Bill C-12 (Historical)
Safeguarding Canadians' Personal Information Act
An Act to amend the Personal Information Protection and Electronic Documents Act
This bill was last introduced in the 41st Parliament, 1st Session, which ended in September 2013.
Christian Paradis Conservative
Second reading (House), as of Sept. 29, 2011
(This bill did not become law.)
This is from the published bill. The Library of Parliament often publishes better independent summaries.
This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) exclude, in certain circumstances, business contact information from the application of Part 1 of that Act;
(b) specify the elements of valid consent for the collection, use or disclosure of personal information;
(c) permit the disclosure of personal information without the knowledge or consent of the individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) performing police services,
(iii) preventing, detecting or suppressing fraud, or
(iv) protecting victims of financial abuse;
(d) clarify the meaning of lawful authority for the purpose of disclosures to government institutions of personal information without the knowledge or consent of the individual;
(e) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of the individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(f) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of the individual, personal information related to prospective or completed business transactions;
(g) permit federal works, undertakings and businesses to collect, use and disclose personal information without the knowledge or consent of the individual to establish, manage or terminate employment relationships;
(h) provide a framework for organizations to notify individuals proactively about disclosures of their personal information made in certain circumstances to government institutions; and
(i) require organizations to report material breaches of security safeguards to the Privacy Commissioner and to notify certain individuals and organizations of breaches that create a real risk of significant harm.
May 1st, 2014 / 11:45 a.m.
Dr. Éloïse Gratton Partner and Co-Chair, Privacy, McMillan LLP, As an Individual
I will start. Thank you for the invitation.
I'll give the first part of my presentation in French and the second, in English.
I'd like to start by discussing the legal framework governing privacy protection and the response of business. Despite the legislation that exists, the Personal Information Protection and Electronic Documents Act, or PIPEDA, companies and organizations have no real incentive to comply with the act and implement appropriate security measures. What's the worst that could happen from a company's perspective? What are the risks if they don't comply with the act? Not much. The worst case scenario is that their reputation might be tarnished. For example, if a complaint is made, and at the end of the investigation, the commissioner decides to release the company's name, then obviously, the company's reputation might be sullied. That very seldom happens, though.
There is another potential risk. When an individual is notified by the commissioner that the act was in fact breached, that person can take the company to Federal Court for damages. The court has made a few such rulings in the past decade. In five to ten cases, the Federal Court awarded small amounts. In some cases, it awarded no damages, and in others, $5,000.
Last fall, in its ruling on Chitrakar v. Bell TV, the Federal Court awarded $20,000 in damages, and that was a first. Is this the beginning of a new trend? Perhaps. Only time will tell. One thing is for sure: not everyone has the means to take legal action against a company to obtain small amounts in damages. In privacy violation cases, the amounts often range between $5,000 and $10,000. Engaging in a court battle is a complicated and painstaking process.
Furthermore, at the federal level, no incentives exist with respect to class action lawsuits over privacy violations, which have the potential to improve compliance. Incentives do exist in other jurisdictions. And in many cases, companies comply with privacy legislation as a result. Just think of the recent security breaches. Last January, a security breach occurred at Human Resources and Skills Development Canada. In April, a security breach occurred at the Investment Industry Regulatory Organization of Canada, or IIROC. And class action suits were launched in relation to both of those breaches.
In the case of IIROC, a portable drive containing the financial information of 52,000 brokerage firm clients was lost. The damages sought were $1,000 per individual. That has the potential to motivate companies to comply, but under PIPEDA, that isn't an option. The legislation contains no such provision to motivate companies. And even if it did, a class action lawsuit isn't necessarily appealing because authorization to proceed isn't always granted.
In the Quebec case of Larose c. Banque Nationale du Canada, the Superior Court made a ruling in 2010. A typical breach, it involved a lost laptop containing the financial information of many clients. One of the clients was not very happy and took the National Bank to court. At the authorization stage, counsel for the complainant had to show that, as a result of the security breach on the bank's part, actual identity theft had occurred. The court stipulated that the fear of identity theft alone did not entitle someone to compensation. Had there been no evidence of actual identity theft, the court would not have granted authorization for a class action.
That tells you just how high the bar has been set. Proceedings of this nature are not straightforward. And the damages aren't very high. So what's left? If you can't seek compensation because you're afraid you were the victim of identity theft as a result of a security breach, there is little else you can do.
Let's come back to the legislation concerning security measures. Companies are advised to adopt security measures based on the level of sensitivity of the information. Even when companies contract out services to a third party, the legislation says they are still responsible for the information and must ensure its protection through the contract. In reality, what we often see is companies using cloud services or third-party contracts. They contract the service out and then turn a blind eye to what goes on.
I would like you to consider a provision in a piece of Quebec legislation that I see as very useful. It imposes an additional obligation on companies preparing to give or transfer personal information to a third party via a contract. I am referring to section 26 of An Act to Establish a Legal Framework for Information Technology. It reads as follows:
Anyone who places a technology-based document in the custody of a service provider is required to inform the service provider beforehand as to the privacy protection required by the document according to the confidentiality of the information it contains, and as to the persons who are authorized to access the document.
The person who entrusts the function to a service provider and transfers the data to the provider, whether via cloud computing or some other means, has an obligation to tell the service provider how to protect the information in question. I think incorporating a similar provision in our legislation could be useful.
I am active in the protection of privacy and personal information. There is a prevention component to my work. That entails advisory services, compliance, training, policy development and so forth. I am also involved in crisis management. I help with the management of security breaches, provide assistance when complaints are made to privacy commissioners in various jurisdictions and give advice related to privacy class action lawsuits. Clients rarely ask me to do any prevention work for them unless they have had some sort of crisis first. That shows that companies aren't very tuned in to the issue. And yet, the legislation exists. Are they motivated to comply with the act? Not especially, because they wait until a security breach has occurred before taking action. Not until a crisis arises do they realize how costly it can be and that they might do well to invest in prevention.
It's also interesting to see just how many resources are being deployed to compliance and prevention around the coming into force of Canada's new anti-spam legislation. That piece of legislation is being taken seriously. It includes liability provisions that apply to administrators, executives and employers. And since the penalties it sets out are quite stiff, companies take it seriously. Ever since its coming into force was announced, the legislation has monopolized my practice almost full time. Is spam a bigger problem or greater evil than security breaches or identity theft? I doubt it. Why, then, is the situation the way it is? What are we waiting for to motivate companies to invest in prevention?
I have one last point. My second part will be very short.
Some studies show that most security breaches are the result of human error. I am referring to two studies, in particular, that were conducted two years after the requirement to report a security breach was imposed on companies. The first was done by Alberta in 2012-13 and lists all the notifications and security breaches. According to that report, human error was at fault in many of the cases. The second study was done by the Ponemon Institute in 2013 and says that in 33% of cases, employee error was to blame.
That, too, shows that companies aren't taking employee training around privacy protection seriously. Very often, the security breach resulted from a laptop being left in a car. Was the employee aware that behaviour posed a risk? Was a relevant policy in place? Was appropriate training available? The jury is out.
I know time is running. The second part is going to be quick.
I want to raise the fact that currently under PIPEDA we don't have mandatory breach notification, and I believe that this may well play an important role in addressing some of the financial harm that may be triggered in the case of identity theft following a security breach.
If individuals, whether they be consumers, employees, are notified, it will help them to better protect themselves against harm, such as identity theft, because once they're notified they're going to pay special attention to their financial statements every month, every day, tracking down any suspicious or unauthorized transactions. They're going to monitor their credit through credit-rating agencies, such as Equifax and TransUnion. It will also provide businesses with an incentive to establish better data security practices in the first place.
What's the status on mandatory breach notification outside of Canada? We have it in Europe and in the United States. Most of the states in the U.S. have breach notification laws. In Canada, Alberta so far is the only private sector jurisdiction that has this law, and they prescribe fines up to $100,000 for businesses. They have realized that this breach notification obligation in their law has increased the reporting of security breaches, and it has also increased the privacy training. Businesses are more inclined and are more motivated to spend, because they realize that it's going to be an obligation to disclose the breach if there is such a breach.
In Quebec there is a consensus that it is needed. In 2011, la Commission d'accès à l'information du Québec published a report in which they said that this is needed. It's a matter of time. It's in the hands right now of the legislature, but we will have also this obligation in Quebec shortly, hopefully.
At the federal level, we've had various bills that have been introduced: Bill C-29, Bill C-12, Bill S-4 recently, and Bill C-475. The latest one is Bill S-4. Will Bill S-4 do the job if it becomes law? It's better than having nothing, that's for sure. Maybe it's not perfect, but it's better than having nothing.
I guess it would create the incentive for businesses to disclose, and I think we need to trigger that incentive. In an ideal situation there should be clear monetary penalties for not reporting security breaches to individuals and to the privacy commissioners. There should be a duty to report a breach as soon as possible. I'm cautious with providing fixed delays, because I've been on the other side. Sometimes there's a breach and you need to do the investigation before you start notifying individuals and privacy commissioners, because you need to know exactly what happened and what needs to be told or not told.
The Privacy Commissioner, I believe, should be given the power to order an organization to report a breach to customers. These orders should be made public and the organization should be named. I think that would create the necessary incentive for them to invest in preventive measures, which would be beneficial to address a financial harm resulting from identity theft.
This is my last point. It would not be a bad idea to have a uniform breach notification law in Canada. Various systems could become problematic when there's a breach. I know that a few years ago, the Uniform Law Conference of Canada drafted a breach notification act. Maybe it could be used as a tool.
Thank you. I think my time is up.
April 1st, 2014 / 12:25 p.m.
The Chair Pat Martin
Your time is pretty much up; there are about 10 seconds left. But I would like to clarify, perhaps, Mr. Jenkin's response.
The PIPEDA act is up for review. It was due to be reviewed about two years ago. It was reviewed once about seven years ago, and the government's response to that review was Bill C-28, which died on the order paper, and Bill C-12, which died on the order paper. So if there was a government response, none of those elements was ever implemented; the act was never amended or changed.
I don't want Mr. Ravignat to think that a review led to amendments to the act. It did not.
Or did you mean something else?
Personal Information Protection and Electronic Documents Act
Private Members' Business
December 5th, 2013 / 6 p.m.
Megan Leslie Halifax, NS
Mr. Speaker, I have a great crowd behind me, because this is a really important bill. There is such a great response. I really want to thank my colleague from Terrebonne—Blainville for working on this important piece of legislation. She deserves congratulations for a lot of reasons. It is a great piece of legislation.
My colleague was elected in 2011. She is proof positive that an individual MP can advocate for constituents, give a caucus important advice in a critic role, represent NDP values in a critic area, and make concrete legislative suggestions to the House. The fact that we have such a good piece of legislation before us speaks volumes about her ability to make a difference here in Parliament.
The former CEO of Google, Eric Schmidt, said that as of 2010, we create more information in just two days than was ever created up to and including 2003. That is an incredible statistic. It is massive. We create about 2,000 years' worth of information every couple of days. That is just one way of measuring how the digital world we live in today is different even compared to just 10 years ago.
Change is happening quickly when it comes to technology, innovation, and information sharing. It is increasingly an issue for Canadians, because in the last 10 years, with the growth of the digital economy, social media, and Internet access, greater amounts of personal data are shared. They are collected, used, and disclosed.
This bill identifies a problem. The problem is that our privacy laws are not built for a digital age when we create and share so much personal information.
PIPEDA was adopted in 2000. I remember it quite well, because I was a law student, starting in 2001, and we talked about what the implications would be for the groups, organizations, and communities we worked with. At that time, there were almost no social networking sites, microblogging sites, or video-sharing sites. Tumblr and YouTube did not exist, and there was no such thing as Facebook. I remember the first time I ever googled something, and it certainly was not a verb at that time.
Now over 18 million Canadians have a Facebook account, including many of us here in the House. A lot of us use this form of social networking. That number of 18 million Canadians is more than half of Canada's population, which is incredible.
Can anyone remember a time when they could not YouTube a viral video or find an old friend on Facebook? It was a completely different world 10 years ago. Now we are light years ahead of where we were in 2000.
What we are talking about here would transform the digital world in Canada. It is the type of change that affects Canadians on a huge scale. As Canadians, we are incredibly connected. We are the second-greatest Internet users in the world. More than 80% of us access the Internet regularly. Approximately 70% of us think that our personal data is less secure and less protected than it was 10 years ago, and 97% of Canadians would like to know when their personal information has been exposed because of a data breach.
It is worth noting these statistics, because most Canadians agree with the goals of this bill. It is absolutely unthinkable that we would expose so many Canadians to risks to their online privacy, especially when many people are aware of and concerned about these risks.
We need to update our privacy laws to recognize these changes and keep up with them; otherwise, we risk leaving Canadians unprotected. Canadians have moved on from 2001. It is time that our privacy protection laws moved on as well.
I would like to stress the importance of taking advantage of the opportunity this bill presents. We know that the Conservatives presented a privacy bill, Bill C-12, that came out of the 2006-2007 review of PIPEDA. However, it has been languishing on the order paper since 2011. That is far too long. Not one but two PIPEDA reviews are overdue.
We need privacy protection for the 21st century, but we also need it in the 21st century. Bill C-475 responds to these pressing challenges for protecting our privacy in a new digital age.
In a May 2013 review of PIPEDA, the Office of the Privacy Commissioner of Canada identified pressure points where PIPEDA needed to be changed. The first two of these pressure points, and arguably the most important ones, are addressed in Bill C-475.
The first pressure point identified in the report was enforcement. The report points to the fact that under PIPEDA the Privacy Commissioner is limited to the role of an administrative investigator, and that while she may seek resolution through negotiation, persuasion, and mediation, she actually has no enforcement powers.
The report says:
The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not. Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data.
Bill C-475 answers this recommendation in giving enforcement powers to the Privacy Commissioner to order organizations to comply with privacy legislation and to fine them if they refuse to take action within an established time period.
The second pressure point in the Privacy Commissioner's report was to “shine a light on privacy breaches”. It recommended that PIPEDA should:
require organizations to report breaches of personal information to the Commissioner and to notify affected individuals, where warranted, so that appropriate mitigation measures can be taken in a timely manner.
This is really common sense. First of all, we want to know when our personal information has been put at risk. As I said before, 97% of Canadians agree that they want to know when there has been a breach in their privacy. The harm that comes from these breaches can include identity theft, financial loss, negative credit ratings, and even physical harm. We should be aware that we have been exposed to a higher level of these risks when our privacy has been breached.
I will wrap up by saying that the Privacy Commissioner stressed that too often the rights of individuals are displaced by organizations' business needs and that it is becoming increasingly clear that the balance between these rights and needs is no longer there.
I would like the House to know that New Democrats are not stuck in the past. We recognize the imbalance, and with the bill we will take the first steps to make sure to protect the interests of businesses and consumers in the new digital age.
Personal Information Protection and Electronic Documents Act
Private Members' Business
October 22nd, 2013 / 6 p.m.
Scott Andrews Avalon, NL
Mr. Speaker, it is a pleasure to contribute to this debate today. I listened to the parliamentary secretary speak to the bill. He left out a few interesting facts.
Bill C-12, which was the government's bill, was introduced in 2007. Five long years have passed since then, and the government has not kept its commitment to changing PIPEDA and making the necessary changes. Twice the bill has fallen off the order paper. The government has not been taking PIPEDA very seriously at all.
I commend the member for bringing forward the bill. It would deal with two small measures. First, it talks about reporting the loss or disclosure of unauthorized access to personal information. Where a reasonable person would conclude that there exists some possible risk, the commissioner would have to be notified. The other part would give the commissioner some actual teeth to dig in and fine when personal information is lost.
We, as a government, are falling behind the rest of the world when it comes to protecting people's privacy.
I find it comical that the parliamentary secretary says that PIPEDA has kept its relevance. I am going to quote Commissioner Stoddart with respect to its relevance. She stated:
Back in 2001, when PIPEDA began coming into force, – and even when I became Privacy Commissioner in 2003 – there was no Facebook, no Twitter and no Google Street View. Phones weren't smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.
A lot has changed since 2001, and our PIPEDA legislation just has not kept up.
This is a good start. It would give the commissioner more enforcement powers. Currently the commissioner can only publicly shame a company for breaching PIPEDA. It is time for the commissioner to have the strong enforcement powers needed. Some of that may have been contained in the government's bill, Bill C-12, but that bill has not seen the light of day.
Bill C-475 is with us now. It is something we need to refer to committee. We need to update our privacy laws, and we will be supporting the bill.
Personal Information Protection and Electronic Documents Act
Private Members' Business
October 22nd, 2013 / 5:50 p.m.
Mike Lake Parliamentary Secretary to the Minister of Industry
Mr. Speaker, I am pleased to speak to private member's Bill C-475 as presented by my hon. colleague from across the aisle.
Bill C-475 proposes to amend the Personal Information Protection and Electronic Documents Act known as PIPEDA, a law that has been in place for over a decade. PIPEDA has proven its value and retained its relevance in the face of unprecedented technological change.
At its core, PIPEDA gives individuals control over whether and how their personal information can be collected, used or disclosed during commercial activity. This protection fosters trust and confidence in the online marketplace, an important part of the Canadian economy that is growing by leaps and bounds.
The government is committed to updating PIPEDA. In fact, the Minister of Industry met with the Privacy Commissioner only yesterday. However, any changes that are proposed should have been discussed thoroughly with business, consumer advocates and academics or fall within the framework of the existing legislation, as is the case with the former Bill C-12. The proposed new measures put forward in Bill C-475 were not. The proposed amendments in Bill C-475 give the Privacy Commissioner new powers and present a major change to PIPEDA and the role of the commissioner. The impact of such a change on all stakeholders has not been considered.
The Privacy Commissioner's role as defined in PIPEDA is to serve as an ombudsman, a role she has performed impressively to the great benefit of Canadians. Indeed, the commissioner has been internationally recognized and applauded for her success. It was in recognition of this that her term was extended to three years in 2010.
As the commissioner's term enters its final months, the government is pleased to have this opportunity to express its gratitude for the commissioner's dedication to the protection of the privacy of Canadians.
Let us begin by highlighting some of the successes so far. PIPEDA's ombudsman model has proven very successful in setting a high standard for the protection of personal information in Canada. PIPEDA allows for mediated solutions to privacy conflicts that can give both individuals and companies a clear understanding of their rights and responsibilities. A less formal dispute-resolution mechanism is far less intimidating for individuals and easier for them to navigate.
PIPEDA's current oversight and redress regime reflects a deliberate decision by Parliament to adopt a mechanism that avoids litigation when resolving privacy disputes. PIPEDA also provides the Privacy Commissioner with a range of powers to address privacy issues. She can investigate, enter premises and compel evidence, mediate a settlement, make recommendations, publish the names of those who contravene PIPEDA and take matters to the Federal Court.
Bill C-475 would give the Privacy Commissioner new, quasi-judicial enforcement powers. Unfortunately, the enforcement regime proposed by the private member's bill is fraught with procedural failings. As my colleagues will note, the bill contains a list of consequences for non-compliance. This includes a monetary penalty of up to $500,000, a very significant amount.
However, should penalties imposed on small firms be as large as those for multinationals? Unfortunately, the bill completely overlooks this matter. The size of the firm or its ability to bear the burden of monetary penalty is apparently not a factor to be considered.
Given the potential severity of the monetary penalty, it is also puzzling to observe that this particular remedy only applies to failure to comply with orders. Indeed, organizations that have been found to wilfully violate the privacy of individuals, including those that have profited significantly from the violation, are not subject to this penalty. They are only penalized if they have failed to change their ways after having been caught. There are many outstanding issues and questions with respect to the enforcement measures that are being proposed in Bill C-475.
PIPEDA already provides the Federal Court with the ability to provide any remedy it deems appropriate, including orders to correct practices, award damages, or order offending parties to publish a notice of corrective action. Clearly, PIPEDA establishes a comprehensive process for taking action against privacy violations. Businesses, both large and small, together with individuals, have found much success in the resolution of their disputes.
We must ask, then, how the proposed enforcement measures are going to affect the level of co-operation that exists between organizations subject to PIPEDA and the Privacy Commissioner. Would the enforcement regime of Bill C-475 change the current dynamic between organizations subject to PIPEDA and the commissioner, making the parties more adversarial and the process counterproductive? These are questions that cannot be taken lightly.
Finally, the implications of these new powers on the structure and resources of the Privacy Commissioner's office do not seem to have been considered during the drafting of Bill C-475. The new powers would place an undue burden on personnel within the Privacy Commissioner's office. One cannot simply add new enforcement powers to a law without thorough study and consideration of the impact on its existing oversight regime or on its regulator.
We cannot support Bill C-475. There are too many omissions and fundamental questions left unanswered in this bill.
In spite of the difficulties with this private member's bill, though, the issue of compliance with PIPEDA certainly warrants further exploration. The government will continue to send a strong message about the importance of complying with PIPEDA, given its critical role in building trust and confidence in the online marketplace. Furthermore, there must be an opportunity for all Canadians with an interest in privacy issues to be comprehensively canvassed and thoroughly heard.
To conclude, the government does not support private member's Bill C-475. Instead, the government remains committed to updating PIPEDA in a more considered and comprehensive manner. Our government will have a balanced approach, one that takes seriously the protection of private information while establishing a regulatory framework that is workable for businesses.
Personal Information Protection and Electronic Documents Act
Private Members' Business
October 22nd, 2013 / 5:35 p.m.
Charmaine Borg Terrebonne—Blainville, QC
moved that Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), be read the second time and referred to a committee.
Mr. Speaker, I am having a déjà vu. I feel like I already delivered a speech for the first hour of debate.
I am very pleased to have the opportunity to reopen the debate on an issue that is extremely important for Canadians and our digital industry and that is the issue of protecting personal information.
My Bill C-475 seeks to modernize the Personal Information Protection and Electronic Documents Act, which has not been updated since the arrival of the first generation of iPod. That is an eternity in a modern and ever-changing society like ours. Several million Canadians have never known a world without smart phones. This legislation that governs crucial aspects of our lives does not respond to the challenges of our time.
As I have already mentioned, we use the Internet every day. We use the Web to socialize, share our ideas with others, work, contribute to the Canadian and global economies, participate in democracy and educate ourselves. The Internet is indispensable to our personal, academic and professional development.
The Internet is central to the lives of both children and adults, who use it for entertainment and as a work tool. However, all of our web activities create a digital information footprint, which makes it even more clear that we need to protect our information.
I would like to share some facts that show how big a role the Internet plays in our lives. Quebeckers and Canadians spend about 45 hours a week online. More than 70% of Canadians use it daily. Our citizens have more than 18 million Facebook accounts. The digital economy is a sector that is growing exponentially.
Our democracy is becoming increasingly digitized. One example is petitions, which allow our citizens to speak up and become involved in regional, national and international issues. Canada as a country is firmly plugged in.
We are increasingly managing our lives digitally. Because of this major shift, new rules are needed. These rules must take into account the new risks associated with this shift.
Since the beginning of this year, we have seen what a huge impact the loss of personal information has on our communities, for all citizens, regardless of their vulnerability or level of digital literacy. Millions of Canadians are affected by the loss of information, and this is happening more frequently every year, according to the Privacy Commissioner.
A study published in 2011 showed that every publicly traded Canadian company experiences an average of 18 privacy breaches a year. That is a lot.
Two recent reports revealed that 7 million Canadians have lost $3 billion as a result of cybercrimes. The most common crimes are identity theft and privacy and security breaches. Companies should protect against such breaches.
These reports said that 94% of companies say that they have never experienced a privacy breach. These numbers frighten me. In addition, the more information that is shared on the Internet and our smart phones, the more chances there are that our information could be lost or stolen. This only encourages crime groups in the very lucrative phishing market that have managed to scam thousands of Canadians and steal $76 million, last year alone, through 156 million emails sent from all over the world.
This is an international problem and we have to address it immediately. Unfortunately, the current legislation to protect privacy and Canadians' personal information has not been updated to address these risks and put in place appropriate measures for our society.
The current legislation does not provide for Canadians to be notified of a breach of their personal information. In fact, organizations are not required to notify them, regardless of the seriousness of the breach. This means that they cannot take appropriate action to protect their identity or their credit in order to reduce any harm they might suffer.
Compliance with Canadian legislation governing the sharing of personal information is another major problem in Canada. In 2011, the Privacy Commissioner noted that a quarter of the most-visited websites in Canada do not comply with Canadian law; they disclose our data without our consent. What is much worse is that companies that choose to ignore our laws do not currently suffer any consequences.
For more than 10 years, Canadians have been waiting for a better regulatory framework, and they are rightly expecting results. It is in that spirit that I decided to draft Bill C-475.
I would like to quickly remind my colleagues of the two simple and effective mechanisms proposed by Bill C-475 to enhance the protection of Canadians' personal information.
First off, Bill C-475 requires that the Office of the Privacy Commissioner be notified by any organization having personal information under its control when there is a possible risk of harm to users. Experts in the commissioner's office will assess the seriousness of the situation against a criterion for harm that sets a high standard. They will recommend whether or not the organization should notify the users affected. This mechanism allows for an objective analysis of the risk and better management of the risk through an expectation of a high level of security, rather than a subjective analysis based on the interests of the organization, which may differ from the interests of users.
In addition, objective risk analysis will ensure that users are not bombarded with notifications of data breaches that do not affect them at all or present a minimal risk. Indeed, this framework will ensure that users are not bombarded with useless notifications. They will only be notified after a thorough risk assessment by the Office of the Privacy Commissioner. The process will empower Canadians to take steps to protect themselves much more quickly, in addition to reducing the harm done to them.
The second mechanism provided for in Bill C-475 is designed to give the Office of the Privacy Commissioner order-making power when an organization fails to obey the law.
The Federal Court would have legislated authority to penalize organizations that fail to carry out an order issued by the commissioner.
These mechanisms are straightforward and clarify the commissioner's powers. In short, the Office of the Commissioner will now have the power to enforce the law, which unfortunately is not now the case. All too often, the commissioner's recommendations are not being followed, and it is Canadians' privacy that is suffering.
This bill was drafted to address the concerns of Canadians, people in the digital industry, civil liberties organizations, Internet experts and specialists in the protection of privacy, some of whom we heard testify during the study conducted by the Standing Committee on Access to Information, Privacy and Ethics on social networks and privacy.
Bill C-475 is a direct response to requests from the community to adapt the law to suit our digital age by providing some flexibility for people in the industry and protecting the ombudsman's role of the Office of the Commissioner.
The bill therefore takes a very balanced approach, despite what members opposite said last May. On October 9, information and privacy commissioners and ombudspersons from Canada's federal, provincial and territorial governments met in Vancouver for their annual meeting. They voted in favour of a resolution calling for reforms to address a series of measures they are interested in looking at and supporting, including the key principles in my bill. These measures follow up on recommendations Commissioner Stoddart put forward last May with the aim of modernizing the Personal Information Protection and Electronic Documents Act in order to strengthen the authority to enforce the act, including the commissioner's ability to make orders and make it mandatory for organizations to report when information has been compromised.
The bill is also balanced with regard to companies, since clear roles and processes enable them to plan their policies and response. It will be clear for organizations that they are required to report a breach to the Office of the Commissioner, but they will not be responsible for deciding what the ultimate risk is. Companies that are law-abiding will no longer have to compete with companies that are not.
Finally, this bill makes it possible to bring our privacy protection legislation up to the same level as countries such as Germany, Great Britain, Australia and France, as well as Canadian provinces such as Quebec and Alberta. Canada, as a world leader in technology, must implement international standards. A cross-Canada survey published in April by the Office of the Privacy Commissioner found that 97% of Canadians would want to be notified if the personal information they had given to an organization were compromised. In addition, 80% of respondents would grant more powers to the Office of the Privacy Commissioner.
The principles defended by my bill have garnered support from all classes of stakeholders affected by these changes, including industry representatives, civil liberties organizations, academics specializing in all areas, consumer protection agencies and even by the Privacy Commissioner and the ombudsman for privacy and information.
This fall, the public consultations I conducted in my riding and the West confirmed the growing interest of Canadians in privacy issues and their support for my bill.
The Union des consommateurs, for example, has stated that:
[it] believes that the implementation of the principles proposed by the NDP, through their private member's bill amending the Personal Information Protection and Electronic Documents Act, constitutes a real advancement to better protect the privacy of consumers.
Michael Geist, the Canada research chair of Internet and e-commerce law at the University of Ottawa said the following:
Bill C-475 is a far better proposal ... Those provisions would do far to ensure a greater respect for Canadian privacy law and give Canadians the assurance of notifications in the event of security breaches.
A few years ago, my colleagues on the other side introduced a bill to modernize the Personal Information Protection and Electronic Documents Act. Therefore, I know they share my concerns about the privacy of Canadians.
Furthermore, in the Speech from the Throne last week, the Conservatives reiterated their willingness to defend the rights of consumers, and the protection of privacy is a crucial part of these rights.
However, Bill C-12 did not receive the serious consideration it needed in the House, and today its principles no longer reflect the reality of our current needs. Moreover, due to the prorogation of Parliament, Bill C-12 has died on the order paper.
My bill is the most up-to-date bill and the only one currently on the table.
I urge my colleagues across the way to reconsider their position on Bill C-475, not only because it meets the current needs of citizens and surveillance authorities, but also because, if we wait for the reintroduction and re-evaluation of an outdated bill, it will take months or even years. Canadians need to be protected now, and Bill C-475 will help restore their confidence in the companies with which they do business, as well as in our institutions.
Canada has a deplorable record on the international front when it comes to privacy, and the increasingly costly attacks on our personal information demonstrate beyond a shadow of a doubt that we cannot afford to wait any longer; we must act now.
Canada's Privacy Commissioner, Jennifer Stoddart, said it best on October 9, 2013:
We live in a world where technologies are evolving at lightning speed and organizations are using our personal information in ways previously unimaginable—creating new risks for our privacy. Our laws need to keep up. Canadians expect and deserve modern, effective laws to protect their right to privacy.
By voting in favour of Bill C-475, my colleagues would be meeting Canadians' expectations. If the members of this House truly care about the privacy of their citizens, they have absolutely no reason to vote against my bill.
If the Conservatives take their commitment to consumers seriously, they must vote in favour of Bill C-475.
I would also like to reiterate that I am willing to work with all parties in order to ensure that Canadians have the protection they deserve in this digital age.
We must work together, as parliamentarians, to better protect the privacy rights of our citizens, our youth and seniors.
June 7th, 2013 / 11:50 a.m.
Christian Paradis Minister of Industry and Minister of State (Agriculture)
Mr. Speaker, we thank the Privacy Commissioner for her report, and we indeed have taken measures to have tougher measures. That is why we introduced Bill C-12, which would improve privacy safeguards.
It is unfortunate that the opposition decided to play political games and needlessly delayed the bill.
We seek the support from the opposition. Everything covered in this bill is in response to what was recommended by the committee. I urge the opposition to support Bill C-12 immediately.
June 7th, 2013 / 11:50 a.m.
Charmaine Borg Terrebonne—Blainville, QC
Mr. Speaker, it is clear that Conservatives do not take the privacy of Canadians seriously. The commissioner herself has raised concerns about Bill C-12. To paraphrase the Privacy Commissioner, the Conservatives are taking a soft approach when it comes to protecting Canadians' privacy online.
The commissioner made it clear. The present lack of oversight for online snooping is putting Canadians' privacy at risk.
When will the Conservative government agree that we need a tougher law, better oversight, and reporting mechanisms? When will the Conservatives start protecting Canadians' privacy online?
June 7th, 2013 / 11:50 a.m.
Christian Paradis Minister of Industry and Minister of State (Agriculture)
Mr. Speaker, naturally we thank the commissioner for her report. Our government is truly determined to protect Canadians' privacy.
That is why we introduced Bill C-12, which strengthens guarantees to protect personal information and implements the committee's recommendations. With all due respect, the bill introduced by my colleague does not cover all these aspects.
We will take the time to carefully study the commissioner's report. However, I would ask the NDP to support Bill C-12, which addresses the committee's findings.
May 28th, 2013 / 4:40 p.m.
Dr. Michael Geist Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
Thank you, Mr. Chair.
Good afternoon. As you heard, my name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law, but I appear before this committee today in a personal capacity, representing only my own views.
I appreciate the invitation. I'm certainly supportive of the committee's study on the issue of SME adoption of digital technologies.
As the committee has already heard, Canada fares relatively poorly in some areas when compared with peer countries. For example, you heard from Shopify's Harley Finkelstein on the lower e-commerce adoption rates by Canadian firms as compared to those in the U.S. There are many other studies that point to the same concerns. A 2011 CEFRIO study on Canadian SME ICT adoption found that mobile device usage was relatively low; moreover, many of the online collaborative tools—application sharing, web sharing, video conferencing—are only used by a small minority of Canadian SMEs.
The Canadian Chamber of Commerce's 2010 study on SME use of e-business solutions arrived at similar conclusions. Moreover, it pointed to Canada's declining rank, whether in the World Economic Forum's global competitiveness index, the OECD's broadband ranking, or The Economist's e-readiness ranking.
Of course, I suggest that the committee is well aware of these shortcomings, as your May 2012 report, “E-commerce in Canada”, cited similar statistics and studies and took note of the performance of Canadian SMEs.
So we have a problem, and while I'm pleased that the committee is looking at this, you'll forgive me if there is a sense of déjà vu about this discussion. This committee is currently also studying broadband and Internet access across Canada, has completed a study on the IP regime in Canada and, as I've just noted, also completed a study on e-commerce. As you know, you're not alone. The Canadian Heritage committee has completed a study on the entertainment software industry in Canada. The Access to Information, Privacy and Ethics committee completed a study on privacy and social media. The Justice and Human Rights committee has studied cyber-bullying. The Senate committee on Transport and Communications last year released a study on the wireless sector.
My point is that our problems with the digital economy, including SME digital technology adoption, are not the result of a lack of study. Many of these issues have been studied intensively for years. At least part of the problem lies in Canada's lack of a cohesive, forward-looking digital economy strategy. That failure is plainly hurting all aspects of our digital economy. It creates business uncertainty, it undermines consumer adoption of e-commerce, harms innovation, and sends an unmistakable signal that this is simply not a policy priority.
For an SME, the effects of Canada's digital economy strategy failure—something I've often termed as Canada's “Penske file”—can be found everywhere. Let me give three quick examples.
The failure to craft a cohesive strategy to ensure a competitive broadband and wireless market means higher costs and less choice for business and consumers alike. High data rates have often meant that the adoption of mobile solutions has been costlier in Canada than elsewhere, which hurts the business case for ICT investment. Further, when Canadian businesses travel to other countries to explore new opportunities, they face some of the highest roaming fees in the world.
Second, on the regulatory front, the digital economy strategy failure has meant that important legislation has stalled, creating legal uncertainty. For example, an SME considering an electronic marketing campaign will want to know what is permitted under Canadian law. I think that this government rightly passed anti-spam legislation in 2010, but the regulation-making process has dragged on for years, meaning that the law has still not taken effect. As a result, there is uncertainty about what is permitted, uncertainty about what will be permitted, and tailoring an e-marketing strategy is difficult.
Third, and somewhat similarly, Canadians want all businesses, including SMEs, to take security and privacy seriously. Making investment in these areas means factoring these issues into account. Yet with Bill C-12, the privacy reform bill languishing in the House of Commons, and, with all respect, inaccurate criticisms of a private member's bill on security breach disclosure requirements, the message, quite frankly, to SMEs is that the Privacy Commissioner may be concerned with the state of privacy law, but it is not a priority.
Now we could talk about, and I hope we do have the chance to talk about, what a digital economy strategy incorporating SME digital technology adoption might look like, including some of the legislative reforms, educational initiatives, skills training, as well as commitments to increase competition and ensure access for all. But my starting point is simply to say that without a broad-based digital economy strategy that weaves together these various issues, we should not be surprised by the lagging performance by Canadian SMEs. Indeed, we've practically scripted it.
I look forward to your questions.
Incorporation by Reference in Regulations Act
May 23rd, 2013 / 7:40 p.m.
Kevin Lamoureux Winnipeg North, MB
Mr. Speaker, it is a pleasure to rise this evening to address this bill. I have never had the honour of sitting on the statutory instruments regulations committee. It sounds as if it might be a very interesting committee. I do find it most fascinating that the government has chosen to use this particular bill, given that we are allocated four or five hours, which is probably more hours of debate than for many other pieces of legislation. However, at the end of the day, it is going to be interesting. I suspect that we might see differing opinions. We in the Liberal Party have a great deal of concern with regard to this bill. We cannot see ourselves supporting it at this time, and we will have to wait and see what happens at committee stage and see if the government is going to be able to address the issues.
We were talking about a different bill, Bill C-475, during private members' business, and it dealt with personal information. A government member stood up and made a comment on how wonderful it would be to have Bill C-12 debated, given that all sides of the House seemed to be supportive of Bill C-12. The member made the suggestion that he would even be prepared to see that bill debated right away. Maybe if the Conservatives recognize the importance of that bill, they might also want to call that; the last time it was brought before the House being back in September 2011. We will have to wait and see.
Another concern that was raised was in the form of questions that I asked both Conservative speakers in regard to the whole issue of the French language. I come from the province of Manitoba, and the French language issue in terms of laws and regulations was a critically important ruling that came from the Supreme Court of Canada. The ruling reflected on many of Manitoba's laws and, because of not having appropriate translation, the court had virtually given Manitoba a time schedule to pass all sorts of other regulations and laws in order to keep them in effect. It gave us a bit of a sunset clause in terms of needing to pass this in order to comply. Otherwise, we would have had a series of laws, whether provincial legislation or regulation, that would have become void. Therefore, we take the issue very seriously in terms of some of the things, and that is the reason I posed the questions.
In looking at Bill S-12, there are a couple of things that are really important to note. Quite often, the intent might be clear. Individuals, whether members of Parliament or those assisting in trying to create legislation or regulation, will be fairly clear on what it is they are trying to accomplish, the actual intent. The real challenge is to try to take that intent that is being expressed and put it into words, and in our case also to ensure that the translation is in essence saying the same thing whether in English or in French. That is a very important point.
As an example, one of the first issues that came up was related to Air Canada. It was an important issue, through which I suspect many individuals who might be listening in on the debate might get a better sense of the importance of converting intent into appropriate words. I recall the Air Canada Public Participation Act that was brought in a number of years ago. There is absolutely no doubt that, if we look at the debates and some of the discussions that took place in the committee, we would find that the intent that was being spoken was that communities like Winnipeg, Mississauga and Montreal would be guaranteed their overhaul maintenance positions.
This literally translated into thousands of jobs in Winnipeg, hundreds of jobs that were in essence guaranteed in that law. That was the intent.
If we read the legislation that is there today, I think most Canadians, in reading it, would come to the same conclusion to which I came. I raised that issue shortly after being elected back in December 2011. When I raised it, it was to challenge the government. It was to tell the Prime Minister that we had a law that said these overhaul maintenance bases were supposed to be guaranteed. Air Canada was legally obligated to maintain those bases.
The Prime Minister and the government responded by saying that this was not necessarily their interpretation. Apparently, the government found a lawyer somewhere who said that this was not the case, that there was no legal obligation.
It did not matter what we attempted, whether it was through postcards or petitions. Many different stakeholders and individuals read the law and said that the law was pretty clear.
I raise that because at the end of the day it is very important. When we think of a regulation or a law, we often talk about what we are hoping to achieve by passing it, but what is written down on that piece of paper and translated is what counts.
As legislators, we have to take that responsibility very seriously. In recognizing what this legislation is doing, it is offloading a great deal of responsibility. I know the record will clearly demonstrate that this has not necessarily been a government that wants to take responsibility. By allowing this legislation to pass as it is, we need to recognize that there will be more laws being put into place with less scrutiny from the House of Commons.
That is one of the effects that the passage of this bill will have. We need to be very clear on that point.
Another profound impact the legislation will have is in regard to the whole idea of incorporation by reference and what will happen in regard to that secondary language, whether it happens to be English or French. We are in a bilingual nation and there is an expectation. I will provide a little more comment on that in a few minutes.
The legislative summary that was provided by the Library of Parliament had some interesting information that is worth expressing. One point deals with the amount of regulation versus laws in terms of numbers of pages. It is interesting to note, and this is a quote from the parliamentary library, “There are, at the federal level alone, approximately 3,000 regulations comprising over 30,000 pages”. Compare that to somewhere in the neighbourhood of 450 statutes, which comprise roughly 13,000 pages.
Furthermore, departments and agencies submit to the regulations section, on average, about 1,000 draft regulations each year, whereas Parliament enacts about 80 bills during the same period. The executive therefore plays a major role in setting the rules of law that apply to Canadian citizens.
What we will find is that the number of laws in comparison to regulations is decreasing as we rely more on regulations. When we go into or finish second reading and then it goes to committee stage, how often do we hear from government representatives or policy analysts who say “this is what the clause says and further explanation will be provided via regulation?” We hear a lot of that.
Why then should we be concerned? We have to be careful that we recognize the importance of laws versus regulations and the incorporation of references into regulations.
We start off with our Constitution and our Charter of Rights. These are things that no one would question. We then go on to laws that would be passed in the House of Commons, then to regulations. Finally, we would go to the incorporation of reference.
Look at each stage and how difficult it is to change the Constitution. We do not see too much public will or interest in changing the Constitution. In terms of legislation, the same principle applies. There is a process of changing legislation. There is first reading, second reading, committee, third reading, the Senate and finally royal assent. There is a great deal of scrutiny that takes place.
What about regulations? There is a legal examination and registration that have to take place. Ultimately, publication takes place in the Canada Gazette.
We can see the difference between them. Each level has a different sense of accountability or process that we have to follow. If we take just the one component, the legal examination, the examination for the passage of legislation will come through here. There are all sorts of responsibilities that all members, particularly critics, caucuses, vested interest groups and stakeholders of a wide variety, have in ensuring there is some form of due diligence and a sense of accountability.
What about the regulation? When it comes to legal examination, we know there is an obligation for the Clerk of the Privy Council. There have been four things that were cited again, dealing specifically with this bill, that came from the Library of Parliament. Those four things in passing or ensuring that there is some form of legal examination of that regulation.
The first is, “(a) it is authorized by the statute pursuant to which it is to be made”. Another way of saying it is that if we want to change or pass a regulation, we want to ensure it is in compliance with the legislation or a current law that has been passed by the House of Commons.
The second is, “(b) it does not constitute an unusual or unexpected use of the authority pursuant to which it is to be made”. That would be something that would obviously make a whole lot of sense. After all, it cannot override a law, like a law cannot override our Constitution.
The third is, “(c) it does not trespass unduly on existing rights and freedoms and is not, in any case, inconsistent with the purposes and provisions of the Canadian Charter of Rights and Freedoms and the Canadian Bill of Rights”. We are asking that the Clerk of the Privy Council, in consultation with others, ensure that it does not contradict some of those basic rights. Before, if it was a law, it would be something where members, and in particular the Minister of Justice, would play a much stronger role in ensuring the compliance in that regard.
The fourth is, “(d) the form and draftsmanship of the proposed regulations are in accordance with established standards”. This is something where one would expect our legislative counsel and others that assist us to ensure the wording was correct. That is why at the beginning I commented on the importance of wording, that in fact one can be very clear orally what the intent is, but we have to ensure that this intent is put into proper words because it is the wording that is of critical importance.
I would like to quote from the Library of Parliament because I believe it is stated quite well in terms of what specifically, when we think of regulations, is actually at stake in dealing with Bill S-12. I quote directly from the report that has been provided to us from the Library of Parliament. It states:
When Parliament confers a power to make regulations, the regulation-maker usually exercises this power by drafting the text of the regulation to be enacted. The regulation-maker may also decide that the contents of an existing document are what should be used in the regulation it intends to enact. One way to make the contents of such a document part of the text of the regulation would be to reproduce it word for word in the regulation. Alternatively, the regulation-maker can simply refer to the title of the document in the regulation. The contents of the document will then be said to be “incorporated by reference”. The legal effect of incorporation by reference is to write the words of the incorporated document into the regulation just as if it had actually been reproduced word for word. The incorporation by reference of an existing document is no more than a drafting technique, and a regulation-maker need not be granted any specific power in order to resort to this technique. This is referred to as “closed” or “static” incorporation by reference.
We need to be very careful with that. When we talk about international standards, what we are really saying is that incorporation by referencing says that we are going to take a third party standard, whether international, provincial or it does not even have to be a government agency. It could be any sort of a third party and it could be a one paragraph document or it could be a 500-page document.
I see my time has run out. Hopefully there will be a question and I will be able to conclude my comment on that aspect of it.
Personal Information Protection and Electronic Documents Act
Private Members' Business
May 23rd, 2013 / 6:15 p.m.
Laurin Liu Rivière-des-Mille-Îles, QC
Before I begin, Mr. Speaker, I would like to remind the members opposite that Bill C-475 does not represent a comprehensive review of the Personal Information Protection and Electronic Documents Act, and for that reason, it cannot be compared with the government’s Bill C-12, which does in fact constitute a thorough review and is much broader in scope. Therefore I would invite the members to learn more about this bill before criticizing it.
I am especially pleased today to speak to this bill which was introduced by my colleague from Terrebonne—Blainville. Since being elected she has worked tirelessly on various issues related to the digital world. In particular, she fought against Bill C-30 and forced the Conservative government to kill its online spying bill. She also held public consultations on the North Shore on personal information protection as it relates to her bill.
Today, with Bill C-475, my colleague is calling for the Personal Information Protection and Electronic Documents Act to be modernized to take into account the new digital reality. It is hard to believe that this legislation has not been modernized since it was first passed 13 years ago in 2000. Back then, there were no iPods, smart phones, Facebook or Twitter, and I did not even have an email address. It is time for the government to blow the cobwebs away and modernize this legislation to better protect Canadians’ personal information.
The Personal Information Protection and Electronic Documents Act is based on the ombudsman model. The primary duty of the privacy commissioner is to investigate complaints concerning privacy breaches. The privacy commissioner has the power to investigate, to file complaints, to conduct audits and to publicly report on an organization’s personal information management practices. However, the act does not give the commissioner the power to make compliance orders, or in other words, to order organizations to amend their practices or face a fine if they fail to do so.
To clearly grasp the issue here, I would like to give a few examples that illustrate the need to give the Privacy Commissioner more powers. The commissioner recalled that in 2010, the retailer Staples had failed to delete all of the client data stored on devices such as laptops or USB hard drives that had been returned to their stores and were slated for resale. What is most disturbing is that this retailer had been investigated twice before and was still not complying with the commissioner’s orders.
Let us be honest here. The government created a watchdog who in essence has been muzzled. This watchdog does not have the power to enforce the act. This initiative by my colleague from Terrebonne—Blainville would give the Privacy Commissioner the means to do her job.
Another example is Google Street View, which collected personal information such as email addresses, emails, usernames, passwords, telephone numbers and street addresses. The commissioner found that this practice constituted a serious breach of Canadians’ right to privacy. In this instance, the outcome was a little more positive. Google appears to have accepted the recommendations of the commissioner, who observed that the company was on the right track to resolving these major problems.
I should also like to mention the Edmonton-based site Nexopia, which describes itself as the largest social networking site for young Canadians. The site has over 1.6 million registered users, 80% of whom live in Canada. Nexopia.com users create profiles, engage in blogging, create photo galleries and post articles, artwork, music, poems and videos. The problem is that Nexopia does not have any kind of system in place to block public searches of the profiles of young users, and the website does not allow users to shield their profile from the public. You can see the problem.
These facts are troubling, considering that young people are often careless when it comes to their personal information and that they are targeted by many companies and some offenders. The commissioner conducted a thorough investigation, found that this organization was not in compliance with the legislation in a number of areas and issued 24 recommendations.
Following the release of her report, the federal Privacy Commissioner was forced to ask the Federal Court to make an order compelling Nexopia to stop retaining personal information. Since this action was launched, Nexopia has changed hands, and we are still waiting for the new owner to follow up on all of the commissioner’s recommendations.
Bill C-475 introduced by my colleague attempts to resolve much of the problem by amending the Personal Information Protection and Electronic Documents Act in two ways. First, it would give the Privacy Commissioner enforcement powers, the power to order an organization that has failed to comply with the act to take the necessary steps to comply. Any organization that refused to take action within the timeframe set by the commissioner would risk a fine of up to $500,000.
As well, the bill makes it mandatory to signal any data breaches that could harm an individual. If an individual's personal information has been compromised in a way that could harm that individual, the organization responsible must inform the privacy commissioner of the violation. The commissioner can then determine if the violation could harm the individual and may force the organization responsible to inform the individual that their personal information has been compromised. Non-compliance could result in a fine of up to $500,000.
We believe that this will help increase compliance with the law, reduce the cost of the current process, and reduce delays. It will also establish solid case law that will allow individuals and organizations to better understand their rights and responsibilities.
I would like to point out that three provinces already have laws that are basically similar to the federal law concerning privacy in the private sector. Unlike Ottawa, the provinces of Quebec, Alberta and British Columbia empower their commissioner to make binding decisions in certain circumstances.
As my colleague mentioned when she introduced the bill, it seems that there is a consensus among the public to increase fines for offenders. As the Commissioner said, it is important to note that Canadians are the heaviest Internet users worldwide, spending an average of 45 hours a month online.
We are also among the most avid users of networking websites in the world. I was not surprised to hear that half of Canadians are on Facebook. In light of those statistics, it is not surprising that privacy is an ongoing concern for Canadians.
The 2011 Canadians and Privacy Survey found that the vast majority of respondents are in favour of stiff penalties for organizations that fail to protect people's privacy. More than 8 out of 10 respondents want to see measures passed to name offending organizations, impose fines or take the organizations to court.
The Commissioner herself is calling for more power to fulfill her mandate. In her 2011 report, she said:
In recent years, we have seen very serious, large-scale data breaches. Data breach notification, in itself, may not be sufficient to create the kind of incentives necessary to ensure that organizations take security issues more seriously in the current environment. Many other countries are taking a harder line on breaches. For example, the United States has been a leader in this area and virtually all states have data breach laws. Meanwhile, a European Commission Regulation proposed in early 2012 included data breach provisions and very significant fining powers for European data protection authorities. Commissioner Stoddart has encouraged the federal government to explore strengthened enforcement options that would create stronger incentives for organizations to ensure personal information is adequately protected.
The report could not have been any clearer.
Why are the Conservatives so soft on those whose business practices are compromising Canadians' personal data?
As a final point, it is important to understand that the Personal Information Protection and Electronic Documents Act and this bill apply to the use of personal information only in the private sector. Ideally, the proposed measures would also apply to government organizations.
I know in the past my hon. colleague has asked the Standing Committee on Access to Information, Privacy and Ethics to examine the possibility of opening up the Personal Information Protection and Electronic Documents Act to resolve this issue.
In closing, it is unfortunate that the Conservatives oppose this, and I hope we can come up with a solution to this serious problem.
Personal Information Protection and Electronic Documents Act
Private Members' Business
May 23rd, 2013 / 6:10 p.m.
Mike Lake Parliamentary Secretary to the Minister of Industry
First, I will correct the record for the hon. member. I think it was February 15, and I do not know if the hon. member was here, when our House leader certainly made very clear that we were willing to move Bill C-12 to committee, but it was obstructed by the opposition party that denied consent for that.
The Internet has become a platform for commerce. More and more online transactions rely on flows of information, including personal information. In fact, personal information is often cited as the lifeblood of the modern economy. It is a key asset and a driver for innovation. However, for information to continue to be an engine of growth and innovation, it is necessary to maintain a solid foundation of trust in the fair and responsible handling of personal information.
As the opposition is well aware, the government already has amendments to PIPEDA before the House in the form of Bill C-12, the safeguarding Canadians' personal information act. The amendments in this bill are the result of extensive public consultations and reflect the work of our parliamentary committee and legislative review process. They reflect the values of Canadian consumers as well as the realities of the marketplace.
Bill C-12 establishes broad-based, balanced, comprehensive improvements to PIPEDA which set out enhanced protections for Canadians' privacy, while ensuring that legitimate business needs for information are met.
By contrast, the opposition's approach to privacy in Bill C-475 introduces only two new measures in PIPEDA. The first of these is a potentially costly and administratively burdensome data breach notification regime.
Bill C-475 would require that organizations report every data breach involving a “possible risk of harm”, no matter how remote, to the Privacy Commissioner of Canada. The commissioner must then spend time determining whether each one of those breaches poses an “appreciable risk of harm”, and thereby warrants notification to affected individuals.
In contrast, the government's Bill C-12 proposes an approach to data breach notification that balances the cost to organizations of unnecessary notifications with the needs of consumers.
Bill C-12 would require notification to individuals only in situations where the organization determined that a breach carried a “real risk of significant harm”, which includes both financial harm, such as fraud, and non-financial harm, such as humiliation. This would eliminate the need for costly notification where it was not needed. This would minimize the compliance burden on organizations and reduce the risk of notification fatigue among consumers, while ensuring individuals would get the information they needed to protect themselves.
The opposition's Bill C-475 contains a lengthy list of consequences for non-compliance. This includes a monetary penalty of up to $500,000, which I am sure members will agree is a significant amount. However, should penalties for small businesses in our communities be as large as those of multinationals? The opposition seems to think this should be the case because Bill C-475 is silent on this question.
In contrast, the proposed measures in Bill C-12 reflect the importance of personal information to the smooth functioning of the marketplace. They address barriers to information flows, which were unforeseen when the act first came into force. They clarify and streamline privacy rules for business, while at the same time providing companies with the information they require to continue to grow and prosper.
Consumer information plays a role in many legitimate businesses. Financing transactions and acquisitions that occur in the normal course of development of many businesses require an assessment of business assets. These assets can include databases containing the personal information of customers the businesses intend to keep serving or information about the training and skills of employees who will continue to work with the business. Without the ability to access this personal information, it can be difficult for companies to assess the economic viability of a particular transaction.
Bill C-12 proposes to amend PIPEDA to enable companies to review personal information when necessary to conduct the proper due diligence prior to engaging in business dealings. Before any information can be shared between parties to a business transaction, each party must enter into a formal agreement that constrains the use of the information to purposes related to the transaction itself. In keeping with PIPEDA's existing principles, the agreement must also require the parties to protect that information with strong security safeguards.
Bill C-12 involves amendments that will remove barriers to the availability of information that is necessary to establish, manage or end an employment relationship.
Private sector representatives and the Privacy Commissioner of Canada have recognized that adjustments to PIPEDA were needed to reflect the unique context of the employment relationship.
As a result, Bill C-12 would amend the act to address situations where, for example, employers might need to collect and use the personal information of their employees to issue identification cards and control access to restricted areas.
These measures have been carefully balanced to maintain the protection of employee privacy by limiting the collection, use or disclosure of employees' personal information to that which is absolutely necessary and by ensuring that individuals are notified when their information is being collected, used or disclosed in the employment context.
Bill C-12 also follows up on other key recommendations. For instance, it would provide greater certainty and would clarify rules for business by streamlining private sector investigations. PIPEDA currently allows companies to share personal information with organizations that have a legitimate mandate to conduct investigations into breaches of agreements and contraventions of the law.
However, under PIPEDA, a burdensome and lengthy regulatory process is required in order to render this effective. To date, four separate regulatory processes have had to be launched to allow for the designation of 84 organizations or classes of investigative organizations with more expected.
Under Bill C-12, if passed, Parliament will act to replace this onerous regulatory process with an exception that will enable the information to be shared only in limited circumstances. Indeed, the government will only allow this information to be shared when it is necessary for the conduct of investigations and for fraud prevention.
I call upon members to support Bill C-12 rather than Bill C-475. I would mention for my colleagues from across the way that if they actually want to pass Bill C-12, as they seem to, both parties have mentioned it in the last few minutes, we would be glad to have that discussion and move it to committee tomorrow.
Personal Information Protection and Electronic Documents Act
Private Members' Business
May 23rd, 2013 / 6 p.m.
Murray Rankin Victoria, BC
Frankly, the question that arises is: Whatever happened to Bill C-12? This was to be the government's showpiece legislation to reform private sector privacy in Canada. That was back on September 29, 2011, and it is missing in action. As my colleagues have said repeatedly, privacy is the victim. Canadians are expecting, in this 21st century world in which we live, this digital economy, that their privacy will be protected.
I want to say in my remarks that this is good for business. This is actually essential for business. We can talk about privacy protection in the private sector as a human right, but we can also talk about it as being good for business, and I want to give a couple of examples where, in fact, we have kind of missed the boat on that.
The government had the opportunity. There was a requirement for it to bring in Bill C-12. It did not do this because of privacy protection concerns or even for good business reasons; it had to do it because the Personal Information Protection and Electronic Documents Act required that there be a statutory review. It has taken a long time, and I guess we will have another statutory review before it ever deals with Bill C-12. The point is that it is not just bad for privacy for all the reasons I have said, including the digital economy changing so utterly since 2001, but it is bad for business. That is a language the government, presumably, will understand, so let me talk about business.
We live in a world of big data. The current Foreign Affairs magazine talks about the rise of big data. Canadian Business magazine talks about a couple of examples where Canada, sadly, dropped the ball. Let me explain.
A few years ago Google made overtures in Quebec, but the provincial government and Hydro-Québec were unwilling to provide the kind of electricity required so a large data centre could be situated in that jurisdiction. What happened? Google went to Finland and, as a result, the company built a 350-million-euro data centre. Facebook is currently building a 900,000-square-foot facility 100 kilometres south of the Arctic Circle in Sweden. There is a gigantic industry available for gigantic data, and Canada is missing the train. Why is that?
We have cheap electricity by world standards. That should be easy. We have a very secure Canadian Shield in which we could situate these large data centres. Places like Kamloops in British Columbia have been considered. Here is what else we have. We have laws in the private sector that are substantially similar to those of the European Union. It has a very strong data protection law there. It cares deeply about privacy in that jurisdiction. Companies like Facebook have come to Canada and, essentially, test driven their new privacy regimes to see if they pass muster under the Canadian privacy laws, because if they do, they probably will pass muster in the European Union, the U.K. and places of that sort, since our laws are substantially similar.
Canada is perfectly situated between the United States and Europe with a relatively robust privacy protection regime to attract lots of business, but we dropped the ball. The government has utterly dropped the ball with Bill C-12. Who knows if it will ever see the light of day? I say that is tragic for business.
My colleague from Terrebonne—Blainville has spoken strongly in favour of privacy as a constitutional right, and that is true, of course, but the business side of this is good as well. What does her bill do? It does two fundamental things. It deals with breach notification, which according to the Privacy Commissioner of Canada today, 97% of Canadians think is a good idea, according to a poll. Talk about a no-brainer. Second, it talks about better enforcement provisions and order-making powers. Let me speak about each of those things that her bill would do.
First, in Bill C-475 there is a requirement to notify the commissioner of a breach if there is a possible risk of harm. We have seen lots of breaches where credit card information has found its way to various places it ought not to be, and the like, medical information, information that Canadians hold dear. If there is a risk of harm, the notification must be made in a form prescribed in regulations or otherwise specified by the commissioner.
We do not put everything in statutes; we wait for regulations to put flesh on the bones. That is how we do business. It is not surprising that is the way this has been proposed in Bill C-475 as well.
Then there was some concern because the bill talks about the commissioner requiring the organization to notify affected individuals to whom there is an “appreciable risk of harm” as a result of the data breach. Somehow I gather we should be criticized for the appreciable risk not being spelled out. Well, do we have “reasonable person” standards spelled out in our laws? Do we have every situation in the Criminal Code spelled out? Of course not. We use general words. We allow courts and commissioners and regulatory bodies to figure out what those mean. That is the way we do business. It is not surprising that has not been spelled out in detail here either. That is entirely consistent with normal Canadian drafting processes.
The commissioner would have the ability to order the private sector organization to notify individuals and the bill provides a certain number of criteria that should be considered in doing so. Then there is the possibility of an administrative monetary penalty, depending on certain factors that are listed, of up to $500,000. There is, of course, the issue of the right of action that the commissioner might have against an organization that has not complied with orders.
To me, these are entirely common sense, entirely 21st century provisions. I am so pleased that Canada's highly respected privacy commissioner, Jennifer Stoddart, has agreed entirely with these initiatives at a press conference in Toronto today. I thought this quote was perfectly in line with my colleague's bill. She said:
Personal information has been called the oil of the digital economy. As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially.
That goes to the point that the law we have in Canada, although good at the time in 2001, is entirely out of date and everyone knows it has to be improved. The Conservatives seem to not want to do that. Therefore, this bill would at least get us half the way there with two key things.
Finally, we would have order making power for the commissioner. I live in British Columbia. In my province and in the provinces of Quebec, Alberta and Newfoundland and Labrador, people have had the ability for this umpire in the game, this ombudsperson, to make orders where appropriate, and the sky has not fallen. It seems to me it has worked extremely well.
Why is it that we have taken so long to come up with what has been proven to be a huge success story at the provincial level? Imagine that: an administrative body making an order. How many thousands of examples can we find in Canadian legislation of just that kind of power? This is hardly surprising or radical. It is consistent with administrative justice regimes we find at the federal and provincial levels across the country.
The other thing Canadians want is breach notification. That is the other key element in this initiative. Why? It is because it is the most visceral example of privacy violation. When thousands of records frequently find themselves in the hands of others, not only is there a risk of identity theft and enormous personal loss, not only is it a drain on our economy if that occurs, but there is also a sense of enormous personal violation when individuals' privacy is put at risk.
There is an example in the United Kingdom, where someone left a data stick in the back of one of those black London taxis. It contained the records of several million British taxpayers. Just think what one could do with that information, not just economically. Think of the kind of very sensitive information that would entail. One could find out who was paying money to people, for example, who might have children of whom their current partner was unaware. That would be shown by way of alimony payments and maintenance payments that could be deducted from income tax.
There are a zillion examples of those kinds of breaches. Canadians are worried about that. According to our privacy commissioner, 97% in a survey expressed that concern.
I want to congratulate my colleague for her excellent work in bringing forward Bill C-475. I am shocked that our Government of Canada has not seen fit to move forward with Bill C-12. We get more platitudes about it but no action. I am thankful for the action this legislation entails.
Personal Information Protection and Electronic Documents Act
Private Members' Business
May 23rd, 2013 / 5:55 p.m.
Scott Andrews Avalon, NL
Mr. Speaker, I listened to the member talking about supporting Bill C-12. The problem is that the bill has been sitting on the order paper now for almost a year and the government has done absolutely nothing in advancing it, so that we could get it to committee and have a debate on it. One thing that Bill C-475 does is move forward the debate on privacy and the access to and protection of people's private information.
We are encouraged by Bill C-475 and want to get it to committee so we can update the legislation that has been in place. Only today, the Privacy Commissioner of Canada, Commissioner Stoddart, said we are falling behind and we are at risk of not being up to date with others around the world.
PIPEDA has been in place since 2001 with no changes since that particular date. On that, Commissioner Stoddart said:
Back in 2001, when PIPEDA began coming into force, and even when I became Privacy Commissioner in 2003, there was no Facebook, no Twitter and no Google Street View. Phones weren’t smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.
Things have changed in the last 15 years and we need to get up to date. Bill C-475 is a good first start. We need to also look at the commissioner's white paper released today, because she did say we are at risk of falling behind.
The reforms that need to be made to PIPEDA include stronger enforcement powers, requiring organizations to report breaches of personal information, requiring organizations to publicly report the number of disclosures they make and modifying the accountability principle.
One of the things the commissioner even said today is that she has no power. The only power the commissioner has is to name companies who breach these laws, so we need strong legislation and enforcement powers, and we need to make sure she has power to fine. Some of that may be in Bill C-12, but we have not seen that and we have not seen it being moved forward in the legislature.
These things do need to be updated. We look forward to having some more debate and getting this bill to committee so that we can really dig into it to see how these changes are going to have an impact and what improvements may need to be made to the bill from the information commissioner. We look forward to doing that in committee.