Evidence of meeting #41 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

  • Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
  • Barbara Bucknell  Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
  • Janet Goulding  Director General, Governance, Policy Coordination and Planning, Department of Industry
  • Jill Paterson  Policy Analyst, Security and Privacy Policy, Digital Policy, Department of Industry
  • Maxime-Olivier Thibodeau  Committee Researcher

12:40 p.m.

Liberal

Scott Andrews Avalon, NL

Thank you, Mr. Chair, and welcome.

To continue on that concept, the first thing, the most central principle you said is the need for consent. When you're talking about consent, how much jargon can be in there? How simple can we make it? I know we talked about the Privacy Commissioner, when someone has consent—you give consent to give your information to somebody else—how simple can we make this, so that people get it, and everyone knows what we're doing when we give consent? Is it possible?

12:40 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

I would have to agree with the Privacy Commissioner on this front. I think it is possible, but it is up to organizations to make those clear statements to their users as to what they're consenting to and what their information will be used for.

12:40 p.m.

Liberal

Scott Andrews Avalon, NL

You also said that this is whether consent is “expressed or implied”. Can you give us an example of implied consent? Should users be very concerned that some of this may be implied and they don't realize it?

12:40 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

The legislation indicates that implied consent depends on the context and the circumstances around it. So, for example, if the consumer is purchasing a magazine subscription, their consent might be implied to get a follow-up notice about the fact that their subscription is expiring, but it's very much contextual and it depends on the circumstances in place. So that kind of framework allows flexibility in allowing the Privacy Commissioner to interpret what's reasonable in the context of implied consent. I think it's one of the valuable aspects of the legislation.

Once you move to something that's more prescriptive, then by definition you tend to exclude something you can't foresee, and so the principles are very flexible and that's one of the strengths of the legislation. But the Privacy Commissioner has issued a number of guidelines on how consent should be interpreted, and they are available on our website.

12:45 p.m.

Liberal

Scott Andrews Avalon, NL

Quite often now, you see when you sign up that there's a box to be ticked beside a sentence that says, “We will provide this information to other vendors” and you can tick it if you wish to do that.

If you do tick the box, how far does it go down the chain to these vendors or other groups? How about the resale of this data? Does that go on? Does some organization get this data from somewhere else and then in turn resell it to somebody else? Are we concerned that this data gets passed through many hands through the resale?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

I can't speak to all business models but I don't think what you're describing is unheard of. I think that the principle of consent applies, no matter what the context. So if the information that's being collected is to be passed on to a third party, that consent is required by the legislation to be explicit and informed.

12:45 p.m.

Liberal

Scott Andrews Avalon, NL

And even if that third party then resells it?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Certainly within the context of the legislation, I would say, yes.

12:45 p.m.

Liberal

Scott Andrews Avalon, NL

Talking about breach notifications, the Privacy Commissioner said that not all businesses are reporting data breaches. How widespread do you think data breaches are?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Unfortunately, we don't have any research available to us to indicate how widespread data breaches are, but I think that in a world where organizations have vast amounts of data at their fingertips, it's important that we have legislation that requires all organizations to be subject to the same level playing field, and that they be required to take measures to protect that information in a manner consistent with the sensitivity of the information.

I think once the legislation is in force, the Privacy Commissioner will have the ability to have a better understanding of how widespread data breaches are in Canada.

12:45 p.m.

Liberal

Scott Andrews Avalon, NL

How quickly would notifications of these breaches need to be divulged to individuals?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Again, the speed with which the notification needs to happen is commensurate with the potential harm. If there's a significant risk of harm, you would expect that this notification should take place very quickly so that people can act to protect the information that may have been breached.

So for instance, in the example of potential credit card breaches, individuals might want to act quickly to cancel cards or further protect themselves. Again, the legislation is not prescriptive but it does say, “as soon as feasible”.

12:45 p.m.

NDP

The Chair Pierre-Luc Dusseault

Mr. Carmichael has the last five minutes.

12:45 p.m.

Conservative

John Carmichael Don Valley West, ON

Thank you, Mr. Chair, and welcome to our witnesses today.

I'd like to follow up on my colleague's questioning regarding the data breaches. I understand there is an amendment that would safeguard consumers against data breaches.

The concern I have is that the Commissioner was talking earlier about the fact that she lacks the enforcement ability on some of these challenges, so we put in the data breaches. We've covered that off in the legislation, but I wonder what the penalties are. How do we protect consumers? Even though you have it in there, who's responsible to lock that down?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Under the legislation, the Privacy Commissioner is responsible for enforcement of complaints. She does have the ability to launch an investigation, to make public her recommendations, and if she feels further action is required, to take that matter to the Federal Court. The Federal Court can order organizations to change their behaviour, and it can also award damages. The current legislative regime is based on an ombudsman approach, but as the commissioner alluded, perhaps in the second parliamentary review of PIPEDA, the issue of her compliance powers might be something that parliamentarians want to study.