Toronto Real Estate Board Submission to Office of the Privacy Commissioner of Canada. July 2016

Similar documents
ITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA

EXPLORATION DEVELOPMENT OPERATION CLOSURE

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

CONSENT IN THE TIME OF BIG DATA. Richard Austin February 1, 2017

Legislative and Regulatory Update. Diane Bowers, CASRO President CASRO Data Collection Conference November 19, 2009

First Components Ltd, Savigny Oddie Ltd, & Datum Engineering Ltd. is pleased to provide the following

Australian Census 2016 and Privacy Impact Assessment (PIA)

ARTICLE 29 Data Protection Working Party

[Definitions of terms that are underlined are found at the end of this document.]

Identifying and Managing Joint Inventions

Hackathons as a Source of Entrepreneurship in Corporations

Pan-Canadian Trust Framework Overview

Protection of Privacy Policy

Violent Intent Modeling System

Privacy Policy SOP-031

Submission to the Productivity Commission inquiry into Intellectual Property Arrangements

Section 1: Internet Governance Principles

Executive Summary Industry s Responsibility in Promoting Responsible Development and Use:

The Information Commissioner s role

Justice Select Committee: Inquiry on EU Data Protection Framework Proposals

DISPOSITION POLICY. This Policy was approved by the Board of Trustees on March 14, 2017.

Privacy Law in Canada: Obligations and Risks in the Cyber Age Dina L. Maxwell Associate Lawyer

Ministry of Justice: Call for Evidence on EU Data Protection Proposals

Whatever Happened to the. Fair Information Practices?

European Charter for Access to Research Infrastructures - DRAFT

TechAmerica Europe comments for DAPIX on Pseudonymous Data and Profiling as per 19/12/2013 paper on Specific Issues of Chapters I-IV

Ten Principles for a Revised US Privacy Framework

The Canadian Navigable Waters Act

Should privacy impact assessments be mandatory? David Wright Trilateral Research & Consulting 17 Sept 2009

Freedom of Information Act 2000 (FOIA) Decision notice

This policy sets out how Legacy Foresight and its Associates will seek to ensure compliance with the legislation.

Robert Bond Partner, Commercial/IP/IT

Primary IVF Conditions for Registration For Assisted Reproductive Treatment Providers under the Assisted Reproductive Treatment Act 2008

The Information Commissioner s response to the Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence

Towards a Magna Carta for Data

Presentation Outline

ICO submission to the inquiry of the House of Lords Select Committee on Communications - The Internet : To Regulate or not to Regulate?

CBD Request to WIPO on the Interrelation of Access to Genetic Resources and Disclosure Requirements

EFRAG s Draft letter to the European Commission regarding endorsement of Definition of Material (Amendments to IAS 1 and IAS 8)

The Ethics of Artificial Intelligence

THE UNIVERSITY OF AUCKLAND INTELLECTUAL PROPERTY CREATED BY STAFF AND STUDENTS POLICY Organisation & Governance

What does the revision of the OECD Privacy Guidelines mean for businesses?

The ALA and ARL Position on Access and Digital Preservation: A Response to the Section 108 Study Group

BUREAU OF LAND MANAGEMENT INFORMATION QUALITY GUIDELINES

PRIVACY ANALYTICS WHITE PAPER

2

Trusted Digital Transformation. Considerations for Canadian Public Policy. January 2019

Directions in Auditing & Assurance: Challenges and Opportunities Clarified ISAs

Details of the Proposal

Fiscal 2007 Environmental Technology Verification Pilot Program Implementation Guidelines

ASSEMBLY - 35TH SESSION

APPEAL TO BOARD OF VETERANS APPEALS

Melbourne IT Audit & Risk Management Committee Charter

ICC POSITION ON LEGITIMATE INTERESTS

Food Product Standards to Support Exports

Commonwealth Data Forum. Giovanni Buttarelli

AusBiotech response to Paper 1: Amending inventive step requirements for Australian patents (August 2017)

POLICY ON INVENTIONS AND SOFTWARE

The TRIPS Agreement and Patentability Criteria

Dr Nicholas J. Gervassis University of Plymouth THE EMERGING UK DATA PROTECTION FRAMEWORK AND BEYOND

Building DIGITAL TRUST People s Plan for Digital: A discussion paper

PATENT PROTECTION FOR PHARMACEUTICAL PRODUCTS IN CANADA CHRONOLOGY OF SIGNIFICANT EVENTS

IV/10. Measures for implementing the Convention on Biological Diversity

ABI Framework for the Management of Gone-Away Customers in the Life and Pensions Market

IAB Europe Response to European Commission Consultation on the DP Framework

Introduction to the Revisions to the 2008 Guidelines on the Acquisition of Archaeological Material and Ancient Art

MINISTRY OF HEALTH STAGE PROBITY REPORT. 26 July 2016

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT. pursuant to Article 294(6) of the Treaty on the Functioning of the European Union

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: T:Drive. Safeguarding Policy Data Protection Policy

Environmental Assessment in Canada and Aboriginal Law: Some Practical Considerations for Navigating through a Changing Landscape

Children s rights in the digital environment: Challenges, tensions and opportunities

Personal Data Protection Competency Framework for School Students. Intended to help Educators

UK Research and Innovation Conflicts of Interest Policy

The Citizen View of Government Digital Transformation 2017 Findings

GDPR Implications for ediscovery from a legal and technical point of view

IAASB Main Agenda (March, 2015) Auditing Disclosures Issues and Task Force Recommendations

8 Executive summary. Intelligent Software Agent Technologies: Turning a Privacy Threat into a Privacy Protector

The EFPIA Perspective on the GDPR. Brendan Barnes, EFPIA 2 nd Nordic Real World Data Conference , Helsinki

Privacy Impact Assessment on use of CCTV

Standardised Privacy Policies: A Post-mortem and. Promising Developments

ISO/TR TECHNICAL REPORT. Intelligent transport systems System architecture Privacy aspects in ITS standards and systems

Machines can learn, but what will we teach them? Geraldine Magarey

Seminar on Consultation on. Review of the Personal Data (Privacy) Ordinance. Why the review is being conducted and what this means to you

summary Background and scope

Re: Examination Guideline: Patentability of Inventions involving Computer Programs

Client s Statement of Rights & Responsibilities*

Chapter 6: Finding and Working with Professionals

Privacy by Design: essential for organizational accountability and strong business practices

Counterfeit, Falsified and Substandard Medicines

The GDPR and Upcoming mhealth Code of Conduct. Dr Etain Quigley Postdoctoral Research Fellow (ARCH, UCD)

A stronger system to protect the health and safety of Canadians. Exploring the Future of the Food Regulatory Framework Under the Food and Drugs Act

12 April Fifth World Congress for Freedom of Scientific research. Speech by. Giovanni Buttarelli

Privacy Policy Framework

The Role of the Intellectual Property Office

H5ST 04 (SCDHSC0370) Support the Use of Technological Aids to Promote Independence 1

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION RECOMMENDATION

Nymity Demonstrating Compliance Manual: A Structured Approach to Privacy Management Accountability

Indigenous and Public Engagement Working Group Revised Recommendations Submitted to the SMR Roadmap Steering Committee August 17, 2018

Draft executive summaries to target groups on industrial energy efficiency and material substitution in carbonintensive

March 27, The Information Technology Industry Council (ITI) appreciates this opportunity

Transcription:

Toronto Real Estate Board Submission to Office of the Privacy Commissioner of Canada CONSULTATIONS CONCERNING CONSENT AND OTHER MATTERS July 2016 Page 1 of 12

A. Summary Founded in 1920, the Toronto Real Estate Board ( TREB ) is Canada's largest real estate board, serving more than 45,000 licensed real estate brokers and salespersons in and about the Greater Toronto Area. TREB serves the collective voice for both its commercial and residential REALTOR Members. The business practice of TREB members involves the direct collection of personal information of consumers and the use and disclosure of such information for specific authorized purposes. TREB s policy is to respect the privacy rights of consumers. TREB remains vigilant in advising its members as to how best to market real estate while ensuring the protection of personal information. With respect to consent, TREB s view is that sufficient flexibility is already built into PIPEDA. This flexibility permits a more sophisticated approach to consent management. Consent should be a dynamic rather than static process and one that recognizes that organizations need to have a further degree of engagement with individuals over downstream uses. TREB is of the view that Privacy by Design concepts should be considered as part of an organization s accountability, limiting retention, openness and safeguards obligations that currently exist under PIPEDA. No separate legislation, or amendment of PIPEDA, is required. While codes of practice would provide a degree of standardization, TREB believes this would only be practical and workable if the OPC is willing to assist those sectors in the development and review of such codes. TREB believes a privacy seal program, operating alongside PIPEDA, has the potential to increase the regulatory burden of organizations without demonstrating corresponding benefits. TREB is of the opinion that the use of ethics boards should not be pursued. TREB is of the view that the OPC should have an order-making power requiring organizations to take specific actions to prevent further repeats of the acts or practices investigated and found to be non-compliant. Such power should be clearly subject to judicial review. However, the power to compensate any loss or damage suffered (which may include humiliation suffered by the Page 2 of 12

complainant or injury to the complainant's feelings) or administrative monetary penalties should remain with the Federal Court. B. Introduction With Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act ( Discussion Paper ), the Office of the Privacy Commissioner of Canada ( OPC ) has raised for public consideration what has been characterized as the consent dilemma 1. This term consent dilemma concerns divergent views of the future of the existing consent model as found in the Personal Information Protection and Electronic Documents Act 2 ( PIPEDA ). In providing the Discussion Paper and possible solutions to concerns about the current state of consent in PIPEDA, the OPC seeks to stimulate dialogue and solicit views. The Toronto Real Estate Board ( TREB ), on behalf of our members, is pleased to respond to the OPC s invitation and submit its views. Founded in 1920, TREB is Canada's largest real estate board, serving more than 45,000 licensed real estate brokers and salespersons in and about the Greater Toronto Area. TREB serves as the collective voice for both its commercial and residential REALTOR Members and operates under the direction of an elected voluntary board of directors. TREB s members collect an express consent for the collection, use and disclosure of personal information when entering into listing or representation agreements with vendors and prospective buyers of real estate. The objective of the consents used, together with privacy notices, is to limit the use and disclosure of personal information to the purchase and sale of real estate and support for the Multiple Listing Service system. The collection of personal information is direct and the limited use and disclosure of such information does not change over time. TREB s policy is to respect the privacy rights of consumers. TREB remains vigilant in advising its members as to how best to market real estate while ensuring the protection of personal information. C. Consent is Not a Dilemma 1. Technological Change 1 See Discussion Paper, p.1. 2 SC 2000, c 5. Page 3 of 12

Personal information protection concepts can trace their modern roots to the OECD's 1980 Guidelines for the Protection of Privacy and Transborder Flows of Personal Data 3 ( OCED Guidelines ). While not enforceable, these guidelines became a source for the principles informing data protection legislation in countries around the world, including Canada s PIPEDA. These guidelines and, in many respects, PIPEDA reflect ideas to address problems identified then and concerning, in part, technology that was very different from what is available now. The issue Canadians face now are whether such principles, including the need to obtain consent, continue to work in a world that has gone from mainframe to mobile technology. And whether they can they work where longitudinal profiles of individuals become prized in a data-centric, networked world? The Discussion Paper notes...there is concern that technology and business models have changed so significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent. Business and technology models constantly evolve. However, statutes need not promote technology as a driver for legislative change so as to dictate preferences or directions. Legislation, however, does need to be responsive where there is a clear failure in a statute s underlying policy objectives. It is far from clear that PIPEDA s principles approach with respect to consent has failed. PIPEDA was created to be technology-neutral and this concept should not be abandoned. Innovation through enhanced data analytics and the deployment of new collection points (e.g. the Internet of Things or IoT ) represent new challenges to privacy. However, innovation is not predicated on sacrificing privacy. There is a delicate balance in allowing access to and exploitation of one's personal information for commercial gain. The concept of consent forms an important element in maintaining that balance. 2. Notice and Choice Also noted in the Discussion Paper, one view of expecting individuals to take an active role in deciding how their personal information is used in all instances is increasingly unrealistic 4. This discussion arises, in part, because of an argument that the notice and choice model has failed. 3 Updated in 2013, these guidelines may be found at: http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofp ersonaldata.htm 4 Supra, note 1. Page 4 of 12

Notice here means informing individuals about the personal information collected, used and disclosed and choice means permitting a decision to accept such collection, use and disclosure. The idea being few people read privacy policies. While there is research to support this point, it can be argued this reflects the inadequacy of formalistic and/or legalistic privacy statements. Simply because the notice is inadequate does not mean one eliminates choice. Related to the failure of notice and choice (i.e. consent as a means of expression of agreement with proposed uses/disclosures) is the notion that the ability of individuals to manage their privacy is burdensome. Too many privacy statements to read; too many uses (as well as the on-going evolution of uses) mean that the active management by an individual of the collection, use and disclosure of their personal information becomes difficult. 3. Consent Remains a Fundamental Concept So do these points this mean consent is an antiquated concept? TREB s view is that adherence to explicit consumer consent is fundamental concept that should not be re-thought or abandoned. The technologies deployed today that interact with individuals in a myriad of ways all permit business to create profiles/opinions about them and influence actions towards them. As data collection spread from individuals to devices (e.g. IoT), this ability to create profiles of individuals based on activities, relationships, preferences, or lifestyle makes the concept of consent more important than ever. Indiscriminate information collection does not mean that there will be societal benefits: information does not equal knowledge despite claims to the contrary. Whatever benefits are perceived through the wholesale collection and analysis of personal information, the purpose of PIPEDA involves the recognition of the right of privacy of individuals. Removing individuals from the equation is, at best, paternalistic and, at worst, a de facto dismantling of privacy protection. TREB s members deal with consumers and their personal information on a daily basis. Their limited use and disclosure of personal information of their clients reflects an understanding of the risks (e.g. the potential for mortgage fraud and identity theft) for individuals in the world of real estate. They are also aware of the potential for abuse of personal information by clients when there is an emotionally charged divorce, estrangement or settlement of an estate. As a result, TREB and its members acutely understand how home purchasers and vendors feel about the need to protect their personal information. Page 5 of 12

The 2014 OPC Survey of Canadians on Privacy reflects this need: Canadians increasingly feel that their ability to protect their personal information is diminishing. 73% believe they have less protection of their personal information in their daily lives that they did in the prior ten years. 9 in 10 Canadians expressed some level of concern about the protection of their privacy, with 34% saying they are extremely concerned, an increase from 25% in 2012. Three-quarters of Internet users expressed some concern about the different ways the information available about them online might be used by organizations. 49% were very concerned about the impact on their personal reputation when information is collected, assembled, and made into profiles about them. These numbers reflect the unease of Canadians as to the state of their privacy and TREB is sympathetic to the views of Canadians that there has been a diminishment of personal information protection. One might argue that these numbers reflect a disconnect between existing privacy notices/statements/policies; the degree of understanding of what consent entails and the expectations of Canadians. Further underlining the importance of this issue is the potential uses of personal information collected without the knowledge or consent of individual Canadians. As noted by Patricia Kosseim, Senior General Counsel, Office of the Privacy Commissioner of Canada, in a speech at the Canadian Institute for the Administration of Justice Annual Conference in 2014: What about when big data are used not only to sell our identities, but to shape our identities? When big data track our friends and activities on social media sites in order to predict our political leanings and unleash last-ditch efforts to influence our vote? Or when click stream data are used to profile us into certain interest categories and show us tailored versions of the daily news reinforcing initial biases and depriving us of a more complete understanding of the world s events? Commodifying who we are, inferring who we are, or shaping who we are seems intuitively at least, to injure our identities and offend our sense of dignity. 5 5 Patricia Kosseim, Where Big Data Meets Law, 17 October 2014, online at: https://www.priv.gc.ca/media/sp-d/2014/sp-d_20141017_pk_e.asp. Page 6 of 12

Consent is more than a concept to be incorporated into forms or contracts; it represents a degree of empowerment on the part of individuals over their personal information and that empowerment should not be lost. Given the experience of its members and the kinds of questions raised with TREB in dealing with frontline use and disclosure issues especially with the sensitive financial information surrounding real estate transactions -- TREB s view is that adherence to explicit consumer consent is fundamental concept that should not be re-thought or abandoned. 4. Consent Should Be Dynamic TREB s view is that sufficient flexibility is already built into PIPEDA. The federal statute requires that consent must be obtained (1) before or at the time of collection, or (2) when a new use of personal information has been identified. PIPEDA s Schedule 1 recognizes that the form of consent can vary, taking into account the sensitivity of the information and the reasonable expectations of the individual. And, as the Discussion Paper emphasizes, express consent is the most appropriate and respectful form of consent to use generally, and is required when sensitive information is at issue. This flexibility within PIPEDA suggests that a more sophisticated approach to consent management needs to be considered. Consent is linked to both collection and use but need not be obtained only at an early stage of the relationship between organizations and individuals. Associated with this is a need for communication since trust in an organization s protection and use of personal information will grow with a better refinement of individual privacy expectations. This, in practice, means less of a file and forget attitude on the part of organizations when they publish privacy policies/notices and a more active role in managing privacy expectations. TREB agrees with the suggestion to enhance informed consent through more understandable and useful ways of explaining information management practices to individuals as well as more user-friendly ways of expressing privacy preferences. As the Paper rightfully notes, the proactive approach to privacy protection fosters trust on the part of individuals that their data will not be used in unanticipated ways and without their consent. TREB interprets this as a need for more dialogue and understanding to better meet privacy expectations on the part of both the organization and individuals. In keeping with the principles underpinning PIPEDA, consent can be provided in a variety of ways, at different times and using different mechanisms. As noted in the OPC s own Online Behavioural Advertising Guidelines 6, organizations today can use a 6 Online at https://www.priv.gc.ca/information/guide/2011/gl_ba_1112_e.asp Page 7 of 12

variety of communication tools, including online banners, layered approaches, and interactive tools to explain their practices. This can be extended to off-line activities. TREB believes that consent, therefore, should be a dynamic rather than static process and one that recognizes that organizations have to have a further degree of engagement with individuals over what are often called downstream uses. This approach, when applied to making consent more meaningful and relevant, suggests a need for criteria and guidance for use by organizations to allow them to take a better, more interactive approach. Since consumers often become most upset when they discover that their personal information is being used in ways they did not consider, such engagement will ensure a management of expectations on the part of individuals. D. Alternatives to Consent 1. De-identification TREB believes de-identification has a role in the protection of personal information but cannot be viewed as a substitute for consent or a sufficient protection mechanism in and of itself. One also has to bear in mind, in connection with data analytic efforts, that organizations may not want to de-identify individuals they often want to build profiles of identifiable individuals to better support sales and marking initiatives. The ability to de-identify is dependent upon the technique used and the reidentification risk (this risk defined as whether those seeking to re-identify the information possess the specific skills, knowledge, and access to do so). There are different approaches to de-identification (e.g. removal of direct identifiers, pseudoanonymization) and re-identification. How exactly de-identification can be used as an alternative to consent needs better definition before it can be further considered. 2. No-Go and Caution Zones These concepts to be akin to a red light (no collection of certain types of information; no collection from certain classes of individuals) or yellow light (enhanced treatment of sensitive information) definition of situations. TREB believes that information surrounding real estate transactions would fall into the latter ( yellow light ) category. Page 8 of 12

PIPEDA s Regulation Specifying Publicly Available Information 7, and its subsequent interpretation, defines a zone around publicly available information and puts boundaries around the use of such information. The no go or caution zones suggested in the Discussion Paper reflect a similar concept and the challenge will be in developing reasonable rules/definitions around these zones to balance the interests of organizations and individuals. There are Canadian examples of personal health information protection statutes where use without consent is permitted. Those examples reflect an ecosystem with extensive regulatory oversight by professional bodies, there are limited purposes and there is a general culture of patient confidentiality. Whether that concept will scale across a variety of industries is debatable. One might also ask if the OPC will have the resources to provide a similar type of oversight. TREB s view is that the idea sounds good in theory but there is a real question as to whether it would work in practice. At this time, TREB believes that PIPEDA s requirements under s. 5(3) are sufficient with respect to use. E. Governance The Discussion Paper segues into a number of options to consider for the purposes of ensuring strong privacy protections. As noted, some of proposals serve to enhance consent, some are alternatives to consent, and some may belong in a self-regulatory framework. This section elaborates on TREB s views on such options. 1. Privacy by Design ( PbD ) The Discussion Paper asks how should the seven principles of PbD be treated in the context of Canada s privacy law framework? Should this concept merely be encouraged as a desirable aspect of an accountability regime? Or should it become a legislated requirement as it will soon be in Europe? TREB is of the view that these concepts should be considered as part of an organization s accountability, limiting retention, openness and safeguards obligations that currently exist under PIPEDA. No separate legislation, or amendment of PIPEDA, is required. A better approach is to foster the maturation of privacy management within 7 SOR/2001-7 Page 9 of 12

organizations so as to promote a proactive, lifecycle approach to information management and protection. Taking these concepts from PbD provides a more robust privacy management/accountability framework. 2. Governance: Codes of Practice Whether sectoral codes of practice do indeed enhance consent and/or privacy protection remains to be confirmed. Different organizations within a sector may well have different states of privacy posture with different levels of maturity. Such codes, though, do have a salutary effect as well as an educative role. TREB, for example, uses the National Privacy Code for REALTORS, developed by the Canadian Real Estate Association, to educate its members on their privacy obligations. Codes of practice would provide a degree of standardization but TREB believes this would only be practical and workable if the OPC is willing to assist those sectors in the development and review of such codes. They have to be more than a common privacy policy and have to have a high degree of granularity. Whether agreement on codes at a granular level is possible remains to be seen. 3. Privacy Trustmarks The Discussion Paper raises the question of the merit of a privacy trustmark or seal program. As the paper itself notes for a privacy seal program to function effectively in Canada, there would need to be an objective mechanism in place to evaluate how well the program aligns with legislated privacy requirements as well as an independent audit function to ensure continued upholding of standards. Reference is made in the paper to proposed British and European programs. While the regulatory regime is Europe is heavier than it is in Canada, the UK program is voluntary and the European Privacy Seal program is geared to the narrow certification of compliance of IT products and IT-based services with European regulations on privacy and data security. Such programs are usually intended to promote organizations that exceed the established standard and correspondingly build consumer trust. However, they also require the establishment/designation of an accreditation organization and the establishment of criteria. While the idea is raised in the Discussion Paper, it is not clear whether such a program is voluntary or the implications of some organizations going the mark route while others, for reasons of expense, do not. TREB does not believe it is necessary to allow for a privacy seal program to operate alongside PIPEDA. To introduce such a program increases the potential for an Page 10 of 12

increased regulatory burden and unnecessary bureaucracy without demonstrating corresponding benefits. 4. Ethical Assessments The concept of ethics boards can be seen as a supplemental check as to whether consent was legitimately obtained or based on sufficient knowledge. The fundamental question in any use of a third party to consider whether uses of data are ethical, fair, or appropriate is what standards are used to determine what is fair and appropriate. Section 5(3) of PIPEDA already provides a starting point for an objective determination of what s appropriate in the collection, use or disclosure of personal information. In a medical research context there is a considerable degree of detail associated with a formal consent document. It is an open question as to whether such an approach would be incompatible with what may happen in a business context. There are also questions of the composition and independence of such boards or their power (or desire) to prohibit proposed uses of personal information. TREB is of the opinion that the use of ethics boards should not be pursued. This seems a delegation of a determination that should remain with the OPC. Depending on how such boards are established, such a delegation may result in inconsistent interpretations of what is ethical or fair. F. Enforcement The Discussion Paper raises a question as to enforcement, specifically whether the provision of an order making power to the OPC is appropriate. TREB recognizes that such a power can serve as a strong incentive for organizations to stop privacy-invasive practices. Similarly, amendments made to PIPEDA by the Digital Privacy Act 8, with fines for knowingly violating the notification requirements, introduces another enforcement mechanism. TREB notes that the OPC in its position paper The Case for Reforming the Personal Information Protection and Electronic Documents Act 9 has already advocated for greater power: The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. 8 SC 2015, c 32 9 Online at: https://www.priv.gc.ca/parl/2013/pipeda_r_201305_e.asp#toc2 Page 11 of 12

It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not. Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data. TREB is of the view that the OPC should have an order-making power requiring organizations to take specific actions to prevent further repeats of the acts or practices investigated and found to be non-compliant. Such power should also be clearly subject to judicial review. However, such powers should not include an ability to compensate any loss or damage suffered (which may include humiliation suffered by the complainant or injury to the complainant's feelings) or administrative monetary penalties. TREB believes any question of damages or penalties should be left to the Federal Court. G. Concluding Remarks The business of real estate involves the collection, use and disclosure of personal information. Because of this, TREB and its members are sensitive to the privacy interests of consumers who are also real estate clients. TREB s policy is to respect the privacy rights of consumers. TREB remains vigilant in advising its members as to how best to market real estate while ensuring the protection of personal information. Throughout all of its activities, TREB has been consistent in its advocacy of the need to find an appropriate balance between the importance of informed consent in order to protect privacy, and the desire to foster innovation and technological developments. With respect to the main question about consent posed in the Discussion Paper does the solution lie in giving individuals better information and mechanism by which to make informed choices? TREB s answer is yes. Legislative changes are not necessary as PIPEDA, as amended by the Digital Privacy Act, contains provisions that adequately protect consumer privacy interests in Canada. What is required is to make consent a more dynamic process for businesses and consumers alike. Page 12 of 12

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback