Industry Committee on Feb. 5th, 2015

Thank you, Mr. Chair.

Good morning to you, to the minister and his officials, and to all my colleagues around the table.

We are talking about Bill S-4. In today's technological environment, it is indeed important to bring forward measures like these, but it is also important to make sure that personal information is well-protected.

Let's get right into it and look at new section 7(3)(d)(i), which deals with exceptions to consent requirements. It says that the information can be disclosed if the organization "has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed".

How can an organization determine the relevance of the information it is sharing to a federal or provincial contravention, all the while protecting individuals' rights?

That's a good question.

In our view, Bill S-4 clearly defines the obligations organizations and businesses are under in that regard. Once the bill comes into force, if any organizations have questions or need clarification, they can certainly speak to the people in my department or contact the Office of the Privacy Commissioner of Canada.

We introduced this bill to address the need to balance the rights of Canadians and the right to privacy. As I said in answer to Mr. Lake's question, we need to make sure that we are not creating barriers for organizations and businesses wishing to fully participate in the digital economy.

Very well. Thank you, minister.

We're talking about disclosing information. How is it possible to know whether the reason for disclosure is valid or not? The individual concerned doesn't know that the information is being shared between organizations. How is it possible to determine whether the reasons for sharing the information were valid?

That's a good question.

It's not always easy to figure out. Hence the importance of making sure that, whenever you give your credit card number to a supplier online, you have to read all the fine print, so to speak, because, at the end of the day, you are giving an organization your legitimate consent to share your personal information.

It's vital that, when using technology, consumers be extremely careful with their personal information. For that reason, Bill S-4 has a provision meant to protect young people, because they are the most vulnerable to these kinds of violations.

It's challenging for a government to put in place laws and regulations to protect people in their online communications. We believe this legislation gives the commissioner the powers needed to protect Canadians.

It's an ongoing debate in society and the media, not to mention within families. Whenever a breach of personal information occurs, we have to try to understand what went wrong and adopt new measures to protect individuals.

Minister, I realize that this is a piece of legislation and, as such, has to be somewhat general in nature. The bill refers to prospective breaches, however. Don't you think including future data breaches gives the bill an overly broad or general scope?

No, I don't. I think it's appropriate.

We can't predict what direction the online world will take. The bill contains rules and principles that will remain valid. I have no doubt that, down the road, after its implementation, the legislation will undergo a review. At that point, we'll be able to tell whether it's doing the job and protecting Canadians' interests.

Now on to Madam Gallant for five minutes.

Sure. As you said, we've undertaken both with Minister Bernier as small business minister and, prior to that, Minister Rob Moore when he was minister of small businesses, the red tape reduction action plan, a bold name for a very important initiative for small businesses to ensure they are not overly burdened.

This legislation provides changes because we need to recognize companies need to have access to and to use personal information to conduct legitimate businesses.

Up until now there has been a lack of clarity, which is part of the reason small business organizations were brought into the process of drafting this legislation, hearing their concerns about how we can move forward.

You can imagine the massive shift that is happening. We see it with retail stores and the way in which we're advancing their businesses, especially if you're a small business.

If you're going to reorient your business and shift much of your sales regime to online sales, you need to make sure not only do you have the best, most efficient, and most up-to-date systems of engaging with consumers, but you're doing it in a safe and responsible way. As I said, if you have one data breach in a small firm, and that word gets around, and it goes viral electronically, your business is shuttered. It's toxic.

Therefore firms have to do their due diligence. We as a government have to be part of that, not just in imposing more and more obligations onto firms of what you must and must not do, which would cause small or medium-sized enterprises that are aspiring to be bigger and to engage in bigger markets, including markets overseas.... With the passage of the Canada-Korea Free Trade Agreement and the coming of the Canada-Europe free trade agreement, as small and medium-sized enterprises aspire to be global in their reach, they need to make sure their systems are fully secure and safe and protecting individuals. Not only in the practical application of law like this in terms of regulation, but also reputationally, we need to make sure Canadian firms are seen globally as operating within a regime that is world-leading in the protection of the privacy rights of individual consumers.

That's what we aspire to do. We think we do this in a very clear and straightforward way that reduces red tape—I know red tape is a bit of a catch phrase—in that sense by making the rules clear for small businesses that wish to further engage in the opportunities of doing commerce online.

With respect to the comments you made pertaining to the Charter of Rights, when a data breach occurs through hacking, it's a criminal offence, and you're confirming that a warrant will be required to investigate a cybercrime.

That's correct.

It would depend on the context of the data breach, for example, but yes, the current procedures that require the government and police forces to access this information would stand.

So this applies only to Canadian companies that are physically situated here?

No, it applies to firms that have access to Canadians' data.

Chris, I'm sure I'm lacking clarity on this.

Canadians don't necessarily know if the company with which they are doing their online shopping is situated in Canada. Many companies have a .ca even though they are somewhere else.

How do they know they are PIPEDA protected?

Yes, and the lens is inverse. We're protecting Canadians. It's about protecting Canadians and their right to have their information protected by firms. That's what it's about. It's not about the firm. It's about the rights of Canadians.

We go to Ms. Nash, for five minutes.

Thank you, Mr. Chair.

Welcome again to the industry committee, Minister, and your top officials.

Many Canadians broadly welcome action by the government on digital privacy. It has certainly been long overdue. Canadians do want enhanced protection for their digital privacy.

I want to, as some of my colleagues have, ask questions about certain parts of the bill that many consider to actually threaten Internet and digital privacy of Canadians. I'm specifically referring to clauses 6 and 7, which add to the exemptions in which personal information can be collected, used, or disclosed without consent or the knowledge of the individual. Testimony at the Senate hearings on this bill raised these concerns.

A member of the Canadian Bar Association on the national privacy and access law section said:

We are concerned that, as drafted, the proposed PIPEDA amendment, section 7(3)(d.1) and (d.2), is unnecessarily broad and would permit disclosure without consent in an inappropriately broad range of circumstances.

The office of the Privacy Commissioner said:

First, we believe that the grounds for disclosing to another organization are overly broad and need to be circumscribed, for example, by defining or limiting the types of activities for which the personal information could be used. The proposed 7(3)(d.2) would allow disclosures without consent to another organization to “prevent fraud”. Allowing such disclosures to prevent potential fraud may open the door to widespread disclosures and routine sharing of personal information among organizations on the grounds that this information might be useful to prevent future fraud.

Minister, are you of the opinion that sharing personal information without the knowledge of consent between businesses is helping the privacy of Canadians?

Not without the consent of the individual, which was part of my response to our Liberal colleague about the consent. People have to consent in order for their information to be shared.

Some of the particular circumstances where we allow for sharing of information business to business, for example—separate from the government, where we allow it to happen—are for the examples that I've described, such as elder abuse. This has been called for and asked of the government.

You've listed some of the firms that have raised some concerns about the legislation; many of the people you cited still think the bill should be passed. I can certainly give you a long list of people who have given us quotes saying they're very thankful that the government has put in place this kind of flexibility in the legislation, so that we can prevent things like elder abuse, financial abuse, and that we can protect our children. Very often we do have to have the sharing of information between firms, so that they are doing their due diligence and protecting consumers from privacy breaches.

Thank you, Minister.

I have such a short time. I just need clarification because, if I understand the law correctly, section 7.2(1) says:

In addition to the circumstances set out in subsection 7(2) and (3) for the purpose of clause 4.3 of Schedule 1...organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

And then it has a long list that I won't read. For example:

(a) the organizations have entered into an agreement that requires the organization that receives the personal information (i) to use and disclose that information solely for purposes related to the transaction, (ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and (iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and (b) the personal information is necessary (i) to determine whether to proceed with the transaction, and (ii) if the determination is made to proceed with the transaction, to complete it.

There are other sections that I could read. I guess my question is, where there are these warrantless disclosures of personal information—that's basically personal information-sharing between companies—is the minister open to any amendments to either remove some of the sections that have really been troubling, or perhaps to put in some checks and balances in order to ensure that these clauses are not abused? I think there are some very good things in this bill, but there are some legitimate concerns that they may be overly vague or broad.

We're about one minute over, so I'll just take it off for the answer.

Go ahead, Mr. Knubley.