life example where we did feel our privacy was violated and want to share that with you. I’m not saying anything about any of the companies involved.

Background. In 2013, my wife and I purchased a new vehicle, including a maintenance package, which is a quite common thing for vehicle sellers to try to sell people. This particular seller was often too busy to do the prepaid maintenance, so we had to get work performed by various other providers, like quick-change oil places, different things like that.

This year, in trading the vehicle in…. This is where we discovered something that we consider to be a breach of our privacy, where people were collecting our personal information. This even had some impact on us financially. I’ll explain that a little bit more in a bit here.

This relates to vehicle service records. The dealer considering our vehicle for trade-in showed us a printout of our service records. I’ve included that in the presentation, and I’ll have a little bit more zoomed-in view in a second. Just to explain the highlighting in the service record here, this is highlighting that that dealer put into the record when they were talking with my wife. We had never had maintenance done at this dealer before, so for this dealer to have this information about our car was actually quite surprising and quite shocking.

[3:30 p.m.]

The dealer got the information from a database that’s available to anybody, containing our entire service record for the vehicle. We never gave permission for any service provider to ever put the information about our vehicle into a database.

Some of you may have experienced, when you go to an oil change place or a car dealer, they ask for your odometer…. When they’re about to do maintenance, typically, you just give that to them, and off they go. That’s what we did. When we did that, we never gave permission for that information to go anywhere. We just thought that would be something that that service provider would be using for their own records.

What happened in this situation…. Again, I’ll show you a more zoomed-in view in a second. The service records ended up containing a very significant error. It shows that in a one-month period in 2018, our vehicle mileage was shown to increase from 108,000 kilometres to 180,000 kilometres. That’s in a one-month period. This is where, at one point, we went to a Kal Tire dealer to get some tires changed, and a month later, we were getting some oil changed at a different service provider.

In that one-month period, according to the service record, our kilometres went up 71,000 kilometres in a single month — equivalent to driving around planet Earth 1.8 times in a month — which is, actually, physically impossible. We didn’t know anything about this error. We didn’t know this was being stored in a database somewhere. The error ended up getting carried forward by numerous other service providers when we were getting different maintenance done — tires, oil changes. You can see the 180,000 goes to 194,000, goes to 214,000, goes to 228,000.

In 2019, somebody providing service actually looked at our odometer and recorded the true mileage, but they also entered a comment that we found somewhat offensive, where they had 228,000 kilometres. They wrote down 130,972, which was the actual odometer reading, but over on the right side, they wrote “potential odometer rollback.” They suggested that, perhaps, we’d been cheating and running our wheels backward to get the mileage down on our car.

Again, nobody said anything to us. We knew nothing about this until we were trading the vehicle in, and the dealer said: “This looks sketchy. Anybody can see this, and it puts a question about your vehicle and whether you’re honest or not.” This, actually, factored into the trade-in negotiations to some degree, which was terrible.

One of the companies that provides this kind of information is called CARFAX.ca. On their website, if you go there and you enter in the VIN, the vehicle identification number, you can get a report. I believe that for your own vehicle, you might be able to get that for free. I haven’t done this myself — but I saw this available online — but you can get a report on any vehicle and any VIN number by paying a fee.

The other thing that’s available on this website…. Up in the top right-hand corner, there’s a little button that says: “Dealer login.” What kind of information dealers can get from that, what they have to pay, or how any of that works, we have no idea. For us, some of the privacy issues that we consider issues are that people are collecting this service information and putting it up into some database that anybody can see — this was totally unknown to us; it definitely wasn’t with our permission — and it seems like anybody can get into that database if they have your VIN number.

[3:35 p.m.]

Again, vehicle owners aren’t informed about the data that’s in that database. In our case, it was erroneous and quite serious. Other information that doesn’t get into that database is quite important, like an owner attempting to get pre-paid service and not even being able to get it. It might imply that you’re not getting your vehicle service done, when you’re actually trying very diligently to get it done, but this service record that’s online gives a bad appearance.

A couple of improvement suggestions that we have. Anybody providing vehicle service who’s uploading your service record odometer information into these databases should be getting your permission to do that and should be informing you that this is happening. If you actually grant that permission, the service provider should give you a copy of what has been entered into that database so that you can keep your own records and keep a running record, like exists out there in the ether world. There should be entries into that record if a consumer is requesting maintenance.

If the service provider — for one reason or another, claiming they’re too busy — isn’t giving it to you, that should get entered in there as well, just to be fair to the consumer. Another thought is that no company should be allowed to make this data available to the general public or to dealers without permission from the consumer. This possibly should even be for each request. One of the other concerns — I don’t have this in my presentation, but this actually came up while speaking with my daughter — is just security of people.

Some VINs are actually visible through the windshield of the car. Given the system the way it works right now, somebody could go and get the VIN from, potentially, a woman that’s having trouble with a stalker. They could take that VIN, go and type it in on the database, and see where that person gets their maintenance done. That, again, in my mind, could potentially be quite serious.

That’s all I had for my presentation. If anybody has any questions, I’d be happy to answer any questions about my presentation.

G. Begg: Thanks, Kevin, for the presentation. Just for clarity, did the odometer of the vehicle always reflect the actual mileage?

K. Gooden: Yes. It did. I think part of the issue was that the true mileage was 108,000-and-change, and it got written down erroneously as 180,000-and-change. So I believe that a worker in the oil-change place just got a couple digits backwards.

In this particular vehicle, the odometer was always just a digital readout in one of the meter panels. My wife and I have always found that readout a little bit hard to read. We really just didn’t notice that for quite a while. Then when it got corrected, it’s sort of like: “Oh, that makes sense.” We’d thought something odd was going on, but we weren’t totally clear what it was. Again, not knowing that all of this information was going up into a database somewhere, it hadn’t really seemed like it was anything that would be of great concern anyway.

G. Begg: When you say it got corrected — eventually, when it got corrected — you meant that the transcript or the service record was corrected?

K. Gooden: That’s correct. Somebody at one of the service providers actually looked at the odometer and wrote down that number. Then they saw the number was quite a bit lower than the number that had been in all these other service records, so they put in their own comment: “Potential odometer rollback.”

G. Begg: This became part of the permanent record, right?

K. Gooden: Yes, it did. Actually, it became involved in our trade-in negotiations, which was just shocking to us.

K. Greene: Thank you, Mr. Gooden, for coming and speaking to us about your situation. It sounds like a giant headache.

[3:40 p.m.]

I did have a question about the notion of correcting the record. At some point, the service technician realized that the odometer was wrong. Did you ever at any time have dealings with CARFAX to get access to your information and a correction that way? One of the things that we are interested in discussing is the ability of a customer to be able to correct errors in their own information. I’m just wondering if you can speak to that at all.

K. Gooden: Honestly, I don’t know. My wife purchased this new vehicle and was dealing with the trade-in. I’m not even sure if that particular dealer got the record from Carfax or if there are other providers.

Again, we only became aware of this in the eleventh hour, when all this was happening. When we did become aware of it, if we had said, “Where did you get this from,” we could have talked to the provider, and perhaps they could have done some correcting. I don’t know. The vehicle was going out of our hands right at that moment as well. I, just by coincidence, was aware of your committee and your looking into this act. I thought it was sort of too late to even try to get those records corrected for us but that I should at least bring this forward to the committee and make you aware of it.

M. Elmore (Chair): Thank you very much, Kevin. I don’t see other questions. I want to thank you for taking the time to put together the slide presentation and also to bring this matter to our attention. MLA Kelly Greene mentioned that this issue is something that’s important to us — to ensure that these matters and folks’ personal data and information and privacy are protected in British Columbia.

Also, I’m sorry to hear that you had these difficulties, but I want to thank you for taking the time to share your experience with the committee today. I hope you enjoy the rest of the day.

K. Gooden: Thanks very much. I appreciate the opportunity. Bye for now.

M. Elmore (Chair): Okay, everybody. That’s a wrap for today. That’s our presenters. Thanks, everybody. That just flew by.

Thanks Susan.

We’re back again tomorrow at 9 a.m. All right. See you then. Enjoy the rest of the day.

The committee adjourned at 3:42 p.m.